Merge pull request #271651 from rolyon/rolyon-rbac-constrained-delegation-example-update

prmerger-automator[bot] · web-flow · commit 361c3359530e · 2024-04-09T21:33:00.000Z
[Azure RBAC] Allow most roles, but don't allow others to assign roles
diff --git a/articles/role-based-access-control/delegate-role-assignments-examples.md b/articles/role-based-access-control/delegate-role-assignments-examples.md
@@ -708,7 +708,7 @@ To target both the add and remove role assignment actions, notice that you must
 > | Actions | [Create or update role assignments](conditions-authorization-actions-attributes.md#create-or-update-role-assignments) |
 > | Attribute source | Request |
 > | Attribute | [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) |
-> | Operator | [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
+> | Operator | [ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) |
 > | Comparison | Value |
 > | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
 
@@ -718,7 +718,7 @@ To target both the add and remove role assignment actions, notice that you must
 > | Actions | [Delete a role assignment](conditions-authorization-actions-attributes.md#delete-a-role-assignment) |
 > | Attribute source | Resource |
 > | Attribute | [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) |
-> | Operator | [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
+> | Operator | [ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) |
 > | Comparison | Value |
 > | Roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
 
@@ -729,7 +729,7 @@ To target both the add and remove role assignment actions, notice that you must
  )
  OR 
  (
-  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
+  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
  )
 )
 AND
@@ -739,7 +739,7 @@ AND
  )
  OR 
  (
-  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
+  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}
  )
 )
 ```
@@ -752,7 +752,7 @@ Here's how to add this condition using Azure PowerShell.
 $roleDefinitionId = "f58310d9-a9f6-439a-9e8d-f62e7b41a168"
 $principalId = "<principalId>"
 $scope = "/subscriptions/<subscriptionId>"
-$condition = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}))"
+$condition = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}))"
 $conditionVersion = "2.0"
 New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionId $roleDefinitionId -Condition $condition -ConditionVersion $conditionVersion
 ```

Original file line number	Diff line number	Diff line change
`@@ -708,7 +708,7 @@ To target both the add and remove role assignment actions, notice that you must`
`708`	`708`	`> \| Actions \| [Create or update role assignments](conditions-authorization-actions-attributes.md#create-or-update-role-assignments) \|`
`709`	`709`	`> \| Attribute source \| Request \|`
`710`	`710`	`> \| Attribute \| [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) \|`
`711`		`-> \| Operator \| [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) \|`
	`711`	`+> \| Operator \| [ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) \|`
`712`	`712`	`> \| Comparison \| Value \|`
`713`	`713`	`> \| Roles \| [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) \|`
`714`	`714`
`@@ -718,7 +718,7 @@ To target both the add and remove role assignment actions, notice that you must`
`718`	`718`	`> \| Actions \| [Delete a role assignment](conditions-authorization-actions-attributes.md#delete-a-role-assignment) \|`
`719`	`719`	`> \| Attribute source \| Resource \|`
`720`	`720`	`> \| Attribute \| [Role definition ID](conditions-authorization-actions-attributes.md#role-definition-id) \|`
`721`		`-> \| Operator \| [ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) \|`
	`721`	`+> \| Operator \| [ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) \|`
`722`	`722`	`> \| Comparison \| Value \|`
`723`	`723`	`> \| Roles \| [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) \|`
`724`	`724`
`@@ -729,7 +729,7 @@ To target both the add and remove role assignment actions, notice that you must`
`729`	`729`	`)`
`730`	`730`	`OR`
`731`	`731`	`(`
`732`		`- @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}`
	`732`	`+ @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}`
`733`	`733`	`)`
`734`	`734`	`)`
`735`	`735`	`AND`
`@@ -739,7 +739,7 @@ AND`
`739`	`739`	`)`
`740`	`740`	`OR`
`741`	`741`	`(`
`742`		`- @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}`
	`742`	`+ @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}`
`743`	`743`	`)`
`744`	`744`	`)`
`745`	`745`	```
`@@ -752,7 +752,7 @@ Here's how to add this condition using Azure PowerShell.`
`752`	`752`	`$roleDefinitionId = "f58310d9-a9f6-439a-9e8d-f62e7b41a168"`
`753`	`753`	`$principalId = "<principalId>"`
`754`	`754`	`$scope = "/subscriptions/<subscriptionId>"`
`755`		-$condition = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}))"
	`755`	+$condition = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, f58310d9-a9f6-439a-9e8d-f62e7b41a168, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}))"
`756`	`756`	`$conditionVersion = "2.0"`
`757`	`757`	`New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionId $roleDefinitionId -Condition $condition -ConditionVersion $conditionVersion`
`758`	`758`	```