articles/role-based-access-control/role-assignments-portal.md
Lines changed: 16 additions & 6 deletions
@@ -12,7 +12,7 @@ ms.devlang: na
12
12
ms.topic: conceptual
13
13
ms.tgt_pltfrm: na
14
14
ms.workload: identity
15
-
ms.date: 11/25/2019
15
+
ms.date: 01/25/2020
16
16
ms.author: rolyon
17
17
ms.reviewer: bagovind
18
18
---
@@ -31,7 +31,7 @@ To add or remove role assignments, you must have:
31
31
32
32
## Overview of Access control (IAM)
33
33
34
-
**Access control (IAM)** is the blade that you use to assign roles. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
34
+
**Access control (IAM)** is the blade that you use to assign roles to grant access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
35
35
36
36

37
37
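Review bot: In the rewritten opening sentence of the Overview paragraph, "to assign roles to grant access to Azure resources" stacks two infinitives and can be read two ways. "the blade that you use to assign roles that grant access to Azure resources" says the same thing unambiguously. While the line is being touched, "The following shows an example" is also missing a noun after "The following".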
@@ -55,18 +55,22 @@ Follow these steps to assign a role at different scopes.
55
55
56
56
1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
57
57
58
-
1. Click the specific resource.
58
+
1. Click the specific resource for that scope.
59
59
60
60
1. Click **Access control (IAM)**.
61
61
62
62
1. Click the **Role assignments** tab to view all the role assignments at this scope.
63
63
64
-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
64
+

65
+
66
+
1. Click **Add** > **Add role assignment**.
65
67
66
68
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

71
75
72
76
1. In the **Role** drop-down list, select a role such as **Virtual Machine Contributor**.
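Review bot: The new step "Click **Add** > **Add role assignment**." drops "to open the Add role assignment pane", so the later step that begins "In the **Role** drop-down list" no longer says where that list appears. Keep the pane name in the step text rather than relying only on the lines added around it. The sentence "If you don't have permissions to assign roles, the Add role assignment option will be disabled" would also help readers more if it linked back to the prerequisites listed under "To add or remove role assignments, you must have:".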
@@ -77,6 +81,8 @@ Follow these steps to assign a role at different scopes.
77
81
78
82
After a few moments, the security principal is assigned the role at the selected scope.
79
83
84
+

85
+
80
86
## Assign a user as an administrator of a subscription
81
87
82
88
To make a user an administrator of an Azure subscription, assign them the [Owner](built-in-roles.md#owner) role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.
@@ -89,12 +95,16 @@ To make a user an administrator of an Azure subscription, assign them the [Owner
89
95
90
96
1. Click the **Role assignments** tab to view all the role assignments for this subscription.
91
97
92
-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
98
+

99
+
100
+
1. Click **Add** > **Add role assignment**.
93
101
94
102
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

99
109
100
110
1. In the **Role** drop-down list, select the **Owner** role.
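Review bot: The step "select the **Owner** role" is reached without any caution, even though the section intro states that Owner gives "full access to all resources in the subscription, including the permission to grant access to others". Since this procedure is being edited, add a short note before that step telling readers to give Owner at subscription scope only to users who need to manage access for others. The changed "Click **Add** > **Add role assignment**." step here also loses the pane name, the same as in the previous procedure.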
@@ -123,7 +133,7 @@ In RBAC, to remove access, you remove a role assignment. Follow these steps to r
123
133
124
134
1. In the remove role assignment message that appears, click **Yes**.
125
135
126
-
Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the **Scope** column, next to **(Inherited)** there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.
136
+
If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the **Scope** column and click the link next to **(Inherited)**.
127
137
128
138

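Review bot: In the replacement paragraph, "you are trying to remove a role assignment at a child scope" does not say that the assignment was created at a parent scope, and "try again" is vaguer than the removed "Go to the scope listed there to remove the role assignment". Suggest wording along the lines of "you are trying to remove, at a child scope, a role assignment that was created at a parent scope", and keep the explicit instruction to remove it at the scope where the role was assigned.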