articles/role-based-access-control/custom-roles.md
25 additions & 23 deletions
@@ -31,10 +31,6 @@ Custom roles can be shared between subscriptions that trust the same Azure AD di
31
31
32
32
## Custom role example
33
33
34
-
When you create a custom role, it appears in the Azure portal with an orange resource icon.
35
-
36
-

37
-
38
34
The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.
39
35
40
36
```json
@@ -107,29 +103,13 @@ The following shows the same custom role as displayed using Azure CLI.
107
103
]
108
104
```
109
105
110
-
## Steps to create a custom role
111
-
112
-
1. Decide how you want to create the custom role
113
-
114
-
You can create custom roles using [Azure portal](custom-roles-portal.md), [Azure PowerShell](custom-roles-powershell.md), [Azure CLI](custom-roles-cli.md), or the [REST API](custom-roles-rest.md).
115
-
116
-
1. Determine the permissions you need
117
-
118
-
When you create a custom role, you need to know the operations that are available to define your permissions. To view the list of operations, see the [Azure Resource Manager resource provider operations](resource-provider-operations.md). You will add the operations to the `Actions` or `NotActions` properties of the [role definition](role-definitions.md). If you have data operations, you will add those to the `DataActions` or `NotDataActions` properties.
119
-
120
-
1. Create the custom role
121
-
122
-
Typically, you start with an existing built-in role and then modify it for your needs. The easiest way to create a custom role is to use the Azure portal, but can you can also create custom roles using commands. To create a custom role, you must be signed in with a user that has the `Microsoft.Authorization/roleDefinitions/write` permission on all `AssignableScopes`, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).
123
-
124
-
1. Test the custom role
125
-
126
-
Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
106
+
When you create a custom role, it appears in the Azure portal with an orange resource icon.
127
107
128
-
For steps on how to create a custom role using the Azure portal, see [Create or update Azure custom roles using the Azure portal](custom-roles-portal.md).
108
+

129
109
130
110
## Custom role properties
131
111
132
-
A custom role has the following properties.
112
+
The following table describes what the custom role properties mean.
133
113
134
114
| Property | Required | Type | Description |
135
115
| --- | --- | --- | --- |
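Review bot: The sentence added at new line 106, "When you create a custom role, it appears in the Azure portal with an orange resource icon.", now follows directly after the closing fence of the Azure CLI output, so a portal detail trails two command-line examples with nothing to introduce it. Consider a short lead-in there, or placing it beside the portal pointer in the steps section. A smaller style point at new line 112: "The following table describes what the custom role properties mean." is wordier than the removed "A custom role has the following properties."; "The following table describes the custom role properties." would read more cleanly.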
@@ -143,6 +123,28 @@ A custom role has the following properties.
143
123
|`NotDataActions`| No | String[]| An array of strings that specifies the data operations that are excluded from the allowed `DataActions`. For more information, see [NotDataActions](role-definitions.md#notdataactions). |
144
124
|`AssignableScopes`| Yes | String[]| An array of strings that specifies the scopes that the custom role is available for assignment. You can only define one management group in `AssignableScopes` of a custom role. Adding a management group to `AssignableScopes` is currently in preview. For more information, see [AssignableScopes](role-definitions.md#assignablescopes). |
145
125
126
+
## Steps to create a custom role
127
+
128
+
To create a custom role, here are basics steps you should follow.
129
+
130
+
1. Decide how you want to create the custom role.
131
+
132
+
You can create custom roles using Azure portal, Azure PowerShell, Azure CLI, or the REST API.
133
+
134
+
1. Determine the permissions you need.
135
+
136
+
When you create a custom role, you need to know the operations that are available to define your permissions. To view the list of operations, see the [Azure Resource Manager resource provider operations](resource-provider-operations.md). You will add the operations to the `Actions` or `NotActions` properties of the [role definition](role-definitions.md). If you have data operations, you will add those to the `DataActions` or `NotDataActions` properties.
137
+
138
+
1. Create the custom role.
139
+
140
+
Typically, you start with an existing built-in role and then modify it for your needs. The easiest way is to use the Azure portal. For steps on how to create a custom role using the Azure portal, see [Create or update Azure custom roles using the Azure portal](custom-roles-portal.md).
141
+
142
+
To create a custom role, you must be signed in with a user that has the `Microsoft.Authorization/roleDefinitions/write` permission on all `AssignableScopes`, such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator).
143
+
144
+
1. Test the custom role.
145
+
146
+
Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
147
+
146
148
## Who can create, delete, update, or view a custom role
147
149
148
150
Just like built-in roles, the `AssignableScopes` property specifies the scopes that the role is available for assignment. The `AssignableScopes` property for a custom role also controls who can create, delete, update, or view the custom role.
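Review bot: New line 128 has a typo, "here are basics steps you should follow"; it should read "basic steps". At new line 132 the list "Azure portal, Azure PowerShell, Azure CLI, or the REST API" is plain text, while the removed version of this step linked each item to custom-roles-portal.md, custom-roles-powershell.md, custom-roles-cli.md and custom-roles-rest.md. Only the portal link is restored (new line 140), so readers who create roles from PowerShell, the CLI or REST lose their pointer. Suggest restoring the four links in step 1. The `Microsoft.Authorization/roleDefinitions/write` requirement at new line 142 is the prerequisite for the whole of step 3, yet it now comes after the portal pointer; consider moving it ahead of the "easiest way" paragraph so it is read first.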