The following shows an example of the properties in a role definition when displayed using the [Azure portal](role-definitions-list.md#azure-portal), [Azure CLI](role-definitions-list.md#azure-cli), or the[REST API](role-definitions-list.md#rest-api):
37
+
The following shows an example of the properties in a role definition when displayed using the [Azure CLI](role-definitions-list.md#azure-cli) or [REST API](role-definitions-list.md#rest-api):
36
38
37
39
```
38
40
roleName
39
41
name
42
+
id
43
+
roleType
40
44
type
41
45
description
42
46
actions []
43
47
notActions []
44
48
dataActions []
45
49
notDataActions []
46
50
assignableScopes []
51
+
condition
52
+
conditionVersion
53
+
createdOn
54
+
updatedOn
55
+
createdBy
56
+
updatedBy
47
57
```
48
58
49
59
The following table describes what the role properties mean.
50
60
51
61
| Property | Description |
52
62
| --- | --- |
53
-
|`Name`</br>`roleName`| The display name of the role. |
54
-
|`Id`</br>`name`| The unique ID of the role. Built-in roles have the same role ID across clouds. |
55
-
|`IsCustom`</br>`roleType`| Indicates whether this is a custom role. Set to `true` or `CustomRole` for custom roles. Set to `false` or `BuiltInRole` for built-in roles. |
56
-
|`Description`</br>`description`| The description of the role. |
57
-
|`Actions`</br>`actions`| An array of strings that specifies the control plane actions that the role allows to be performed. |
58
-
|`NotActions`</br>`notActions`| An array of strings that specifies the control plane actions that are excluded from the allowed `Actions`. |
59
-
|`DataActions`</br>`dataActions`| An array of strings that specifies the data plane actions that the role allows to be performed to your data within that object. |
60
-
|`NotDataActions`</br>`notDataActions`| An array of strings that specifies the data plane actions that are excluded from the allowed `DataActions`. |
61
-
|`AssignableScopes`</br>`assignableScopes`| An array of strings that specifies the scopes that the role is available for assignment. |
63
+
|`Name`</br>`roleName`| Display name of the role. |
64
+
|`Id`</br>`name`| Unique ID of the role. Built-in roles have the same role ID across clouds. |
65
+
|`id`| Fully qualified unique ID of the role. |
66
+
|`IsCustom`</br>`roleType`| Indicates whether this role is a custom role. Set to `true` or `CustomRole` for custom roles. Set to `false` or `BuiltInRole` for built-in roles. |
67
+
|`type`| Type of object. Set to `Microsoft.Authorization/roleDefinitions`. |
68
+
|`Description`</br>`description`| Description of the role. |
69
+
|`Actions`</br>`actions`| Array of strings that specifies the control plane actions that the role allows to be performed. |
70
+
|`NotActions`</br>`notActions`| Array of strings that specifies the control plane actions that are excluded from the allowed `Actions`. |
71
+
|`DataActions`</br>`dataActions`| Array of strings that specifies the data plane actions that the role allows to be performed to your data within that object. |
72
+
|`NotDataActions`</br>`notDataActions`| Array of strings that specifies the data plane actions that are excluded from the allowed `DataActions`. |
73
+
|`AssignableScopes`</br>`assignableScopes`| Array of strings that specifies the scopes that the role is available for assignment. |
74
+
|`Condition`<br/>`condition`| For built-in roles, condition statement based on one or more actions in role definition. |
75
+
|`ConditionVersion`<br/>`conditionVersion`| Condition version number. Defaults to 2.0 and is the only supported version. |
76
+
|`createdOn`| Date and time role was created. |
77
+
|`updatedOn`| Date and time role was last updated. |
78
+
|`createdBy`| For custom roles, principal that created role. |
79
+
|`updatedBy`| For custom roles, principal that updated role. |
62
80
63
81
### Actions format
64
82
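Review bot: The line-break markup in the rewritten property table is inconsistent and partly invalid: the `Name` through `AssignableScopes` rows use `</br>`, which is not an HTML element, while the newly added `Condition` and `ConditionVersion` rows use `<br/>`. Since every one of these rows is being rewritten in this hunk anyway, switch them all to the same valid form, e.g. ``|`Name`<br/>`roleName`| Display name of the role. |``. One smaller point: the new lowercase `type` row ("Type of object. Set to `Microsoft.Authorization/roleDefinitions`.") sits directly under the `IsCustom`/`roleType` row, and because `roleType` and `type` are easy to confuse, a few words noting that `type` is the resource type of the definition object rather than the kind of role would help readers who are scanning the table.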
@@ -87,7 +105,7 @@ Contributor role as displayed in [Azure PowerShell](role-definitions-list.md#azu
87
105
"Name": "Contributor",
88
106
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
89
107
"IsCustom": false,
90
-
"Description": "Lets you manage everything except access to resources.",
108
+
"Description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
91
109
"Actions": [
92
110
"*"
93
111
],
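Review bot: The updated `Description` string states that the role does not allow assigning roles in Azure RBAC, managing Azure Blueprints assignments, or sharing image galleries, yet the same excerpt shows `"Actions": [ "*" ]`, so a reader of this block alone cannot see where those exclusions are enforced. A sentence after the block saying that the exclusions are expressed in `NotActions` (which appears later in the same output) would avoid the impression that Contributor is unrestricted. The new string is also duplicated verbatim in the CLI/REST example further down; keep both copies in sync if the wording changes again.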
@@ -96,46 +114,62 @@ Contributor role as displayed in [Azure PowerShell](role-definitions-list.md#azu
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
Only data plane actions can be added to the `DataActions` and `NotDataActions` properties. Resource providers identify which actions are data actions, by setting the `isDataAction` property to `true`. To see a list of the actions where `isDataAction` is `true`, see [Resource provider operations](resource-provider-operations.md). Roles that do not have data actions are not required to have `DataActions` and `NotDataActions` properties within the role definition.
Since Alice has a wildcard (`*`) action at a subscription scope, their permissions inherit down to enable them to perform all control plane actions. Alice can read, write, and delete containers. However, Alice cannot perform data plane actions without taking additional steps. For example, by default, Alice cannot read the blobs inside a container. To read the blobs, Alice would have to retrieve the storage access keys and use them to access the blobs.
244
289
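Review bot: The Alice example's last sentence, "To read the blobs, Alice would have to retrieve the storage access keys and use them to access the blobs", presents a shared-key workaround as the way to get data plane access, immediately after the paragraph that introduces `DataActions` as the mechanism for granting data plane actions. The RBAC-native path is to assign Alice a role whose `DataActions` include the needed blob read action; stating that first, and describing the access-key route as bypassing the data plane authorization model rather than as the expected next step, would keep the example aligned with the property it is illustrating. Also note that this hunk renders incomplete here (the header counts 46 removed and 62 added lines, but only a few are visible), so the rest of the change could not be reviewed from this page.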
@@ -353,7 +398,7 @@ Examples of valid assignable scopes include:
353
398
354
399
You can define only one management group in `AssignableScopes` of a custom role.
355
400
356
-
Although it's possible to create a custom role with a resource instance in `AssignableScopes` using the command line, it's not recommended. Each tenant supports a maximum of 5000 custom roles. Using this strategy could potentially exhaust your available custom roles. Ultimately, the level of access is determined by the custom role assignment (scope + role permissions + security principal) and not the `AssignableScopes` listed in the custom role. So, create your custom roles with `AssignableScopes` of management group, subscription, or resource group, but assign the custom roles with narrow scope, such as resource or resource group.
401
+
Although it's possible to create a custom role with a resource instance in `AssignableScopes` using the command line, it's not recommended. Each tenant supports a maximum of 5,000 custom roles. Using this strategy could potentially exhaust your available custom roles. Ultimately, the level of access is determined by the custom role assignment (scope + role permissions + security principal) and not the `AssignableScopes` listed in the custom role. So, create your custom roles with `AssignableScopes` of management group, subscription, or resource group, but assign the custom roles with narrow scope, such as resource or resource group.
357
402
358
403
For more information about `AssignableScopes` for custom roles, see [Azure custom roles](custom-roles.md).