articles/role-based-access-control/custom-roles.md
6 additions & 6 deletions
@@ -88,15 +88,15 @@ A custom role has the following properties.
88
88
89
89
| Property | Required | Type | Description |
90
90
| --- | --- | --- | --- |
91
-
|`Name`| Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple management group or subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128. |
91
+
|`Name`| Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128. |
92
92
|`Id`| Yes | String | The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role. |
93
93
|`IsCustom`| Yes | String | Indicates whether this is a custom role. Set to `true` for custom roles. |
94
94
|`Description`| Yes | String | The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024. |
95
95
|`Actions`| Yes | String[]| An array of strings that specifies the management operations that the role allows to be performed. For more information, see [Actions](role-definitions.md#actions). |
96
96
|`NotActions`| No | String[]| An array of strings that specifies the management operations that are excluded from the allowed `Actions`. For more information, see [NotActions](role-definitions.md#notactions). |
97
97
|`DataActions`| No | String[]| An array of strings that specifies the data operations that the role allows to be performed to your data within that object. If you create a custom role with `DataActions`, that role cannot be assigned at the management group scope. For more information, see [DataActions](role-definitions.md#dataactions). |
98
98
|`NotDataActions`| No | String[]| An array of strings that specifies the data operations that are excluded from the allowed `DataActions`. For more information, see [NotDataActions](role-definitions.md#notdataactions). |
99
-
|`AssignableScopes`| Yes | String[]| An array of strings that specifies the scopes that the custom role is available for assignment. Adding a management group to `AssignableScopes` is currently in preview. For more information, see [AssignableScopes](role-definitions.md#assignablescopes). |
99
+
|`AssignableScopes`| Yes | String[]| An array of strings that specifies the scopes that the custom role is available for assignment. You can only define one management group in `AssignableScopes` of a custom role. Adding a management group to `AssignableScopes` is currently in preview. For more information, see [AssignableScopes](role-definitions.md#assignablescopes). |
100
100
101
101
## Who can create, delete, update, or view a custom role
102
102
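Review bot: In the `Name` row, the first clause still reads "a role definition is a management group or subscription-level resource" while the edited clause now says it "can be used in multiple subscriptions", so the row no longer tells the reader how a definition scoped to a management group behaves. Either drop "management group or" from the first clause as well, or state the management group case explicitly. In the `AssignableScopes` row, the added sentence "You can only define one management group in `AssignableScopes` of a custom role." repeats the bullet under "Custom role limits"; consider pointing to that section from the table so the limit is maintained in one place.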
@@ -110,16 +110,16 @@ Just like built-in roles, the `AssignableScopes` property specifies the scopes t
110
110
111
111
## Custom role limits
112
112
113
-
The following list describes the limits custom roles.
113
+
The following list describes the limits for custom roles.
114
114
115
115
- Each directory can have up to **5000** custom roles.
116
-
-Specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, can have up to 2000 custom roles for each directory.
116
+
- Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each directory.
117
117
- You cannot set `AssignableScopes` to the root scope (`"/"`).
118
-
- You can only define one management group in `AssignableScopes` of a custom role.
118
+
- You can only define one management group in `AssignableScopes` of a custom role. Adding a management group to `AssignableScopes` is currently in preview.
119
119
- Custom roles with `DataActions` cannot be assigned at the management group scope.
120
120
- Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope.
121
121
122
-
For more information about custom role limits, see [Organize your resources with Azure management groups](../governance/management-groups/overview.md#limitations).
122
+
For more information about custom roles and management groups, see [Organize your resources with Azure management groups](../governance/management-groups/overview.md#custom-roles-and-management-groups-preview).
123
123
124
124
## Next steps
125
125
-[Create or update Azure custom roles using the Azure portal (Preview)](custom-roles-portal.md)
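Review bot: The revised sub-bullet under the **5000** limit removes Azure Government from the list of clouds capped at 2000 custom roles but does not say which limit applies to it now. A reader planning role inventory for that cloud has to infer it, so state it explicitly, for example by naming Azure Government alongside the 5000 figure if that is the intent. Separately, the new link target `#custom-roles-and-management-groups-preview` embeds "preview" in the anchor, so it will need updating when the target heading is renamed; a note in the PR description to track that would help.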