Merge pull request #275897 from mumian/0521-stacks-rollback

prmerger-automator[bot] · web-flow · commit f429d72e7db3 · 2024-05-21T18:13:53.000Z
rollback the permission updates
diff --git a/articles/azure-resource-manager/bicep/deployment-stacks.md b/articles/azure-resource-manager/bicep/deployment-stacks.md
@@ -3,7 +3,7 @@ title: Create & deploy deployment stacks in Bicep
 description: Describes how to create deployment stacks in Bicep.
 ms.topic: conceptual
 ms.custom: devx-track-azurecli, devx-track-azurepowershell, devx-track-bicep
-ms.date: 05/14/2024
+ms.date: 04/11/2024
 ---
 
 # Deployment stacks
@@ -42,13 +42,6 @@ Deployment stacks provide the following benefits:
 - [What-if](./deploy-what-if.md) isn't available in the preview.
 - A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription.
 
-## Built-in roles
-
-There are two built-in roles for deployment stack:
-
-- **Azure Deployment Stack Contributor**: Allows users to manage deployment stacks, but cannot create or delete deny assignments within the deployment stacks.
-- **Azure Deployment Stack Owner**: Allows users to manage deployment stacks, including those with deny assignments.
-
 ## Create deployment stacks
 
 A deployment stack resource can be created at resource group, subscription, or management group scope. The template passed into a deployment stack defines the resources to be created or updated at the target scope specified for the template deployment.
@@ -599,16 +592,6 @@ To delete a managed resource, remove the resource definition from the underlying
 
 ## Protect managed resources against deletion
 
-When creating a deployment stack, it's possible to assign a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. These settings are referred to as deny settings. You want to store the stack at a parent scope.
-
-> [!NOTE]
-> The latest release requires specific permissions at the stack scope in order to:
->
-> - Create or update a deployment stack and set the deny setting to a value other than "None".
-> - Update or delete a deployment stack with an existing deny setting of something other than "None"
->
-> Use the [built-in roles](#built-in-roles) to grant the permissions.
-
 # [PowerShell](#tab/azure-powershell)
 
 The Azure PowerShell includes these parameters to customize the deny assignment:
