Merge pull request #203048 from rolyon/rolyon-rbac-custom-roles-wildcard-note

PRMerger10 · web-flow · commit f433a3069425 · 2022-06-28T12:32:07.000-07:00
[Azure RBAC] Custom roles wildcard best practice
diff --git a/articles/role-based-access-control/best-practices.md b/articles/role-based-access-control/best-practices.md
@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/15/2021
+ms.date: 06/28/2022
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to learn how to best use Azure RBAC.
@@ -54,6 +54,10 @@ Even if a role is renamed, the role ID does not change. If you are using scripts
 
 For more information, see [Assign a role using the unique role ID and Azure PowerShell](role-assignments-powershell.md#assign-a-role-for-a-user-using-the-unique-role-id-at-a-resource-group-scope) and [Assign a role using the unique role ID and Azure CLI](role-assignments-cli.md#assign-a-role-for-a-user-using-the-unique-role-id-at-a-resource-group-scope).
 
+## Avoid using a wildcard when creating custom roles
+
+When creating custom roles, you can use the wildcard (`*`) character to define permissions. It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` may be unwanted behavior using the wildcard. For more information, see [Azure custom roles](custom-roles.md#wildcard-permissions).
+
 ## Next steps
 
 - [Troubleshoot Azure RBAC](troubleshooting.md)
diff --git a/articles/role-based-access-control/custom-roles.md b/articles/role-based-access-control/custom-roles.md
@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 06/14/2022
+ms.date: 06/28/2022
 ms.author: rolyon
 ---
 
@@ -178,6 +178,8 @@ Instead of adding all of these strings, you could just add a wildcard string. Fo
 Microsoft.CostManagement/exports/*
 ```
 
+It's recommended that you specify `Actions` and `DataActions` explicitly instead of using the wildcard (`*`) character. The additional access and permissions granted through future `Actions` or `DataActions` may be unwanted behavior using the wildcard.
+
 ## Who can create, delete, update, or view a custom role
 
 Just like built-in roles, the `AssignableScopes` property specifies the scopes that the role is available for assignment. The `AssignableScopes` property for a custom role also controls who can create, delete, update, or view the custom role.
