Menu
I have assigned with Owner role to a resource group. I am unable to create a new resource group.
For creating a resource group whether I need owner/contributor role to subscription?
And When a user is assigned with Owner and Reader role, which role controls the user access?
619
Grant the owner permission of this subscription to that account, in this way that account will have permission to create new resource group. Note: If we grant owner permission of this subscription to that account, that account will get all permission of all resource group.
To assign roles, you must be signed in with a user that is assigned a role that has role assignments write permission, such as Owner or User Access Administrator at the scope you are trying to assign the role. Similarly, to remove a role assignment, you must have the role assignments delete permission.
The user makes a REST API call to Azure Resource Manager with the token attached. Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken. If a deny assignment applies, access is blocked. Otherwise, evaluation continues.
OP asks for RBAC permissions necesssary to create a new resource group. @jason-ye suggests subscription Owner role. This is more permissions than necessary hence not a good answer for production or related environments.
Per Built-in roles for Azure resources, Contributor role on subscription is sufficient to create all resources, including resource groups. Following are the permissions assignments for Contributor role, "*" means everything, some things are explicitly denied:
Actions
*
NotActions
Microsoft.Authorization/*/Delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/elevateAccess/Action
Microsoft.Blueprint/blueprintAssignments/write
Microsoft.Blueprint/blueprintAssignments/delete
I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.
Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.
However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation
Microsoft.Resources/subscriptions/resourceGroups/write
which would provide the least privileges to achieve the desired result.
110
Azure provides four levels of scope (ordered from high to low): management groups, subscriptions, resource groups, and resources.
You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment. For more info, check here
22
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
