
Rbac Policy Apis

Suwat Ch edited this page Oct 25, 2019 · 7 revisions
  • Listing all authorization resource types
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization?api-version=2015-07-01
  • Listing all role definitions (Contributor, Reader, Owner, ...)
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
  • Add role definition
ARMClient.exe put /subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{roleId}?api-version=2015-07-01 @roledef.json

Sample roledef.json below, defining a custom role that allows all operations on Microsoft.ServiceFabric resources and can be assigned anywhere within the subscription (the {roleId} in the URL is a new GUID you choose; assignableScopes limits where the role may later be assigned).

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "properties": {
    "roleName": "ACI Contributor Custom Role Definition",
    "type": "CustomRole",
    "description": "ACI Contributor Custom Role Definition",
    "assignableScopes": [
      "/subscriptions/{sub}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ServiceFabric/*"
        ],
        "notActions": []
      }
    ]
  }
}
  • Listing all role assignments. Each assignment binds a principal (principalId, the user/group/service principal object id) to a role definition id at a specific resource scope.
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01
  • Listing specific role assignment.
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01
  • Add new role assignment. The scope is the resource path in the URL (here a web site); {name} is a new GUID you choose for the assignment.
ARMClient.exe put /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{site}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01 @roleAssignment.json

roleAssignment.json sample:

{
  "properties": {
    "roleDefinitionId": "/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{id}",
    "principalId": "{oid}"
  }
}

Note: role assignments are cached per token. If you keep using the same token, a newly added or removed role assignment may not be in effect yet. The best way to test is to get a new token (ARMClient.exe login) and retry.

  • Remove role assignment.
ARMClient.exe delete /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01
  • List current user permissions on specific resource
ARMClient.exe get /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/serverFarms/{name}/providers/microsoft.authorization/permissions?api-version=2015-07-01
  • List a given user's role assignments on all resources in a subscription (the $filter must be quoted so the shell does not expand it).
ARMClient.exe get "/subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments?$filter=principalId eq '{oid}'&api-version=2015-07-01"
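The listings above are the raw material for an access review: join roleAssignments to roleDefinitions, pick out one principal's assignments (what the $filter query does server-side), and work out whether a given action is allowed at a given scope. The Python below is an added example, not part of ARMClient or this wiki. It runs entirely offline on constructed sample responses shaped like the two list calls (a "value" array of items with "id" and "properties"); the subscription id, role/assignment names, principal oids and scopes are all made up. The evaluation is a simplified model of Azure RBAC (actions with '*' wildcards, notActions subtracted within the same role, scope inheritance down the resource path); it ignores dataActions, deny assignments and management-group scopes.

```python
import fnmatch
import json

# Constructed sample data: subscription id, GUID-like names, oids and scopes are made up.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
SITE = SUB + "/resourceGroups/rg-1/providers/Microsoft.Web/sites/site-1"

ROLE_DEFINITIONS = {"value": [  # shaped like GET .../roleDefinitions
    {"id": DEFS + "d-owner", "name": "d-owner", "properties": {
        "roleName": "Owner", "type": "BuiltInRole", "assignableScopes": ["/"],
        "permissions": [{"actions": ["*"], "notActions": []}]}},
    {"id": DEFS + "d-reader", "name": "d-reader", "properties": {
        "roleName": "Reader", "type": "BuiltInRole", "assignableScopes": ["/"],
        "permissions": [{"actions": ["*/read"], "notActions": []}]}},
    {"id": DEFS + "d-sf", "name": "d-sf", "properties": {  # the roledef.json role above
        "roleName": "ACI Contributor Custom Role Definition", "type": "CustomRole",
        "assignableScopes": [SUB],
        "permissions": [{"actions": ["Microsoft.ServiceFabric/*"], "notActions": []}]}},
    {"id": DEFS + "d-web", "name": "d-web", "properties": {  # custom role using notActions
        "roleName": "Web Contributor No Delete", "type": "CustomRole",
        "assignableScopes": [SUB],
        "permissions": [{"actions": ["Microsoft.Web/*"],
                         "notActions": ["Microsoft.Web/sites/delete"]}]}},
]}

ROLE_ASSIGNMENTS = {"value": [  # shaped like GET .../roleAssignments
    {"name": "a-1", "properties": {"roleDefinitionId": DEFS + "d-owner",
                                   "principalId": "oid-alice", "scope": SUB}},
    {"name": "a-2", "properties": {"roleDefinitionId": DEFS + "d-sf",
                                   "principalId": "oid-bob", "scope": SUB}},
    {"name": "a-3", "properties": {"roleDefinitionId": DEFS + "d-reader",
                                   "principalId": "oid-carol", "scope": SITE}},
    {"name": "a-4", "properties": {"roleDefinitionId": DEFS + "d-web",
                                   "principalId": "oid-dave", "scope": SUB}},
]}


def role_definition_body(role_name, actions, assignable_scopes, not_actions=(), description=""):
    """Request body for the roleDefinitions PUT (same shape as roledef.json above)."""
    return {"type": "Microsoft.Authorization/roleDefinitions", "properties": {
        "roleName": role_name, "type": "CustomRole",
        "description": description or role_name,
        "assignableScopes": list(assignable_scopes),
        "permissions": [{"actions": list(actions), "notActions": list(not_actions)}]}}


def role_assignment_body(role_definition_id, principal_id):
    """Request body for the roleAssignments PUT (same shape as roleAssignment.json above)."""
    return {"properties": {"roleDefinitionId": role_definition_id, "principalId": principal_id}}


def assignments_for_principal(assignments, oid):
    """Local equivalent of the $filter=principalId eq '{oid}' query."""
    return [a for a in assignments["value"] if a["properties"]["principalId"] == oid]


def _matches(pattern, action):
    # ARM action strings are case-insensitive and '*' also spans '/' segments.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _in_scope(assignment_scope, resource_id):
    # An assignment applies at its scope and to everything beneath it.
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")


def is_allowed(oid, action, resource_id, assignments=ROLE_ASSIGNMENTS,
               definitions=ROLE_DEFINITIONS):
    """True if some in-scope assignment of the principal names a role whose actions
    match and whose notActions (of that same role) do not cancel the match."""
    defs = {d["id"].lower(): d["properties"] for d in definitions["value"]}
    for a in assignments_for_principal(assignments, oid):
        props = a["properties"]
        if not _in_scope(props["scope"], resource_id):
            continue
        role = defs.get(props["roleDefinitionId"].lower())
        if role is None:
            continue  # dangling assignment: its role definition no longer exists
        for perm in role["permissions"]:
            granted = any(_matches(p, action) for p in perm["actions"])
            denied = any(_matches(p, action) for p in perm.get("notActions", []))
            if granted and not denied:
                return True
    return False


def broad_custom_roles(definitions=ROLE_DEFINITIONS):
    """Custom roles worth review: a bare '*' or a whole-provider wildcard like 'Microsoft.X/*'."""
    flagged = []
    for d in definitions["value"]:
        p = d["properties"]
        acts = [a for perm in p["permissions"] for a in perm["actions"]]
        if p["type"] == "CustomRole" and any(
                a == "*" or (a.endswith("/*") and a.count("/") == 1) for a in acts):
            flagged.append(p["roleName"])
    return flagged


if __name__ == "__main__":
    print(json.dumps(role_definition_body("ACI Contributor Custom Role Definition",
                                          ["Microsoft.ServiceFabric/*"], [SUB]), indent=2))
    for oid in ("oid-alice", "oid-bob", "oid-carol", "oid-dave"):
        print(oid, "Microsoft.Web/sites/write on site-1:", is_allowed(oid, "Microsoft.Web/sites/write", SITE))
    print("broad custom roles:", broad_custom_roles())
```

Feeding real output is a matter of replacing the two constructed dictionaries with the parsed JSON of the roleDefinitions and roleAssignments GET calls above; the "value" array shape is the same. Note that a role whose only restriction is notActions still grants everything else under its wildcard, which is why the whole-provider wildcard check flags "Web Contributor No Delete" as well as the ServiceFabric role.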