
azure - Create a custom role that cannot delete a resource group or individual resources in a resource group

Reposted. Author: 行者123 Updated: 2023-12-02 23:55:17

I want to create a custom role for developers.


With this custom role, developers should have Contributor access to the resource group "TestRessourceGroup" and all of its storage resources, but developers should not be allowed to delete this resource group or individual resources within the resource group.

This is what I have so far:

{
  "properties": {
    "roleName": "Contributor without permission to delete resources",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action",
          "Microsoft.Resources/subscriptions/resourceGroups/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Developers should still be able to:

  • Delete blobs and containers in the storage account
  • Delete compute instances or compute clusters in AMLS

What do I need to add so that a user with this custom role cannot delete the resource group or individual resources in the resource group (e.g. storage account, Databricks, Key Vault, AMLS, ...), but everything else works like normal Contributor access?

Best answer

If you don't want to include resource deletion, the simplest way is to add */delete to the notActions array:

{
  "properties": {
    "roleName": "Contributor without permission to delete resources",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "*/delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Compute/galleries/share/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

Then you can have another role that allows the user to delete resources in the Machine Learning workspace:

{
  "properties": {
    "roleName": "Allow ML workspace resources deletion",
    "description": "",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.MachineLearningServices/workspaces/*/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

If you create an AAD group and assign both roles to that group, it should work.
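The answer relies on two properties of Azure RBAC that are easy to get wrong: notActions is a subtraction from the same role's actions (not a deny), and the effective permission of a principal is the union of all its role assignments, which is why the second role re-grants the ML workspace deletes that */delete took away. The evaluator below is an added example written for this page, not code from the answer or from Azure; it models the documented wildcard rule (a * spans any number of path segments, names are case-insensitive) and runs the two role definitions from the answer against a handful of sample operation names. The helper names (NO_DELETE_ROLE, ML_DELETE_ROLE, role_allows, effective_allows) are this example's own, and it ignores assignment scope and deny assignments entirely.

```python
import re

# The two role definitions from the answer above, minus description text.
NO_DELETE_ROLE = {
    "properties": {
        "roleName": "Contributor without permission to delete resources",
        "assignableScopes": ["/"],
        "permissions": [{
            "actions": ["*"],
            "notActions": [
                "*/delete",
                "Microsoft.Authorization/*/Write",
                "Microsoft.Authorization/elevateAccess/Action",
                "Microsoft.Blueprint/blueprintAssignments/write",
                "Microsoft.Compute/galleries/share/action",
            ],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}

ML_DELETE_ROLE = {
    "properties": {
        "roleName": "Allow ML workspace resources deletion",
        "assignableScopes": ["/"],
        "permissions": [{
            "actions": ["Microsoft.MachineLearningServices/workspaces/*/delete"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    }
}


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match (this example's model of the documented rule):
    '*' matches any run of characters, including '/', so '*/delete' covers
    every control-plane delete; operation names compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data: bool = False) -> bool:
    """A single role grants an operation when it matches an actions entry
    (dataActions for data-plane operations) and matches no notActions entry."""
    grant_key, exclude_key = (
        ("dataActions", "notDataActions") if data else ("actions", "notActions")
    )
    for perm in role["properties"]["permissions"]:
        granted = any(matches(p, operation) for p in perm.get(grant_key, []))
        excluded = any(matches(p, operation) for p in perm.get(exclude_key, []))
        if granted and not excluded:
            return True
    return False


def effective_allows(roles, operation: str, data: bool = False) -> bool:
    """Across several assignments the effective permission is the union:
    a notActions entry only narrows its own role and never blocks a grant
    that another assigned role makes."""
    return any(role_allows(r, operation, data) for r in roles)


if __name__ == "__main__":
    # Sample operation names chosen for this example (constructed input).
    ops = [
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.MachineLearningServices/workspaces/computes/delete",
    ]
    both = [NO_DELETE_ROLE, ML_DELETE_ROLE]
    for op in ops:
        print(f"{op:65s} role1={role_allows(NO_DELETE_ROLE, op)!s:5s} "
              f"role1+role2={effective_allows(both, op)}")
```

Two things the output makes visible. First, the resource-group delete and the storage-account delete are blocked by */delete alone, so the explicit Microsoft.Resources/subscriptions/resourceGroups/delete entry from the question becomes redundant. Second, blob deletion is a data-plane operation: */delete in notActions never touches it, but neither role grants any dataActions, so developers still need a separate data-plane role (or another access path) for that requirement, while deleting a container through ARM is a control-plane delete and stays blocked. Because notActions is only a subtraction, any other assignment the group inherits at a higher scope (for example built-in Contributor on the subscription) silently restores deletes; when a hard block is required, Azure's separate deny-assignment mechanism is the tool, not notActions.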

Regarding "azure - Create a custom role that cannot delete a resource group or individual resources in a resource group", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73239065/
