7
votes

I have assigned with Owner role to a resource group. I am unable to create a new resource group.

For creating a resource group whether I need owner/contributor role to subscription?

And When a user is assigned with Owner and Reader role, which role controls the user access?

5

5 Answers

0
votes

I have assigned with Owner role to a resource group. I unable to create new resource group.

It is a by design behavior because the owner permission works for that resource group, not for the subscription.

If you want to grant create resource group permission to that account, we can set it here:

enter image description here

Grant the owner permission of this subscription to that account, in this way that account will have permission to create new resource group.

Note: If we grant owner permission of this subscription to that account, that account will get all permission of all resource group.

18
votes

OP asks for RBAC permissions necesssary to create a new resource group. @jason-ye suggests subscription Owner role. This is more permissions than necessary hence not a good answer for production or related environments.

Per Built-in roles for Azure resources, Contributor role on subscription is sufficient to create all resources, including resource groups. Following are the permissions assignments for Contributor role, "*" means everything, some things are explicitly denied:

Actions  
*
NotActions  
Microsoft.Authorization/*/Delete 
Microsoft.Authorization/*/Write 
Microsoft.Authorization/elevateAccess/Action 
Microsoft.Blueprint/blueprintAssignments/write 
Microsoft.Blueprint/blueprintAssignments/delete 

I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.

Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.

However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation

Microsoft.Resources/subscriptions/resourceGroups/write 

which would provide the least privileges to achieve the desired result.

1
votes

Here is how you do that.

create a file newrole.json and add below text.

Create role with below command

New-AzRoleDefinition -InputFile newrole.json

{
    "Name":  "XXX ReadOnly",
    "Id":  "acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "IsCustom":  false,
    "Description":  "Lets you view everything, Create Resource Groups but not make any changes.",
    "Actions":  [
                    "*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write"
                ],
    "NotActions":  [
                   ],
    "DataActions":  [
                    ],
    "NotDataActions":  [
                       ],
    "AssignableScopes":  [                           
                             "/subscriptions/id"
                         ]
}
1
votes

Azure provides four levels of scope (ordered from high to low): management groups, subscriptions, resource groups, and resources.

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment. For more info, check here

0
votes

Its pretty east to do that. 1)create a new Role and assign at subscription level with below permissions. everything is read at subscription level , but you can create resourcegroups "*/read", "Microsoft.Resources/subscriptions/resourceGroups/write"

2) assign owner permission to the user at appropriate resourcegroups he wants to manage.