How to create Azure Role Assignment scoped to a certain resource type

2
votes

I'm trying to create an Azure Role Assignment which assigns the User Access Administrator role to a service principal but only for Azure Data Factory resources.

I see plenty of documentation on setting scopes by subscription, resource group, or even resource, but can't figure out how to set it for all resources of a certain type.

I've tried this PowerShell command which runs successfully but doesn't have the intended effect. The service principal still can't perform the actions of that role on ADF resources.

New-AzRoleAssignment -ObjectId ddddddd-dddd-dddd-dddd-dddddddddddd -RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 -Scope "/providers/Microsoft.DataFactory"

Powershell command runs successfully

I've also tried experimenting with wildcards in the scope, but this seems unsupported: /subscriptions/dddddddd-dddd-dddd-dddd-dddddddddddd/resourceGroups/*/providers/Microsoft.DataFactory/dataFactories/*

Here's the documentation I've already read:

2
azureazure-active-directoryrbacazure-rbac
Furthermore, I can't remove the role assignment created in the screenshot above. "The provided information does not map to a role assignment". But re-applying the PowerShell command throws error: "The role assignment already exists." Seems like a bug in role assignment.jschmitter
Create a separate question for your other problem.Daniel Björk
@DanielBjörk Yeah just thought that info might help indicate something of why the role assignment isn't working.jschmitter

2 Answers

1
votes

The Role Assignment is used to assign the user a predefined or custom role "role definition".

The role definition is the one that defines the scope of the role. The scope of the role needs to be subscription(s), resource group(s) and resource(s). You can't define a type of resource. Its more like one or multiple locations.

Scope structure

Structure of RBAC Scope: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview#scope

How to create a Custom Role: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

In your case, if you want to grant a user to be able to handle IAM on all DataFactory you will need to manually define each datafactory scope. Then use the actions in the Microsoft.Authorization provider: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization

When defining the Scope for the assignment you can either define it with the -Scope <String> parameter or a combination of the following parameters. 

   -ResourceGroupName <String>
   -ResourceName <String>
   -ResourceType <String>

The resource type "-ResourceType ". For e.g. Microsoft.Network/virtualNetworks. Should only be used in conjunction with ResourceGroupName, ResourceName and (optionally)ParentResource parameters to construct a hierarchical scope in the form of a relative URI that identifies a resource.

For more details see: https://docs.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-3.3.0

0
votes

the existing answer is pretty much on point, however there are a few things you can do to make it work:

  1. the most obvious limit all data factories to a single resource group (or a couple of them) and grant SP owner permissions to those resource groups (or create a custom RBAC role).
  2. use a simple script to assign those permissions dynamically

If you cant put all of the data factories in the same resource group\set of resource groups. Script would look like this ("pseudo" code, not tested, but will give you the idea):

Get-AzSbuscription | Foreach-Object {
    $_ | Select-AzSubscription
    Get-AzDataFactory | Foreach-Object {
        New-AzRoleAssignment -Scope $_.ResourceId`
           -ObjectId ddddddd-dddd-dddd-dddd-dddddddddddd `
           -RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 
    }
}

and run it on a schedule