0
votes

What role can I assign to a user that will allow them to create resource groups? I cannot use owner or contributor because those are too powerful. The whole point is to limit what various developers can do.

For example, our development teams create web apps with databases and deploy them to Azure. These resources are put in a single resource group. So the dev needs to create the app service, app service plan, sql db, app insights and resource group. But we don't want all developers to have access to many of the other resources in Azure. This is why contributor or owner is too powerful.

Also, FYI, we are working towards ARM templates deployed by pipelines but that is taking a while. So in the meantime, some of this is done manually.

All of this seems possible with RBAC except resource group.

Thanks,

Andy

1
An alternative would be to create separate subscriptions per project that the company is working on. Then the devs can have contributor within that sub. This also has the added advantage of separate billing visibility. – David C
Thanks @DavidC, but I think that is more complicated than we are looking for. Plus, the point is developers would still be able to create the resources. – Schwammy

1 Answer

1
votes

You could create a custom role, then assign it to the user. The Actions need to include Microsoft.Resources/subscriptions/resourceGroups/write; you can also include other actions, depending on your requirements.

Sample:

{
  "Name": "Resource Group Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can operate on resource groups",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId}"
  ]
}
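To check what a definition like the one above actually grants before assigning it, the following added example (not part of the original answer) evaluates a role as Actions minus NotActions and flags wildcard actions and over-broad scopes. `BROAD_ROLE` is a constructed, abbreviated comparison role, and `is_allowed` and `lint` are hypothetical helper names; case-insensitive wildcard matching is a modeling assumption of this sketch.

```python
import re

# Role from the answer above (Id omitted; scope placeholder kept as on the page).
RG_OPERATOR = {
    "Name": "Resource Group Operator",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId}"],
}

# Constructed, abbreviated stand-in for a broad role (not a real built-in definition).
BROAD_ROLE = {
    "Name": "Broad role (constructed)",
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    "AssignableScopes": ["/"],
}

def _matches(pattern, operation):
    # Assumption of this sketch: '*' matches any run of characters, case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective control-plane permission: Actions minus NotActions."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def lint(role):
    """Return least-privilege findings for a role definition."""
    findings = []
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
    for scope in role.get("AssignableScopes", []):
        if not scope.lower().startswith("/subscriptions/"):
            findings.append(f"scope broader than a subscription: {scope}")
    return findings

if __name__ == "__main__":
    for op in ("Microsoft.Resources/subscriptions/resourceGroups/write",
               "Microsoft.Resources/subscriptions/resourceGroups/delete",
               "Microsoft.Web/sites/write"):
        print(op, is_allowed(RG_OPERATOR, op), is_allowed(BROAD_ROLE, op))
    print(lint(RG_OPERATOR), lint(BROAD_ROLE))
```

The sample role on its own permits creating and reading resource groups but not deleting them or creating web apps, so the app service, SQL and App Insights permissions have to come from additional actions or a separate role.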