I want to allow certain development team members access to the Azure Web App Development Tools.
Preferably only the App Service Editor. I know I can grant "Website Contributor", but I'd prefer to narrow the scope down to only this area.
Allowing access to "config" doesn't do it. Below is my custom role JSON. Is there a way to add access to App Service Editor only or must I grant Website Contributor?
{
  "id": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/xxx",
  "properties": {
    "roleName": "xDevRole",
    "description": "Actions developers may perform",
    "assignableScopes": [
      "/subscriptions/xxxx",
      "/subscriptions/xxx"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action",
          "Microsoft.Support/*",
          "microsoft.web/sites/config/appsettings/read",
          "Microsoft.Web/sites/config/Read",
          "Microsoft.Web/sites/config/list/Action",
          "microsoft.web/sites/config/web/appsettings/read",
          "microsoft.web/sites/config/web/connectionstrings/read",
          "microsoft.web/sites/config/snapshots/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
asked Nov 28, 2024 at 10:21 by Damo, edited Nov 28, 2024 at 10:30
1 Answer
Note that App Service Editor relies on several underlying API operations for both retrieving and modifying configuration settings, files, and directories within the App Service, which requires the "Microsoft.Web/sites/*" action to access.
To narrow down the access, collect the actions of the operations that you don't want the user to perform and add them under the "notActions" section of the custom role JSON as an alternative:
{
  "properties": {
    "roleName": "AppServiceEditorRole",
    "description": "Custom role to allow access to App Service Editor, basic web app management, and configuration",
    "assignableScopes": [
      "/subscriptions/xxxxxxxxx"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Web/sites/*",
          "Microsoft.Support/*",
          "Microsoft.Web/serverFarms/join/action",
          "Microsoft.Web/serverFarms/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action"
        ],
        "notActions": [
          "Microsoft.Web/sites/Delete",
          "Microsoft.Web/sites/stop/Action",
          "Microsoft.Web/sites/extensions/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Assigning the above custom role to users will allow them access to App Service Editor but restricts access to stopping and deleting the web application and its extensions, like this:
App Service Editor access:
Stop & Delete greyed out:
Delete extension option greyed out:
"microsoft.web/sites/*"
action in custom role json for accessing Development Tools. There is no other way as there is no direct action available to give access to App Service Editor in particular. – Sridevi Commented Nov 28, 2024 at 12:39
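The notActions list in the answer subtracts only the exact operation names it lists from the "Microsoft.Web/sites/*" grant, so everything else under that wildcard stays permitted. The following is an added example, not code from the original posts: a small evaluator for the answer's role that shows which operations remain allowed. It assumes operation names compare case-insensitively; "Microsoft.Web/sites/slots/Delete" and the function names are additions that do not appear on the page.

```python
import re

# Permissions block copied from the answer's AppServiceEditorRole.
ROLE_PERMISSIONS = [{
    "actions": [
        "Microsoft.Web/sites/*",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
    ],
    "notActions": [
        "Microsoft.Web/sites/Delete",
        "Microsoft.Web/sites/stop/Action",
        "Microsoft.Web/sites/extensions/delete",
    ],
}]

def pattern_matches(pattern, operation):
    """True if an RBAC pattern (with '*' wildcards) covers the operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Assumption: operation names compare case-insensitively.
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(permissions, operation):
    """Effective control-plane access: in actions and not in notActions."""
    for block in permissions:
        granted = any(pattern_matches(p, operation) for p in block.get("actions", []))
        excluded = any(pattern_matches(p, operation) for p in block.get("notActions", []))
        if granted and not excluded:
            return True
    return False

def audit(permissions, operations):
    """Map each operation name to whether the role permits it."""
    return {op: is_allowed(permissions, op) for op in operations}

SAMPLE_OPERATIONS = [  # constructed sample list of operations to check
    "Microsoft.Web/sites/Delete",
    "Microsoft.Web/sites/stop/Action",
    "Microsoft.Web/sites/extensions/delete",
    "Microsoft.Web/sites/config/list/Action",
    "Microsoft.Web/sites/slots/Delete",
]

if __name__ == "__main__":
    for op, ok in audit(ROLE_PERMISSIONS, SAMPLE_OPERATIONS).items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {op}")
```

The three notActions entries come back denied, while listing site configuration and deleting a deployment slot are still allowed, which is worth reviewing before assigning the role.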