I have a requirement to customize the Contributor role at the Azure subscription level, such that people added to that customized Contributor role can NOT view or read the data from the storage account (under that subscription).
This is how I'm doing this:
This MSFT link does NOT show me the JSON details that can be removed or added so that the read access to the storage account can be blocked.
Hence, I'm trying the ways below to customize this (two assignable scopes to cover the subscription as well as block viewing the storage data):
Note: the idea is that people need a Contributor role to manage the subscription. However, they MUST NOT view the data from the storage under this particular subscription.
I think this is not the right approach. Are there any other ways to achieve this? Thanks.
2 Answers
If you want to create a custom role, then you should have a look at the resource provider operations. From there, you can see all the available actions per resource provider.
You would probably be interested in the DataActions, such as Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read and others, depending on what you want to filter out.

If you want to block Azure Storage specifically at the subscription scope level:
Kindly exclude Azure Storage under the Add Permission section in order to block Azure Storage only while creating the RBAC role.
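As an added example that is not part of the question or of either answer: the custom role definition the answers point toward, built in Python, together with a simplified model of how a single role contributes to an Azure RBAC access check. The subscription id, the role name and the `is_allowed` helper are assumptions made here; the Contributor NotActions list is copied from the built-in role as it stood when this was written, so compare it with `az role definition list --name Contributor` before use. The check a practitioner would want is in the block: Contributor's `*` already grants `listKeys/action`, and an account key gives Shared Key access to every blob regardless of data actions, so excluding data-plane reads alone does not stop the reading.

```python
"""Custom role: Contributor minus anything that yields storage data access.

Added example (not code from the question or either answer).  The role body
follows the JSON shape accepted by `az role definition create`.  The
subscription id is a placeholder and the NotActions list is copied from the
built-in Contributor definition at the time of writing.
"""
import json
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, assumed

# Built-in Contributor is Actions ["*"] with these control-plane exclusions.
CONTRIBUTOR_NOT_ACTIONS = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
    "Microsoft.Compute/galleries/share/action",
]

# Control-plane operations that hand out an account key or a SAS.  A key or
# SAS bypasses RBAC data actions entirely, so a Contributor who can call
# these can read every blob even though the role grants no DataActions.
STORAGE_CREDENTIAL_ACTIONS = [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
    "Microsoft.Storage/storageAccounts/listAccountSas/action",
    "Microsoft.Storage/storageAccounts/listServiceSas/action",
]

# Data-plane reads.  Contributor has no DataActions, so these are already
# not granted; listing them in NotDataActions records the intent and keeps
# the role safe if someone later adds a DataActions wildcard.
STORAGE_DATA_READS = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
    "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
    "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
]


def build_role(subscription_id: str) -> dict:
    """Return the custom role definition as a dict (role name is assumed)."""
    return {
        "Name": "Contributor - No Storage Data",
        "IsCustom": True,
        "Description": "Contributor without storage keys, SAS or data reads.",
        "Actions": ["*"],
        "NotActions": CONTRIBUTOR_NOT_ACTIONS + STORAGE_CREDENTIAL_ACTIONS,
        "DataActions": [],
        "NotDataActions": list(STORAGE_DATA_READS),
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_json(subscription_id: str) -> str:
    """Serialise the role for `az role definition create --role-definition @role.json`."""
    return json.dumps(build_role(subscription_id), indent=2)


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters; names are
    compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str, data_action: bool = False) -> bool:
    """Simplified model (assumed here) of one role's contribution to an
    access check: granted if an Actions (or DataActions) entry matches and no
    NotActions (or NotDataActions) entry matches.  Actions never match
    data-plane operations.  It models one role only: a second assignment such
    as Storage Blob Data Reader adds its own grants, and NotActions is a
    subtraction from this role, not a deny."""
    allow = role["DataActions"] if data_action else role["Actions"]
    deny = role["NotDataActions"] if data_action else role["NotActions"]
    granted = any(_matches(p, operation) for p in allow)
    excluded = any(_matches(p, operation) for p in deny)
    return granted and not excluded


if __name__ == "__main__":
    role = build_role(SUBSCRIPTION_ID)
    checks = [
        ("Microsoft.Storage/storageAccounts/write", False),
        ("Microsoft.Storage/storageAccounts/listKeys/action", False),
        ("Microsoft.Authorization/roleAssignments/write", False),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
    ]
    for op, is_data in checks:
        state = "allowed" if is_allowed(role, op, is_data) else "not granted"
        print(f"{op}: {state}")
    print(role_json(SUBSCRIPTION_ID))
```

Save the printed JSON as role.json and create the role with `az role definition create --role-definition @role.json`. Because NotActions only subtracts from this one role, also confirm the principal holds no other assignment (Owner, Storage Blob Data Reader, and so on) at the subscription or a parent scope, and consider `az storage account update --name <account> --resource-group <rg> --allow-shared-key-access false` on the accounts so that a key obtained some other way is useless as well.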