Can we restrict user access from a resource group?

I have multiple resource groups in Azure but only want to restrict users to 1. Don't want to have to manually assign users to all resources but one, so wondering if it can be done the opposite way?

azure rbac

asked Nov 14 at 11:41
Zoe Mackay

1 Answer

Yes, you need to remove users' permissions on the subscription level and grant them permissions on the resource group level.

Reading:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

answered Nov 14 at 11:43
4c74356b41


• But then I would need to add them into every resource group. If I have 100 resource groups but don't want the user to access 1 resource group, I would need to add all these users to resource groups. What I really want to do is just remove them from this 1 resource group.
  – Zoe Mackay
  Nov 14 at 11:48

• No, you cannot do that in an easy fashion. There is no block inheritance option, so you have only 1 way of doing this: being granular, creating some script that auto-assigns access to certain user groups but skips others. You have pretty much the same problem with custom roles.
  – 4c74356b41
  Nov 14 at 12:00

• Wouldn't using an ARM template easily work for this? Allowing all and deny the specific resource group... stackoverflow.com/questions/48216764/… stackoverflow.com/questions/48284885/…
  – Rthomas529
  Nov 21 at 14:28

• You can't really remove permissions with an ARM template; you can't really remove anything with an ARM template, unless you use complete mode, but I doubt that would work for permissions @Rthomas529
  – 4c74356b41
  Nov 21 at 14:34

• That's unfortunate. This is quite simply achieved in AWS through the IAM templates.
  – Rthomas529
  Nov 21 at 14:42
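
The script approach mentioned in the comments, as an added example that is not part of the original thread: it plans a role assignment on every resource group except the excluded one, removes the subscription-level assignment last, and checks a list of assignment scopes for any that still reach the excluded group. The subscription id, assignee, role and group names are constructed placeholders, and the `az` commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the thread. All ids and names are constructed.
# Real input would come from:
#   az group list --query "[].name" -o tsv
#   az role assignment list --assignee <id> --all --query "[].scope" -o tsv

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# plan_rg_assignments SUB ASSIGNEE ROLE EXCLUDED_RG  (resource group names on stdin)
# Prints the az commands in the order to run them: grant on every resource
# group except the excluded one, then drop the subscription-level assignment.
plan_rg_assignments() (
  sub=$1 assignee=$2 role=$3 excluded=$(lower "$4")
  while IFS= read -r rg; do
    [ -n "$rg" ] || continue
    # Resource group names are case-insensitive, so compare lowercased.
    if [ "$(lower "$rg")" = "$excluded" ]; then continue; fi
    printf 'az role assignment create --assignee "%s" --role "%s" --scope "/subscriptions/%s/resourceGroups/%s"\n' \
      "$assignee" "$role" "$sub" "$rg"
  done
  printf 'az role assignment delete --assignee "%s" --role "%s" --scope "/subscriptions/%s"\n' \
    "$assignee" "$role" "$sub"
)

# scopes_covering_rg SUB RG  (assignment scopes on stdin)
# Prints every scope that still reaches RG: the group itself, anything inside
# it, the subscription, and (conservatively) root or management-group scopes.
scopes_covering_rg() (
  target=$(lower "/subscriptions/$1/resourceGroups/$2")
  while IFS= read -r scope; do
    [ -n "$scope" ] || continue
    s=$(lower "$scope")
    case "$s" in
      /|/providers/microsoft.management/managementgroups/*|"$target"|"$target"/*)
        printf '%s\n' "$scope"; continue ;;
    esac
    # An ancestor scope is a path prefix of the target (e.g. the subscription).
    case "$target" in "$s"/*) printf '%s\n' "$scope" ;; esac
  done
)
```

Resource groups created after the plan is applied receive no assignment, so the plan has to be regenerated whenever groups are added.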

















