AzRoleAdvertizer

last sync: 2024-Sep-19 17:51:49 UTC

Virtual Machine Data Access Administrator (preview)

Azure BuiltIn RBAC Role definition

Name

Virtual Machine Data Access Administrator (preview)

66f75aeb-eabe-4b70-9f1e-c350c4c9ad04

Description

Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.

CreatedOn

2023-08-08 15:31:17 UTC

UpdatedOn

2023-11-01 15:17:03 UTC

History

Date/Time (UTC ymd) (i)	Change	Change detail
2023-10-25 19:09:31	add: Role	66f75aeb-eabe-4b70-9f1e-c350c4c9ad04

Permissions summary

Effective control plane and data plane operations: 74 (unique operations)
•action: 7
•delete: 2
•read: 62
•write: 3

Actions: 14
Resolved control plane operations from Actions: 74
Effective control plane operations: 74
•action: 7
•delete: 2
•read: 62
•write: 3

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15721

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3259

Actions

Operation	Description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.Compute/virtualMachines/*/read	wildcarded / no description
Microsoft.HybridCompute/machines/*/read	wildcarded / no description
Microsoft.Management/managementGroups/read	List management groups for the authenticated user.
Microsoft.Network/loadBalancers/read	Gets a load balancer definition
Microsoft.Network/networkInterfaces/read	Gets a network interface definition.
Microsoft.Network/publicIPAddresses/read	Gets a public ip address definition.
Microsoft.Network/virtualNetworks/read	Get the virtual network definition
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1c0163c0-47e6-4577-8991-ea5c82e286e4 (Virtual Machine Administrator Login),
            fb879df8-f326-4884-b1cf-06f3ad86be52 (Virtual Machine User Login)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1c0163c0-47e6-4577-8991-ea5c82e286e4 (Virtual Machine Administrator Login),
            fb879df8-f326-4884-b1cf-06f3ad86be52 (Virtual Machine User Login)
            }
        )
    )