Which resources can exist outside of a resource group?

意知 0

I only have resource group-level permissions, yet I can access subscription-level resources. For example, GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Network/locations/{location}/usages?api-version=2023-09-01

Is this a design flaw?

1 answer

SadiqhAhmed-MSFT 40,026 Reputation points Microsoft Employee

2024-06-25T12:39:45.4466667+00:00

Hello @意知 Thank you for reaching out to us on Microsoft Q&A platform. Happy to answer any questions you may have!

To answer your question, It is not a design flaw. Azure Resource Manager allows you to access resources at a higher level of scope if you have access to a lower level of scope. This is known as "inherited permissions".

For example, if you have access to a resource group, you can access all resources within that resource group, including resources that are at the subscription level. However, you cannot access resources that are in a different resource group or subscription unless you have been granted access to those resources explicitly.

In your case, since you have resource group-level permissions, you can access resources within that resource group as well as any resources that are at the subscription level. This is by design and is intended to make it easier for you to manage your resources.

Hope this helps. Please write back to us If you have any questions.

If the response helped, do "Accept Answer" and up-vote it
Please sign in to rate this answer.
意知 0 Reputation points

2024-06-26T03:04:14.1166667+00:00

Thank you for responding to my question. However, the logic of “"inherited permissions" you mentioned seems to be contrary to my previous understanding of Azure. My understanding, as well as what I have read in the documentation, suggests that with higher-level subscription permissions, I would automatically have access to the lower-level resources under the subscription. But you're suggesting the opposite—that with resource group-level access, I can access all resources at the subscription level above the resource group? If there are different resource groups under a subscription, does that mean that if I have permissions for Resource Group A, I can also access resources in Resource Group B under the same subscription? I look forward to your reply.

SadiqhAhmed-MSFT 40,026 Reputation points Microsoft Employee

2024-06-26T06:19:28.47+00:00

@意知 Sorry for the confusion. Let's say you have access to a resource group called "myResourceGroup" and there is a virtual machine (VM) called "myVM" that is located in the same subscription as the resource group but in a different resource group called "otherResourceGroup".

If you have access to "myResourceGroup", you can access all resources within that resource group, including the virtual machine "myVM" that is located in a different resource group. This is because you have inherited permissions from the subscription level, which allows you to access resources at a higher level of scope.

However, if there is another virtual machine called "otherVM" that is located in a different subscription, you cannot access it unless you have been granted access to that subscription explicitly.

I hope this example helps clarify how inherited permissions work in Azure Resource Manager.

意知 0 Reputation points

2024-06-26T06:53:03.0533333+00:00

Thank you for your reply. This is consistent with my understanding. That is, if I have permissions at the higher subscription level, then I would inherently have access to all resources under that subscription.

However, this does not explain my initial question as I only have permissions at the resource group level, yet I can access resources that do not belong to that resource group.

For instance, when creating Policy Definitions, you only need to specify a subscription; they do not belong to any resource group. I only have permissions for resource groups under that subscription, but I can list all Policy Definitions, yet I cannot modify or delete them. This contradicts the inheritance logic. Is there some special reasoning behind this?

https://learn.microsoft.com/en-us/rest/api/policy/policy-definitions/list?view=rest-policy-2023-04-01&tabs=HTTP

意知 0 Reputation points

2024-06-26T07:05:49.9+00:00

Thank you for responding to my question.This is consistent with my understanding. That is, if I have permissions at the higher subscription level, then I would inherently have access to all resources under that subscription. However, this does not explain my initial question as I only have permissions at the resource group level, yet I can access resources that do not belong to that resource group.

For instance, when creating Policy Definitions, you only need to specify a subscription; they do not belong to any resource group. I only have permissions for resource groups under that subscription, but I can list all Policy Definitions, yet I cannot modify or delete them. This contradicts the inheritance logic. Is there some special reasoning behind this?

https://learn.microsoft.com/en-us/rest/api/policy/policy-definitions/list?view=rest-policy-2023-04-01&tabs=HTTP
Sign in to comment

Share via

Which resources can exist outside of a resource group?

1 answer