Is it possible to remove inherited permission for a storage account

Question

Is it possible to remove inherited permission for a storage account

Mattias Jorstedt 20

Hi!

I have a subscription <my-subscription> in that subscription I have a few owners and some contributors. I would like to create a new storage account that only the owners of the subscription and two defined ad-groups (one read, one write) have access to.

I cannot find a way to remove the inherited accesses of the contributors. I have looked in to deny assignments but that does not seem to be right for me. Is there a way to remove access to the new storage account for the roles who are not owners.

Best regards,
Mattias

Answer 1

Harpreet Singh Matharoo 3,351 Microsoft Employee

Hello @Mattias Jorstedt

Thank you for reaching out. I would like to confirm that following points:

in case of RBAC, any role that is assigned to the Subscription or Resource Group, that flows down and gets inherited to all the resources, that comes under that specific Subscription or Resource Group.
I don't think there is any way available to block this inheritance as this is by design and RBAC roles will flow down from the top to bottom level based on where the RBAC role is applied.
For more details on Scope and Hierarchical structure for Azure Resources you can review following document: Understand scope for Azure RBAC.
Only way you can block certain users is by using "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.
You can read more on Deny Assignments on following article: List Azure deny assignments using the Azure portal.

I hope this answer helps to resolve your issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Mattias Jorstedt 20 Reputation points

2023-03-14T07:15:17.7333333+00:00

Hello @Harpreet Singh Matharoo

Thank you for you quick answer. I have read the links but it is really hard to find an example where you set deny on System Defined Principle and open for two ad-groups. Do you know if there is an example that explains how to do that?

Best regards,
Mattias
Harpreet Singh Matharoo 3,351 Reputation points Microsoft Employee

2023-03-14T07:45:55.9666667+00:00

I guess it is possible as per screenshot listed on following documentation: List deny assignments, however the question is would it block inherited access?

I assume the answer is no, since the Inherited access would flow from Parent resource to all child resources as that's the design, however you can try to create deny assignment for specific user 1st to check if it works.
Mattias Jorstedt 20 Reputation points

2023-03-15T18:17:29.44+00:00

From all the reading I have done I have found that it is not possible to use deny assignments in any configurable way. You can deploy resources with an Azure Blueprint and set do not delete or read only locking out other permissions but here is now way to construct a json or something else to block certain roles totally. You might be able to create a storage account using managed apps but that seems to be such a complicated workaround to stop inherited accesses.

Is it possible to remove inherited permission for a storage account

0 additional answers

Activity