Hello @Mattias Jorstedt
Thank you for reaching out. I would like to confirm the following points:
- In the case of RBAC, any role that is assigned to the Subscription or Resource Group flows down and is inherited by all the resources that come under that specific Subscription or Resource Group.
- I don't think there is any way available to block this inheritance, as this is by design and RBAC roles will flow down from the top to the bottom level based on where the RBAC role is applied.
- For more details on Scope and Hierarchical structure for Azure Resources, you can review the following document: Understand scope for Azure RBAC.
- The only way you can block certain users is by using "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.
- You can read more on Deny Assignments in the following article: List Azure deny assignments using the Azure portal.
I hope this answer helps to resolve your issue.
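The inheritance rule described in this answer, modelled as an added example for auditing which assignments reach a given resource (not part of the original answer and not Microsoft's code). The subscription ID, principals, assignments and function names are constructed for illustration, and only subscription, resource group and resource scopes are modelled.

```python
# Added illustration on constructed data; not taken from the answer above.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
RG = SUB + "/resourceGroups/rg-app"
# Mixed case on purpose: Azure resource IDs compare case-insensitively.
STORAGE = SUB + "/resourceGroups/RG-App/providers/Microsoft.Storage/storageAccounts/stapp"

ROLE_ASSIGNMENTS = [  # constructed sample
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "alice", "role": "Reader", "scope": RG},
    {"principal": "bob", "role": "Owner", "scope": SUB + "/resourceGroups/rg-app2"},
]
DENY_ASSIGNMENTS = [  # constructed sample
    {"principal": "alice", "scope": RG,
     "actions": ["Microsoft.Storage/storageAccounts/delete"]},
]


def scope_applies(scope, resource_id):
    """True if an assignment made at `scope` is inherited by `resource_id`."""
    a = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    # Compare whole path segments so ".../rg-app" does not cover ".../rg-app2".
    return r == a or r.startswith(a + "/")


def scope_level(scope):
    """Name the level of a scope from its number of path segments."""
    n = len([p for p in scope.split("/") if p])
    return {2: "subscription", 4: "resource group"}.get(n, "resource")


def effective_access(principal, resource_id,
                     roles=ROLE_ASSIGNMENTS, denies=DENY_ASSIGNMENTS):
    """Roles reaching the resource for a principal, plus denied actions."""
    granted = [(ra["role"], scope_level(ra["scope"])) for ra in roles
               if ra["principal"] == principal
               and scope_applies(ra["scope"], resource_id)]
    # Deny assignments are scoped the same way and win over role grants.
    denied = sorted(action for da in denies
                    if da["principal"] == principal
                    and scope_applies(da["scope"], resource_id)
                    for action in da["actions"])
    return {"granted": granted, "denied": denied}


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, effective_access(who, STORAGE))
```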