![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 86%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
968 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 12%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Hi @Cloud Learner ,
Azure roles assignments and permissions are an additive model. If you assign a user to different user roles (Reader and Owner ) on different scopes (Management Groups and Subscription) the user gets the sum of the role assignments/permissions based on the scopes.
In your example, for instance User1:
User1 is in the Reader role for the Management Group1 scope -> User1 gets reader permissions to all subscriptions related to this management group.
In addition User1 is assigned to the Owner role for Subscription1 (and Subscription1 is related to the Management Group): -> User1 gets owner permission in addition to the reader permission for Subscription1.
Source: RBAC - Multiple role assignments
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten