Access Control (IAM) - Subscription

Ricardo Rinaldi 20 Reputation points
2023-09-15T19:01:27.8733333+00:00

Hello! When I assign a role in a subscription, it is inherited by all resources in the subscription. But what if I want a particular resource not to have said permission, which appears as inherited in the "Scope"? Is it possible to do this?

Or is every role I assign in a subscription inherited to all resources in that subscription?

Thank you so much.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Accepted answer
  1. Michael Durkan 12,201 Reputation points MVP
    2023-09-16T07:01:15.16+00:00

    Hi

    Any role that is assigned to the subscription flows down and gets inherited by all the resources that come under that subscription. Similarly, any role on a Resource Group gets inherited by all the resources within that Resource Group. There is no way to block this inheritance, as this is by design, and RBAC roles will flow down from the top to the bottom level based on where the RBAC role is applied.

    One thing that can be done is to use "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/deny-assignments-portal?wt.mc_id=AZ-MVP-5005255

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
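
The inheritance and deny-assignment behaviour described in the answer above, as an added example that is not part of the original answer and is not Azure's own code. It is a simplified model of the access check: it ignores NotActions, data actions, group membership and excluded principals, and the subscription ID, resource names and the `Assignment` type are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Assignment:
    principal: str   # user the assignment applies to
    scope: str       # resource ID where the assignment is made
    actions: tuple   # action patterns; "*" is a wildcard

def scope_covers(assigned: str, target: str) -> bool:
    """True if an assignment made at `assigned` applies to `target`
    (the same scope or any scope beneath it in the hierarchy)."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    # Match on a whole path segment so rg-app does not cover rg-app2.
    return t == a or t.startswith(a + "/")

def matching(assignments, principal, action, target):
    """Assignments that apply to this principal, action and target scope."""
    return [x for x in assignments
            if x.principal == principal
            and scope_covers(x.scope, target)
            and any(fnmatchcase(action.lower(), p.lower()) for p in x.actions)]

def is_allowed(principal, action, target, roles, denies):
    """Deny assignments take precedence over role assignments."""
    if matching(denies, principal, action, target):
        return False
    return bool(matching(roles, principal, action, target))

# Constructed sample data (placeholder subscription ID and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
LOGS = RG + "/providers/Microsoft.Storage/storageAccounts/stlogs"
SECRETS = RG + "/providers/Microsoft.Storage/storageAccounts/stsecrets"
READ = "Microsoft.Storage/storageAccounts/read"

ROLES = [Assignment("alice", SUB, ("*/read",))]    # Reader-like, at subscription
DENIES = [Assignment("alice", SECRETS, (READ,))]   # deny on one resource only

if __name__ == "__main__":
    for target in (SUB, RG, LOGS, SECRETS):
        print(is_allowed("alice", READ, target, ROLES, DENIES), target)
```
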