Tag management on Azure
For a client I am attempting to build a tag manager role that allows only changing of tags on resources (add/remove/change from existing subscription tags), without being able to create new tags on the subscription. However, with the permissions set as below, the user is able to create/delete tags on the subscription level, even though the description of the notActions permissions explicitly describes roles that create tags on the subscription level.
Is the issue here that the permissions are hierarchical, with "Microsoft.Resources/tags/write" superseding "Microsoft.Resources/subscriptions/tagNames/write"?
Is it even possible to do what I want to do?
Thanks in advance,
Sven
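As an added illustration, not part of the question above and not the poster's actual role definition (the permission block referred to as "below" is not reproduced on this page), the following Python models how Azure RBAC evaluates a custom role: the effective permissions of a role are its Actions minus its NotActions, matched as operation strings (case-insensitive, with `*` as the only wildcard), and the role is then applied at the scope of its assignment. The role `TagManager`, the subscription id and the resource ids are constructed for the example. The model assumes that writing a subscription's own tags through the tags resource (`Microsoft.Resources/tags/default` at subscription scope) is authorized against `Microsoft.Resources/tags/write`, and that `Microsoft.Resources/subscriptions/tagNames/write` is a separate operation that no wildcard in the role expands to.

```python
"""Model of Azure RBAC evaluation: Actions minus NotActions with '*' wildcard
matching, then assignment scope.  Added example with a constructed role; not
the original poster's definition and not Azure's own code."""
import re
from typing import Iterable


def op_matches(pattern: str, operation: str) -> bool:
    """Azure operation matching: case-insensitive; '*' matches any characters,
    including '/', so 'Microsoft.Resources/tags/*' covers
    'Microsoft.Resources/tags/write'.  There is no other hierarchy: two literal
    operation strings are either equal or unrelated."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, flags=re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    """One role's effective permission: some Actions entry matches and no
    NotActions entry matches.  NotActions carry no scope and are not a deny;
    they only subtract from the same role's own Actions."""
    granted = any(op_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(op_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment at scope S applies to S and to everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(assignments: Iterable[dict], roles: dict,
               operation: str, target_scope: str) -> bool:
    """The principal may perform `operation` on `target_scope` if any assignment
    covering that scope carries a role whose effective permissions include it."""
    return any(
        scope_covers(asg["scope"], target_scope)
        and role_permits(roles[asg["role"]], operation)
        for asg in assignments
    )


# Assumed reconstruction of the kind of role the question describes.
ROLES = {
    "TagManager": {
        "Actions": [
            "Microsoft.Resources/subscriptions/resources/read",
            "Microsoft.Resources/tags/write",
        ],
        "NotActions": [
            "Microsoft.Resources/subscriptions/tagNames/write",
        ],
    }
}

# Placeholder subscription and resource ids, constructed for the example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"


def demo() -> dict:
    """Evaluate the constructed role under two assignment scopes."""
    at_sub = [{"role": "TagManager", "scope": SUB}]
    at_rg = [{"role": "TagManager", "scope": RG}]
    return {
        # tags/write is what the tags resource is authorized against, also on the
        # subscription itself; the NotActions entry tagNames/write does not match
        # that string, so the grant survives and the subscription can be tagged.
        "sub_assignment_tags_write_on_sub":
            is_allowed(at_sub, ROLES, "Microsoft.Resources/tags/write", SUB),
        # the NotActions entry removes exactly the operation it names, nothing more
        "sub_assignment_tagNames_write":
            is_allowed(at_sub, ROLES,
                       "Microsoft.Resources/subscriptions/tagNames/write", SUB),
        # the only scope lever RBAC offers is the assignment scope
        "rg_assignment_tags_write_on_sub":
            is_allowed(at_rg, ROLES, "Microsoft.Resources/tags/write", SUB),
        "rg_assignment_tags_write_on_vm":
            is_allowed(at_rg, ROLES, "Microsoft.Resources/tags/write", VM),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allowed' if result else 'denied'}")
```

What the model makes visible: a NotActions entry is not a deny and has no notion of scope, it only removes operations that literally (or by wildcard) match it from the same role's Actions, so `Microsoft.Resources/subscriptions/tagNames/write` in NotActions leaves `Microsoft.Resources/tags/write` untouched at every scope, subscription included. Assigning the role below subscription scope is the only RBAC way to keep the principal off the subscription's own tags, at the cost of limiting it to the resources under that scope. Constraining which tag names may be applied at all is a policy question rather than an RBAC one.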