If Red Hat OpenShift (ARO) by default makes a Resource Group "Read Only", is there any way to modify the "Deny Assignment" so that access to this RG can be given to other users?

Peter Thurwachter (MINDTREE LIMITED) 621 Reputation points
2022-01-03T16:56:29.657+00:00

Hello Experts,

When using Azure Red Hat OpenShift (ARO), using the IAM blade, it seems impossible to add access control for new users. The end goal is to allow them to confirm the cost of a specific Resource Group in Cost Management.

It seems this inability to do so is because said resource group is locked in a read-only state.
https://learn.microsoft.com/en-us/azure/openshift/openshift-faq

------------------------------------------

Are control plane nodes abstracted away as they are with Azure Kubernetes Service (AKS)?

No. All resources, including the cluster master nodes, run in your customer subscription.
These types of resources are put in a read-only resource group.

------------------------------------------

According to this “How blueprint locks work” link: https://learn.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#how-blueprint-locks-work

-------------------------------

An Azure RBAC deny assignments deny action is applied to artifact resources during assignment of a blueprint if the assignment selected the Read Only or Do Not Delete option. The deny action is added by the managed identity of the blueprint assignment and can only be removed from the artifact resources by the same managed identity.

-------------------------------

Further down the same document, there are sections pertaining to “Exclude a principal from a deny assignment” and “Exclude an action from a deny assignment”

If this resource group was made “read-only” by Red Hat OpenShift, does that mean there is simply no way to modify this “deny assignment” so that a subscription owner can add new users that have the ability to view the cost of this resource group?

Thank you,

Azure Red Hat OpenShift
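To make the mechanism in the question concrete, here is an added example (not from the Q&A post or from Microsoft) that evaluates a deny assignment the way Azure RBAC does: a principal is blocked when it is listed (or "all principals" is listed), it is not in excludedPrincipals, and the action matches actions but not notActions. The deny-assignment document is constructed to resemble the `Microsoft.Authorization/denyAssignments` API shape for a read-only ARO managed resource group; every id, name and the all-principals marker are placeholders or assumptions, and a real ARO deny assignment's permission lists must be read from the API itself.

```python
"""Evaluate whether an Azure RBAC deny assignment blocks a principal from an action.

Added example, not code from the Q&A post. SAMPLE_DENY is constructed; its ids
and names are placeholders, and its permissions only model "read-only".
"""
from fnmatch import fnmatchcase

# Assumption: the all-zero GUID is used here as the "all principals" marker.
ALL_PRINCIPALS = "00000000-0000-0000-0000-000000000000"

# Constructed sample modelled on the denyAssignments API layout (placeholders only).
SAMPLE_DENY = {
    "name": "<placeholder-deny-assignment-id>",
    "properties": {
        "denyAssignmentName": "Read-only lock on ARO managed resource group (constructed)",
        "permissions": [
            {"actions": ["*"], "notActions": ["*/read"], "dataActions": [], "notDataActions": []}
        ],
        "principals": [{"id": ALL_PRINCIPALS, "type": "SystemDefined"}],
        "excludedPrincipals": [
            {"id": "<aro-resource-provider-sp-placeholder>", "type": "ServicePrincipal"}
        ],
        "isSystemProtected": True,
    },
}


def _matches(action: str, patterns) -> bool:
    """Azure action strings are case-insensitive and support '*' wildcards."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def is_denied(deny: dict, principal_id: str, action: str) -> bool:
    """True if `deny` blocks `principal_id` from performing management `action`."""
    props = deny["properties"]
    pid = principal_id.lower()
    # Excluded principals (e.g. the service that owns the lock) are never blocked.
    if any(p["id"].lower() == pid for p in props.get("excludedPrincipals", [])):
        return False
    # The deny only applies to listed principals or to everyone via the marker.
    if not any(p["id"].lower() in (pid, ALL_PRINCIPALS) for p in props["principals"]):
        return False
    # Denied when the action matches `actions` and is not carved out by `notActions`.
    for perm in props["permissions"]:
        if _matches(action, perm.get("actions", [])) and not _matches(action, perm.get("notActions", [])):
            return True
    return False
```

Run against the sample, a regular user is denied `Microsoft.Authorization/roleAssignments/write` (which is why the IAM blade cannot add a role assignment on the resource group) but not a `*/read` action, while the excluded service principal is never denied.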

1 answer

  1. AnuragSingh-MSFT 20,016 Reputation points
    2022-01-27T09:34:44.087+00:00

    @Peter Thurwachter (MINDTREE LIMITED) , I see that feedback was shared at the link below for this limitation. Please feel free to add any additional comment below to help others looking for answers to similar queries.

    https://feedback.azure.com/d365community/idea/0e154339-0c7e-ec11-a81b-0022484bfd94

    Copying the excerpt from the feedback as below:

    Currently, it is not possible to add new users (with viewing roles) to an already existing ARO resource group after resource group creation due to the Deny Assignments placed on the Resource Group. Although it is understandable that the Deny Assignments (that are automatically put in place) are a very effective protective measure, they can also be problematic if there is a need to modify the Resource Group later, after its initial creation.
