Assign a custom role
In this how-to guide, you learn how to assign a custom role for Service Operators to Azure Operator Service Manager Publisher resources. The permissions in this role are required for deploying a Site Network Service.
Prerequisites
You must have created a custom role via Create a custom role. This article assumes that you named the custom role 'Custom Role - AOSM Service Operator access to Publisher.'
To perform the tasks in this article, you need either the 'Owner' or 'User Access Administrator' role in your chosen scope.
You must have identified the users who you want to perform the Service Operator role and deploy Site Network Services.
Choose scope(s) for assigning custom role
The publisher resources that you need to assign the custom role to are:
The Network Function Definition Versions (NFDVs).
The Network Service Design Versions (NSDVs).
The Configuration Group Schemas (CGSs) for the Network Service Design (NSD).
You must decide if you want to assign the custom role individually to each resource, or to a parent resource such as the publisher resource group.
Applying to a parent resource grants access over all child resources. For example, applying to the whole publisher resource group gives the operator access to:
All the Network Function Definition Groups and Versions.
All the Network Service Design Groups and Versions.
All the Configuration Group Schemas.
The custom role permissions limit access to the list of the permissions shown here:
Microsoft.HybridNetwork/Publishers/NetworkFunctionDefinitionGroups/NetworkFunctionDefinitionVersions/use/action
Microsoft.HybridNetwork/Publishers/NetworkFunctionDefinitionGroups/NetworkFunctionDefinitionVersions/read
Microsoft.HybridNetwork/Publishers/NetworkServiceDesignGroups/NetworkServiceDesignVersions/use/action
Microsoft.HybridNetwork/Publishers/NetworkServiceDesignGroups/NetworkServiceDesignVersions/read
Microsoft.HybridNetwork/Publishers/ConfigurationGroupSchemas/read
Note
Do not provide write or delete access to any of these publisher resources.
Assign the custom role
Access the Azure portal and open your chosen scope (Publisher Resource Group or individual resources).
In the side menu of this item, select Access Control (IAM).
Choose Add Role Assignment.
Under Job function roles find your Custom Role in the list then proceed with Next.
Select User, group, or service principal, then Choose + Select Members then find and choose the users you want to have access. Choose Select.
Select Review and assign
Repeat the role assignment
Repeat the tasks in this article for all your chosen scopes.