Microsoft.Authorization roleDefinitions

Bicep resource definition

The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.

Valid deployment scopes for the roleDefinitions resource are:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.

Resource format

To create a Microsoft.Authorization/roleDefinitions resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: 'string'
  scope: resourceSymbolicName
  properties: {
    assignableScopes: [
      'string'
    ]
    description: 'string'
    permissions: [
      {
        actions: [
          'string'
        ]
        dataActions: [
          'string'
        ]
        notActions: [
          'string'
        ]
        notDataActions: [
          'string'
        ]
      }
    ]
    roleName: 'string'
    type: 'string'
  }
}

Property values

roleDefinitions

Name | Description | Value
name | The resource name | string (required). Character limit: 36. Valid characters: must be a globally unique identifier (GUID). Resource name must be unique across the tenant.
scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource. For Bicep, set this property to the symbolic name of the resource to apply the extension resource to.
properties | Role definition properties. | RoleDefinitionProperties

RoleDefinitionProperties

Name | Description | Value
assignableScopes | Role definition assignable scopes. | string[]
description | The role definition description. | string
permissions | Role definition permissions. | Permission[]
roleName | The role name. | string
type | The role type. | string

Permission

Name | Description | Value
actions | Allowed actions. | string[]
dataActions | Allowed Data actions. | string[]
notActions | Denied actions. | string[]
notDataActions | Denied Data actions. | string[]

Quickstart templates

The following quickstart templates deploy this resource type.

Template | Description
IBM Cloud Pak for Data on Azure | This template deploys an OpenShift cluster on Azure with all the required resources and infrastructure, and then deploys IBM Cloud Pak for Data along with the add-ons that the user chooses.
Deploy a Storage Account for SAP ILM Store | The Microsoft Azure Storage Account can now be used as an ILM Store to persist the archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage medium using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal.
Azure Image Builder with Azure Windows Baseline | Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied.
Configure Dev Box service | This template creates all Dev Box admin resources as described in the Dev Box quick start guide. You can view all resources created, or go directly to DevPortal.microsoft.com to create your first Dev Box.
Create a new role def via a subscription level deployment | This template is a subscription level template that will create a role definition at subscription scope.

ARM template resource definition

The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.

Valid deployment scopes for the roleDefinitions resource are:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.

Resource format

To create a Microsoft.Authorization/roleDefinitions resource, add the following JSON to your template.

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2022-04-01",
  "name": "string",
  "scope": "string",
  "properties": {
    "assignableScopes": [ "string" ],
    "description": "string",
    "permissions": [
      {
        "actions": [ "string" ],
        "dataActions": [ "string" ],
        "notActions": [ "string" ],
        "notDataActions": [ "string" ]
      }
    ],
    "roleName": "string",
    "type": "string"
  }
}

Property values

roleDefinitions

Name | Description | Value
type | The resource type | 'Microsoft.Authorization/roleDefinitions'
apiVersion | The resource api version | '2022-04-01'
name | The resource name | string (required). Character limit: 36. Valid characters: must be a globally unique identifier (GUID). Resource name must be unique across the tenant.
scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource. For JSON, set the value to the full name of the resource to apply the extension resource to.
properties | Role definition properties. | RoleDefinitionProperties

RoleDefinitionProperties

Name | Description | Value
assignableScopes | Role definition assignable scopes. | string[]
description | The role definition description. | string
permissions | Role definition permissions. | Permission[]
roleName | The role name. | string
type | The role type. | string

Permission

Name | Description | Value
actions | Allowed actions. | string[]
dataActions | Allowed Data actions. | string[]
notActions | Denied actions. | string[]
notDataActions | Denied Data actions. | string[]
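
A pre-deployment check over the ARM JSON form of this resource, as an added example that is not part of the original page or of Microsoft's tooling: it validates the GUID name and flags bare wildcards and access-control write operations that remain after notActions is subtracted from actions. The SENSITIVE list, the management group rule and both sample resources are assumptions constructed for illustration.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Assumed review policy (not from the page): operations that change access control.
SENSITIVE = ("Microsoft.Authorization/roleAssignments/write",
             "Microsoft.Authorization/roleDefinitions/write")

def covers(pattern, operation):
    """True if an action pattern ('*' wildcards allowed) matches the operation."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, operation, re.I) is not None

def grants(perm, operation):
    """Effective grant of one Permission entry: actions minus notActions."""
    allowed = any(covers(p, operation) for p in perm.get("actions", []))
    excluded = any(covers(p, operation) for p in perm.get("notActions", []))
    return allowed and not excluded

def audit(resource):
    """Return review findings for one roleDefinitions resource of an ARM template."""
    findings, props = [], resource.get("properties", {})
    name = resource.get("name", "")
    if not name.startswith("[") and not GUID_RE.match(name):  # "[...]" = template expression
        findings.append("name is not a GUID")
    for scope in props.get("assignableScopes", []):
        if scope.lower().startswith("/providers/microsoft.management/managementgroups/"):
            findings.append("assignable at management group scope")
    for perm in props.get("permissions", []):
        for key in ("actions", "dataActions"):
            if "*" in perm.get(key, []):
                findings.append(f"{key} contains bare '*'")
        findings += [f"grants {op}" for op in SENSITIVE if grants(perm, op)]
    return findings

# Constructed samples: every name, ID and scope below is a placeholder.
WEAK = {"type": "Microsoft.Authorization/roleDefinitions", "name": "vm-operator",
        "properties": {
            "assignableScopes": ["/providers/Microsoft.Management/managementGroups/example-mg"],
            "permissions": [{"actions": ["*"],
                             "notActions": ["Microsoft.Authorization/roleDefinitions/write"]}]}}
TIGHT = {"type": "Microsoft.Authorization/roleDefinitions",
         "name": "00000000-0000-4000-8000-000000000001",
         "properties": {
             "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
             "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                          "Microsoft.Compute/virtualMachines/start/action"]}]}}

if __name__ == "__main__":
    print({"weak": audit(WEAK), "tight": audit(TIGHT)})
```

notActions only subtracts from this role's own actions; a different role assignment on the same principal can still grant the excluded operation.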

Quickstart templates

The following quickstart templates deploy this resource type.

Template | Description
IBM Cloud Pak for Data on Azure | This template deploys an OpenShift cluster on Azure with all the required resources and infrastructure, and then deploys IBM Cloud Pak for Data along with the add-ons that the user chooses.
Deploy a Storage Account for SAP ILM Store | The Microsoft Azure Storage Account can now be used as an ILM Store to persist the archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage medium using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal.
Azure Image Builder with Azure Windows Baseline | Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied.
Configure Dev Box service | This template creates all Dev Box admin resources as described in the Dev Box quick start guide. You can view all resources created, or go directly to DevPortal.microsoft.com to create your first Dev Box.
Create a new role def via a subscription level deployment | This template is a subscription level template that will create a role definition at subscription scope.

Terraform (AzAPI provider) resource definition

The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.

Use the parent_id property on this resource to set the scope for this resource.

Valid deployment scopes for the roleDefinitions resource are:

  • Resource groups
  • Subscriptions
  • Management groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Authorization/roleDefinitions resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Authorization/roleDefinitions@2022-04-01"
  name = "string"
  parent_id = "string"
  body = jsonencode({
    properties = {
      assignableScopes = [
        "string"
      ]
      description = "string"
      permissions = [
        {
          actions = [
            "string"
          ]
          dataActions = [
            "string"
          ]
          notActions = [
            "string"
          ]
          notDataActions = [
            "string"
          ]
        }
      ]
      roleName = "string"
      type = "string"
    }
  })
}

Property values

roleDefinitions

Name | Description | Value
type | The resource type | "Microsoft.Authorization/roleDefinitions@2022-04-01"
name | The resource name | string (required). Character limit: 36. Valid characters: must be a globally unique identifier (GUID). Resource name must be unique across the tenant.
parent_id | The ID of the resource to apply this extension resource to. | string (required)
properties | Role definition properties. | RoleDefinitionProperties

RoleDefinitionProperties

Name | Description | Value
assignableScopes | Role definition assignable scopes. | string[]
description | The role definition description. | string
permissions | Role definition permissions. | Permission[]
roleName | The role name. | string
type | The role type. | string

Permission

Name | Description | Value
actions | Allowed actions. | string[]
dataActions | Allowed Data actions. | string[]
notActions | Denied actions. | string[]
notDataActions | Denied Data actions. | string[]