Role Assignments - Create

Service:: Authorization

API Version:: 2022-04-01

Create or update a role assignment by scope and name.

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2022-04-01

URI Parameters

Name	In	Required	Type	Description
roleAssignmentName	path	True	string	The name of the role assignment. It can be any valid GUID.
scope	path	True	string	The fully qualified Azure Resource manager identifier of the resource.
api-version	query	True	string minLength: 1	The API version to use for this operation.

Request Body

Name	Required	Type	Description
properties.principalId	True	string	The principal ID.
properties.roleDefinitionId	True	string	The role definition ID.
properties.condition		string	The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'
properties.conditionVersion		string	Version of the condition. Currently the only accepted value is '2.0'
properties.delegatedManagedIdentityResourceId		string	Id of the delegated managed identity resource
properties.description		string	Description of role assignment
properties.principalType		PrincipalType	The principal type of the assigned principal ID.

Responses

Name	Type	Description
200 OK	RoleAssignment	Resource 'RoleAssignment' update operation succeeded
201 Created	RoleAssignment	Resource 'RoleAssignment' create operation succeeded
Other Status Codes	ErrorResponse	An unexpected error response.

Permissions

To call this API, you must be assigned a role that has the following permissions. For more information, see Azure built-in roles.

Microsoft.Authorization/roleAssignments/write

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Create role assignment for resource

Create role assignment for resource group

Create role assignment for subscription

Create role assignment for resource

Sample request

PUT https://management.azure.com/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff?api-version=2022-04-01

{
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"
  }
}

from azure.identity import DefaultAzureCredential

from azure.mgmt.authorization import AuthorizationManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-authorization
# USAGE
    python role_assignments_create_for_resource.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = AuthorizationManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.role_assignments.create(
        scope="subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account",
        role_assignment_name="05c5a614-a7d6-4502-b150-c2fb455033ff",
        parameters={
            "properties": {
                "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
                "principalType": "User",
                "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
            }
        },
    )
    print(response)


# x-ms-original-file: 2022-04-01/RoleAssignments_CreateForResource.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armauthorization_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
)

// Generated from example definition: 2022-04-01/RoleAssignments_CreateForResource.json
func ExampleRoleAssignmentsClient_Create_createRoleAssignmentForResource() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armauthorization.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewRoleAssignmentsClient().Create(ctx, "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account", "05c5a614-a7d6-4502-b150-c2fb455033ff", armauthorization.RoleAssignmentCreateParameters{
		Properties: &armauthorization.RoleAssignmentProperties{
			PrincipalID:      to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
			PrincipalType:    to.Ptr(armauthorization.PrincipalTypeUser),
			RoleDefinitionID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armauthorization.RoleAssignmentsClientCreateResponse{
	// 	RoleAssignment: &armauthorization.RoleAssignment{
	// 		Name: to.Ptr("05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Type: to.Ptr("Microsoft.Authorization/roleAssignments"),
	// 		ID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Properties: &armauthorization.RoleAssignmentProperties{
	// 			PrincipalID: to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
	// 			PrincipalType: to.Ptr(armauthorization.PrincipalTypeUser),
	// 			RoleDefinitionID: to.Ptr("/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
	// 			Scope: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account"),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { AuthorizationManagementClient } = require("@azure/arm-authorization");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a role assignment by scope and name.
 *
 * @summary create or update a role assignment by scope and name.
 * x-ms-original-file: 2022-04-01/RoleAssignments_CreateForResource.json
 */
async function createRoleAssignmentForResource() {
  const credential = new DefaultAzureCredential();
  const client = new AuthorizationManagementClient(credential);
  const result = await client.roleAssignments.create(
    "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account",
    "05c5a614-a7d6-4502-b150-c2fb455033ff",
    {
      principalId: "ce2ce14e-85d7-4629-bdbc-454d0519d987",
      principalType: "User",
      roleDefinitionId:
        "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    },
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account"
  }
}

Status code:: 201

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.DocumentDb/databaseAccounts/test-db-account"
  }
}

Create role assignment for resource group

Sample request

PUT https://management.azure.com/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff?api-version=2022-04-01

{
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"
  }
}

from azure.identity import DefaultAzureCredential

from azure.mgmt.authorization import AuthorizationManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-authorization
# USAGE
    python role_assignments_create_for_resource_group.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = AuthorizationManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.role_assignments.create(
        scope="subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg",
        role_assignment_name="05c5a614-a7d6-4502-b150-c2fb455033ff",
        parameters={
            "properties": {
                "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
                "principalType": "User",
                "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
            }
        },
    )
    print(response)


# x-ms-original-file: 2022-04-01/RoleAssignments_CreateForResourceGroup.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armauthorization_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
)

// Generated from example definition: 2022-04-01/RoleAssignments_CreateForResourceGroup.json
func ExampleRoleAssignmentsClient_Create_createRoleAssignmentForResourceGroup() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armauthorization.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewRoleAssignmentsClient().Create(ctx, "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg", "05c5a614-a7d6-4502-b150-c2fb455033ff", armauthorization.RoleAssignmentCreateParameters{
		Properties: &armauthorization.RoleAssignmentProperties{
			PrincipalID:      to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
			PrincipalType:    to.Ptr(armauthorization.PrincipalTypeUser),
			RoleDefinitionID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armauthorization.RoleAssignmentsClientCreateResponse{
	// 	RoleAssignment: &armauthorization.RoleAssignment{
	// 		Name: to.Ptr("05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Type: to.Ptr("Microsoft.Authorization/roleAssignments"),
	// 		ID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Properties: &armauthorization.RoleAssignmentProperties{
	// 			PrincipalID: to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
	// 			PrincipalType: to.Ptr(armauthorization.PrincipalTypeUser),
	// 			RoleDefinitionID: to.Ptr("/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
	// 			Scope: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg"),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { AuthorizationManagementClient } = require("@azure/arm-authorization");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a role assignment by scope and name.
 *
 * @summary create or update a role assignment by scope and name.
 * x-ms-original-file: 2022-04-01/RoleAssignments_CreateForResourceGroup.json
 */
async function createRoleAssignmentForResourceGroup() {
  const credential = new DefaultAzureCredential();
  const client = new AuthorizationManagementClient(credential);
  const result = await client.roleAssignments.create(
    "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg",
    "05c5a614-a7d6-4502-b150-c2fb455033ff",
    {
      principalId: "ce2ce14e-85d7-4629-bdbc-454d0519d987",
      principalType: "User",
      roleDefinitionId:
        "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    },
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg"
  }
}

Status code:: 201

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/resourceGroups/testrg"
  }
}

Create role assignment for subscription

Sample request

PUT https://management.azure.com/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff?api-version=2022-04-01

{
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"
  }
}

from azure.identity import DefaultAzureCredential

from azure.mgmt.authorization import AuthorizationManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-authorization
# USAGE
    python role_assignments_create_for_subscription.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = AuthorizationManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="SUBSCRIPTION_ID",
    )

    response = client.role_assignments.create(
        scope="subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2",
        role_assignment_name="05c5a614-a7d6-4502-b150-c2fb455033ff",
        parameters={
            "properties": {
                "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
                "principalType": "User",
                "roleDefinitionId": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
            }
        },
    )
    print(response)


# x-ms-original-file: 2022-04-01/RoleAssignments_CreateForSubscription.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armauthorization_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
)

// Generated from example definition: 2022-04-01/RoleAssignments_CreateForSubscription.json
func ExampleRoleAssignmentsClient_Create_createRoleAssignmentForSubscription() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armauthorization.NewClientFactory("<subscriptionID>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewRoleAssignmentsClient().Create(ctx, "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2", "05c5a614-a7d6-4502-b150-c2fb455033ff", armauthorization.RoleAssignmentCreateParameters{
		Properties: &armauthorization.RoleAssignmentProperties{
			PrincipalID:      to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
			PrincipalType:    to.Ptr(armauthorization.PrincipalTypeUser),
			RoleDefinitionID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res = armauthorization.RoleAssignmentsClientCreateResponse{
	// 	RoleAssignment: &armauthorization.RoleAssignment{
	// 		Name: to.Ptr("05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Type: to.Ptr("Microsoft.Authorization/roleAssignments"),
	// 		ID: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff"),
	// 		Properties: &armauthorization.RoleAssignmentProperties{
	// 			PrincipalID: to.Ptr("ce2ce14e-85d7-4629-bdbc-454d0519d987"),
	// 			PrincipalType: to.Ptr(armauthorization.PrincipalTypeUser),
	// 			RoleDefinitionID: to.Ptr("/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d"),
	// 			Scope: to.Ptr("/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2"),
	// 		},
	// 	},
	// }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { AuthorizationManagementClient } = require("@azure/arm-authorization");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to create or update a role assignment by scope and name.
 *
 * @summary create or update a role assignment by scope and name.
 * x-ms-original-file: 2022-04-01/RoleAssignments_CreateForSubscription.json
 */
async function createRoleAssignmentForSubscription() {
  const credential = new DefaultAzureCredential();
  const client = new AuthorizationManagementClient(credential);
  const result = await client.roleAssignments.create(
    "subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2",
    "05c5a614-a7d6-4502-b150-c2fb455033ff",
    {
      principalId: "ce2ce14e-85d7-4629-bdbc-454d0519d987",
      principalType: "User",
      roleDefinitionId:
        "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    },
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2"
  }
}

Status code:: 201

{
  "name": "05c5a614-a7d6-4502-b150-c2fb455033ff",
  "type": "Microsoft.Authorization/roleAssignments",
  "id": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2/providers/Microsoft.Authorization/roleAssignments/05c5a614-a7d6-4502-b150-c2fb455033ff",
  "properties": {
    "principalId": "ce2ce14e-85d7-4629-bdbc-454d0519d987",
    "principalType": "User",
    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/0b5fe924-9a61-425c-96af-cfe6e287ca2d",
    "scope": "/subscriptions/a925f2f7-5c63-4b7b-8799-25a5f97bc3b2"
  }
}

Definitions

Name	Description
createdByType	The type of identity that created the resource.
ErrorAdditionalInfo	The resource management error additional info.
ErrorDetail	The error detail.
ErrorResponse	Error response
PrincipalType	The principal type of the assigned principal ID.
RoleAssignment	Role Assignments
RoleAssignmentCreateParameters	Role assignment create parameters.
systemData	Metadata pertaining to creation and last modification of the resource.

createdByType

Enumeration

The type of identity that created the resource.

Value	Description
User
Application
ManagedIdentity
Key

ErrorAdditionalInfo

Object

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

ErrorDetail

Object

The error detail.

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	ErrorDetail[]	The error details.
message	string	The error message.
target	string	The error target.

ErrorResponse

Object

Error response

Name	Type	Description
error	ErrorDetail	The error object.

PrincipalType

Enumeration

The principal type of the assigned principal ID.

Value	Description
User	User
Group	Group
ServicePrincipal	ServicePrincipal
ForeignGroup	ForeignGroup
Device	Device

RoleAssignment

Object

Role Assignments

Name	Type	Default value	Description
id	string		Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
name	string		The name of the resource
properties.condition	string		The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'
properties.conditionVersion	string		Version of the condition. Currently the only accepted value is '2.0'
properties.createdBy	string		Id of the user who created the assignment
properties.createdOn	string (date-time)		Time it was created
properties.delegatedManagedIdentityResourceId	string		Id of the delegated managed identity resource
properties.description	string		Description of role assignment
properties.principalId	string		The principal ID.
properties.principalType	PrincipalType	User	The principal type of the assigned principal ID.
properties.roleDefinitionId	string		The role definition ID.
properties.scope	string		The role assignment scope.
properties.updatedBy	string		Id of the user who updated the assignment
properties.updatedOn	string (date-time)		Time it was updated
systemData	systemData		Azure Resource Manager metadata containing createdBy and modifiedBy information.
type	string		The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RoleAssignmentCreateParameters

Object

Role assignment create parameters.

Name	Type	Default value	Description
properties.condition	string		The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'
properties.conditionVersion	string		Version of the condition. Currently the only accepted value is '2.0'
properties.createdBy	string		Id of the user who created the assignment
properties.createdOn	string (date-time)		Time it was created
properties.delegatedManagedIdentityResourceId	string		Id of the delegated managed identity resource
properties.description	string		Description of role assignment
properties.principalId	string		The principal ID.
properties.principalType	PrincipalType	User	The principal type of the assigned principal ID.
properties.roleDefinitionId	string		The role definition ID.
properties.scope	string		The role assignment scope.
properties.updatedBy	string		Id of the user who updated the assignment
properties.updatedOn	string (date-time)		Time it was updated

systemData

Object

Metadata pertaining to creation and last modification of the resource.

Name	Type	Description
createdAt	string (date-time)	The timestamp of resource creation (UTC).
createdBy	string	The identity that created the resource.
createdByType	createdByType	The type of identity that created the resource.
lastModifiedAt	string (date-time)	The timestamp of resource last modification (UTC)
lastModifiedBy	string	The identity that last modified the resource.
lastModifiedByType	createdByType	The type of identity that last modified the resource.