Provide functionality to assign a role to a resource group based on the ObjectId #150

Open
mbraekman opened this issue Mar 26, 2021 · 1 comment
Labels
area:security All issues related to Azure Security feature-suggestion All issues related suggestion of a new feature. These are nice to haves but not customer requests

@mbraekman

Is your feature request related to a problem? Please describe.
Currently, the script New-AzResourceGroupRoleAssignment allows you to assign a role to a specific resource group for a resource/service.
While this is a start, one could also require the capability of assigning a specific role to a resource group in the name of a user/group/...
In this case, it would be interesting to provide the capability to pass along an ObjectId instead of the resourceGroupName/resourceName-combination.

Describe the solution you'd like
Can we extend the current function New-AzResourceGroupRoleAssignment to allow either passing along the ObjectId OR the ResourceGroupName/ResourceName-combo?
Using a ParameterSetName we should be able to force the user to either provide the ObjectId or the ResourceGroupName/ResourceName.

Meaning the script will either perform the lookup for ObjectId itself (if it's a resource/service), or use the provided ObjectId to assign a new role.

Describe alternatives you've considered
Alternately, this would mean having a separate script to make this possible.

Additional context
We might have to modify the parameter-definition to something as follows (based on a first quick test): see below.
However, I would've hoped it to be possible to keep the exception-throwing as part of the parameter-definition in itself. (--> to be investigated)

```powershell
# 'None' is the set PowerShell selects when neither the Resource nor the Object parameters are passed.
[CmdletBinding(DefaultParameterSetName='None')]
param (
    [Parameter(Mandatory = $true)][string] $TargetResourceGroupName = $(throw "Target resource group name to which access should be granted is required"),
    [Parameter(ParameterSetName='Resource',Mandatory = $true)][string] $ResourceGroupName,
    [Parameter(ParameterSetName='Resource',Mandatory = $true)][string] $ResourceName,
    [Parameter(Mandatory = $true)][string] $RoleDefinitionName = $(throw "Name of the role definition is required"),
    [Parameter(ParameterSetName='Object',Mandatory = $true)][string] $ObjectId
)

# Name of the parameter set that was resolved from the arguments the caller passed.
$ParamSetName = $PSCmdlet.ParameterSetName

if($ParamSetName -eq 'Resource')
{
    # Caller identifies a resource/service; its ObjectId is looked up by the script.
    if(-not($ResourceGroupName))
    {
        throw "Resource group name where the resource is located which should be granted access is required"
    }
    if(-not($ResourceName))
    {
        throw "Name of the resource which should be granted access is required"
    }
}
elseif($ParamSetName -eq 'Object')
{
    # Caller passes the ObjectId directly (user, group, ...).
    if(-not($ObjectId))
    {
        throw "The ObjectId of the resource that needs to get a role assigned."
    }
}
else
{
    # Neither parameter set was used.
    throw "Please provide either the ObjectId- or the ResourceGroupName/ResourceName-parameters."
}
```
@mbraekman mbraekman added feature-suggestion All issues related suggestion of a new feature. These are nice to haves but not customer requests area:security All issues related to Azure Security labels Mar 26, 2021
@mbraekman mbraekman added this to the v0.5.0 milestone Mar 26, 2021
@stijnmoreels

stijnmoreels commented Apr 9, 2021

We could use the ValidateScript attribute or specify the error message as a HelpMessage on the [Parameter] attribute maybe?
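
One way the parameter-set proposal and the ValidateScript suggestion from this thread could fit together, written as an added example that is not code from the issue or from the project. The function name `Grant-ResourceGroupRole` and the sample values are hypothetical, and it assumes the Az.Resources cmdlets `Get-AzResource` and `New-AzRoleAssignment`:

```powershell
# Added example: Grant-ResourceGroupRole is a hypothetical name, not the project's function.
function Grant-ResourceGroupRole {
    # 'None' is selected when neither -ObjectId nor the resource pair is passed,
    # which lets the function body fail with its own message.
    [CmdletBinding(DefaultParameterSetName = 'None', SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)][string] $TargetResourceGroupName,
        [Parameter(Mandatory = $true)][string] $RoleDefinitionName,
        [Parameter(ParameterSetName = 'Resource', Mandatory = $true)][string] $ResourceGroupName,
        [Parameter(ParameterSetName = 'Resource', Mandatory = $true)][string] $ResourceName,
        [Parameter(ParameterSetName = 'Object', Mandatory = $true)]
        [ValidateScript({
            # Throwing here puts the custom text into the parameter binding error.
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse($_, [ref] $parsed)) {
                throw "ObjectId '$_' is not a valid GUID"
            }
            $true
        })]
        [string] $ObjectId
    )

    switch ($PSCmdlet.ParameterSetName) {
        'Resource' {
            # Requires Az.Resources and a signed-in context.
            $resource = @(Get-AzResource -ResourceGroupName $ResourceGroupName -Name $ResourceName)
            if ($resource.Count -ne 1) {
                throw "Expected exactly one resource named '$ResourceName', found $($resource.Count)"
            }
            $principalId = $resource[0].Identity.PrincipalId
            if (-not $principalId) {
                throw "Resource '$ResourceName' has no managed identity to grant access to"
            }
        }
        'Object' { $principalId = $ObjectId }
        default { throw 'Provide either -ObjectId or -ResourceGroupName together with -ResourceName.' }
    }

    if ($PSCmdlet.ShouldProcess($TargetResourceGroupName, "Assign role '$RoleDefinitionName' to $principalId")) {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleDefinitionName `
            -ResourceGroupName $TargetResourceGroupName
    }
}

# Constructed sample values; -WhatIf reports the assignment without calling Azure.
Grant-ResourceGroupRole -TargetResourceGroupName 'rg-target' -RoleDefinitionName 'Reader' `
    -ObjectId '00000000-0000-0000-0000-000000000001' -WhatIf
```

Rejecting a malformed ObjectId and an ambiguous resource name before the assignment keeps a role from being granted to a principal other than the one the caller meant.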

@tomkerkhove tomkerkhove modified the milestones: v0.5.0, v0.6.0 Oct 8, 2021
@stijnmoreels stijnmoreels modified the milestones: v0.6.0, v0.7.0 Apr 1, 2022
@stijnmoreels stijnmoreels modified the milestones: v0.7.0, v0.8 Aug 26, 2022
@stijnmoreels stijnmoreels modified the milestones: v0.8.0, v0.9.0 Jan 10, 2023
@pim-simons pim-simons modified the milestones: v0.9.0, v1.0.0, v1.1.0 May 10, 2023
@stijnmoreels stijnmoreels modified the milestones: v1.1.0, v1.2.0 Jul 3, 2023
@pim-simons pim-simons modified the milestones: v1.2.0, v1.3.0 Nov 21, 2023
@stijnmoreels stijnmoreels modified the milestones: v1.3.0, v1.4.0 Jun 13, 2024
@pim-simons pim-simons modified the milestones: v1.4.0, v1.5.0 Dec 2, 2024