Rbac Policy Apis
Suwat Ch edited this page Aug 21, 2015
- Listing all authorization resource types
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization?api-version=2015-07-01
- Listing all role definitions (Contributor, Reader, Owner, ...)
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
- Listing all role assignments. This is where each user (principalId) is assigned a role definition id for a specific resource scope.
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01
- Listing specific role assignment.
ARMClient.exe get /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01
- Add new role assignment.
ARMClient.exe put /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{site}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01 @roleAssignment.json
roleAssignment.json sample:
{
  "properties": {
    "roleDefinitionId": "/subscriptions/{sub}/providers/Microsoft.Authorization/roleDefinitions/{id}",
    "principalId": "{oid}"
  }
}
Note: there is a role assignment cache per token. If one continues to use the same token, the role assignment may not be effective yet. The best way to test is to get a new token (ARMClient.exe login).
- Remove role assignment.
ARMClient.exe delete /subscriptions/{sub}/providers/Microsoft.Authorization/roleAssignments/{name}?api-version=2015-07-01
- List current user permissions on specific resource
ARMClient.exe get /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/serverFarms/{name}/providers/microsoft.authorization/permissions?api-version=2015-07-01
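
An added example (not part of the original page or of ARMClient): a Python sketch that joins saved output of the roleDefinitions and roleAssignments listings above, so each principalId can be reviewed with a role name and scope. The response shape (`value`, `properties.roleName`, `properties.scope`), the sample ids and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample responses. The {"value": [...]} envelope and property names
# are assumed from ARM's usual list-response shape; they are not shown on the page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
ROLE_DEFINITIONS = json.dumps({"value": [
    {"id": DEF + "def-owner", "properties": {"roleName": "Owner"}},
    {"id": DEF + "def-reader", "properties": {"roleName": "Reader"}},
]})
ROLE_ASSIGNMENTS = json.dumps({"value": [
    {"name": "assign-1", "properties": {"roleDefinitionId": DEF + "def-owner",
        "principalId": "oid-a", "scope": SUB}},
    {"name": "assign-2", "properties": {"roleDefinitionId": DEF + "def-reader",
        "principalId": "oid-b", "scope": SUB}},
    {"name": "assign-3", "properties": {"roleDefinitionId": (DEF + "def-owner").upper(),
        "principalId": "oid-c", "scope": SUB + "/resourceGroups/rg1"}},
    {"name": "assign-4", "properties": {"roleDefinitionId": DEF + "def-deleted",
        "principalId": "oid-d", "scope": SUB}},
]})
UNKNOWN = "<unresolved definition>"

def join_assignments(defs_json, assigns_json):
    """Attach a role name to every assignment; ARM ids compare case-insensitively."""
    names = {d["id"].lower(): d["properties"]["roleName"]
             for d in json.loads(defs_json)["value"]}
    rows = []
    for a in json.loads(assigns_json)["value"]:
        p = a["properties"]
        rows.append({"name": a["name"], "principalId": p["principalId"],
                     "scope": p["scope"],
                     "role": names.get(p["roleDefinitionId"].lower(), UNKNOWN)})
    return rows

def is_subscription_scope(scope):
    """True when the scope is exactly /subscriptions/{sub}, with nothing below it."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0].lower() == "subscriptions"

def review(rows, broad_roles=("Owner", "Contributor")):
    """Flag broad roles granted at subscription scope and unresolved definitions."""
    return [r for r in rows if r["role"] == UNKNOWN
            or (r["role"] in broad_roles and is_subscription_scope(r["scope"]))]

if __name__ == "__main__":
    for r in review(join_assignments(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS)):
        print(r["name"], r["principalId"], r["role"], r["scope"])
```

To run it on real data, redirect the two ARMClient.exe get commands to files and pass their contents in place of the constructed strings.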