0
# Core RBAC Operations
1
2
Essential role-based access control functionality that forms the foundation of Azure authorization management. These operations enable managing role assignments, role definitions, permissions, and deny assignments across Azure resources.
3
4
## Capabilities
5
6
### Role Assignments Management
7
8
Create, manage, and query role assignments that grant users, groups, or service principals access to Azure resources at various scopes.
9
10
```python { .api }
11
def create(scope: str, role_assignment_name: str, parameters: RoleAssignmentCreateParameters) -> RoleAssignment:
12
"""
13
Create a role assignment at the specified scope.
14
15
Parameters:
16
- scope: The scope of the role assignment (subscription, resource group, or resource)
17
- role_assignment_name: GUID for the role assignment name
18
- parameters: Role assignment creation parameters
19
20
Returns:
21
RoleAssignment object with assignment details
22
"""
23
24
def delete(scope: str, role_assignment_name: str) -> RoleAssignment:
25
"""
26
Delete a role assignment.
27
28
Parameters:
29
- scope: The scope of the role assignment
30
- role_assignment_name: Name of the role assignment to delete
31
32
Returns:
33
Deleted RoleAssignment object
34
"""
35
36
def get(scope: str, role_assignment_name: str) -> RoleAssignment:
37
"""
38
Get details of a specific role assignment.
39
40
Parameters:
41
- scope: The scope of the role assignment
42
- role_assignment_name: Name of the role assignment
43
44
Returns:
45
RoleAssignment object
46
"""
47
48
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleAssignment]:
49
"""
50
List role assignments for a specific scope.
51
52
Parameters:
53
- scope: The scope to list assignments for
54
- filter: OData filter expression (optional)
55
56
Returns:
57
Iterator of RoleAssignment objects
58
"""
59
60
def list_for_subscription(filter: Optional[str] = None) -> Iterator[RoleAssignment]:
61
"""
62
List all role assignments in a subscription.
63
64
Parameters:
65
- filter: OData filter expression (optional)
66
67
Returns:
68
Iterator of RoleAssignment objects
69
"""
70
71
def list_for_resource_group(resource_group_name: str, filter: Optional[str] = None) -> Iterator[RoleAssignment]:
72
"""
73
List role assignments for a resource group.
74
75
Parameters:
76
- resource_group_name: Name of the resource group
77
- filter: OData filter expression (optional)
78
79
Returns:
80
Iterator of RoleAssignment objects
81
"""
82
83
def list_for_resource(
84
resource_group_name: str,
85
resource_provider_namespace: str,
86
resource_type: str,
87
resource_name: str,
88
filter: Optional[str] = None
89
) -> Iterator[RoleAssignment]:
90
"""
91
List role assignments for a specific resource.
92
93
Parameters:
94
- resource_group_name: Name of the resource group
95
- resource_provider_namespace: Namespace of the resource provider
96
- resource_type: Type of the resource
97
- resource_name: Name of the resource
98
- filter: OData filter expression (optional)
99
100
Returns:
101
Iterator of RoleAssignment objects
102
"""
103
```
104
105
### Role Definitions Management
106
107
Manage built-in and custom role definitions that define the permissions and actions available for role assignments.
108
109
```python { .api }
110
def create_or_update(scope: str, role_definition_id: str, parameters: RoleDefinition) -> RoleDefinition:
111
"""
112
Create or update a custom role definition.
113
114
Parameters:
115
- scope: The scope at which the role definition applies
116
- role_definition_id: GUID for the role definition ID
117
- parameters: Role definition properties
118
119
Returns:
120
RoleDefinition object
121
"""
122
123
def delete(scope: str, role_definition_id: str) -> RoleDefinition:
124
"""
125
Delete a custom role definition.
126
127
Parameters:
128
- scope: The scope of the role definition
129
- role_definition_id: ID of the role definition to delete
130
131
Returns:
132
Deleted RoleDefinition object
133
"""
134
135
def get(scope: str, role_definition_id: str) -> RoleDefinition:
136
"""
137
Get details of a specific role definition.
138
139
Parameters:
140
- scope: The scope of the role definition
141
- role_definition_id: ID of the role definition
142
143
Returns:
144
RoleDefinition object
145
"""
146
147
def get_by_id(role_id: str) -> RoleDefinition:
148
"""
149
Get a role definition by its fully qualified ID.
150
151
Parameters:
152
- role_id: Fully qualified role definition ID
153
154
Returns:
155
RoleDefinition object
156
"""
157
158
def list(scope: str, filter: Optional[str] = None) -> Iterator[RoleDefinition]:
159
"""
160
List role definitions available at a scope.
161
162
Parameters:
163
- scope: The scope to list role definitions for
164
- filter: OData filter expression (optional)
165
166
Returns:
167
Iterator of RoleDefinition objects
168
"""
169
```
170
171
### Permissions Management
172
173
Query effective permissions at various scopes to understand what actions are allowed for security principals.
174
175
```python { .api }
176
def list_for_resource(
177
resource_group_name: str,
178
resource_provider_namespace: str,
179
resource_type: str,
180
resource_name: str
181
) -> List[Permission]:
182
"""
183
List effective permissions for a specific resource.
184
185
Parameters:
186
- resource_group_name: Name of the resource group
187
- resource_provider_namespace: Namespace of the resource provider
188
- resource_type: Type of the resource
189
- resource_name: Name of the resource
190
191
Returns:
192
List of Permission objects representing effective permissions
193
"""
194
195
def list_for_resource_group(resource_group_name: str) -> List[Permission]:
196
"""
197
List effective permissions for a resource group.
198
199
Parameters:
200
- resource_group_name: Name of the resource group
201
202
Returns:
203
List of Permission objects representing effective permissions
204
"""
205
```
206
207
### Deny Assignments Management
208
209
Query deny assignments that explicitly block specific actions, overriding any allow permissions from role assignments.
210
211
```python { .api }
212
def get(scope: str, deny_assignment_id: str) -> DenyAssignment:
213
"""
214
Get details of a specific deny assignment.
215
216
Parameters:
217
- scope: The scope of the deny assignment
218
- deny_assignment_id: ID of the deny assignment
219
220
Returns:
221
DenyAssignment object
222
"""
223
224
def get_by_id(deny_assignment_id: str) -> DenyAssignment:
225
"""
226
Get a deny assignment by its fully qualified ID.
227
228
Parameters:
229
- deny_assignment_id: Fully qualified deny assignment ID
230
231
Returns:
232
DenyAssignment object
233
"""
234
235
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[DenyAssignment]:
236
"""
237
List deny assignments for a specific scope.
238
239
Parameters:
240
- scope: The scope to list deny assignments for
241
- filter: OData filter expression (optional)
242
243
Returns:
244
Iterator of DenyAssignment objects
245
"""
246
247
def list_for_subscription(filter: Optional[str] = None) -> Iterator[DenyAssignment]:
248
"""
249
List all deny assignments in a subscription.
250
251
Parameters:
252
- filter: OData filter expression (optional)
253
254
Returns:
255
Iterator of DenyAssignment objects
256
"""
257
258
def list_for_resource_group(resource_group_name: str, filter: Optional[str] = None) -> Iterator[DenyAssignment]:
259
"""
260
List deny assignments for a resource group.
261
262
Parameters:
263
- resource_group_name: Name of the resource group
264
- filter: OData filter expression (optional)
265
266
Returns:
267
Iterator of DenyAssignment objects
268
"""
269
270
def list_for_resource(
271
resource_group_name: str,
272
resource_provider_namespace: str,
273
resource_type: str,
274
resource_name: str,
275
filter: Optional[str] = None
276
) -> Iterator[DenyAssignment]:
277
"""
278
List deny assignments for a specific resource.
279
280
Parameters:
281
- resource_group_name: Name of the resource group
282
- resource_provider_namespace: Namespace of the resource provider
283
- resource_type: Type of the resource
284
- resource_name: Name of the resource
285
- filter: OData filter expression (optional)
286
287
Returns:
288
Iterator of DenyAssignment objects
289
"""
290
```
291
292
### Provider Operations Metadata
293
294
Discover available Azure resource provider operations and their metadata for creating custom role definitions.
295
296
```python { .api }
297
def get(resource_provider_namespace: str, expand: Optional[str] = None) -> ProviderOperationsMetadata:
298
"""
299
Get operations metadata for a specific resource provider.
300
301
Parameters:
302
- resource_provider_namespace: Namespace of the resource provider
303
- expand: Optional expansion parameter
304
305
Returns:
306
ProviderOperationsMetadata object with operation details
307
"""
308
309
def list(expand: Optional[str] = None) -> Iterator[ProviderOperationsMetadata]:
310
"""
311
List operations metadata for all resource providers.
312
313
Parameters:
314
- expand: Optional expansion parameter
315
316
Returns:
317
Iterator of ProviderOperationsMetadata objects
318
"""
319
```
320
321
## Usage Examples
322
323
### Creating a Custom Role
324
325
```python
326
from azure.mgmt.authorization import AuthorizationManagementClient
327
from azure.mgmt.authorization.models import RoleDefinition
328
329
# Create a custom role definition
330
custom_role = RoleDefinition(
331
role_name="Custom Storage Reader",
332
description="Can read storage account properties and list keys",
333
type="CustomRole",
334
permissions=[{
335
"actions": [
336
"Microsoft.Storage/storageAccounts/read",
337
"Microsoft.Storage/storageAccounts/listKeys/action"
338
],
339
"not_actions": [],
340
"data_actions": [],
341
"not_data_actions": []
342
}],
343
assignable_scopes=["/subscriptions/your-subscription-id"]
344
)
345
346
# Create the role definition
347
role_def = client.role_definitions.create_or_update(
348
scope="/subscriptions/your-subscription-id",
349
role_definition_id="custom-role-guid",
350
parameters=custom_role
351
)
352
```
353
354
### Assigning a Role
355
356
```python
357
from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
358
359
# Create role assignment parameters
360
assignment_params = RoleAssignmentCreateParameters(
361
role_definition_id="/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-def-id",
362
principal_id="user-or-service-principal-object-id",
363
principal_type="User" # or "Group", "ServicePrincipal"
364
)
365
366
# Create the role assignment
367
assignment = client.role_assignments.create(
368
scope="/subscriptions/your-subscription-id/resourceGroups/my-rg",
369
role_assignment_name="assignment-guid",
370
parameters=assignment_params
371
)
372
```
373
374
### Querying Effective Permissions
375
376
```python
377
# Get effective permissions for a resource group
378
permissions = client.permissions.list_for_resource_group("my-resource-group")
379
380
for perm in permissions:
381
print("Allowed Actions:")
382
for action in perm.actions or []:
383
print(f" {action}")
384
385
print("Denied Actions:")
386
for not_action in perm.not_actions or []:
387
print(f" {not_action}")
388
```
389
390
## Types
391
392
### Core Data Models
393
394
```python { .api }
395
class RoleAssignmentCreateParameters:
396
role_definition_id: str
397
principal_id: str
398
principal_type: Optional[str]
399
description: Optional[str]
400
condition: Optional[str]
401
condition_version: Optional[str]
402
403
class RoleAssignmentFilter:
404
principal_id: Optional[str]
405
can_delegate: Optional[bool]
406
407
class DenyAssignmentPermission:
408
actions: Optional[List[str]]
409
not_actions: Optional[List[str]]
410
data_actions: Optional[List[str]]
411
not_data_actions: Optional[List[str]]
412
413
class Principal:
414
id: Optional[str]
415
type: Optional[str]
416
417
class ProviderOperationsMetadata:
418
id: Optional[str]
419
name: Optional[str]
420
type: Optional[str]
421
display_name: Optional[str]
422
operations: Optional[List[ProviderOperation]]
423
resource_types: Optional[List[ResourceType]]
424
425
class ProviderOperation:
426
name: Optional[str]
427
display_name: Optional[str]
428
description: Optional[str]
429
origin: Optional[str]
430
properties: Optional[dict]
431
```
432
433
## Error Handling
434
435
Common exceptions when working with RBAC operations:
436
437
- **ResourceNotFoundError**: Role definition, assignment, or resource not found
438
- **ClientAuthenticationError**: Authentication credentials invalid or expired
439
- **ForbiddenError**: Insufficient permissions to perform the operation
440
- **ConflictError**: Role assignment already exists or role definition name conflict
441
- **BadRequestError**: Invalid parameters or malformed request
442
443
```python
444
from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
445
446
try:
447
role_assignment = client.role_assignments.get(scope, assignment_name)
448
except ResourceNotFoundError:
449
print("Role assignment not found")
450
except ClientAuthenticationError:
451
print("Authentication failed - check credentials")
452
```