tessl/pypi-azure-mgmt-authorization
Microsoft Azure Authorization Management Client Library for Python providing RBAC, PIM, and access control capabilities
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
core-rbac.mddocs/
Core RBAC Operations
Essential role-based access control functionality that forms the foundation of Azure authorization management. These operations enable managing role assignments, role definitions, permissions, and deny assignments across Azure resources.
Capabilities
Role Assignments Management
Create, manage, and query role assignments that grant users, groups, or service principals access to Azure resources at various scopes.
def create(scope: str, role_assignment_name: str, parameters: RoleAssignmentCreateParameters) -> RoleAssignment:
"""
Create a role assignment at the specified scope.
Parameters:
- scope: The scope of the role assignment (subscription, resource group, or resource)
- role_assignment_name: GUID for the role assignment name
- parameters: Role assignment creation parameters
Returns:
RoleAssignment object with assignment details
"""
def delete(scope: str, role_assignment_name: str) -> RoleAssignment:
"""
Delete a role assignment.
Parameters:
- scope: The scope of the role assignment
- role_assignment_name: Name of the role assignment to delete
Returns:
Deleted RoleAssignment object
"""
def get(scope: str, role_assignment_name: str) -> RoleAssignment:
"""
Get details of a specific role assignment.
Parameters:
- scope: The scope of the role assignment
- role_assignment_name: Name of the role assignment
Returns:
RoleAssignment object
"""
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[RoleAssignment]:
"""
List role assignments for a specific scope.
Parameters:
- scope: The scope to list assignments for
- filter: OData filter expression (optional)
Returns:
Iterator of RoleAssignment objects
"""
def list_for_subscription(filter: Optional[str] = None) -> Iterator[RoleAssignment]:
"""
List all role assignments in a subscription.
Parameters:
- filter: OData filter expression (optional)
Returns:
Iterator of RoleAssignment objects
"""
def list_for_resource_group(resource_group_name: str, filter: Optional[str] = None) -> Iterator[RoleAssignment]:
"""
List role assignments for a resource group.
Parameters:
- resource_group_name: Name of the resource group
- filter: OData filter expression (optional)
Returns:
Iterator of RoleAssignment objects
"""
def list_for_resource(
resource_group_name: str,
resource_provider_namespace: str,
resource_type: str,
resource_name: str,
filter: Optional[str] = None
) -> Iterator[RoleAssignment]:
"""
List role assignments for a specific resource.
Parameters:
- resource_group_name: Name of the resource group
- resource_provider_namespace: Namespace of the resource provider
- resource_type: Type of the resource
- resource_name: Name of the resource
- filter: OData filter expression (optional)
Returns:
Iterator of RoleAssignment objects
"""Role Definitions Management
Manage built-in and custom role definitions that define the permissions and actions available for role assignments.
def create_or_update(scope: str, role_definition_id: str, parameters: RoleDefinition) -> RoleDefinition:
"""
Create or update a custom role definition.
Parameters:
- scope: The scope at which the role definition applies
- role_definition_id: GUID for the role definition ID
- parameters: Role definition properties
Returns:
RoleDefinition object
"""
def delete(scope: str, role_definition_id: str) -> RoleDefinition:
"""
Delete a custom role definition.
Parameters:
- scope: The scope of the role definition
- role_definition_id: ID of the role definition to delete
Returns:
Deleted RoleDefinition object
"""
def get(scope: str, role_definition_id: str) -> RoleDefinition:
"""
Get details of a specific role definition.
Parameters:
- scope: The scope of the role definition
- role_definition_id: ID of the role definition
Returns:
RoleDefinition object
"""
def get_by_id(role_id: str) -> RoleDefinition:
"""
Get a role definition by its fully qualified ID.
Parameters:
- role_id: Fully qualified role definition ID
Returns:
RoleDefinition object
"""
def list(scope: str, filter: Optional[str] = None) -> Iterator[RoleDefinition]:
"""
List role definitions available at a scope.
Parameters:
- scope: The scope to list role definitions for
- filter: OData filter expression (optional)
Returns:
Iterator of RoleDefinition objects
"""Permissions Management
Query effective permissions at various scopes to understand what actions are allowed for security principals.
def list_for_resource(
resource_group_name: str,
resource_provider_namespace: str,
resource_type: str,
resource_name: str
) -> List[Permission]:
"""
List effective permissions for a specific resource.
Parameters:
- resource_group_name: Name of the resource group
- resource_provider_namespace: Namespace of the resource provider
- resource_type: Type of the resource
- resource_name: Name of the resource
Returns:
List of Permission objects representing effective permissions
"""
def list_for_resource_group(resource_group_name: str) -> List[Permission]:
"""
List effective permissions for a resource group.
Parameters:
- resource_group_name: Name of the resource group
Returns:
List of Permission objects representing effective permissions
"""Deny Assignments Management
Query deny assignments that explicitly block specific actions, overriding any allow permissions from role assignments.
def get(scope: str, deny_assignment_id: str) -> DenyAssignment:
"""
Get details of a specific deny assignment.
Parameters:
- scope: The scope of the deny assignment
- deny_assignment_id: ID of the deny assignment
Returns:
DenyAssignment object
"""
def get_by_id(deny_assignment_id: str) -> DenyAssignment:
"""
Get a deny assignment by its fully qualified ID.
Parameters:
- deny_assignment_id: Fully qualified deny assignment ID
Returns:
DenyAssignment object
"""
def list_for_scope(scope: str, filter: Optional[str] = None) -> Iterator[DenyAssignment]:
"""
List deny assignments for a specific scope.
Parameters:
- scope: The scope to list deny assignments for
- filter: OData filter expression (optional)
Returns:
Iterator of DenyAssignment objects
"""
def list_for_subscription(filter: Optional[str] = None) -> Iterator[DenyAssignment]:
"""
List all deny assignments in a subscription.
Parameters:
- filter: OData filter expression (optional)
Returns:
Iterator of DenyAssignment objects
"""
def list_for_resource_group(resource_group_name: str, filter: Optional[str] = None) -> Iterator[DenyAssignment]:
"""
List deny assignments for a resource group.
Parameters:
- resource_group_name: Name of the resource group
- filter: OData filter expression (optional)
Returns:
Iterator of DenyAssignment objects
"""
def list_for_resource(
resource_group_name: str,
resource_provider_namespace: str,
resource_type: str,
resource_name: str,
filter: Optional[str] = None
) -> Iterator[DenyAssignment]:
"""
List deny assignments for a specific resource.
Parameters:
- resource_group_name: Name of the resource group
- resource_provider_namespace: Namespace of the resource provider
- resource_type: Type of the resource
- resource_name: Name of the resource
- filter: OData filter expression (optional)
Returns:
Iterator of DenyAssignment objects
"""Provider Operations Metadata
Discover available Azure resource provider operations and their metadata for creating custom role definitions.
def get(resource_provider_namespace: str, expand: Optional[str] = None) -> ProviderOperationsMetadata:
"""
Get operations metadata for a specific resource provider.
Parameters:
- resource_provider_namespace: Namespace of the resource provider
- expand: Optional expansion parameter
Returns:
ProviderOperationsMetadata object with operation details
"""
def list(expand: Optional[str] = None) -> Iterator[ProviderOperationsMetadata]:
"""
List operations metadata for all resource providers.
Parameters:
- expand: Optional expansion parameter
Returns:
Iterator of ProviderOperationsMetadata objects
"""Usage Examples
Creating a Custom Role
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.authorization.models import RoleDefinition
# Create a custom role definition
custom_role = RoleDefinition(
role_name="Custom Storage Reader",
description="Can read storage account properties and list keys",
type="CustomRole",
permissions=[{
"actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"not_actions": [],
"data_actions": [],
"not_data_actions": []
}],
assignable_scopes=["/subscriptions/your-subscription-id"]
)
# Create the role definition
role_def = client.role_definitions.create_or_update(
scope="/subscriptions/your-subscription-id",
role_definition_id="custom-role-guid",
parameters=custom_role
)Assigning a Role
from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
# Create role assignment parameters
assignment_params = RoleAssignmentCreateParameters(
role_definition_id="/subscriptions/sub-id/providers/Microsoft.Authorization/roleDefinitions/role-def-id",
principal_id="user-or-service-principal-object-id",
principal_type="User" # or "Group", "ServicePrincipal"
)
# Create the role assignment
assignment = client.role_assignments.create(
scope="/subscriptions/your-subscription-id/resourceGroups/my-rg",
role_assignment_name="assignment-guid",
parameters=assignment_params
)Querying Effective Permissions
# Get effective permissions for a resource group
permissions = client.permissions.list_for_resource_group("my-resource-group")
for perm in permissions:
print("Allowed Actions:")
for action in perm.actions or []:
print(f" {action}")
print("Denied Actions:")
for not_action in perm.not_actions or []:
print(f" {not_action}")Types
Core Data Models
class RoleAssignmentCreateParameters:
role_definition_id: str
principal_id: str
principal_type: Optional[str]
description: Optional[str]
condition: Optional[str]
condition_version: Optional[str]
class RoleAssignmentFilter:
principal_id: Optional[str]
can_delegate: Optional[bool]
class DenyAssignmentPermission:
actions: Optional[List[str]]
not_actions: Optional[List[str]]
data_actions: Optional[List[str]]
not_data_actions: Optional[List[str]]
class Principal:
id: Optional[str]
type: Optional[str]
class ProviderOperationsMetadata:
id: Optional[str]
name: Optional[str]
type: Optional[str]
display_name: Optional[str]
operations: Optional[List[ProviderOperation]]
resource_types: Optional[List[ResourceType]]
class ProviderOperation:
name: Optional[str]
display_name: Optional[str]
description: Optional[str]
origin: Optional[str]
properties: Optional[dict]Error Handling
Common exceptions when working with RBAC operations:
- ResourceNotFoundError: Role definition, assignment, or resource not found
- ClientAuthenticationError: Authentication credentials invalid or expired
- ForbiddenError: Insufficient permissions to perform the operation
- ConflictError: Role assignment already exists or role definition name conflict
- BadRequestError: Invalid parameters or malformed request
from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
try:
role_assignment = client.role_assignments.get(scope, assignment_name)
except ResourceNotFoundError:
print("Role assignment not found")
except ClientAuthenticationError:
print("Authentication failed - check credentials")Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-authorization