Azure cloud · ~10 mins

Custom role definitions in Azure - Step-by-Step Execution

Process Flow - Custom role definitions
Start: Define role properties
Specify permissions (actions, notActions)
Set assignable scopes
Create role definition JSON
Deploy role via Azure CLI or Portal
Role available for assignment
End
The flow shows defining permissions and scopes, creating the JSON role definition, deploying it, then using the role.
Execution Sample (Azure role definition JSON)
{
  "Name": "Custom Reader",
  "IsCustom": true,
  "Description": "Can read resources",
  "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789abc"]
}
This JSON defines a custom role that allows reading resource groups in a specific subscription.
Process Table

Step | Action | Input/Value | Result/State
1 | Define role name and description | Name: Custom Reader, Description: Can read resources | Role properties set
2 | Specify permissions | Actions: read resource groups, NotActions: none | Permissions configured
3 | Set assignable scopes | Scope: subscription /subscriptions/12345678-1234-1234-1234-123456789abc | Scope assigned
4 | Create JSON role definition | Combine all properties into JSON | Role definition JSON ready
5 | Deploy role | Use Azure CLI or Portal to create role | Role created and available
6 | Assign role to user/group | Assign Custom Reader role | User/group can read resource groups
7 | Exit | All steps complete | Custom role ready for use
💡 Role is created and ready for assignment after deployment.
Status Tracker

Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final
Name | undefined | Custom Reader | Custom Reader | Custom Reader | Custom Reader | Custom Reader
Description | undefined | Can read resources | Can read resources | Can read resources | Can read resources | Can read resources
Actions | undefined | undefined | ["Microsoft.Resources/subscriptions/resourceGroups/read"] | ["Microsoft.Resources/subscriptions/resourceGroups/read"] | ["Microsoft.Resources/subscriptions/resourceGroups/read"] | ["Microsoft.Resources/subscriptions/resourceGroups/read"]
NotActions | undefined | undefined | [] | [] | [] | []
AssignableScopes | undefined | undefined | undefined | ["/subscriptions/12345678-1234-1234-1234-123456789abc"] | ["/subscriptions/12345678-1234-1234-1234-123456789abc"] | ["/subscriptions/12345678-1234-1234-1234-123456789abc"]
RoleDefinitionJSON | undefined | undefined | undefined | undefined | JSON object with all properties | JSON object with all properties
Key Moments - 3 Insights
Why do we need to specify both Actions and NotActions in a custom role?
Actions define what is allowed; NotActions exclude specific permissions from those allowed. This lets you fine-tune permissions. See step 2 in the Process Table, where Actions and NotActions are set.
What happens if AssignableScopes is not set correctly?
The role cannot be assigned outside the specified scopes. Step 3 shows setting AssignableScopes; if it is missing or wrong, role assignment fails.
Is the custom role immediately usable after JSON creation?
No, after creating the JSON (step 4), you must deploy it (step 5) before it can be assigned and used.
Visual Quiz - 3 Questions
Test your understanding
Q1. Look at the Process Table: at which step is the role definition JSON created?
A. Step 5
B. Step 2
C. Step 4
D. Step 3
💡 Hint: Check the 'Action' column in the Process Table for when the JSON is created.

Q2. According to the Status Tracker, what is the value of Actions after Step 2?
A. ["Microsoft.Resources/subscriptions/resourceGroups/read"]
B. undefined
C. []
D. null
💡 Hint: Look at the Actions row under "After Step 2" in the Status Tracker.

Q3. If AssignableScopes was set to an empty list, what would happen according to the flow?
A. Role can be assigned anywhere
B. Role cannot be assigned anywhere
C. Role automatically assigned to all users
D. Role permissions are ignored
💡 Hint: Refer to step 3 in the Process Table and the Key Moments entry about AssignableScopes.
Concept Snapshot
Custom role definitions in Azure:
- Define role name, description
- Specify allowed Actions and NotActions
- Set AssignableScopes (where role applies)
- Create JSON with these properties
- Deploy role via Azure CLI or Portal
- Assign role to users/groups for custom permissions
Full Transcript
Custom role definitions in Azure start by defining the role's name and description. Then, you specify the permissions allowed (Actions) and any exceptions (NotActions). Next, you set the assignable scopes to limit where the role can be used. All these properties are combined into a JSON role definition. This JSON is deployed using Azure CLI or the Azure Portal. After deployment, the role becomes available for assignment to users or groups, granting them the specified permissions within the defined scopes.
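A preflight check for the JSON role definition from the Execution Sample and the procedure in the transcript, written as an added example (not code from this page or from Azure): it validates the properties before the file is handed to `az role definition create --role-definition role.json`, and evaluates the effective permission an action gets under Actions/NotActions with Azure's `*` wildcard and case-insensitive matching. The sample role, the accepted scope prefixes and the helper names are this example's own assumptions.

```python
import json
import re

# Constructed sample input: the role definition shown on this page.
ROLE_JSON = """{
  "Name": "Custom Reader",
  "IsCustom": true,
  "Description": "Can read resources",
  "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/12345678-1234-1234-1234-123456789abc"]
}"""
# Scope formats this preflight accepts: subscription (or a resource group under it) and management group.
SCOPE_PREFIXES = ("/subscriptions/", "/providers/Microsoft.Management/managementGroups/")


def load_role(text: str) -> dict:
    return json.loads(text)


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings are case-insensitive; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def is_permitted(role: dict, action: str) -> bool:
    """Allowed by some Actions entry and not carved out by NotActions (a narrowing, not a deny)."""
    allowed = any(action_matches(p, action) for p in role.get("Actions") or [])
    excluded = any(action_matches(p, action) for p in role.get("NotActions") or [])
    return allowed and not excluded


def validate_role(role: dict) -> list:
    """Return the problems found; an empty list means the definition is ready to deploy."""
    problems = []
    actions = role.get("Actions") or []
    scopes = role.get("AssignableScopes") or []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if not actions:
        problems.append("Actions is empty: the role grants nothing")
    if not scopes:
        problems.append("AssignableScopes is empty: the role could not be assigned anywhere")
    for scope in scopes:
        if not scope.startswith(SCOPE_PREFIXES):
            problems.append("unrecognised AssignableScopes entry: " + scope)
    # A NotActions entry that overlaps nothing in Actions has no effect and usually means a typo.
    for na in role.get("NotActions") or []:
        if not any(action_matches(a, na) or action_matches(na, a) for a in actions):
            problems.append("NotActions entry never narrows Actions: " + na)
    return problems
```

Run `validate_role(load_role(ROLE_JSON))` before deployment; an empty list means the definition passed, and `is_permitted` answers the "can this principal do X" question that role assignment later depends on.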