Deny Access Control in the RBAC
Please add the options below to RBAC.
We recently added deny capability to Azure’s RBAC system, in the form of deny assignments that can be set by the system only. The first Azure feature to use deny is BluePrint. We intend to add a configurable deny capability in the future, but have not yet announced any details.
/Stuart and Balaji
Aravind Katragadda commented
This has been a major deficiency for a very long time, and we need this feature to be enabled sooner for critical subscriptions and management groups from Root Management, as well as tiered levels.
The instructions in Deny Assignments are misleading the customers as if the feature is fully available.
Bikash Karmakar commented
Please provide this feature sooner since it helps us to isolate foundation subscriptions by using deny assignments.
Sahana Prabhakar commented
When is this feature going to be extended to "Deny" viewing of certain resources to some users? Looks like the only option now is to create a new subscription.
Walsh. Stephen (Enterprise Services) commented
We need this please, to be able to deny permissions within Azure RBAC not using Blueprints.
Bolan, Richard commented
Are there any examples of how to create a deny assignment using a Blueprint?
Having a user configurable deny capability would be outstanding. For example, you might want to give Read access to an entire subscription to let a large quantity of folks be able to see most things from a troubleshooting perspective. With some resources, however, there may be some sensitive information that should not be seen and you would just like to deny read on a handful of lower level items. For example, with API Management it is not uncommon to use the Named Values sub-feature to store certain secrets that should not be seen by everyone. If we could deny read on API Management Named Values in a custom role...we could then assign both the standard subscription Read role as well as the custom Deny role to achieve the desired result. I look forward to this feature getting built out!
Andrew Burke commented
I was looking to use this for a set of Azure Apps. We have a number of developers that have all been given the contributor role so they can access and amend other resources, but we wanted to deny it on our primary slots in Azure web apps to stop code being pushed live without the needed control and testing.
Oystein Busch commented
I want to grant full access to some, but restrict access to edit NSG. Adding a deny rule on the NSG would be useful.
Nicole Welch commented
Best practice with ACL is to deny all and then add what is needed. RBAC should support this too.
Would be good to have this feature. Even I got stuck in implementing the RBAC model and need this feature badly.
Deny would make it easier for me.
If I have 100 objects in my portal:
I want to grant read only to 95 of them; I would have to grant read permissions on 95 different objects.
With an ability to deny, I could grant read access to the subscription, then just deny the 5 objects I want to deny.
My real setup is much more complicated than the example above. I have 13 subscriptions (with more coming) and 100s of objects. I have about 20-30 objects I need to lock down so very few people can even read them for security reasons.
Thank you for your consideration!