Users must not delete resource groups if they are not allowed to delete the resources.
We created custom roles to allow another team to operate our environment. To avoid accidental deletion of data, we removed the delete action for several storage components, for example Data Lake Store Gen1.
Unfortunately, when deleting a resource group, it completely ignores the permissions at the resource level. For example, I do not have deletion rights on ADLS, but I can still remove it by deleting the whole resource group.
Resource groups are simple containers, and restricting people from managing them on their own will have a huge impact. We will waste a lot of time defining processes and executing them. If we do not restrict usage of resource groups, we have no easy way to prevent people from deleting resources that they must not delete.
This behavior looks broken to me and to everyone I showed it to. Please check, on deletion of a resource group, whether the resources may be deleted by the user.
We are looking into it and will update you when we know more.
Arturo via Chen
Mateos Alliaj commented
Agree with Christian!
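An added example, not part of the original thread and not Microsoft tooling: a Python check over custom role definitions that flags the situation the original post describes, where a role excludes a resource's delete action but still grants resource group delete. Both role definitions are constructed samples, and the wildcard matching is a simplified model of how `Actions` and `NotActions` combine.

```python
import re

RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"

def _matches(pattern, action):
    # Role definitions may use '*' wildcards; compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def is_allowed(role, action):
    """Effective permission: granted by Actions and not excluded by NotActions."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def delete_gap(role):
    """Delete exclusions that, per the post, a resource group delete sidesteps."""
    if not is_allowed(role, RG_DELETE):
        return []
    return [p for p in role.get("NotActions", [])
            if p.lower().endswith("/delete")]

# Constructed sample: operator role with the ADLS Gen1 delete action removed.
OPERATOR_ROLE = {
    "Name": "Environment Operator (sample)",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.DataLakeStore/accounts/delete",
        "Microsoft.Authorization/*/Write",
    ],
}

# Constructed sample: same role with resource group delete excluded as well.
RESTRICTED_ROLE = {
    "Name": "Environment Operator, no RG delete (sample)",
    "Actions": ["*"],
    "NotActions": OPERATOR_ROLE["NotActions"] + [RG_DELETE],
}

if __name__ == "__main__":
    for role in (OPERATOR_ROLE, RESTRICTED_ROLE):
        gap = delete_gap(role)
        status = "GAP: " + ", ".join(gap) if gap else "no gap"
        print(f"{role['Name']}: {status}")
```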