Add "VM JIT Requestor" role to Resource/RG level role list
Quite often, I want to grant users login access to an Azure VM without giving them contributor access to modify the metadata associated with the VM itself. However, while Reader access gives users access to the Azure portal, and Virtual Machine User Login access allows users to log in to the VM once in the portal, neither the aforementioned roles nor any other predefined role provides the ability to request JIT access to the VM.
My workaround has been to create a custom role with the following allowed action: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
However, this seems like an action that should either be allowed for VM Admin/User login roles anyway, or at a bare minimum created as a new role. Would it be possible to update or create the necessary roles in this manner?
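The custom-role workaround described in the post, written out as an added example (this is not code from the original post or from Microsoft): a POSIX shell function that emits the role definition JSON in the shape `az role definition create` accepts, granting only the `initiate/action` named above. The role name "VM JIT Requestor", the placeholder subscription ID and the resource-group scope in the usage comment are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example, not from the original post: build a least-privilege custom
# Azure role that can only request JIT network access to a VM.
# Assumptions: the subscription ID and role name below are placeholders.

JIT_INITIATE_ACTION="Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"

# Print the role definition JSON expected by `az role definition create`.
# $1 = subscription ID used as the assignable scope (placeholder by default)
emit_jit_requestor_role() {
  sub="${1:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription ID
  cat <<EOF
{
  "Name": "VM JIT Requestor",
  "IsCustom": true,
  "Description": "Can request just-in-time network access to a VM; pair with Reader and Virtual Machine User Login.",
  "Actions": [
    "$JIT_INITIATE_ACTION"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$sub"
  ]
}
EOF
}

# Sanity check before creating the role: the definition must grant the JIT
# initiate action and must not contain a wildcard action, so the role cannot
# be used to modify the VM itself. Returns 0 when both conditions hold.
role_is_least_privilege() {
  json="$(emit_jit_requestor_role "$1")"
  printf '%s\n' "$json" | grep -q "\"$JIT_INITIATE_ACTION\"" || return 1
  printf '%s\n' "$json" | grep -q '"\*"' && return 1
  return 0
}

# Usage (needs a logged-in Azure CLI; not executed here):
#   emit_jit_requestor_role "<your-subscription-id>" > vm-jit-requestor.json
#   az role definition create --role-definition @vm-jit-requestor.json
#   az role assignment create --assignee <user-upn> --role "VM JIT Requestor" \
#       --scope /subscriptions/<your-subscription-id>/resourceGroups/<rg-name>
```

Scoping the assignment to the resource group that holds the VM, and combining this role with Reader and Virtual Machine User Login as the post describes, keeps the user able to see the VM and request JIT access without any write permission on the VM resource.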