Create the ability to remove or change inherited permissions at the resource group level.
We have a managed service provider and some customers that need a degree of permissions at the subscription level. There are several resource groups that I do not want them to have the same level of access they have at the subscription level. For instance, I would like to remove them from the Azure Automation RG or provide them read level access to our OS image folder.
We also require this.
All of our developers need Read access at subscription level to be able to see Azure Service Health alert information, but we don't want them to have access to Production resource groups.