RBAC rules need an option to block IAM inheritance
Create an option that allows blocking of inheritance for RBAC rules.
ATM if you create a generic rule at a top layer it means you cannot block access to a particular item.
As such the only way to create a rule which doesn't allow access is by creating multiple top layer items that exclude the one item you want to block.
Need a setup similar to NTFS security inheritance blocking options.
Thank you for taking the time to vote for this item. We are glad to let you know that you can accomplish this today using Azure Blueprints locking mechanism. You can read about this here: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
We encourage customers to use this path.
Any update on this? I need to give read access to one specific resource group (they need to see details of it) and read access to just one key vault within that resource group.
I can grant the Key Vault Reader permissions at the resource level but they see all key vaults within that resource group.
Denying access on other key vaults is also not efficient.
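A small model of how Azure RBAC scope inheritance behaves in the situation described above (added example; it is a toy evaluator, not Azure's own code, and the subscription, resource group, vault names and principal are constructed). It shows that a Key Vault Reader assignment at the resource-group scope is inherited by every vault beneath it, while an assignment at the vault scope reaches only that vault, and that nothing in the allow-only model can carve one vault out of a parent grant.

```python
# Toy model of Azure RBAC scope inheritance (constructed example, not Azure code).
# A role assignment applies to its scope and every descendant scope, because
# evaluation asks "is the resource scope equal to, or beneath, the assignment scope?".
# Scope strings follow the Azure resource-ID layout; all names below are made up.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-app"
KV_A = f"{RG}/providers/Microsoft.KeyVault/vaults/kv-app-a"
KV_B = f"{RG}/providers/Microsoft.KeyVault/vaults/kv-app-b"


def covers(assignment_scope: str, resource_scope: str) -> bool:
    """True when resource_scope is assignment_scope itself or lies beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    # The trailing "/" stops "rg-app" from matching a sibling such as "rg-app2".
    return r == a or r.startswith(a + "/")


def effective_roles(assignments, principal: str, resource_scope: str) -> list:
    """Roles `principal` holds on `resource_scope`, including inherited ones.

    assignments: iterable of (principal, role_name, scope) tuples.
    There is no deny entry in this model: a grant on a parent scope can only
    be narrowed by moving it down, never by excluding a child.
    """
    return sorted({role for p, role, scope in assignments
                   if p == principal and covers(scope, resource_scope)})


def visible_vaults(assignments, principal: str, vaults) -> list:
    """Vaults on which the principal holds at least one role."""
    return [v for v in vaults if effective_roles(assignments, principal, v)]


# Wide setting: Key Vault Reader granted at the resource-group scope.
rg_level = [("alice", "Key Vault Reader", RG)]
# Narrow setting: the same role granted only on the one vault alice needs.
vault_level = [("alice", "Key Vault Reader", KV_A)]

if __name__ == "__main__":
    vaults = [KV_A, KV_B]
    print("RG-scope grant sees:   ", visible_vaults(rg_level, "alice", vaults))
    print("Vault-scope grant sees:", visible_vaults(vault_level, "alice", vaults))
```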
Yep, it's really needed.
I agree with Chris that blueprint locking is something different and doesn't do the job.
Missing deny or inheritance-breaking functionality makes Azure resource governance much more complicated.
Chris Lewis commented
Blueprint locking and RBAC Inheritance blocking are two completely different things that accomplish two different asks.
RBAC IAM inheritance works at the ManagementGroup layer. What the request is asking is that if an RBAC is set at an MG, that it can be blocked/denied at a sub-MG or Subscription.
This is also a real issue for us and doesn't really make sense.
Richard Davies commented
I agree. Management Groups do nothing to address this either.
Adopting NTFS / deny options is a must to bring it up to date with security principles.
Yeah, this is silly; atm it's all or nothing.