
Need for an RBAC permission specialized for "Local Network Gateway".

At the moment, we do not have a permission specialized for RBAC.

As background, we want to limit the permissions we assign to our users.
Since there are too many permissions when we add "Microsoft.Network/*", our users need a permission specialized for Local Network Gateway.

We can set the following permissions (Actions and NotActions) by setting up the NotActions listed below.
However, in order to avoid unexpected permissions when a new feature is released, could you kindly add specialized Local Network Gateway permission?

[Japanese, translated]
There is no RBAC permission specialized for Local Network Gateway.

We want to give each user only the minimum permissions they need,
but granting "Microsoft.Network/*" grants far too many permissions,
so we need a permission specialized for Local Network Gateway.

Setting NotActions as shown below can prevent unwanted operations,
but to avoid permissions being granted unexpectedly, for example when a new feature is released,
could you please add a permission specialized for Local Network Gateway?

[Actions]
Microsoft.Network/*

[NotActions]
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/delete
Microsoft.Network/virtualNetworks/peer/action
Microsoft.Network/virtualNetworks/subnets/delete
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Microsoft.Network/virtualNetworks/write
:
:
:

19 votes
Shuhei Uda shared this idea

1 comment

  • Lyndon Frei commented

    Has this maybe been solved in the meantime, as the following provider operations can be assigned to a custom role?
    Microsoft.Network/localnetworkgateways/read Get LocalNetworkGateway
    Microsoft.Network/localnetworkgateways/write Create or update LocalNetworkGateway
    Microsoft.Network/localnetworkgateways/delete Delete LocalNetworkGateway
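To show why the request prefers resource-specific operations over a wildcard narrowed by NotActions, here is an added example (not from the thread or from Azure) that applies Azure RBAC's effective-permission rule, Actions minus NotActions with case-insensitive `*` matching, to two constructed custom-role definitions and lists what each still allows beyond the three localnetworkgateways operations. The NotActions list is shortened from the post, and the "hypotheticalNewFeature" operation is a placeholder standing in for one added by a future release.

```python
import re

# Constructed role definitions. WORKAROUND_ROLE mirrors the request's pattern (broad
# Actions narrowed by NotActions); NARROW_ROLE uses only the three operations from the comment.
WORKAROUND_ROLE = {
    "Actions": ["Microsoft.Network/*"],
    "NotActions": [
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/write",
    ],
}
NARROW_ROLE = {
    "Actions": [
        "Microsoft.Network/localnetworkgateways/read",
        "Microsoft.Network/localnetworkgateways/write",
        "Microsoft.Network/localnetworkgateways/delete",
    ],
    "NotActions": [],
}

def action_matches(pattern, operation):
    # In an Azure action string '*' matches any run of characters (it crosses '/'); comparison is case-insensitive.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective permission: matched by at least one Action and by no NotAction."""
    granted = any(action_matches(a, operation) for a in role["Actions"])
    denied = any(action_matches(n, operation) for n in role["NotActions"])
    return granted and not denied

def excess_operations(role, intended, candidates):
    """Candidate operations the role allows that are outside the intended set."""
    wanted = {op.lower() for op in intended}
    return sorted(op for op in candidates
                  if op.lower() not in wanted and is_allowed(role, op))

# Constructed probe set: the intended operations, two that the NotActions block, one other
# real Microsoft.Network operation, and a placeholder for an operation shipped by a future feature.
CANDIDATES = NARROW_ROLE["Actions"] + [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/hypotheticalNewFeature/write",  # placeholder, not a real operation
]

if __name__ == "__main__":
    print("workaround role allows beyond intent:", excess_operations(WORKAROUND_ROLE, NARROW_ROLE["Actions"], CANDIDATES))
```

The narrow role yields an empty excess list, while the wildcard role keeps allowing every Microsoft.Network operation nobody thought to deny, including the placeholder "new feature" one.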
