Need for RBAC permission specialized for "Local Network Gateway".

At the moment, we do not have a permission specialized for RBAC.

As background, we want to limit the permissions we assign to our users.
Since there are too many permissions when we add "Microsoft.Network/*", our user needs a permission specialized for Local Network Gateway.

We can set the following permissions (Actions and NotActions) by setting up the NotActions listed below.
However, in order to avoid unexpected permissions when a new feature is released, could you kindly add specialized Local Network Gateway permission?

[Japanese]
There is no RBAC permission specialized for Local Network Gateway.

We want to grant each user only the minimum permissions necessary,
but granting "Microsoft.Network/*" gives far too many permissions,
so we need a permission specialized for Local Network Gateway.

Setting NotActions as shown below does prevent unneeded operations,
but to avoid permissions being granted unexpectedly, for example when a new feature is released,
could you please add a permission specialized for Local Network Gateway?

[Actions]
Microsoft.Network/*

[NotActions]
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/delete
Microsoft.Network/virtualNetworks/peer/action
Microsoft.Network/virtualNetworks/subnets/delete
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Microsoft.Network/virtualNetworks/write
:
:
:

19 votes

Shuhei Uda shared this idea

    1 comment

Lyndon Frei commented

        Has this maybe been solved in the meantime as the following provider operations can be assigned to a custom role?
        Microsoft.Network/localnetworkgateways/read Get LocalNetworkGateway
        Microsoft.Network/localnetworkgateways/write Create or update LocalNetworkGateway
        Microsoft.Network/localnetworkgateways/delete Delete LocalNetworkGateway
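The following is an added example, not code from the original post or from the commenter. It models the Actions/NotActions evaluation the post relies on (an operation is effective when it matches some Actions pattern and no NotActions pattern, with `*` matching any characters and case-insensitive comparison) and compares the broad role from the post against a narrow role built from the three provider operations named in the comment. It shows the risk the post describes: any Microsoft.Network operation that is not on the deny list, including one introduced by a future feature, is granted by the broad role but not by the narrow one. `Microsoft.Network/virtualNetworkGateways/write` is a real provider operation used as a sample; `Microsoft.Network/newFeaturePlaceholder/write` is a constructed placeholder. The model ignores scope, DataActions and deny assignments, which Azure also evaluates.

```python
import re

# Simplified model of Azure RBAC action matching (assumption: scope,
# DataActions and deny assignments are not considered here).
# '*' in a pattern matches any run of characters, including '/';
# comparison is case-insensitive.


def _matches(pattern: str, operation: str) -> bool:
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective when some Actions pattern matches and no NotActions pattern does."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


# The broad role from the post: everything under Microsoft.Network minus a deny list.
BROAD_ROLE = {
    "Actions": ["Microsoft.Network/*"],
    "NotActions": [
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/write",
    ],
}

# The narrow role built from the provider operations named in the comment.
SPECIALIZED_ROLE = {
    "Actions": [
        "Microsoft.Network/localnetworkgateways/read",
        "Microsoft.Network/localnetworkgateways/write",
        "Microsoft.Network/localnetworkgateways/delete",
    ],
    "NotActions": [],
}

# Constructed sample operations. The last entry is a placeholder standing in
# for a hypothetical operation shipped with a future Microsoft.Network feature.
SAMPLE_OPERATIONS = [
    "Microsoft.Network/localNetworkGateways/read",
    "Microsoft.Network/localNetworkGateways/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/virtualNetworkGateways/write",
    "Microsoft.Network/newFeaturePlaceholder/write",
]


def unexpected_grants(broad: dict, narrow: dict, operations) -> list:
    """Operations the broad role allows that the narrow role does not."""
    return [op for op in operations
            if is_allowed(broad, op) and not is_allowed(narrow, op)]


if __name__ == "__main__":
    for op in SAMPLE_OPERATIONS:
        print(f"{op:50} broad={is_allowed(BROAD_ROLE, op)!s:5} "
              f"narrow={is_allowed(SPECIALIZED_ROLE, op)}")
    print("granted only by the broad role:",
          unexpected_grants(BROAD_ROLE, SPECIALIZED_ROLE, SAMPLE_OPERATIONS))
```

Running it lists the two operations (the virtual network gateway write and the placeholder) that the wildcard role grants without anyone having decided to grant them, which is exactly why a deny list cannot substitute for an allow list scoped to the resource type.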
