Question, asked by SomogyiJnos-9302 (0 votes)

Azure – Access Control (IAM): Invisible custom roles

In Azure, I was playing with custom roles: I created some, then I deleted them. I saw them in the listing at

Subscriptions>#######>Access Control (IAM)>Roles

where I used the type filter to make it show only the custom roles. They were there, just as I had created them. Eventually I deleted them, as I didn't need them anymore.

Now I wanted to make some again, and suddenly, when I create one, everything seems fine: Azure tells me it was created, but then I don't see it. If I try to create it once again, it tells me a custom role with that name already exists.

Where are they, why can't I see them?

azure-rbac

Just checking in to see if the answer below helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further queries, do let us know.
Thanks,

SomogyiJnos-9302 answered (0 votes)

So it turned out that there's a specific kind of custom role I don't see after having created it. Actually, I wanted to define a custom role with an assignable scope limited to only one virtual machine instance in a specific resource group. I still have no idea why I can't see these (and only these), but there is a workaround, which may be the way Azure prefers; no idea.
It's:

  1. Go to the virtual machine you want to grant access to

  2. There is an Access Control (IAM) panel, too

  3. Add an Owner role to somebody you want access to that particular virtual machine only

The person will be able to start/stop this specific virtual machine. Done.

sikumars answered (0 votes)

Hello @SomogyiJnos-9302 ,

Thanks for reaching out, and apologies for the delayed response.

There is a chance that, if the selected subscription isn't in the AssignableScopes of the role, the custom role won't be listed. If the selected subscription is in the AssignableScopes, then it must list the custom role definition, which can be viewed from the Portal as well as with the Az PowerShell module, using the cmdlet Get-AzRoleDefinition -Custom.

In addition to that, when you delete and recreate a role definition with the same name there should not be any issues, as long as the custom role definition was deleted successfully.

You could use the VM Contributor role, with which users can start/stop a specific virtual machine.

Hope this helps.

For more information, refer to:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-powershell#list-custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions-list?tabs=roles


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

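The two answers above describe the same situation from both sides: a custom role whose only assignable scope is a single VM does not appear in the subscription-level listing, and the asker's workaround was to grant Owner on the VM. The script below is an added example, not code posted in this thread by either participant. It follows the asker's scenario but replaces the Owner grant with a custom role limited to start/stop actions, assigns it at VM scope, and then queries role definitions and assignments at that scope so the role actually shows up. It assumes the Az PowerShell module is installed and Connect-AzAccount has already been run; the subscription ID, resource group, VM name, principal object ID and role name are placeholders.

```powershell
# Added example (not from the original thread). Assumes the Az PowerShell module
# is installed and Connect-AzAccount has been run.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-example"                             # placeholder
$vmName         = "vm-example"                             # placeholder
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder: user or group object ID

$vmScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
           "/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Build a least-privilege custom role scoped to this one VM.
#    Start from the built-in Virtual Machine Contributor as a template, then keep
#    only read/start/stop/restart; no write, delete or network permissions.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id          = $null
$role.Name        = "VM Start-Stop Operator (example)"   # placeholder name
$role.Description = "Can read, start, stop and restart a single virtual machine."
$role.IsCustom    = $true
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($vmScope)
New-AzRoleDefinition -Role $role

# 2. Listing at subscription scope will not show this role, because the
#    subscription is not in its AssignableScopes (the behaviour described above).
#    Query at the VM scope instead and it is returned.
Get-AzRoleDefinition -Custom -Scope $vmScope |
    Select-Object Name, AssignableScopes

# 3. Assign the custom role at VM scope rather than granting Owner on the VM.
New-AzRoleAssignment -ObjectId $principalId `
                     -RoleDefinitionName $role.Name `
                     -Scope $vmScope

# 4. Review what the VM now grants, including assignments inherited from
#    the resource group, subscription or management group above it.
Get-AzRoleAssignment -Scope $vmScope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The role clone pattern (clear the Id, rename, rebuild Actions and AssignableScopes, then New-AzRoleDefinition) is the documented way to author custom roles with Az PowerShell; the same script is a reasonable place to periodically re-run step 4 as a check that nobody has been granted Owner on individual VMs.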