SvenJauffred asked shashishailaj commented

Tag management on Azure

For a client I am attempting to build a tag manager role that allows only changing of tags on resources (add/remove/change from existing subscription tags), without being able to create new tags on the subscription. However, with the permissions set as below, the user is able to create/delete tags on the subscription level, even though the description of the notActions permissions explicitly describes roles that create tags on the subscription level.

Is the issue here that the permissions are hierarchical, with "Microsoft.Resources/tags/write" superseding "Microsoft.Resources/subscriptions/tagNames/write"?

Is it even possible to do what I want to do?

99791-image.png



Thanks in advance,
Sven

azure-rbac

@SvenJauffred, I am trying to find more information on this and will update the thread.


0 Answers