Hello Experts,
When using Azure Redhat OpenShift(ARO), using the IAM blade, it seems impossible to add access control to new users. The end goal is to allow them to confirm the cost of a specific Resource Group in cost Management.
It seems this inability to do so is because said resource group is locked in a read-only state.
https://docs.microsoft.com/en-us/azure/openshift/openshift-faq
Are control plane nodes abstracted away as they are with Azure Kubernetes Service (AKS)?
No. All resources, including the cluster master nodes, run in your customer subscription.
These types of resources are put in a read-only resource group.
According to this “How blueprint locks work” link: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking#how-blueprint-locks-work
An Azure RBAC deny assignments deny action is applied to artifact resources during assignment of a blueprint if the assignment selected the Read Only or Do Not Delete option. The deny action is added by the managed identity of the blueprint assignment and can only be removed from the artifact resources by the same managed identity.
Further down the same document, there are sections pertaining to “Exclude a principal from a deny assignment” and “Exclude an action from a deny assignment”
IF this resource group was made “read-only” by Redhat OpenShift, does that mean there is simply no way to modify this “deny assignment” so that a subscription owner can add new users that have the ability to view the cost of this resource group?
Thank you,
