Microsoft.Authorization roleDefinitions
Bicep resource definition
The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.
Valid deployment scopes for the roleDefinitions resource are:
- Management Group
- Subscription
- Resource Group
For a list of changed properties in each API version, see change log.
Remarks
For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.
Resource format
To create a Microsoft.Authorization/roleDefinitions resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
name: 'string'
scope: resourceSymbolicName
properties: {
assignableScopes: [
'string'
]
description: 'string'
permissions: [
{
actions: [
'string'
]
dataActions: [
'string'
]
notActions: [
'string'
]
notDataActions: [
'string'
]
}
]
roleName: 'string'
type: 'string'
}
}
Property values
roleDefinitions
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 36 Valid characters: Must be a globally unique identifier (GUID). Resource name must be unique across tenant. |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
| properties | Role definition properties. | RoleDefinitionProperties |
RoleDefinitionProperties
| Name | Description | Value |
|---|---|---|
| assignableScopes | Role definition assignable scopes. | string[] |
| description | The role definition description. | string |
| permissions | Role definition permissions. | Permission[] |
| roleName | The role name. | string |
| type | The role type. | string |
Permission
| Name | Description | Value |
|---|---|---|
| actions | Allowed actions. | string[] |
| dataActions | Allowed Data actions. | string[] |
| notActions | Denied actions. | string[] |
| notDataActions | Denied Data actions. | string[] |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
IBM Cloud Pak for Data on Azure |
This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. |
| Deploy a Storage Account for SAP ILM Store |
The Microsoft Azure Storage Account can now be used as a ILM Store to persist the Archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage media using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal . |
| Azure Image Builder with Azure Windows Baseline. |
Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied. |
| Create a new role def via a subscription level deployment |
This template is a subscription level template that will create a role definition at subscription scope. |
ARM template resource definition
The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.
Valid deployment scopes for the roleDefinitions resource are:
- Management Group
- Subscription
- Resource Group
For a list of changed properties in each API version, see change log.
Remarks
For guidance on creating role assignments and definitions, see Create Azure RBAC resources by using Bicep.
Resource format
To create a Microsoft.Authorization/roleDefinitions resource, add the following JSON to your template.
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "string",
"scope": "string",
"properties": {
"assignableScopes": [ "string" ],
"description": "string",
"permissions": [
{
"actions": [ "string" ],
"dataActions": [ "string" ],
"notActions": [ "string" ],
"notDataActions": [ "string" ]
}
],
"roleName": "string",
"type": "string"
}
}
Property values
roleDefinitions
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Authorization/roleDefinitions' |
| apiVersion | The resource api version | '2022-04-01' |
| name | The resource name | string (required) Character limit: 36 Valid characters: Must be a globally unique identifier (GUID). Resource name must be unique across tenant. |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For JSON, set the value to the full name of the resource to apply the extension resource to. |
| properties | Role definition properties. | RoleDefinitionProperties |
RoleDefinitionProperties
| Name | Description | Value |
|---|---|---|
| assignableScopes | Role definition assignable scopes. | string[] |
| description | The role definition description. | string |
| permissions | Role definition permissions. | Permission[] |
| roleName | The role name. | string |
| type | The role type. | string |
Permission
| Name | Description | Value |
|---|---|---|
| actions | Allowed actions. | string[] |
| dataActions | Allowed Data actions. | string[] |
| notActions | Denied actions. | string[] |
| notDataActions | Denied Data actions. | string[] |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| IBM Cloud Pak for Data on Azure |
This template deploys an Openshift cluster on Azure with all the required resources, infrastructure and then deploys IBM Cloud Pak for Data along with the add-ons that user chooses. |
| Deploy a Storage Account for SAP ILM Store |
The Microsoft Azure Storage Account can now be used as a ILM Store to persist the Archive files and attachments from an SAP ILM system. An ILM Store is a component which fulfills the requirements of SAP ILM compliant storage systems. One can store archive files in a storage media using WebDAV interface standards while making use of SAP ILM Retention Management rules. For more information about SAP ILM Store, refer to the SAP Help Portal . |
| Azure Image Builder with Azure Windows Baseline. |
Creates an Azure Image Builder environment and builds a Windows Server image with the latest Windows Updates and Azure Windows Baseline applied. |
| Create a new role def via a subscription level deployment |
This template is a subscription level template that will create a role definition at subscription scope. |
Terraform (AzAPI provider) resource definition
The roleDefinitions resource type is an extension resource, which means you can apply it to another resource.
Use the parent_id property on this resource to set the scope for this resource.
Valid deployment scopes for the roleDefinitions resource are:
- Management Group
- Subscription
- Resource Group
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Authorization/roleDefinitions resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Authorization/roleDefinitions@2022-04-01"
name = "string"
parent_id = "string"
body = jsonencode({
properties = {
assignableScopes = [
"string"
]
description = "string"
permissions = [
{
actions = [
"string"
]
dataActions = [
"string"
]
notActions = [
"string"
]
notDataActions = [
"string"
]
}
]
roleName = "string"
type = "string"
}
})
}
Property values
roleDefinitions
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Authorization/roleDefinitions@2022-04-01" |
| name | The resource name | string (required) Character limit: 36 Valid characters: Must be a globally unique identifier (GUID). Resource name must be unique across tenant. |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Role definition properties. | RoleDefinitionProperties |
RoleDefinitionProperties
| Name | Description | Value |
|---|---|---|
| assignableScopes | Role definition assignable scopes. | string[] |
| description | The role definition description. | string |
| permissions | Role definition permissions. | Permission[] |
| roleName | The role name. | string |
| type | The role type. | string |
Permission
| Name | Description | Value |
|---|---|---|
| actions | Allowed actions. | string[] |
| dataActions | Allowed Data actions. | string[] |
| notActions | Denied actions. | string[] |
| notDataActions | Denied Data actions. | string[] |