
[Authorization] Bugs in Role Assignments & Definitions #1785


tombuildsstuff commented Oct 3, 2017 (edited by azuresdkci)

👋

I'm using the Azure SDK for Go to try and manage both Role Definitions and Role Assignments. Please note: in the examples below I've sanitised the outputs of our user IDs.

When attempting to retrieve the Role Definition like so:

The following HTTP response is returned:

Figuring this was an error with the Swagger - I checked:

and then updated the "name" to include the Subscription ID as listed in the documentation:

Which then produced the request:

Finally, figuring this was an error with the API version - I updated the API version to match an ARM Template in the QuickStart Repository which used the version - which gave the response:

which led me to believe there's an issue with both services.

As such - I believe there are issues with both the APIs and the Swagger Definitions for both Role Assignments and Role Definitions. In addition, the documentation needs to be updated as it's currently incorrect.

Would it be possible to confirm if this hypothesis is correct and then update the Swagger to correctly represent both APIs? :)

Thanks!


perseusCode commented Oct 5, 2017

Thanks Tom,
Actually there is no issue with either swagger or the API. If you'll notice the docs do ask to be provided the fully qualified definition id.

The fully qualified definition id may look like
/providers/Microsoft.Authorization/roledefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635
OR
/subscriptions/6736e70b-24fc-4c07-95ad-f65a86d21f00/providers/Microsoft.Authorization/roledefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Where (6736e70b-24fc-4c07-95ad-f65a86d21f00) is a valid Azure subscription.

Depending upon if you are doing the operation at tenant level or subscription level.

I do agree that documentation could have given an example about what the fully qualified id may look like :(.
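To make the two ID shapes in the comment above concrete, here is an added Python example (not code from this thread or from the Azure SDK for Go) that builds a fully qualified role definition ID in either the tenant-level or the subscription-level form and parses one back, rejecting the bare GUID that the original report passed as the name. The GUIDs are the ones quoted in the comment above; the function names are this example's own.

```python
import re
import uuid
from typing import Optional, Tuple

# Values taken from the comment above: a role definition GUID and a subscription ID.
ROLE_GUID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
SUBSCRIPTION_ID = "6736e70b-24fc-4c07-95ad-f65a86d21f00"

_PROVIDER_SEGMENT = "/providers/Microsoft.Authorization/roleDefinitions/"

# Accepts either the tenant-level or the subscription-level form. Provider namespace and
# type are matched case-insensitively, which is how the thread's own examples spell them.
_FQ_ID_RE = re.compile(
    r"^(?:/subscriptions/(?P<sub>[0-9a-f-]{36}))?"
    r"/providers/Microsoft\.Authorization/roleDefinitions/(?P<role>[0-9a-f-]{36})$",
    re.IGNORECASE,
)


def _require_guid(value: str, what: str) -> str:
    """Reject anything that is not a well-formed GUID before it is put into a URL path."""
    try:
        return str(uuid.UUID(value))  # normalises to lower-case hyphenated form
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{what} must be a GUID, got {value!r}")


def role_definition_id(role_guid: str, subscription_id: Optional[str] = None) -> str:
    """Build the fully qualified role definition ID the API expects.

    Without a subscription the ID is tenant-level; with one it is subscription-level,
    which is the distinction drawn in the comment above.
    """
    role = _require_guid(role_guid, "role definition")
    if subscription_id is None:
        return f"{_PROVIDER_SEGMENT}{role}"
    sub = _require_guid(subscription_id, "subscription")
    return f"/subscriptions/{sub}{_PROVIDER_SEGMENT}{role}"


def parse_role_definition_id(fq_id: str) -> Tuple[Optional[str], str]:
    """Split a fully qualified ID into (subscription_id or None, role GUID).

    A bare GUID, which is what the original report passed as the name, is rejected here
    with an explicit message instead of turning into a confusing HTTP error later.
    """
    m = _FQ_ID_RE.match(fq_id)
    if m is None:
        raise ValueError(
            "not a fully qualified role definition ID; expected "
            "'/providers/Microsoft.Authorization/roleDefinitions/{guid}' or "
            "'/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{guid}'"
        )
    sub = m.group("sub")
    return (sub.lower() if sub else None, m.group("role").lower())


if __name__ == "__main__":
    print(role_definition_id(ROLE_GUID))
    print(role_definition_id(ROLE_GUID, SUBSCRIPTION_ID))
    print(parse_role_definition_id(role_definition_id(ROLE_GUID, SUBSCRIPTION_ID)))
```

Feeding the result of role_definition_id straight into the SDK or REST call avoids the situation in the original report, where a bare GUID was accepted by the client but not by the service.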


cloudbooster commented Oct 6, 2017

are you unblocked at this point ?

tombuildsstuff commented Oct 10, 2017

@harijayms sorry for the delayed response - I've just double checked the first example with Role Assignments and this looks good - I'll take a proper look tomorrow to validate Role Definitions too (and then close this issue when I've confirmed); but I think this looks good!

Thanks!

tombuildsstuff commented Oct 13, 2017

thanks for confirming the IDs - this worked for us. Closing.


Azure Role Assignment

Add the following attributes to your schema using the Create New Schema IdentityNow REST API.

Note: For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

  • Display name.
  • Azure Role Assignment ID.
  • Display name of the resource on which the role can be assigned.
  • Display name of the role which can be assigned on the resource.

Example schema:

The following is the corresponding sample entry of this entitlement in the account schema (if needed):

© SailPoint Technologies, Inc. All Rights Reserved.


Role Assignments - List For Scope

List all role assignments that apply to a scope.

URI Parameters

  • scope (path, required, string): The scope of the operation or resource. Valid scopes are: subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}'), or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}').
  • api-version (query, required, string): The API version to use for this operation.
  • $filter (query, optional, string): The filter to apply on the operation. Use $filter=atScope() to return all role assignments at or above the scope. Use $filter=principalId eq {id} to return all role assignments at, above or below the scope for the specified principal.
  • $skipToken (query, optional, string): The skipToken to apply on the operation. Use $skipToken={skiptoken} to return paged role assignments following the skipToken passed. Only supported on provider level calls.
  • tenantId (query, optional, string): Tenant ID for cross-tenant request.

Responses

  • 200 OK (Role Assignment List Result): Returns an array of role assignments.
  • Other Status Codes (Error Response): Error response describing why the operation failed.

Permissions

To call this API, you must be assigned a role that has the following permissions. For more information, see Azure built-in roles.

Microsoft.Authorization/roleAssignments/read

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes:
  • user_impersonation: impersonate your user account

List role assignments for scope

Sample request


Sample response
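Since the sample request and response did not survive on this page, the following added Python example (not Microsoft's sample code) shows how the documented parameters fit together: it validates the scope against the three formats listed under URI Parameters, assembles the request URL with api-version, $filter, $skipToken and tenantId, and pages through results by following nextLink. The ARM endpoint https://management.azure.com and the api-version 2022-04-01 are assumptions not stated on this page; the response pages are constructed sample data served by an injected fetch function so the code runs offline, and an authenticated HTTP GET would replace constructed_fetch in practice.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions: neither the ARM endpoint nor an api-version value appears on this page.
ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2022-04-01"  # assumed; use the version your tooling targets

AT_SCOPE_FILTER = "atScope()"  # $filter value documented above

_GUID = r"[0-9a-fA-F-]{36}"
# The three scope formats listed under "URI Parameters" above.
_SCOPE_PATTERNS = (
    ("subscription", re.compile(rf"^/subscriptions/{_GUID}$")),
    ("resourceGroup", re.compile(rf"^/subscriptions/{_GUID}/resourceGroups/[^/]+$")),
    ("resource", re.compile(
        rf"^/subscriptions/{_GUID}/resourceGroups/[^/]+/providers/[^/]+/(?:[^/]+/)*[^/]+/[^/]+$")),
)


def classify_scope(scope: str) -> str:
    """Name the documented scope format a string matches, or raise ValueError."""
    for name, pattern in _SCOPE_PATTERNS:
        if pattern.match(scope):
            return name
    raise ValueError(f"{scope!r} is not a subscription, resource group or resource scope")


def principal_filter(principal_id: str) -> str:
    """$filter value selecting one principal; the object ID is an OData string literal."""
    if "'" in principal_id:
        raise ValueError("principal ID must not contain quotes")
    return f"principalId eq '{principal_id}'"


def list_for_scope_url(scope: str, odata_filter: Optional[str] = None,
                       skip_token: Optional[str] = None,
                       tenant_id: Optional[str] = None) -> str:
    """Assemble the List For Scope URL from the parameters documented above."""
    classify_scope(scope)  # fail locally on a malformed scope rather than on a 4xx
    params: Dict[str, str] = {"api-version": API_VERSION}
    if odata_filter:
        params["$filter"] = odata_filter
    if skip_token:
        params["$skipToken"] = skip_token
    if tenant_id:
        params["tenantId"] = tenant_id
    return (f"{ARM_ENDPOINT}{scope}/providers/Microsoft.Authorization/roleAssignments"
            f"?{urlencode(params)}")


def iter_role_assignments(scope: str, fetch: Callable[[str], dict],
                          **kwargs) -> Iterator[dict]:
    """Yield every role assignment for the scope, following nextLink until it is absent.

    `fetch` performs the authenticated GET and returns the decoded JSON body; injecting it
    keeps the paging logic testable offline. A nextLink that is a full URL is followed as
    is; anything else is treated as a bare $skipToken, matching its description above.
    """
    url = list_for_scope_url(scope, **kwargs)
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError("nextLink cycle detected; refusing to loop")
        seen.add(url)
        body = fetch(url)
        yield from body.get("value", [])
        nxt = body.get("nextLink")
        if not nxt:
            break
        if nxt.startswith("https://"):
            url = nxt
        else:
            kwargs["skip_token"] = nxt
            url = list_for_scope_url(scope, **kwargs)


# Constructed sample data (not a real tenant): two pages of role assignments.
SAMPLE_SCOPE = "/subscriptions/6736e70b-24fc-4c07-95ad-f65a86d21f00"
_PAGES = (
    [{"name": "11111111-1111-1111-1111-111111111111",
      "properties": {"principalType": "User", "scope": SAMPLE_SCOPE}},
     {"name": "22222222-2222-2222-2222-222222222222",
      "properties": {"principalType": "ServicePrincipal", "scope": SAMPLE_SCOPE}}],
    [{"name": "33333333-3333-3333-3333-333333333333",
      "properties": {"principalType": "Group", "scope": SAMPLE_SCOPE + "/resourceGroups/rg1"}}],
)


def constructed_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET that serves the constructed pages."""
    if "$skipToken" not in parse_qs(urlparse(url).query):
        return {"value": _PAGES[0], "nextLink": url + "&$skipToken=page2"}
    return {"value": _PAGES[1]}


def collect_role_assignments(scope: str, fetch: Callable[[str], dict] = constructed_fetch,
                             **kwargs) -> List[dict]:
    """Eagerly collect every page into one list."""
    return list(iter_role_assignments(scope, fetch, **kwargs))
```

The cycle check matters because a paging loop that trusts nextLink unconditionally will spin forever against a server (or a proxy) that keeps returning the same link; the scope check matters because a malformed scope otherwise surfaces only as a generic error response.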

Definitions

  • Error Additional Info: The resource management error additional info.
  • Error Detail: The error detail.
  • Error Response: Error response.
  • Principal Type: The principal type of the assigned principal ID.
  • Role Assignment: Role Assignments.
  • Role Assignment List Result: Role assignment list operation result.

Error Additional Info

The resource management error additional info.

  • info (object): The additional info.
  • type (string): The additional info type.

Error Detail

The error detail.

  • additionalInfo (Error Additional Info[]): The error additional info.
  • code (string): The error code.
  • details (Error Detail[]): The error details.
  • message (string): The error message.
  • target (string): The error target.

Error Response

Error response

  • error (Error Detail): The error object.
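Error Detail nests further Error Detail objects under details, so a client has to walk the tree rather than read only the top-level message. The following added Python example (not from the reference page) parses an Error Response body into flat rows and, for an AuthorizationFailed error, extracts the action and scope named in the message, which is the situation the Stack Overflow question further down hit when its token lacked Microsoft.Authorization/roleAssignments/write. The sample bodies are constructed; the message wording follows the form ARM uses for AuthorizationFailed, but the client, object ID and codes in it are placeholders.

```python
import json
import re
from typing import Dict, Iterator, List, Optional

# Constructed ErrorResponse bodies shaped per the Error Response / Error Detail /
# Error Additional Info definitions above. Client, object ID and scope are placeholders.
SAMPLE_AUTH_FAILED_BODY = json.dumps({
    "error": {
        "code": "AuthorizationFailed",
        "message": (
            "The client 'user@example.test' with object id "
            "'00000000-0000-0000-0000-000000000001' does not have authorization to "
            "perform action 'Microsoft.Authorization/roleAssignments/write' over scope "
            "'/subscriptions/6736e70b-24fc-4c07-95ad-f65a86d21f00' or the scope is invalid. "
            "If access was recently granted, please refresh your credentials."
        ),
        "target": None,
        "details": [],
        "additionalInfo": [{"type": "ConstructedInfo", "info": {"note": "constructed"}}],
    }
})

SAMPLE_NESTED_BODY = json.dumps({
    "error": {
        "code": "ConstructedTop",
        "message": "constructed outer message",
        "details": [
            {"code": "ConstructedMiddle", "message": "constructed middle message",
             "details": [{"code": "ConstructedInner", "message": "constructed inner message",
                          "target": "properties.roleDefinitionId"}]},
        ],
    }
})

_ACTION_RE = re.compile(r"perform action '([^']+)' over scope '([^']*)'")


def walk_error_details(detail: dict) -> Iterator[dict]:
    """Depth-first walk over an Error Detail and everything nested under its details list."""
    yield detail
    for child in detail.get("details") or []:
        yield from walk_error_details(child)


def parse_error_response(body: str) -> List[Dict[str, Optional[str]]]:
    """Flatten an Error Response body into (code, message, target) rows, outermost first."""
    doc = json.loads(body)
    error = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(error, dict):
        raise ValueError("body is not an ErrorResponse: missing 'error' object")
    return [
        {"code": d.get("code"), "message": d.get("message"), "target": d.get("target")}
        for d in walk_error_details(error)
    ]


def missing_permission(body: str) -> Optional[Dict[str, str]]:
    """For an AuthorizationFailed response, return the action and scope named in the message.

    Any other code yields None, so a caller can separate "the caller lacks a role that
    grants this action" from validation or transport failures.
    """
    top = parse_error_response(body)[0]
    if top["code"] != "AuthorizationFailed":
        return None
    m = _ACTION_RE.search(top["message"] or "")
    if m is None:
        return {"action": "", "scope": ""}
    return {"action": m.group(1), "scope": m.group(2)}
```

Logging the flattened rows rather than only the outer message keeps the innermost target (here a property name) visible, which is usually where a deployment or assignment error actually points.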

Principal Type

The principal type of the assigned principal ID.

  • Device (string)
  • ForeignGroup (string)
  • Group (string)
  • ServicePrincipal (string)
  • User (string)

Role Assignment

Role Assignments

  • id (string): The role assignment ID.
  • name (string): The role assignment name.
  • properties.condition (string): The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'
  • properties.conditionVersion (string): Version of the condition. Currently the only accepted value is '2.0'.
  • properties.createdBy (string): Id of the user who created the assignment.
  • properties.createdOn (string): Time it was created.
  • properties.delegatedManagedIdentityResourceId (string): Id of the delegated managed identity resource.
  • properties.description (string): Description of role assignment.
  • properties.principalId (string): The principal ID.
  • properties.principalType (Principal Type, default value: User): The principal type of the assigned principal ID.
  • properties.roleDefinitionId (string): The role definition ID.
  • properties.scope (string): The role assignment scope.
  • properties.updatedBy (string): Id of the user who updated the assignment.
  • properties.updatedOn (string): Time it was updated.
  • type (string): The role assignment type.
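A defender reading the Role Assignment fields above usually wants to know which assignments grant the broadest rights. The following added Python example (not part of the reference page) flattens a Role Assignment into the facts an access review needs and flags assignments of Owner or User Access Administrator at subscription scope or wider that carry no condition, checking along the way that any condition present uses conditionVersion '2.0' as the table requires. The Owner GUID is the role definition quoted in the GitHub issue above; the User Access Administrator GUID is that built-in role's well-known ID; the assignments in SAMPLE_ASSIGNMENTS are constructed, including a placeholder GUID standing in for a non-privileged role.

```python
from typing import Dict, Iterable, List

# Built-in role definition GUIDs that grant Microsoft.Authorization/roleAssignments/write.
# The first is the GUID quoted in the GitHub issue above (Owner); the second is
# User Access Administrator.
PRIVILEGED_ROLE_GUIDS: Dict[str, str] = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# Scope levels at which a privileged assignment is broad enough to warrant review.
BROAD_LEVELS = {"tenant", "managementGroup", "subscription"}


def role_guid(role_definition_id: str) -> str:
    """Last path segment of properties.roleDefinitionId, lower-cased for comparison."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def scope_level(scope: str) -> str:
    """Classify properties.scope by breadth, from the tenant root down to one resource."""
    s = scope.rstrip("/").lower()
    if s == "":
        return "tenant"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    parts = s.strip("/").split("/")
    if parts[0] != "subscriptions":
        return "other"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def review_assignment(ra: dict) -> Dict[str, object]:
    """Flatten one Role Assignment (fields as in the table above) into review facts."""
    p = ra.get("properties", {})
    guid = role_guid(p.get("roleDefinitionId", ""))
    condition = p.get("condition")
    return {
        "name": ra.get("name"),
        "roleGuid": guid,
        "roleName": PRIVILEGED_ROLE_GUIDS.get(guid),      # None for any other role
        "principalId": p.get("principalId"),
        "principalType": p.get("principalType", "User"),  # documented default value
        "scopeLevel": scope_level(p.get("scope", "")),
        "conditional": bool(condition),
        # The table says '2.0' is currently the only accepted conditionVersion.
        "conditionVersionOk": (p.get("conditionVersion") == "2.0") if condition else None,
    }


def find_broad_privileged(assignments: Iterable[dict]) -> List[Dict[str, object]]:
    """Privileged assignments at subscription scope or wider with no condition attached."""
    flagged = []
    for ra in assignments:
        facts = review_assignment(ra)
        if facts["roleName"] and facts["scopeLevel"] in BROAD_LEVELS and not facts["conditional"]:
            flagged.append(facts)
    return flagged


# Constructed sample assignments (not real tenant data); names and principal IDs are placeholders.
SUB = "/subscriptions/6736e70b-24fc-4c07-95ad-f65a86d21f00"
ROLE_DEFS = "/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_ASSIGNMENTS = [
    {"name": "a1", "properties": {  # Owner at subscription scope, unconditional: flagged
        "roleDefinitionId": SUB + ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalId": "p-user", "principalType": "User", "scope": SUB}},
    {"name": "a2", "properties": {  # User Access Administrator, but only on one resource group
        "roleDefinitionId": ROLE_DEFS + "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
        "principalId": "p-spn", "principalType": "ServicePrincipal",
        "scope": SUB + "/resourceGroups/rg1"}},
    {"name": "a3", "properties": {  # Owner at subscription scope, with a condition attached
        "roleDefinitionId": SUB + ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "principalId": "p-grp", "principalType": "Group", "scope": SUB,
        "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:"
                     "ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
        "conditionVersion": "2.0"}},
    {"name": "a4", "properties": {  # placeholder GUID standing in for a non-privileged role
        "roleDefinitionId": SUB + ROLE_DEFS + "00000000-0000-0000-0000-000000000001",
        "principalId": "p-grp", "principalType": "ForeignGroup", "scope": SUB}},
]
```

Run over the output of a List For Scope call, find_broad_privileged gives the short list of assignments that can in turn create further assignments, which is where an access review should start.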

Role Assignment List Result

Role assignment list operation result.

  • nextLink (string): The skipToken to use for getting the next set of results.
  • value (Role Assignment[]): Role assignment list.


Why doesn't Azure REST API to assign user role to a subscription work?

I am trying to add a user role to a subscription in Azure using the REST API following this documentation.

  • I got a bearer token with my login and passed it as a header Authorization parameter.
  • Gave all the values as described in the doc
  • PFA REST API call I performed.

API response says below:

Please let me know if anyone has successfully used this API and performed operations. Also, is there any Azure .NET API for this operation?

  • azure-resource-manager
  • azure-rest-api


  • Seems the token you obtained has no permission to perform this action. May I know how you got this token? –  Stanley Gong Commented Feb 16, 2021 at 7:25
  • @StanleyGong When I log in to an Azure web app using my credentials I get an access token in the network calls in the response. I copy-pasted it into Postman for the Authorization parameter. –  Pruthvi Ustepalle Commented Feb 16, 2021 at 16:12
  • I see, if so, it means you have no permission to assign roles to your subscription. Pls ask your subscription admin to assign an Azure subscription role, i.e. Contributor, to you. –  Stanley Gong Commented Feb 17, 2021 at 1:29
  • I have UAA permissions to the subscription –  Pruthvi Ustepalle Commented Feb 18, 2021 at 6:49
  • Click Try it in this link, log in to your account and call the API directly. –  Joy Wang Commented Feb 18, 2021 at 7:13

The error means your user account does not have the permission to create the role assignment, specifically Microsoft.Authorization/roleAssignments/write.

To solve the issue, you need to ask the admin who is the Owner or User Access Administrator (or has a custom RBAC role with the Microsoft.Authorization/roleAssignments/write permission) of your subscription to assign the Owner or User Access Administrator role, or a custom role with the permission above, to you at the subscription scope first; follow this link. Then get a new token, and you will be able to assign the role to others the same way the admin assigned the role to you, i.e. create a role assignment.

If you want to get the access token via your user credentials, you could use the auth code flow; please follow the steps below.

1. In your App registration, add the user_impersonation Delegated permission of the Azure Service Management API.

2. Hit the URL below in the browser, changing the tenant-id, client-id and redirect_uri to yours, and log in with your user account.

Then you will get a code like below; copy it.

Don't forget to remove the state and session_state.

3. In Postman, use the query below, then you can get the token.
