AzRoleAdvertizer

last sync: 2025-Apr-29 17:15:48 UTC

Service Group Administrator

Azure BuiltIn RBAC Role definition

Name

Service Group Administrator

4e50c84c-c78e-4e37-b47e-e60ffea0a775

Description

Role Definition for administrator of a Service Group

Category

None

CreatedOn

2024-10-17 18:32:17 UTC

UpdatedOn

2025-03-27 18:54:03 UTC

Assignable scopes

/providers/Microsoft.Management/serviceGroups

Permissions summary

Effective control plane and data plane operations: 16488 (unique operations)
•action: 3718
•delete: 2537
•read: 7096
•write: 3137

Actions: 3
Resolved control plane operations from Actions: 16490
Effective control plane operations: 16488
•action: 3718
•delete: 2537
•read: 7096
•write: 3137

NotActions: 2
Resolved control plane operations from NotActions: 2
Effective denied control plane operations: 2

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3371

Actions

Operation	Description
*	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.

NotActions

Operation	Description
Microsoft.Authorization/roleAssignments/delete	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write	Create a role assignment at the specified scope.

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2024-10-18 17:51:46	add: Role	4e50c84c-c78e-4e37-b47e-e60ffea0a775

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            4e50c84c-c78e-4e37-b47e-e60ffea0a775 (Service Group Administrator),
            32e6a4ec-6095-4e37-b54b-12aa350ba81f (Service Group Contributor),
            de754d53-652d-4c75-a67f-1e48d8b49c97 (Service Group Reader)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            4e50c84c-c78e-4e37-b47e-e60ffea0a775 (Service Group Administrator),
            32e6a4ec-6095-4e37-b54b-12aa350ba81f (Service Group Contributor),
            de754d53-652d-4c75-a67f-1e48d8b49c97 (Service Group Reader)
            }
        )
    )