
Azure Sphere Owner

Azure BuiltIn RBAC Role definition

Name: Azure Sphere Owner
Id: 5a382001-fe36-41ff-bba4-8bf06bd54da9
Description: Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments.
Category: None
CreatedOn: 2024-02-01 23:40:30 UTC
UpdatedOn: 2024-03-12 15:09:00 UTC
Permissions summary
Effective control plane and data plane operations: 103 (unique operations)
•action: 25
•delete: 10
•read: 56
•write: 12

Actions: 15
Resolved control plane operations from Actions: 103
Effective control plane operations: 103
•action: 25
•delete: 10
•read: 56
•write: 12

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16775

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3579
Actions
Operation — Description
Microsoft.Authorization/*/read — wildcarded / no description
Microsoft.Authorization/*/read — wildcarded / no description
Microsoft.Authorization/roleAssignments/delete — Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write — Create a role assignment at the specified scope.
Microsoft.AzureSphere/* — wildcarded / no description
Microsoft.Insights/alertRules/* — wildcarded / no description
Microsoft.Insights/DiagnosticSettings/* — wildcarded / no description
Microsoft.Insights/DiagnosticSettingsCategories/Read — Read diagnostic settings categories
Microsoft.Management/managementGroups/read — List management groups for the authenticated user.
Microsoft.Resources/deployments/* — wildcarded / no description
Microsoft.Resources/deployments/* — wildcarded / no description
Microsoft.Resources/subscriptions/read — Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read — Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/read — Gets or lists resource groups.
Microsoft.Support/* — wildcarded / no description
NotActions n/a
DataActions n/a
NotDataActions n/a
Used in
BuiltIn Policy
none
History
Date/Time (UTC ymd) — Change — Change detail
2024-03-13 20:05:30 change: Actions Actions: 'add Microsoft.Insights/DiagnosticSettings/*; add Microsoft.Insights/DiagnosticSettingsCategories/Read'
2024-02-05 19:34:05 add: Role 5a382001-fe36-41ff-bba4-8bf06bd54da9
JSON
api-version=2023-07-01-preview
{9 items
  • roleName: "Azure Sphere Owner",
  • type: "BuiltInRole",
  • description: "Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments.",
  • assignableScopes: [1 item
    • "/"
    ],
  • permissions: [3 items
    • {4 items
      • actions: [13 items
        • "Microsoft.AzureSphere/*",
        • "Microsoft.Authorization/*/read",
        • "Microsoft.Resources/deployments/*",
        • "Microsoft.Resources/subscriptions/resourceGroups/read",
        • "Microsoft.Insights/alertRules/*",
        • "Microsoft.Authorization/*/read",
        • "Microsoft.Resources/subscriptions/resourceGroups/read",
        • "Microsoft.Resources/subscriptions/read",
        • "Microsoft.Management/managementGroups/read",
        • "Microsoft.Resources/deployments/*",
        • "Microsoft.Support/*",
        • "Microsoft.Insights/DiagnosticSettings/*",
        • "Microsoft.Insights/DiagnosticSettingsCategories/Read"
        ],
      • notActions: [],
      • dataActions: [],
      • notDataActions: []
      },
    • {6 items
      • actions: [1 item
        • "Microsoft.Authorization/roleAssignments/write"
        ],
      • notActions: [],
      • dataActions: [],
      • notDataActions: [],
      • conditionVersion: "2.0",
      • condition: "@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{8b9dfcab4b774632a6df94bd07820648,c8ae62795a0b4cb2b3f0d4d62845742c,6d994134994b4a599974f479f0b227fb,5a382001fe3641ffbba48bf06bd54da9,749f88d5cbae40b8bcfce573ddc772fa,43d0d8ad25c7471493378ba259a9fe05}"
      },
    • {6 items
      • actions: [1 item
        • "Microsoft.Authorization/roleAssignments/delete"
        ],
      • notActions: [],
      • dataActions: [],
      • notDataActions: [],
      • conditionVersion: "2.0",
      • condition: "@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{8b9dfcab4b774632a6df94bd07820648,c8ae62795a0b4cb2b3f0d4d62845742c,6d994134994b4a599974f479f0b227fb,5a382001fe3641ffbba48bf06bd54da9,749f88d5cbae40b8bcfce573ddc772fa,43d0d8ad25c7471493378ba259a9fe05}"
      }
    ],
  • createdOn: "2024-02-01T23:40:30.7387663Z",
  • updatedOn: "2024-03-12T15:09:00.907512Z",
  • createdBy: null,
  • updatedBy: null
}
Condition (ABAC, conditionVersion 2.0). The first block gates Microsoft.Authorization/roleAssignments/write and is evaluated against the incoming request; the second gates Microsoft.Authorization/roleAssignments/delete and is evaluated against the existing assignment. Both permit the action only when the assignment's RoleDefinitionId is one of the listed role GUIDs; the list includes Azure Sphere Owner itself, so holders of this role can assign it to other principals.
     @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
    8b9dfcab-4b77-4632-a6df-94bd07820648 (Azure Sphere Contributor),
    c8ae6279-5a0b-4cb2-b3f0-d4d62845742c (Azure Sphere Reader),
    6d994134-994b-4a59-9974-f479f0b227fb (Azure Sphere Publisher),
    5a382001-fe36-41ff-bba4-8bf06bd54da9 (Azure Sphere Owner),
    749f88d5-cbae-40b8-bcfc-e573ddc772fa (Monitoring Contributor),
    43d0d8ad-25c7-4714-9337-8ba259a9fe05 (Monitoring Reader)
    }
     @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
    8b9dfcab-4b77-4632-a6df-94bd07820648 (Azure Sphere Contributor),
    c8ae6279-5a0b-4cb2-b3f0-d4d62845742c (Azure Sphere Reader),
    6d994134-994b-4a59-9974-f479f0b227fb (Azure Sphere Publisher),
    5a382001-fe36-41ff-bba4-8bf06bd54da9 (Azure Sphere Owner),
    749f88d5-cbae-40b8-bcfc-e573ddc772fa (Monitoring Contributor),
    43d0d8ad-25c7-4714-9337-8ba259a9fe05 (Monitoring Reader)
    }