last sync: 2024-Dec-05 18:53:40 UTC

Azure Stack HCI Administrator

Azure BuiltIn RBAC Role definition

NameAzure Stack HCI Administrator
Idbda0d508-adf1-4af0-9c28-88919fc3ae06
DescriptionGrants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader
CreatedOn2023-02-03 05:08:48 UTC
UpdatedOn2024-08-08 05:12:21 UTC
History
Date/Time (UTC ymd) (i) Change Change detail
2024-08-08 18:19:52 change: Actions Actions: 'add Microsoft.AzureStackHCI/NetworkSecurityGroups/Read; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read; add Microsoft.AzureStackHCI/NetworkSecurityGroups/Write; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write; add Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete; add Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action'
2023-11-28 19:20:58 change: Actions Actions: 'add Microsoft.ResourceConnector/appliances/listKeys/action; add Microsoft.AzureStackHCI/StorageContainers/Write; add Microsoft.AzureStackHCI/StorageContainers/Read'
2023-11-10 19:40:28 change: DisplayName, Description, Actions New DisplayName: 'Azure Stack HCI Administrator'
Old DisplayName: 'Azure Stack HCI registration role',
New Description: 'Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader'
Old Description: 'Custom Azure role to allow subscription-level access to register Azure Stack HCI',
Actions: 'add Microsoft.GuestConfiguration/guestConfigurationAssignments/read; add Microsoft.Authorization/roleAssignments/write; add Microsoft.Authorization/roleAssignments/delete; add Microsoft.Authorization/*/read; add Microsoft.Resources/deployments/*; add Microsoft.Resources/subscriptions/read; add Microsoft.Management/managementGroups/read; add Microsoft.Support/*; add Microsoft.AzureStackHCI/*; add Microsoft.Insights/AlertRules/Write; add Microsoft.Insights/AlertRules/Delete; add Microsoft.Insights/AlertRules/Read; add Microsoft.Insights/AlertRules/Activated/Action; add Microsoft.Insights/AlertRules/Resolved/Action; add Microsoft.Insights/AlertRules/Throttled/Action; add Microsoft.Insights/AlertRules/Incidents/Read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/write; add Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read; add Microsoft.ResourceHealth/availabilityStatuses/read; add Microsoft.Resources/subscriptions/read; add Microsoft.Resources/subscriptions/operationresults/read; add Microsoft.HybridCompute/machines/read; add Microsoft.HybridCompute/machines/write; add Microsoft.HybridCompute/machines/delete; add Microsoft.HybridCompute/machines/UpgradeExtensions/action; add Microsoft.HybridCompute/machines/assessPatches/action; add Microsoft.HybridCompute/machines/installPatches/action; add Microsoft.HybridCompute/machines/extensions/read; add Microsoft.HybridCompute/machines/extensions/write; add Microsoft.HybridCompute/machines/extensions/delete; add Microsoft.HybridCompute/operations/read; add Microsoft.HybridCompute/locations/operationresults/read; add Microsoft.HybridCompute/locations/operationstatus/read; add Microsoft.HybridCompute/machines/patchAssessmentResults/read; add Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read; add Microsoft.HybridCompute/machines/patchInstallationResults/read; add Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read; add Microsoft.HybridCompute/locations/updateCenterOperationResults/read; add Microsoft.HybridCompute/machines/hybridIdentityMetadata/read; add Microsoft.HybridCompute/osType/agentVersions/read; add Microsoft.HybridCompute/osType/agentVersions/latest/read; add Microsoft.HybridCompute/machines/runcommands/read; add Microsoft.HybridCompute/machines/runcommands/write; add Microsoft.HybridCompute/machines/runcommands/delete; add Microsoft.HybridCompute/machines/licenseProfiles/read; add Microsoft.HybridCompute/machines/licenseProfiles/write; add Microsoft.HybridCompute/machines/licenseProfiles/delete; add Microsoft.HybridCompute/licenses/read; add Microsoft.HybridCompute/licenses/write; add Microsoft.HybridCompute/licenses/delete; add Microsoft.ResourceConnector/register/action; add Microsoft.ResourceConnector/appliances/read; add Microsoft.ResourceConnector/appliances/write; add Microsoft.ResourceConnector/appliances/delete; add Microsoft.ResourceConnector/locations/operationresults/read; add Microsoft.ResourceConnector/locations/operationsstatus/read; add Microsoft.ResourceConnector/appliances/listClusterUserCredential/action; add Microsoft.ResourceConnector/operations/read; add Microsoft.ExtendedLocation/register/action; add Microsoft.ExtendedLocation/customLocations/read; add Microsoft.ExtendedLocation/customLocations/deploy/action; add Microsoft.ExtendedLocation/customLocations/write; add Microsoft.ExtendedLocation/customLocations/delete; add Microsoft.EdgeMarketplace/offers/read; add Microsoft.EdgeMarketplace/publishers/read; add Microsoft.Kubernetes/register/action; add Microsoft.KubernetesConfiguration/register/action; add Microsoft.KubernetesConfiguration/extensions/write; add Microsoft.KubernetesConfiguration/extensions/read; add Microsoft.KubernetesConfiguration/extensions/delete; add Microsoft.KubernetesConfiguration/extensions/operations/read; add Microsoft.KubernetesConfiguration/namespaces/read; add Microsoft.KubernetesConfiguration/operations/read; add Microsoft.HybridContainerService/register/action'
2023-03-29 17:43:30 change: Actions Actions: 'add Microsoft.Resources/subscriptions/resourceGroups/delete'
2023-03-16 18:42:42 change: Actions Actions: 'add Microsoft.HybridCompute/register/action; add Microsoft.GuestConfiguration/register/action; add Microsoft.Resources/subscriptions/resourceGroups/read; add Microsoft.Resources/subscriptions/resourceGroups/write; add Microsoft.HybridConnectivity/register/action'
2023-02-06 18:40:05 add: Role bda0d508-adf1-4af0-9c28-88919fc3ae06
Permissions summary Effective control plane and data plane operations: 215 (unique operations)
•Action: 50
•delete: 31
•read: 101
•write: 33

Actions: 96
Resolved control plane operations from Actions: 215
Effective control plane operations: 215
•Action: 50
•delete: 31
•read: 101
•write: 33

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15977

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3303
Actions
Operation Description
Microsoft.Authorization/*/readwildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditionedDelete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditionedCreate a role assignment at the specified scope.
Microsoft.AzureStackHCI/*wildcarded / no description
Microsoft.AzureStackHCI/clusters/*wildcarded / no description
Microsoft.AzureStackHCI/NetworkSecurityGroups/DeleteDeletes a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/join/actionJoins network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/ReadGets/Lists a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/DeleteDeletes a security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/ReadGets/Lists security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/WriteCreates/Updates security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/WriteCreates/Updates a network security group resource
Microsoft.AzureStackHCI/register/actionno description given
Microsoft.AzureStackHCI/StorageContainers/ReadGets/Lists storage containers resource
Microsoft.AzureStackHCI/StorageContainers/WriteCreates/Updates storage containers resource
Microsoft.AzureStackHCI/Unregister/Actionno description given
Microsoft.EdgeMarketplace/offers/readGet a Offer
Microsoft.EdgeMarketplace/publishers/readGet a Publisher
Microsoft.ExtendedLocation/customLocations/deleteDeletes Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/actionDeploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/readGets an Custom Location resource
Microsoft.ExtendedLocation/customLocations/writeCreates or Updates Custom Location resource
Microsoft.ExtendedLocation/register/actionRegisters the subscription for Custom Location resource provider and enables the creation of Custom Location.
Microsoft.GuestConfiguration/guestConfigurationAssignments/readGet guest configuration assignment.
Microsoft.GuestConfiguration/register/actionRegisters the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.HybridCompute/licenses/deleteDeletes an Azure Arc licenses
Microsoft.HybridCompute/licenses/readReads any Azure Arc licenses
Microsoft.HybridCompute/licenses/writeInstalls or Updates an Azure Arc licenses
Microsoft.HybridCompute/locations/operationresults/readReads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/operationstatus/readReads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/updateCenterOperationResults/readReads the status of an update center operation on machines
Microsoft.HybridCompute/machines/assessPatches/actionAssesses any Azure Arc machines to get missing software patches
Microsoft.HybridCompute/machines/deleteDeletes an Azure Arc machines
Microsoft.HybridCompute/machines/extensions/deleteDeletes an Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/readReads any Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/writeInstalls or Updates an Azure Arc extensions
Microsoft.HybridCompute/machines/hybridIdentityMetadata/readRead any Azure Arc machines's Hybrid Identity Metadata
Microsoft.HybridCompute/machines/installPatches/actionInstalls patches on any Azure Arc machines
Microsoft.HybridCompute/machines/licenseProfiles/deleteDeletes an Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/readReads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/writeInstalls or Updates an Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/patchAssessmentResults/readReads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/readReads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/readReads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/readReads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/machines/readRead any Azure Arc machines
Microsoft.HybridCompute/machines/runcommands/deleteDeletes an Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/readReads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/writeInstalls or Updates an Azure Arc runcommands
Microsoft.HybridCompute/machines/UpgradeExtensions/actionUpgrades Extensions on Azure Arc machines
Microsoft.HybridCompute/machines/writeWrites an Azure Arc machines
Microsoft.HybridCompute/operations/readRead all Operations for Azure Arc for Servers
Microsoft.HybridCompute/osType/agentVersions/latest/readno description given
Microsoft.HybridCompute/osType/agentVersions/readno description given
Microsoft.HybridCompute/register/actionRegisters the subscription for the Microsoft.HybridCompute Resource Provider
Microsoft.HybridConnectivity/register/actionRegister the subscription for Microsoft.HybridConnectivity
Microsoft.HybridContainerService/register/actionRegister the subscription for Microsoft.HybridContainerService
Microsoft.Insights/AlertRules/Activated/ActionClassic metric alert activated
Microsoft.Insights/AlertRules/DeleteDelete a classic metric alert
Microsoft.Insights/AlertRules/Incidents/ReadRead a classic metric alert incident
Microsoft.Insights/AlertRules/ReadRead a classic metric alert
Microsoft.Insights/AlertRules/Resolved/ActionClassic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/ActionClassic metric alert rule throttled
Microsoft.Insights/AlertRules/WriteCreate or update a classic metric alert
Microsoft.Kubernetes/register/actionRegisters Subscription with Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/extensions/deleteDeletes extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/readGets Async Operation status.
Microsoft.KubernetesConfiguration/extensions/readGets extension instance resource.
Microsoft.KubernetesConfiguration/extensions/writeCreates or updates extension resource.
Microsoft.KubernetesConfiguration/namespaces/readGet Namespace Resource
Microsoft.KubernetesConfiguration/operations/readGets available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/register/actionRegisters subscription to Microsoft.KubernetesConfiguration resource provider.
Microsoft.Management/managementGroups/readList management groups for the authenticated user.
Microsoft.ResourceConnector/appliances/deleteDeletes Appliance resource
Microsoft.ResourceConnector/appliances/listClusterUserCredential/actionGet an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/actionGet an appliance cluster customer user keys
Microsoft.ResourceConnector/appliances/readGets an Appliance resource
Microsoft.ResourceConnector/appliances/writeCreates or Updates Appliance resource
Microsoft.ResourceConnector/locations/operationresults/readGet result of Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/readGet result of Appliance operation
Microsoft.ResourceConnector/operations/readGets list of Available Operations for Appliances
Microsoft.ResourceConnector/register/actionRegisters the subscription for Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceHealth/availabilityStatuses/readGets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*wildcarded / no description
Microsoft.Resources/subscriptions/operationresults/readGet the subscription operation results.
Microsoft.Resources/subscriptions/readGets the list of subscriptions.
Microsoft.Resources/subscriptions/readGets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/deleteDeletes a resource group and all its resources.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/readGets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/readGets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/readGets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/writeCreates or updates an deployment.
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/writeCreates or updates a resource group.
Microsoft.Support/*wildcarded / no description
NotActions n/a
DataActions n/a
NotDataActions n/a
Used in
BuiltIn Policy
none
JSON
api-version=2023-07-01-preview
Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            f5819b54-e033-4d82-ac66-4fec3cbf3f4c (Azure Connected Machine Resource Manager),
            cd570a14-e51a-42ad-bac8-bafd67325302 (Azure Connected Machine Resource Administrator),
            b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 (Azure Connected Machine Onboarding),
            4b3fe76c-f777-4d24-a2d7-b027b0f7b273 (Azure Stack HCI VM Reader),
            874d1c73-6003-4e60-a13a-cb31ea190a85 (Azure Stack HCI VM Contributor),
            865ae368-6a45-4bd1-8fbf-0d5151f56fc1 (Azure Stack HCI Device Management Role),
            7b1f81f9-4196-4058-8aae-762e593270df (Azure Resource Bridge Deployment Role),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User),
            c99c945f-8bd1-4fb1-a903-01460aae6068 (Azure Stack HCI Connected InfraVMs)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            f5819b54-e033-4d82-ac66-4fec3cbf3f4c (Azure Connected Machine Resource Manager),
            cd570a14-e51a-42ad-bac8-bafd67325302 (Azure Connected Machine Resource Administrator),
            b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 (Azure Connected Machine Onboarding),
            4b3fe76c-f777-4d24-a2d7-b027b0f7b273 (Azure Stack HCI VM Reader),
            874d1c73-6003-4e60-a13a-cb31ea190a85 (Azure Stack HCI VM Contributor),
            865ae368-6a45-4bd1-8fbf-0d5151f56fc1 (Azure Stack HCI Device Management Role),
            7b1f81f9-4196-4058-8aae-762e593270df (Azure Resource Bridge Deployment Role),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User),
            c99c945f-8bd1-4fb1-a903-01460aae6068 (Azure Stack HCI Connected InfraVMs)
            }
        )
    )