|
1182 | 1182 | </command:details>
|
1183 | 1183 | <maml:description>
|
1184 | 1184 | <maml:para>
|
1185 |
| - The Get-AzureRmProviderOperation gets the operations exposed by Azure resource providers. Operations can be composed to create custom roles in Azure RBAC. The command takes as input an action string (with possible wildcard(*) character(s)) which determines the action details to display. |
| 1185 | + The Get-AzureRmProviderOperation gets the operations exposed by Azure resource providers. Operations can be composed to create custom roles in Azure RBAC. The command takes as input an operation search string (with possible wildcard(*) character(s)) which determines the operations details to display. |
| 1186 | + </maml:para> |
| 1187 | + <maml:para> |
1186 | 1188 | Use Get-AzureRmProviderOperation * to get all operations for all Azure resource providers.
|
| 1189 | + </maml:para> |
| 1190 | + <maml:para> |
1187 | 1191 | Use Get-AzureRmProviderOperation Microsoft.Compute/* to get all operations of Microsoft.Compute resource provider.
|
1188 | 1192 | </maml:para>
|
1189 | 1193 | </maml:description>
|
|
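Review bot: The added line 1185 reads "which determines the operations details to display"; "operations details" should be "operation details". The same line writes "wildcard(*) character(s)" while the parameter description in this file writes "wildcard (*) characters", so pick one form. The description also never names the parameter that receives the search string; naming OperationSearchString here would tie it to the parameter help.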
1193 | 1197 | <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue)" position="0">
|
1194 | 1198 | <maml:name>OperationSearchString</maml:name>
|
1195 | 1199 | <maml:description>
|
1196 |
| - <maml:para>The action string (with possible wildcard (*) characters)</maml:para> |
| 1200 | + <maml:para>The operation search string (with possible wildcard (*) characters)</maml:para> |
1197 | 1201 | </maml:description>
|
1198 | 1202 | <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
|
1199 | 1203 | </command:parameter>
|
|
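Review bot: The parameter element at new line 1197 still declares globbing="false", while the description added at line 1200 says the value may contain wildcard (*) characters. Get-Help reports "Accept wildcard characters?" from that attribute, so the rendered help will say false next to a description that says wildcards are allowed. Set globbing="true" on this element, or state in the description why it stays false.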
1217 | 1221 | <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue)" position="0">
|
1218 | 1222 | <maml:name>OperationSearchString</maml:name>
|
1219 | 1223 | <maml:description>
|
1220 |
| - <maml:para>The action string (with possible wildcard (*) characters)</maml:para> |
| 1224 | + <maml:para>The operation search string (with possible wildcard (*) characters)</maml:para> |
1221 | 1225 | </maml:description>
|
1222 | 1226 | <command:parameterValue required="true" variableLength="false">String</command:parameterValue>
|
1223 | 1227 | <dev:type>
|
|
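Review bot: The description added at line 1224 is a bare fragment with no example value and no closing period, and it repeats line 1200 word for word. A reader choosing a pattern has to go back to the cmdlet description to find a sample such as Microsoft.Compute/*; add one here and keep the two copies identical. The enclosing element at line 1221 also carries globbing="false", which contradicts the wildcard wording in the same way.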
1250 | 1254 | </dev:type>
|
1251 | 1255 | <dev:defaultValue></dev:defaultValue>
|
1252 | 1256 | </command:parameter>
|
1253 |
| - <command:parameter required="true" variableLength="false" globbing="false" pipelineInput="true (ByValue)" position="0"> |
1254 |
| - <maml:name>ActionString</maml:name> |
1255 |
| - <maml:description> |
1256 |
| - <maml:para>The action string (with possible wildcard (*) characters)</maml:para> |
1257 |
| - </maml:description> |
1258 |
| - <command:parameterValue required="true" variableLength="false">string</command:parameterValue> |
1259 |
| - <dev:type> |
1260 |
| - <maml:name>string</maml:name> |
1261 |
| - <maml:uri/> |
1262 |
| - </dev:type> |
1263 |
| - <dev:defaultValue></dev:defaultValue> |
1264 |
| - </command:parameter> |
1265 | 1257 | <command:parameter required="false" variableLength="false" globbing="false" pipelineInput="false" position="named">
|
1266 | 1258 | <maml:name>Profile</maml:name>
|
1267 | 1259 | <maml:description>
|
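Review bot: Old lines 1253-1264 delete the ActionString parameter entry outright, and nothing in the visible help says it was renamed to OperationSearchString. Both entries use position="0" and the same description, so this reads as a rename, and callers that pass -ActionString by name need to be told. If the cmdlet keeps ActionString as an alias, document it under OperationSearchString; if not, call out the rename as a breaking change in the release notes.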
@@ -6103,23 +6095,32 @@ Resources :
|
6103 | 6095 | </command:details>
|
6104 | 6096 | <maml:description>
|
6105 | 6097 | <maml:para>The New-AzureRmRoleDefinition cmdlet creates a custom role in Azure Role-Based Access Control. Provide a role definition as an input to the command as a JSON file or a PSRoleDefinition object. </maml:para>
|
| 6098 | + <maml:para>The input role definition MUST contain the following properties:</maml:para> |
6106 | 6099 | <maml:para>
|
6107 |
| - The input role definition MUST contain the following properties: |
6108 | 6100 | 1) DisplayName: the name of the custom role
|
| 6101 | + </maml:para> |
| 6102 | + <maml:para> |
6109 | 6103 | 2) Description: a short description of the role that summarizes the access that the role grants.
|
| 6104 | + </maml:para> |
| 6105 | + <maml:para> |
6110 | 6106 | 3) Actions: the set of operations to which the custom role grants access. Use Get-AzureRmProviderOperations to get the operation for Azure resource providers that can be secured using Azure RBAC. Following are some valid operation strings
|
6111 | 6107 | • “*/read” grants access to read operations of all Azure resource providers.
|
6112 | 6108 | • “Microsoft.Network/*/read” grants access to read operations for all resource types in the Microsoft.Network resource provider of Azure.
|
6113 | 6109 | • “Microsoft.Compute/virtualMachines/*” grants access to all operations of virtual machines and its child resource types.
|
| 6110 | + </maml:para> |
| 6111 | + <maml:para> |
6114 | 6112 | 4) AssignableScopes: the set of scopes (Azure subscriptions or resource groups) in which the custom role will be available for assignment. Using AssignableScopes you can make the custom role available for assignment in only the subscriptions or resource groups that need it, and not clutter the user experience for the rest of the subscriptions or resource groups. Following are some valid assignable scopes
|
6115 | 6113 | • “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”, “/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624”: makes the role available for assignment in two subscriptions.
|
6116 | 6114 | • “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”: makes the role available for assignment in a single subscription.
|
6117 | 6115 | • “/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network”: makes the role available for assignment only in the Network resource group.
|
6118 | 6116 | </maml:para>
|
| 6117 | + <maml:para></maml:para> |
6119 | 6118 | <maml:para>
|
6120 | 6119 | The input role definition MAY contain the following properties:
|
6121 | 6120 | </maml:para>
|
6122 |
| - <maml:para>1) NotActions: the set of operations that must be excluded from the Actions to determine the effective actions for the custom role. If there is a specific operation that you do not wish to grant access to in a custom role, it is convenient to use NotActions to exclude it, rather than specifying all operations other than that specific operation in Actions.</maml:para> |
| 6121 | + <maml:para> |
| 6122 | + 1) NotActions: the set of operations that must be excluded from the Actions to determine the effective actions for the custom role. If there is a specific operation that you do not wish to grant access to in a custom role, it is convenient to use NotActions to exclude it, rather than specifying all operations other than that specific operation in Actions. |
| 6123 | + </maml:para> |
6123 | 6124 | <maml:para>NOTE: If a user is assigned a role that specifies an operation in NotActions and also assigned another role grants access to the same operation – the user will be able to perform that operation. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.</maml:para>
|
6124 | 6125 | <maml:para>
|
6125 | 6126 | Following is a sample json role definition that can be provided as input
|
|
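Review bot: Context line 6106 tells readers to use Get-AzureRmProviderOperations, but the cmdlet documented earlier in this file is Get-AzureRmProviderOperation (singular); this hunk already rewraps that paragraph, so fix the name here. The empty <maml:para></maml:para> added at line 6117 exists only for spacing and can be dropped. The bullets under 3) Actions and 4) AssignableScopes still share one para with their parent item, so they will keep running together in rendered help after this split. The NotActions note at line 6124 is missing "that" in "another role grants access"; it is the one security-relevant caveat in this description (NotActions is not a deny rule), so it is worth tidying while the surrounding paragraphs are being touched.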