0

I want to give a specific RBAC to a user so that he can create a NIC but not modify it. As a matter of fact, the aim is that he shouldn't have permission to change the dynamic IP to a static IP and change the IP address of the NIC.

I have checked the RBACs of the NIC, but it seems that if he has the Microsoft.Network/networkInterfaces/write permission, he can create a network interface or update an existing network interface. So this RBAC is not as detailed as I want. I have also tried to give all permissions but not Microsoft.Network/networkInterfaces/read. In that case, the NIC can be created but I can neither see the IP of the NIC nor SSH/RDP to the VM. So it is not a solution for me.

I have checked the built-in Azure Policies, but there isn't anything good for my needs.

Any idea?

MoonHorse

1 Answer

1

It is not possible for someone to have permissions to create a resource but not edit it, as it is all contained under the write permission.

Your best bet would be to use Azure Policy to define a policy that doesn't allow static IP addresses.

Sam Cogan
  • Do you have some tips to create a policy to deny static IP addresses? – MoonHorse Jun 11 '21 at 09:06
  • I see that to deny public IP, this condition is set: "not": { "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id", "notLike": "*" } . Where can I find the properties of ipconfigurations? – MoonHorse Jun 11 '21 at 09:10
  • https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networkinterfaces?tabs=json – Sam Cogan Jun 11 '21 at 13:35
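
A sketch of the kind of policy the answer suggests, added here as an example and not taken from the answer or from Microsoft's built-in definitions: a custom Azure Policy definition that denies any NIC create or update request in which at least one IP configuration uses static private allocation. It assumes the alias Microsoft.Network/networkInterfaces/ipconfigurations[*].privateIPAllocationMethod, named after the same pattern as the publicIpAddress.id alias quoted in the comment above; confirm the alias against the provider's alias list before assigning the policy.

```json
{
  "properties": {
    "displayName": "Deny static private IP allocation on network interfaces",
    "description": "Added example. Assumes the privateIPAllocationMethod alias exists under ipconfigurations[*]; verify it before use.",
    "mode": "All",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
              "where": {
                "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].privateIPAllocationMethod",
                "equals": "Static"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The count expression matches when any single IP configuration is Static, so a NIC with several configurations cannot carry a static one alongside dynamic ones. Because the user still holds Microsoft.Network/networkInterfaces/write, the deny effect is what blocks both creating a NIC with a static address and switching an existing one from Dynamic to Static.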