I have been assigned the Owner role on a resource group. I am unable to create a new resource group.
To create a resource group, do I need the Owner/Contributor role on the subscription?
And when a user is assigned the Owner and Reader roles, which role controls the user's access?
OP asks for the RBAC permissions necessary to create a new resource group. @jason-ye suggests the subscription Owner role. This is more permissions than necessary, hence not a good answer for production or related environments.
Per Built-in roles for Azure resources, the Contributor role on the subscription is sufficient to create all resources, including resource groups. The following are the permission assignments for the Contributor role; "*" means everything, and some things are explicitly denied:
Actions:
    *
NotActions:
    Microsoft.Authorization/*/Delete
    Microsoft.Authorization/*/Write
    Microsoft.Authorization/elevateAccess/Action
    Microsoft.Blueprint/blueprintAssignments/write
    Microsoft.Blueprint/blueprintAssignments/delete
I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.
Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.
However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation
Microsoft.Resources/subscriptions/resourceGroups/write
which would provide the least privileges to achieve the desired result.
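The following is an added example, not part of the original answer and not Azure's own code: a simplified model of how Actions, NotActions and assignment scope combine, showing why Owner on one resource group cannot create another, why subscription Contributor can, and what the custom role leaves out. The subscription ID, resource group names and custom role name are constructed; the Owner and Reader definitions come from Azure's built-in role documentation rather than this page, and deny assignments are not modeled.

```python
from fnmatch import fnmatchcase

RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"], "NotActions": [  # as listed in the answer
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete"]},
    # Hypothetical custom role holding only the operation named in the answer.
    "RG Creator (custom)": {"Actions": [RG_WRITE], "NotActions": []},
}

def role_allows(role, operation):
    """Actions minus NotActions; operation names compare case-insensitively."""
    op = operation.lower()
    def hit(patterns):
        return any(fnmatchcase(op, p.lower()) for p in patterns)
    return hit(ROLES[role]["Actions"]) and not hit(ROLES[role]["NotActions"])

def in_scope(assignment_scope, target):
    """An assignment covers its own scope and everything beneath it."""
    a, t = assignment_scope.lower().rstrip("/"), target.lower()
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, operation, target):
    """Additive: any in-scope assignment whose role allows the operation grants it."""
    return any(in_scope(s, target) and role_allows(r, operation) for r, s in assignments)

# Constructed sample scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
OLD_RG = SUB + "/resourceGroups/existing-rg"
NEW_RG = SUB + "/resourceGroups/new-rg"
VM = OLD_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

if __name__ == "__main__":
    for label, assignments, op, target in [
        ("Owner on existing RG creates new RG", [("Owner", OLD_RG)], RG_WRITE, NEW_RG),
        ("Contributor on sub creates new RG", [("Contributor", SUB)], RG_WRITE, NEW_RG),
        ("Contributor on sub writes existing VM", [("Contributor", SUB)], VM_WRITE, VM),
        ("Custom role on sub creates new RG", [("RG Creator (custom)", SUB)], RG_WRITE, NEW_RG),
        ("Custom role on sub writes existing VM", [("RG Creator (custom)", SUB)], VM_WRITE, VM),
    ]:
        print(f"{label}: {is_allowed(assignments, op, target)}")
```
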