Azure Permission - needed for creating resource group - RBAC

kannan Eswar · Sep 19, 2017 · Viewed 7.3k times

I have assigned with Owner role to a resource group. I am unable to create a new resource group.

For creating a resource group whether I need owner/contributor role to subscription?

And When a user is assigned with Owner and Reader role, which role controls the user access?

Answer

JohnC · Feb 18, 2019

OP asks for RBAC permissions necessary to create a new resource group. @jason-ye suggests subscription Owner role. This is more permissions than necessary hence not a good answer for production or related environments.

Per Built-in roles for Azure resources, Contributor role on subscription is sufficient to create all resources, including resource groups. Following are the permission assignments for Contributor role, "*" means everything, some things are explicitly denied:

Actions  
*
NotActions  
Microsoft.Authorization/*/Delete 
Microsoft.Authorization/*/Write 
Microsoft.Authorization/elevateAccess/Action 
Microsoft.Blueprint/blueprintAssignments/write 
Microsoft.Blueprint/blueprintAssignments/delete 

I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.

Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.

However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation

Microsoft.Resources/subscriptions/resourceGroups/write 

which would provide the least privileges to achieve the desired result.
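As an added illustration (not part of the answer above), the following script models the Actions/NotActions evaluation for the Contributor definition quoted in the answer and for a least-privilege custom role built around Microsoft.Resources/subscriptions/resourceGroups/write. The wildcard matching is a simplified model of Azure's rules, the role name is hypothetical, and the subscription ID in AssignableScopes is a placeholder.

```python
import json
import re

# Contributor role permissions exactly as listed in the answer above.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
    ],
}

# Hypothetical least-privilege custom role: only the single operation the
# answer names. The subscription ID below is a placeholder, not a real value.
RESOURCE_GROUP_CREATOR = {
    "Name": "Resource Group Creator",
    "IsCustom": True,
    "Description": "Can create resource groups; no rights on existing resources.",
    "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/write"],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>"],
}


def _matches(pattern: str, operation: str) -> bool:
    """Simplified Azure RBAC matching (assumed): '*' matches any run of
    characters, including '/', and comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Permitted when some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not denied


def role_definition_json(role: dict) -> str:
    """JSON in the shape `az role definition create --role-definition` reads."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for op in ["Microsoft.Resources/subscriptions/resourceGroups/write",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Compute/virtualMachines/delete"]:
        print(op, is_allowed(CONTRIBUTOR, op), is_allowed(RESOURCE_GROUP_CREATOR, op))
    print(role_definition_json(RESOURCE_GROUP_CREATOR))
```

Running it shows Contributor permits resource-group writes but is blocked from role-assignment writes by NotActions, while the custom role permits only the single resource-group write and nothing else.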