Azure-docs: Assigning user as contributor to Azure Function at resource level and not Resource Group level?

Created on 12 Aug 2019  ·  4 Comments  ·  Source: MicrosoftDocs/azure-docs

In Logic App there is a resource level Role like - Logic App Contributor.
However, for Web App, there is no such role. But one can only assign a user to Web App as a contributor and reader in the Resource group. What about Functions based on consumption plan or based on Web App? There is no role for Function App like Logic App Contributor. So what is the recommendation in this case and how do I restrict a user from doing any edit outside of function but allow him to add and delete the functions in function app?



All 4 comments

@Anand-Moghe
Thanks for your feedback! We will investigate and update as appropriate.

I tested in my tenant with a function app and it appeared to work. You just add the user as a Contributor only within that function app.

My test user is able to contribute on the function app but not on anything else in the tenant. If you wanted you could also create custom roles and just set the scope at the resource/function app level.

This appears to be the hierarchy:

Subscriptions
-> Subscription
-> Access control (IAM)
-> Roles
-> Contributor
  -> Permissions
    -> Microsoft Web Apps
     -> Web App
       -> Function App
         -> …
     -> Web Apps Functions

Let me know if you still have issues.

@MarileeTurscak-MSFT Thank you very very much 👍 !!!
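
The resource-level assignment described in the reply above, done with the Azure CLI instead of the portal, followed by a check that the user holds nothing at a wider scope. This is an added example, not part of the original thread; the script name and its four arguments are placeholders, and it assumes a logged-in `az` session.

```sh
#!/bin/sh
# Added example. Usage (hypothetical script name):
#   ./scope-check.sh <subscription-id> <resource-group> <app-name> <user>

# ARM resource ID of a function app (function apps are Microsoft.Web/sites resources).
function_app_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s\n' "$1" "$2" "$3"
}

# Compare one existing assignment scope ($1) with the function app scope ($2).
#   exact   assigned on the function app itself
#   broader assigned on an ancestor (root, subscription, resource group) and inherited
#   review  management group scope; check by hand whether it contains the subscription
#   other   a different resource, or a child of the app
classify_scope() (
  have=$(printf '%s' "${1%/}" | tr '[:upper:]' '[:lower:]')  # resource IDs are case-insensitive
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$have" in
    "$want") echo exact ;;
    /providers/microsoft.management/managementgroups/*) echo review ;;
    *) case "$want" in
         "$have"/*) echo broader ;;
         *) echo other ;;
       esac ;;
  esac
)

# Grant the built-in Contributor role on the function app only.
grant_app_contributor() {
  az role assignment create --assignee "$1" --role "Contributor" --scope "$2"
}

# List the user's direct role assignments in the subscription and label each scope.
audit_user() {
  tab=$(printf '\t')
  az role assignment list --assignee "$1" --all \
      --query '[].[roleDefinitionName, scope]' --output tsv |
  while IFS="$tab" read -r role scope; do
    printf '%-8s %-24s %s\n' "$(classify_scope "$scope" "$2")" "$role" "$scope"
  done
}

if [ "$#" -eq 4 ]; then
  scope=$(function_app_scope "$1" "$2" "$3")
  grant_app_contributor "$4" "$scope"
  audit_user "$4" "$scope"
fi
```

Any row labelled `broader` means the user still has rights outside the function app through inheritance. Assignments the user receives through group membership are not listed by this query.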
