In this how-to guide, you learn how to create a custom role for Service Operators. A custom role provides the necessary permissions to access Azure Operator Service Manager (AOSM) Publisher resources when deploying a Site Network Service (SNS).
Prerequisites
Contact your Microsoft account team to register your Azure subscription for access to Azure Operator Service Manager (AOSM) or express your interest through the partner registration form.
Decide the scope that you want the role to be assignable to:
If the publisher resources are in a single resource group, you can use the assignable scope of that resource group.
If the publisher resources are spread across multiple resource groups within a single subscription, you must use the assignable scope of that subscription.
If the publisher resources are spread across multiple subscriptions, you must create a custom role assignable to each of these subscriptions.
As an example, you can use the following sample as the main.bicep template. This sample creates the role with subscription-wide assignable scope.
targetScope = 'subscription'
@description('Array of actions for the roleDefinition')
param actions array = [
'Microsoft.HybridNetwork/Publishers/NetworkFunctionDefinitionGroups/NetworkFunctionDefinitionVersions/use/action'
'Microsoft.HybridNetwork/Publishers/NetworkFunctionDefinitionGroups/NetworkFunctionDefinitionVersions/read'
'Microsoft.HybridNetwork/Publishers/NetworkServiceDesignGroups/NetworkServiceDesignVersions/use/action'
'Microsoft.HybridNetwork/Publishers/NetworkServiceDesignGroups/NetworkServiceDesignVersions/read'
'Microsoft.HybridNetwork/Publishers/ConfigurationGroupSchemas/read'
]
@description('Array of notActions for the roleDefinition')
param notActions array = []
@description('Friendly name of the role definition')
param roleName string = 'Custom Role - AOSM Service Operator access to Publisher'
@description('Detailed description of the role definition')
param roleDescription string = 'Provides read and use access to AOSM Publisher resources'
var roleDefName = guid(subscription().id, string(actions), string(notActions))
resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
name: roleDefName
properties: {
roleName: roleName
description: roleDescription
type: 'customRole'
permissions: [
{
actions: actions
notActions: notActions
}
]
assignableScopes: [
subscription().id
]
}
}
When you deploy the template, it should be deployed in the same subscription as the Publisher resources.
az login
az account set --subscription <publisher subscription>
az deployment sub create --location <location> --name customRole --template-file main.bicep
Explore how to use built-in Azure roles, managed identities, and RBAC-policy to control access to Azure resources. Identity is the key to secure solutions.