Exam SC-300 topic 1 question 72 discussion

You need two role assignments, one for RG1 and other for RG2. If you make just one assignment for both of the Resource groups, User1 will have Virtual machine & Storage account creating rights in both resource groups. If you put the scope on Subscription or Management group that has these Resource groups, the resource groups will inherit the role assignment from higher level (parent) resource. You can make a custom role for RG1 with permissions shown below: */read - View all resources Microsoft.Compute/virtualMachines/restart/action - Restart virtual machines. Microsoft.Compute/virtualMachines/write - Creates a new virtual machine or updates an existing virtual machine. Microsoft.Storage/storageAccounts/write - Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. For RG2 you should make custom role with these permissions: */read - View all resources Microsoft.Compute/virtualMachines/restart/action - Restart virtual machines.

A. 1: Assigning a single role likely wouldn't provide all the required permissions. B. 2: It might be possible with two roles, but achieving granular control for resource group specific actions requires more than one. C. 3: This is the most likely scenario. We need separate role assignments for broader and specific resource group permissions. D. 4: While possible, 3 roles should be sufficient to achieve the desired outcome. Here's a breakdown of the minimum required RBAC role assignments: Reader role: This grants User1 the ability to view all resources across the subscription, fulfilling the first requirement. Contributor role for RG1: This grants User1 permission to create virtual machines and storage accounts within resource group RG1, addressing the needs for resource creation in a specific group. Virtual Machine Contributor role: This grants User1 the ability to restart virtual machines across the subscription, fulfilling the third requirement.

Can be done with 2 custom role assignments. The question doesn't explicitly state that only in-built roles can be used.

This is a retarded question. It can be either 3 or 4

Minimum Number of Role Assignments: To meet these requirements, User1 needs a combination of Reader, Virtual Machine Contributor, and Storage Account Contributor roles. Since there is overlap in the roles that allow User1 to restart VMs and create VMs, we can optimize the number of role assignments. Reader role at the subscription level. Virtual Machine Contributor role at RG1 (to allow both VM creation and VM restart in RG1). Storage Account Contributor role at RG1. Conclusion: The minimum number of role assignments required is 3. Thus, the correct answer is: C. 3

2 RBAC roles are sufficient to perform what in case.

Answer has to be C View all resources: READER role Restart virtual machines (it means RG1 and RG2 machines): VM contributor role Create VM/Storage accounts in RG1: Contributor role for RG1

2 roles are sufficient: - Reader on the subscription level. It fulfills the 1st requirement. - Contributor or Owner on RG1, which fulfills the 2nd requirement - There is nothing to do with RG2 because it's empty (I assume). So, no role should be assigned.

To enable User1 to perform the specified tasks in Azure, you would need at least three role-based access control (RBAC) role assignments: Reader Role: This role allows User1 to view all resources in both resource groups, RG1 and RG2. Virtual Machine Contributor Role: This role permits User1 to restart virtual machines. It should be assigned at the scope of both RG1 and RG2 to cover all virtual machines. Contributor Role for RG1: This role allows User1 to create virtual machines and storage accounts, but it should be assigned specifically to RG1 only. Therefore, the minimum number of RBAC role assignments required is 3, making option C the correct answer.

It's 2 (B), by adding custom role/s.

3 roles Assign User1 the "Reader" role at the subscription level to view all resources. Assign User1 the "Virtual Machine Contributor" role at the RG1 level to restart virtual machines and create virtual machines in RG1 only. Assign User1 the "Storage Account Contributor" role at the RG1 level to create storage accounts in RG1 only.

If least privilege is not a concern then you just need one role - Contributor for both R1 and R2 However, I believe we will always want least privileges and in that case you will need three RBAC roles: Reader - to view all resources in r1 and r2 as there are other resources besides VMs and SAs in the RGs. VM Contributor - To create & restart VMs Storage Account Contributor - To create storage accounts

technically 1 role is possible since the question doesn't require the use of the least privileges the role of contributor could suffice?

You can TECHNICALLY provide all of it is requested with 2 roles (which the question is asking for) but if you wanted to be as strict as possible 4 roles would be the best IMO.