HOTSPOT - You have the following custom role-based access control (RBAC) role. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
For me: N,Y,Y.
Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
You can argue that 2 is no because you need to write to a resource group and this doesn't exist: Microsoft.Resources/subscriptions/resourceGroups/write
Users that are assigned to Role1 can assign Role1 to users = No ( notAction = Authorization/elevateAccess/Action )
Users that are assigned Role1 can deploy new virtual machines = Yes ( action = Compute/virtualMachine/* )
Users that are assigned in Role1 can set a static IP address to a virtual machine = Yes ( action = Network/networkinterface/* )
N-Y-Y
Box 1: N
Microsoft.Authorization notAction - user can't assign roles
Box 2: Yes
Role1 in this question has the attributes needed by "Virtual Machine Contributor role" necessary to create VMs, including Microsoft.Resource attributes as below:
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Therefore, Role1 can indeed create VMs.
Reference:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/compute#virtual-machine-contributor
Box 3: Yes - static IP shall be under NIC, and user has Microsoft.Network/networkInterfaces/*
N-Y-Y
Users that are assigned Role1 can assign Role1 to users: no, because "Microsoft.Authorization/elevateAccess/Action" is under "notAction".
Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#notactions
Users that are assigned Role1 can deploy new virtual machines: yes, because under "actions" we have "Microsoft.Resources/deployments/*".
Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/compute#virtual-machine-contributor
Users that are assigned Role1 can set a static IP address on a virtual machine: yes, because under "actions" we have "Microsoft.Network/networkinterfaces/*".
Source: https://docs.metallic.io/metallic/azure_resource_provider_usage.html
I think the answer is No-No-Yes. The key word is "notAction".
It says Role1 cannot do these:
"notAction": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action"
]
I say Yes to "Role1 can set a static IP address on a virtual machine", because it does not say you cannot do it in "notAction".
Users that are assigned Role1 can assign Role1 to users: No (due to a lack of specific roleAssignments permissions and notActions restrictions).
Users that are assigned Role1 can deploy new virtual machines: Yes (supported by "Microsoft.Compute/virtualMachines/*").
Users that are assigned Role1 can set a static IP address on a virtual machine: Yes (supported by "Microsoft.Network/networkInterfaces/*").
Box 1: N
Because it doesn't have:
Microsoft.Authorization/*/Write - Create roles, role assignments, policy assignments, policy definitions and policy set definitions
Box 2: Yes
Has been assigned:
Microsoft.Compute/virtualMachines/* - Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
Box 3: Y
Has been assigned:
Microsoft.Network/networkInterfaces/* - Create and manage network interfaces
See:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
I think it should be NNY. The user cannot assign other users to Role1 since ms.auth/*/write is not allowed. The user cannot create a VM since she is a reader at the RG level. The user with the Reader role on a resource group does not have permission to create a virtual machine (VM) within that resource group. The Reader role is a read-only role that only allows the user to view the resources and their configurations within the resource group. However, she can modify the IP address of the existing VM because she is a VM Contributor.
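The three boxes all come down to how Azure evaluates a custom role: the effective permission of one role is its Actions minus its NotActions, matched with case-insensitive wildcards, and across several role assignments the grants are unioned. The script below is an added example and is not part of the original thread or an Azure SDK call; the `ROLE1` definition is reconstructed from the operations quoted in the comments (the exam image is not on the page, so it is a constructed approximation, and the `Microsoft.Authorization/*/read` entry is an assumption), and `BROAD_ROLE` is a hypothetical second role used only to show that NotActions is not a deny.

```python
import re
from typing import Dict, List, Tuple

Role = Dict[str, List[str]]

# Role1 as reconstructed from the operations quoted in the thread (constructed
# approximation of the exam's role; the "*/read" entry is an assumption).
ROLE1: Role = {
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Hypothetical second role assigned to the same principal (constructed), used
# to show that NotActions only subtracts within its own role.
BROAD_ROLE: Role = {"Actions": ["*"], "NotActions": []}


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'),
    the comparison is case-insensitive, and the whole operation must match."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: Role, operation: str) -> bool:
    """Effective permission of a single role definition: Actions minus NotActions."""
    granted = any(matches(p, operation) for p in role["Actions"])
    excluded = any(matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def user_permits(roles: List[Role], operation: str) -> bool:
    """Across multiple assignments the grants are unioned: an operation listed in
    one role's NotActions is still allowed if another assigned role grants it.
    Only a deny assignment (not modelled here) can override a grant."""
    return any(role_permits(r, operation) for r in roles)


def exam_boxes(role: Role) -> Tuple[bool, bool, bool]:
    """Evaluate the three statements from the question against one role."""
    return (
        role_permits(role, "Microsoft.Authorization/roleAssignments/write"),  # Box 1: assign Role1
        role_permits(role, "Microsoft.Compute/virtualMachines/write"),        # Box 2: create a VM
        role_permits(role, "Microsoft.Network/networkInterfaces/write"),      # Box 3: static IP on the NIC
    )


if __name__ == "__main__":
    for label, verdict in zip(("Box 1", "Box 2", "Box 3"), exam_boxes(ROLE1)):
        print(label, "Yes" if verdict else "No")
    print("roleAssignments/write with Role1 + BROAD_ROLE:",
          user_permits([ROLE1, BROAD_ROLE], "Microsoft.Authorization/roleAssignments/write"))
```

Box 1 fails for two independent reasons: `Microsoft.Authorization/roleAssignments/write` is not covered by any Actions entry in the first place, and it is also excluded by the `Microsoft.Authorization/*/Write` NotActions entry. The last line of the script is the caveat that matters when auditing a tenant: if the same principal also holds a broader role, the NotActions in Role1 do not remove that grant, so "it is under notAction" is only a statement about this one role, not about what the user can do overall.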