In Azure, how to prevent a user create a Network Interface Card but not modify it?

MoonHorse

10/11/22, 8:09 AM

I want to give a specific RBAC to a user so that he can create a NIC but not to modify. As a matter of fact, what it is aimed is that he shouldn't have permission to change the dynamic ip to static ip and change the ip address of the NIC.

I have checked the RBACs of NIC, but it seems that if he has Microsoft.Network/networkInterfaces/write permission , he can create a network interface or update an existing network interface. So this Rbac is not as detailed as i want. I have also tried to give all permissions but not Microsoft.Network/networkInterfaces/read. In that case, the NIC can be created but i can neither see the ip of the nic nor ssh/rdp to the VM. So it is not a solution for me.

I have checked the built-in Azure Policies, but there isn't nothing good for my needs.

Any idea?

1 + 0

networking

nic

rbac

azure

azure-policies

Score:1

Server

Sam Cogan

10/11/22, 8:46 AM

It is not possible for someone to have permissions to create a resource but not edit it, as it is all contained under the write permission.

Your best bet would be to use Azure Policy to define a policy that doesn't allow static IP addresses.

0 + 3

MoonHorse

10/11/22, 9:06 AM

do you have some tips to create a policy to deny static IP addresses?

MoonHorse

10/11/22, 9:10 AM

i see that to deny public ip, this condition is set: "not": { "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id", "notLike": "*" } . Where can i find the properties of ipconfigurations?

Sam Cogan

10/11/22, 1:35 PM

https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networkinterfaces?tabs=json

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: In Azure, how to prevent a user create a Network Interface Card but not modify it?

TH: ใน Azure จะป้องกันไม่ให้ผู้ใช้สร้าง Network Interface Card แต่ไม่แก้ไขได้อย่างไร

RO: În Azure, cum să împiedicați un utilizator să creeze o placă de interfață de rețea, dar să nu o modifice?

RU: Как в Azure запретить пользователю создавать карту сетевого интерфейса, но не изменять ее?

VI: Trong Azure, làm cách nào để ngăn người dùng tạo Thẻ giao diện mạng nhưng không sửa đổi nó?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.