I have an Azure APIM Premium instance and I want to give the users of a specific AD group access to approve subscription requests. How can I give this group read access and subscription approval rights via RBAC? Is there a specific custom RBAC permission I should create?
I have one APIM service named sriapimdemo with the below subscriptions in it, like this:
To activate/approve subscription requests, you can create a custom RBAC role by including the Microsoft.ApiManagement/service/subscriptions/write action with all other read permissions.
I created one custom RBAC role named Subscription Approver with the below permissions:
Sample.json:
    {
        "id": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxxx",
        "properties": {
            "roleName": "Subscription Approver",
            "description": "Approves subscriptions in APIM",
            "assignableScopes": [
                "/subscriptions/subId"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.ApiManagement/service/*/read",
                        "Microsoft.ApiManagement/service/read",
                        "Microsoft.Authorization/*/read",
                        "Microsoft.Insights/alertRules/*",
                        "Microsoft.ResourceHealth/availabilityStatuses/read",
                        "Microsoft.Resources/deployments/*",
                        "Microsoft.Resources/subscriptions/resourceGroups/read",
                        "Microsoft.Support/*",
                        "Microsoft.ApiManagement/service/subscriptions/write"
                    ],
                    "notActions": [
                        "Microsoft.ApiManagement/service/users/keys/read"
                    ],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
I assigned this custom RBAC role to one user under the APIM resource like this:
Now, I signed in with that user and clicked on the Activate option of the suspended subscription:
When I refreshed the page, the subscription was activated successfully, as below:
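The following is an added example, not part of the original answer: a small offline checker that evaluates the Subscription Approver role above the way Azure RBAC does for control-plane actions (actions minus notActions, with `*` as a case-insensitive wildcard) and lists the entries that grant more than read. The helper names and the probe actions are chosen for illustration.

```python
import re

# Actions copied from the "Subscription Approver" role definition in the answer.
ROLE = {
    "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.ApiManagement/service/subscriptions/write",
    ],
    "notActions": ["Microsoft.ApiManagement/service/users/keys/read"],
}


def _matches(pattern, action):
    """RBAC pattern match: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(role, action):
    """Effective control-plane permission = actions minus notActions."""
    granted = any(_matches(p, action) for p in role["actions"])
    excluded = any(_matches(p, action) for p in role["notActions"])
    return granted and not excluded


def non_read_grants(role):
    """Entries that grant something other than read: review these for least privilege."""
    return [p for p in role["actions"] if not p.lower().endswith("/read")]


if __name__ == "__main__":
    # Probe actions are illustrative choices, not taken from the original post.
    for probe in (
        "Microsoft.ApiManagement/service/subscriptions/write",  # needed to activate
        "Microsoft.ApiManagement/service/subscriptions/read",
        "Microsoft.ApiManagement/service/users/keys/read",      # removed by notActions
        "Microsoft.ApiManagement/service/apis/write",           # never granted
        "Microsoft.Resources/deployments/write",                # granted by a wildcard
    ):
        print("ALLOW" if is_allowed(ROLE, probe) else "DENY ", probe)
    print("Non-read entries:", non_read_grants(ROLE))
```

The non-read entries it reports are the ones to check when trimming the role for an approver group.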