I want to allow certain development team members access to the Azure Web App Development Tools.
Preferably only the App Service Editor. I know I can grant "Website Contributor", but I'd prefer to narrow the scope down to only this area.
Allowing access to "config" doesn't do it. Below is my custom role JSON. Is there a way to add access to App Service Editor only or must I grant Website Contributor?
```json
{
  "id": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/xxx",
  "properties": {
    "roleName": "xDevRole",
    "description": "Actions developers may perform",
    "assignableScopes": [
      "/subscriptions/xxxx",
      "/subscriptions/xxx"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action",
          "Microsoft.Support/*",
          "microsoft.web/sites/config/appsettings/read",
          "Microsoft.Web/sites/config/Read",
          "Microsoft.Web/sites/config/list/Action",
          "microsoft.web/sites/config/web/appsettings/read",
          "microsoft.web/sites/config/web/connectionstrings/read",
          "microsoft.web/sites/config/snapshots/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Note that App Service Editor relies on several underlying API operations for both retrieving and modifying configuration settings, files, and directories within the App Service, which require the "Microsoft.Web/sites/*" action to access.
To narrow down the access, collect the actions of the operations that you don't want users to perform and add them under the "notActions" section of the custom role JSON as an alternative:
```json
{
  "properties": {
    "roleName": "AppServiceEditorRole",
    "description": "Custom role to allow access to App Service Editor, basic web app management, and configuration",
    "assignableScopes": [
      "/subscriptions/xxxxxxxxx"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Web/sites/*",
          "Microsoft.Support/*",
          "Microsoft.Web/serverFarms/join/action",
          "Microsoft.Web/serverFarms/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action"
        ],
        "notActions": [
          "Microsoft.Web/sites/Delete",
          "Microsoft.Web/sites/stop/Action",
          "Microsoft.Web/sites/extensions/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
Assigning the above custom role to users will allow them access to App Service Editor but restricts stopping and deleting the web application and its extensions, like this:
[Screenshot: App Service Editor access]
[Screenshot: Stop & Delete greyed out]
[Screenshot: Delete extension option greyed out]
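To reason about what the narrowed role actually permits before assigning it, here is an added example (not code from the question or the answer) that applies Azure RBAC's control-plane rule, effective permission = Actions minus NotActions with case-insensitive wildcard matching, to the answer's role definition. It also shows that the notActions block only the listed operations: deleting a deployment slot or restarting the site, for instance, still falls under "Microsoft.Web/sites/*" and remains allowed.

```python
import re

# Role definition copied from the answer's approach: a broad
# "Microsoft.Web/sites/*" grant narrowed with notActions.
ROLE = {
    "actions": [
        "Microsoft.Web/sites/*",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
    ],
    "notActions": [
        "Microsoft.Web/sites/Delete",
        "Microsoft.Web/sites/stop/Action",
        "Microsoft.Web/sites/extensions/delete",
    ],
}

def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role: dict, operation: str) -> bool:
    """An operation is permitted when some action grants it and no notAction excludes it."""
    granted = any(_matches(p, operation) for p in role["actions"])
    excluded = any(_matches(p, operation) for p in role["notActions"])
    return granted and not excluded

def effective_permissions(role: dict, operations: list[str]) -> dict[str, bool]:
    """Evaluate a list of operations against the role; useful for reviewing a draft role."""
    return {op: is_allowed(role, op) for op in operations}

# Sample operations to review (real Microsoft.Web operation names, chosen here for illustration).
SAMPLE_OPERATIONS = [
    "Microsoft.Web/sites/config/Write",      # editing config: allowed
    "Microsoft.Web/sites/delete",            # blocked, even with different casing
    "Microsoft.Web/sites/stop/Action",       # blocked
    "Microsoft.Web/sites/slots/Delete",      # NOT blocked: notActions only cover the site itself
    "Microsoft.Web/sites/restart/Action",    # NOT blocked: only stop is listed
    "Microsoft.Web/serverFarms/write",       # never granted
]

if __name__ == "__main__":
    for op, allowed in effective_permissions(ROLE, SAMPLE_OPERATIONS).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {op}")
```

Extend notActions with the slot and restart operations if the goal is to keep users from affecting site availability through those paths as well.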