Virtual Machine Data Access Administrator (preview)

Azure Built-in Role

Role Information

Details and metadata

Role ID
66f75aeb-eabe-4b70-9f1e-c350c4c9ad04
Type
BuiltInRole
Last Updated (Azure)
2023-11-02 15:17:56

Change History

Track all modifications to this role

2023-11-02 15:17:56 Initial Scan
Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Virtual Machine Data Access Administrator (preview)",
    "type": "BuiltInRole",
    "description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/roleAssignments/write",
          "Microsoft.Authorization/roleAssignments/delete",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Management/managementGroups/read",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Compute/virtualMachines/*/read",
          "Microsoft.HybridCompute/machines/*/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Support/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
        "Condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))",
        "ConditionVersion": "2.0"
      }
    ],
    "createdOn": "2023-08-09T15:43:47.334Z",
    "updatedOn": "2023-11-02T15:17:56.785Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04"
}

Effective Permissions

Operations granted by this role (81 total)

Conditional Permissions

This role carries an ABAC condition (ConditionVersion 2.0) that narrows its effective permissions based on request and resource attributes. Per the role definition, Microsoft.Authorization/roleAssignments/write is only permitted when the requested RoleDefinitionId is one of the two GUIDs listed in the Condition, and Microsoft.Authorization/roleAssignments/delete is only permitted when the existing assignment's RoleDefinitionId is one of those same two GUIDs; the description identifies these as the Virtual Machine Administrator Login and Virtual Machine User Login roles. Without this condition, roleAssignments/write at an assignable scope of "/" would allow assigning any role.

Permission Patterns (from role definition)

Actions (14 patterns)
Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/read
Microsoft.Management/managementGroups/read
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/networkInterfaces/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.Resources/deployments/*
Microsoft.Support/*

Control Plane Operations (81)

Data Plane Operations (0)

No data plane operations granted