I want to allow certain development team members access to the Azure Web App Development Tools.
Preferably only the App Service Editor. I know I can grant "Website Contributor", but I'd prefer to narrow the scope down to only this area.
Allowing access to "config" doesn't do it. Below is my custom role JSON. Is there a way to add access to App Service Editor only or must I grant Website Contributor?
{
  "id": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/xxx",
  "properties": {
    "roleName": "xDevRole",
    "description": "Actions developers may perform",
    "assignableScopes": [
      "/subscriptions/xxxx",
      "/subscriptions/xxx"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action",
          "Microsoft.Support/*",
          "microsoft.web/sites/config/appsettings/read",
          "Microsoft.Web/sites/config/Read",
          "Microsoft.Web/sites/config/list/Action",
          "microsoft.web/sites/config/web/appsettings/read",
          "microsoft.web/sites/config/web/connectionstrings/read",
          "microsoft.web/sites/config/snapshots/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
asked Nov 28, 2024 at 10:21 by Damo (edited Nov 28, 2024 at 10:30)
1 Answer
Note that App Service Editor relies on several underlying API operations for both retrieving and modifying configuration settings, files, and directories within the App Service, which require the "Microsoft.Web/sites/*" action to access.
For narrowing down the access, collect the actions of the operations that you don't want users to perform and add them under the "notActions" section of the custom role JSON as an alternative:
{
  "properties": {
    "roleName": "AppServiceEditorRole",
    "description": "Custom role to allow access to App Service Editor, basic web app management, and configuration",
    "assignableScopes": [
      "/subscriptions/xxxxxxxxx"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Web/sites/*",
          "Microsoft.Support/*",
          "Microsoft.Web/serverFarms/join/action",
          "Microsoft.Web/serverFarms/read",
          "Microsoft.OperationalInsights/workspaces/analytics/query/action",
          "Microsoft.OperationalInsights/workspaces/search/action"
        ],
        "notActions": [
          "Microsoft.Web/sites/Delete",
          "Microsoft.Web/sites/stop/Action",
          "Microsoft.Web/sites/extensions/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Assigning the above custom role to users will allow them access to App Service Editor but restricts stopping and deleting the web application and its extensions, like this:
[Screenshot: App Service Editor access]
[Screenshot: Stop & Delete greyed out]
[Screenshot: Delete extension option greyed out]
"microsoft.web/sites/*" action in the custom role JSON for accessing Development Tools. There is no other way, as there is no direct action available to give access to App Service Editor in particular. – Sridevi, commented Nov 28, 2024 at 12:39