Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

Deny assignment for data plane actions #157

Open assaf-grth opened 4 months ago

assaf-grth commented 4 months ago

Is your feature request related to a problem? Please describe.
I would like to use the deployment stack feature to deny the ability to delete blobs from a storage account.

Describe the solution you'd like
I would expect the service to deny data plane actions in addition to control plane actions.

Describe alternatives you've considered

Additional context

marsontret commented 4 months ago

What was your experience trying to handle this using Azure Policy and or RBAC? I feel like those services would be a better fit for handling this type of restriction?

azcloudfarmer commented 4 months ago

Hello @assaf-grth - data plane resources are outside of the scope of deployment stacks deny assignments. Can you share more details around the scenario with blob storage where deny assignments are needed? I'm wondering if access to these resources can be prevented via RBAC instead.

assaf-grth commented 4 months ago

Thanks for the update @azcloudfarmer. In our use case, the devops team has permissive access to the account due to the nature of their work, and we would like to prevent accidental deletes of data, including the ability to bypass the deletes, for security reasons (leaked permissions from a hacked user). We would require that specific users with the right access (at management group level, for example) be able to bypass the delete deny (these users are highly monitored and secured), so features such as immutable storage will not make it.

Will this feature be part of the product roadmap? Is there any other service allowing such level of denial?

azcloudfarmer commented 3 months ago

Hello @assaf-grth - thanks for the details. At the moment Dataplane Resources are out-of-scope for Deployment Stacks deny settings. Marking as 'needs-upvote' to track the feature request in this issue.
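To make the distinction in this thread concrete, here is an added example (not code from the deployment-stacks repository or from any participant) that models the two layers a devops principal's request passes through: an Azure RBAC custom role, which covers both control-plane `Actions` and data-plane `DataActions`, and a deployment stack's deny settings, which, as the maintainers state above, apply to control-plane operations only. The role definition, the principal names and the subscription id are constructed placeholders; the deny-mode patterns (`*/delete`, `*/write`) are an assumption that models what `denyDelete` and `denyWriteAndDelete` restrict, and the excluded-principals list models the break-glass users the requester describes.

```python
"""Model of how an RBAC custom role and deployment stack deny settings combine.

Added example, not the repository's own code. The role definition, principals
and subscription id below are constructed; the stack deny patterns are an
assumption used to model denyDelete / denyWriteAndDelete.
"""
from fnmatch import fnmatchcase

# Constructed custom role in the Azure custom-role JSON shape. The devops team
# can manage the storage account and read/write blobs, but the data-plane blob
# delete action is excluded via NotDataActions, which is where a data-plane
# delete restriction actually has to live.
DEVOPS_ROLE = {
    "Name": "DevOps Storage Operator (constructed example)",
    "Actions": ["Microsoft.Storage/storageAccounts/*"],
    "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}

SA_DELETE = "Microsoft.Storage/storageAccounts/delete"
SA_WRITE = "Microsoft.Storage/storageAccounts/write"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def _matches(patterns, operation):
    """Case-insensitive wildcard match; '*' spans path segments as in Azure RBAC."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_permits(role, operation, data_action=False):
    """RBAC grant: allowed if some Actions/DataActions pattern matches and no
    NotActions/NotDataActions pattern matches."""
    allow_key, deny_key = (
        ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    )
    return _matches(role.get(allow_key, []), operation) and not _matches(
        role.get(deny_key, []), operation
    )


# Assumed model of stack deny modes as control-plane operation patterns.
STACK_DENY_PATTERNS = {
    "none": [],
    "denyDelete": ["*/delete"],
    "denyWriteAndDelete": ["*/write", "*/delete"],
}


def stack_denies(deny_mode, operation, data_action=False, principal=None, excluded_principals=()):
    """Deployment stack deny settings: control plane only; excluded principals bypass."""
    if data_action:
        return False  # data-plane resources are out of scope for stack deny settings
    if principal in excluded_principals:
        return False  # e.g. a monitored break-glass identity
    return _matches(STACK_DENY_PATTERNS[deny_mode], operation)


def effective_allowed(role, deny_mode, operation, data_action, principal, excluded_principals=()):
    """A request succeeds only if RBAC grants it and the stack does not deny it."""
    return role_permits(role, operation, data_action) and not stack_denies(
        deny_mode, operation, data_action, principal, excluded_principals
    )


if __name__ == "__main__":
    for op, data in [(SA_DELETE, False), (SA_WRITE, False), (BLOB_DELETE, True), (BLOB_READ, True)]:
        for who in ("devops", "breakglass"):
            ok = effective_allowed(DEVOPS_ROLE, "denyDelete", op, data, who, ("breakglass",))
            print(f"{who:10} {'data ' if data else 'ctrl '} {op.split('/')[-1]:7} -> {'allow' if ok else 'deny'}")
```

Running the block shows the gap the issue is about: with `denyDelete`, the stack blocks the control-plane storage account delete for `devops` but lets `breakglass` through, while the blob delete is untouched by the stack in both cases and is only stopped because the constructed role's `NotDataActions` excludes it.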