Azure / deployment-stacks

Contains Deployment Stacks CLI scripts and releases
MIT License

RBAC Role for least privilege #164

Open wsmelton opened 5 months ago

wsmelton commented 5 months ago

Is your feature request related to a problem? Please describe. With normal Resource Group deployments, you are not required to have write access to the resource group to, say, add an RBAC permission to a resource in the given Resource Group. This only requires the User Access Administrator role.

With Deployment Stacks this is a new permission that must be granted at the given scope you are working from. In my case it is a Resource Group for deploying an RBAC role for Private DNS Zone Contributor. I'm only given the User Access Administrator role, as that is the least privilege allowed for managing RBAC permissions via Bicep.

With Deployment Stacks, though, they all fail, since Microsoft.Resources/deploymentStacks/write isn't part of the User Access Administrator role.

Describe the solution you'd like I would have expected RBAC roles to be made available for the preview, but whether it is just a Deployment Stack Contributor role or something that gives an automation account/user permission to read and write those resources works for me.

Describe alternatives you've considered None, as we (company) are not interested in managing custom roles for every new feature in Azure 😜

Additional context

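The permission gap wsmelton describes can be checked offline before an automation identity fails at deploy time. The script below is an added example, not code from the deployment-stacks project or from anyone in this thread: it models how Azure evaluates a role definition's Actions/NotActions against a requested control-plane action (the `*` wildcard, case-insensitive, Actions minus NotActions) and runs that against the built-in User Access Administrator definition. The "Example Stack Deployer" role and the abbreviated Contributor NotActions list are constructed for illustration; the built-in Actions listed should be confirmed against the live definition with `az role definition list --name "User Access Administrator"`.

```python
"""Azure RBAC action evaluation for the Deployment Stacks permission gap.

Added illustration: models how Azure evaluates a role definition's
Actions/NotActions against a requested control-plane action, so a role can
be checked offline before a stack deployment fails with a 403.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


def action_matches(pattern: str, action: str) -> bool:
    """Azure action patterns use '*' as the only wildcard and are case-insensitive.

    Built on re rather than fnmatch so that '?' and '[' are taken literally,
    as they would be in an Azure operation name.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(role: RoleDefinition, action: str) -> bool:
    """Effective permissions are Actions minus NotActions."""
    if any(action_matches(p, action) for p in role.not_actions):
        return False
    return any(action_matches(p, action) for p in role.actions)


def missing_actions(role: RoleDefinition, required: List[str]) -> List[str]:
    """Return the required actions the role does not grant, in order."""
    return [a for a in required if not is_allowed(role, a)]


def report(role: RoleDefinition, required: List[str]) -> str:
    missing = missing_actions(role, required)
    if not missing:
        return f"{role.name}: all required actions granted"
    return f"{role.name}: missing " + ", ".join(missing)


# Built-in role; Actions as published by Azure at the time of writing.
# Confirm the live definition with:
#   az role definition list --name "User Access Administrator"
USER_ACCESS_ADMINISTRATOR = RoleDefinition(
    name="User Access Administrator",
    actions=["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
)

# Built-in Contributor, NotActions abbreviated to the entries relevant here.
CONTRIBUTOR = RoleDefinition(
    name="Contributor",
    actions=["*"],
    not_actions=[
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
)

# Hypothetical custom role (NOT an Azure built-in), for illustration only:
# the actions a stack-deploying identity would need in this scenario.
STACK_DEPLOYER_EXAMPLE = RoleDefinition(
    name="Example Stack Deployer (hypothetical)",
    actions=[
        "Microsoft.Resources/deploymentStacks/*",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
    ],
)

# Constructed requirement list: a stack whose Bicep template assigns an RBAC role.
STACK_RBAC_DEPLOYMENT = [
    "Microsoft.Resources/deploymentStacks/read",
    "Microsoft.Resources/deploymentStacks/write",
    "Microsoft.Authorization/roleAssignments/write",
]


if __name__ == "__main__":
    for role in (USER_ACCESS_ADMINISTRATOR, CONTRIBUTOR, STACK_DEPLOYER_EXAMPLE):
        print(report(role, STACK_RBAC_DEPLOYMENT))
```

Running it shows the two halves of the problem: User Access Administrator can read stacks (via `*/read`) and write role assignments but cannot write the stack itself, while Contributor can write the stack but is blocked from role assignments by its NotActions. Neither built-in alone covers the scenario, which is the gap the built-in Deployment Stack roles were later meant to close.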
snarkywolverine commented 5 months ago

Hi @wsmelton!

I think that makes a lot of sense. Since we are adding additional permissions - see #163 - we'll also be adding Deployment Stack Owner and Contributor roles in the next few weeks.

snarkywolverine commented 4 months ago

Role Definitions are rolling out this week. There are two built-ins:

  1. Deployment Stack Owner - Can create, modify, and delete all stacks
  2. Deployment Stack Contributor - Can create, modify, and delete stacks that do not have any DenySettings. See #163 for the specific scenarios that would be blocked by the contributor.

snarkywolverine commented 4 months ago

@wsmelton The built-in roles should now be available in Public Azure.