Closed vegazbabz closed 6 months ago
@vegazbabz Thanks for your feedback! We will investigate and update as appropriate.
The storage account backup contributor has read access to authorization but not write or delete. #please-close
@tfitzmac you are incorrect. @KrishnaG-MSFT FYI. The link you provided is for "Backup Contributor" it is NOT the same as "Storage Account Backup Contributor".
"To create or delete management locks, you need access to Microsoft.Authorization/ or Microsoft.Authorization/locks/ actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks." https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks
This is exactly what you have with the "Storage Account Backup Contributor". I have tested it and it can be used to create resource locks.
To replicate, you can try to create a DINE policy using https://github.com/Azure/Community-Policy/blob/main/policyDefinitions/Regulatory%20Compliance/deploy-cannotdelete-resource-lock-on-resource-groups/azurepolicy.json - replace the roleDefinitionIds with Contributor AND Storage Account Backup Contributor. Run a remediation - this will add the resource locks.
@vegazbabz - thanks for that info. I have updated the doc so it no longer states that Owner and User Access Administrator are the only roles with the required access. I mention some specialized roles also have access but did not go into details about which specialized roles have access.
It seems like this role can also manage locks: [Storage Account Backup Contributor]. Although it is not the intention of the role, it still has the correct actions to read, write, and delete locks if the role is assigned on a higher scope than just a resource group with the storage account(s).