Provide functionality to assign a role to a resource group based on the ObjectId #150

@mbraekman

Description

Is your feature request related to a problem? Please describe.
Currently, the script New-AzResourceGroupRoleAssignment allows you to assign a role to a specific resource group for a resource/service.
While this is a start, one could also require the capability of assigning a specific role to a resource group in the name of a user/group/...
In this case, it would be interesting to provide the capability to pass along an ObjectId instead of the resourceGroupName/resourceName combination.

Describe the solution you'd like
Can we extend the current function New-AzResourceGroupRoleAssignment to allow either passing along the ObjectId OR the ResourceGroupName/ResourceName-combo?
Using a ParameterSetName we should be able to force the user to either provide the ObjectId or the ResourceGroupName/ResourceName.

Meaning the script will either perform the lookup for ObjectId itself (if it's a resource/service), or use the provided ObjectId to assign a new role.

Describe alternatives you've considered
Alternately, this would mean having a separate script to make this possible.

Additional context
We might have to modify the parameter-definition to something as follows (based on a first quick test): see below.
However, I would've hoped it to be possible to keep the exception-throwing as part of the parameter-definition in itself. (--> to be investigated)

```powershell
[CmdletBinding(DefaultParametersetName='None')]
param (
    [Parameter(Mandatory = $true)][string] $TargetResourceGroupName = $(throw "Target resource group name to which access should be granted is required"),
    [Parameter(ParameterSetName='Resource',Mandatory = $true)][string] $ResourceGroupName,
    [Parameter(ParameterSetName='Resource',Mandatory = $true)][string] $ResourceName,
    [Parameter(Mandatory = $true)][string] $RoleDefinitionName = $(throw "Name of the role definition is required"),
    [Parameter(ParameterSetName='Object',Mandatory = $true)][string] $ObjectId
)

# The parameter set the binder resolved: 'Resource', 'Object', or the default
# 'None' when no set-specific parameter was supplied at all.
$ParamSetName = $PsCmdLet.ParameterSetName

if($ParamSetName -eq 'Resource')
{
    if(-not($ResourceGroupName))
    {
        throw "Resource group name where the resource is located which should be granted access is required"
    }
    if(-not($ResourceName))
    {
        throw "Name of the resource which should be granted access is required"
    }
}
elseif($ParamSetName -eq 'Object')
{
    if(-not($ObjectId))
    {
        throw "The ObjectId of the resource that needs to get a role assigned."
    }
}
else
{
    # Neither set was chosen: the caller passed neither an ObjectId nor a resource.
    throw "Please provide either the ObjectId- or the ResourceGroupName/ResourceName-parameters."
}
```
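An added example (not the project's script) of the two-parameter-set shape described above, with the "either/or" enforcement left entirely to the parameter binder. It assumes the Az.Resources module is installed, `Connect-AzAccount` has already been run, and the function name `Grant-ResourceGroupRole` is a placeholder; the cmdlets `Get-AzResource`, `Get-AzRoleAssignment` and `New-AzRoleAssignment` are the real Az ones.

```powershell
# Added example, not the project's script. Assumes the Az.Resources module is
# installed and Connect-AzAccount has already been run.
function Grant-ResourceGroupRole {
    [CmdletBinding(DefaultParameterSetName = 'Object')]
    param (
        # Scope of the grant: the role applies to this resource group only.
        [Parameter(Mandatory = $true)][string] $TargetResourceGroupName,
        [Parameter(Mandatory = $true)][string] $RoleDefinitionName,
        # Set 'Object': the caller already knows the principal (user, group, SP).
        [Parameter(ParameterSetName = 'Object', Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string] $ObjectId,
        # Set 'Resource': resolve the principal from a resource's managed identity.
        [Parameter(ParameterSetName = 'Resource', Mandatory = $true)][string] $ResourceGroupName,
        [Parameter(ParameterSetName = 'Resource', Mandatory = $true)][string] $ResourceName
    )

    # Mandatory parameters are enforced per parameter set by the binder, so no
    # $(throw ...) defaults are needed: an incomplete set fails to bind, and
    # mixing -ObjectId with -ResourceName is rejected as ambiguous.
    if ($PSCmdlet.ParameterSetName -eq 'Resource') {
        # If several resources share the name, add -ResourceType to disambiguate.
        $resource = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $ResourceName
        if (-not $resource) {
            throw "Resource '$ResourceName' not found in resource group '$ResourceGroupName'."
        }
        $principalId = $resource.Identity.PrincipalId
        if (-not $principalId) {
            throw "Resource '$ResourceName' has no managed identity; enable one or pass -ObjectId."
        }
    } else {
        $principalId = $ObjectId
    }

    # Idempotency: skip when the exact assignment already exists at this scope
    # (assignments inherited from the subscription have a different Scope).
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleDefinitionName -ResourceGroupName $TargetResourceGroupName |
        Where-Object { $_.Scope -like "*/resourceGroups/$TargetResourceGroupName" }
    if ($existing) {
        Write-Verbose "'$RoleDefinitionName' is already assigned to $principalId on '$TargetResourceGroupName'."
        return $existing
    }
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleDefinitionName -ResourceGroupName $TargetResourceGroupName
}

# Both call shapes (names and GUID are constructed placeholders):
# Grant-ResourceGroupRole -TargetResourceGroupName 'rg-data' -RoleDefinitionName 'Reader' -ObjectId '00000000-0000-0000-0000-000000000000'
# Grant-ResourceGroupRole -TargetResourceGroupName 'rg-data' -RoleDefinitionName 'Reader' -ResourceGroupName 'rg-app' -ResourceName 'func-ingest'
```

With `DefaultParameterSetName = 'Object'`, a call that supplies neither set is resolved to the Object set and the binder demands `-ObjectId` (prompting interactively, failing in a non-interactive session), which replaces the script's trailing `else { throw ... }` branch.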

Labels: area:security, feature-suggestion