AzRoleAdvertizer

last sync: 2025-Aug-01 17:22:47 UTC

Service Group Administrator

Azure BuiltIn RBAC Role definition

Name

Service Group Administrator
Microsoft Learn

4e50c84c-c78e-4e37-b47e-e60ffea0a775

Description

Role Definition for administrator of a Service Group

Category

Management and governance
Microsoft Learn

CreatedOn

2024-10-18 18:43:56 UTC

UpdatedOn

2025-03-28 19:00:58 UTC

Assignable scopes

/providers/Microsoft.Management/serviceGroups

Permissions summary

Effective control plane and data plane operations: 16892 (unique operations)
•action: 3867
•delete: 2584
•read: 7233
•write: 3208

Actions: 3
Resolved control plane operations from Actions: 16894
Effective control plane operations: 16892
•action: 3867
•delete: 2584
•read: 7233
•write: 3208

NotActions: 2
Resolved control plane operations from NotActions: 2
Effective denied control plane operations: 2

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3587

Actions

Operation	Description
*	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.

NotActions

Operation	Description
Microsoft.Authorization/roleAssignments/delete	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write	Create a role assignment at the specified scope.

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2024-10-18 17:51:46	add: Role	4e50c84c-c78e-4e37-b47e-e60ffea0a775

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            4e50c84c-c78e-4e37-b47e-e60ffea0a775 (Service Group Administrator),
            32e6a4ec-6095-4e37-b54b-12aa350ba81f (Service Group Contributor),
            de754d53-652d-4c75-a67f-1e48d8b49c97 (Service Group Reader)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            4e50c84c-c78e-4e37-b47e-e60ffea0a775 (Service Group Administrator),
            32e6a4ec-6095-4e37-b54b-12aa350ba81f (Service Group Contributor),
            de754d53-652d-4c75-a67f-1e48d8b49c97 (Service Group Reader)
            }
        )
    )