Is there an easy way to block deletion of Blobs within a Container using RBAC?

  • Question

  • I have a need to block users from deleting Blobs once created. These users have an RBAC role of Storage Blob Data Contributor. I want these users to have all the permissions in this role, except Delete. These users access storage via Azure Explorer exclusively, not through the Portal.

    I've looked at Immutable storage Access Policy but I don't think that will be workable due to the dynamic creation of Containers and Blobs. I've also looked at creating a Custom RBAC, but it's too complicated for me, at this point anyway, and my need is rather urgent.

    Any help would be appreciated.

    Thanks!

    Chris


    Monday, January 27, 2020 11:08 PM

All replies

  • Hi Chris,

    have you tried creating a custom role that includes

    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"

    as part of "NotDataActions"?

    More at https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions

    hth
    Marcin

    Monday, January 27, 2020 11:42 PM
  • I'm studying this, yes. I've got the basics of the definitions and actions down, but actually creating a role is something that is going to take me a while. I'm trying to figure out PowerShell.

    I was looking for something a bit easier given a certain urgency.

    Thanks for the info.

    Chris

    Tuesday, January 28, 2020 3:04 AM
  • @OldGuyStillTry The article mentioned below may help you in your scenario; you can customize your own script. For more information refer here: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-powershell

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Tuesday, January 28, 2020 12:08 PM
  • Hi Chris,

    You can simply copy the definition of the RBAC role you are currently using to grant permission to Azure Storage and add the single NotDataActions entry to it. Obviously you will need to change the value of the IsCustom attribute to true, remove the existing GUID (that will get automatically regenerated once you create the role definition), and set the scope to your Azure subscription.

    hth
    Marcin

    Tuesday, January 28, 2020 12:42 PM
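The steps Marcin describes above (copy the built-in role, set IsCustom, drop the Id, add the delete data action to NotDataActions, scope it to the subscription), as an added Az PowerShell example that is not part of the thread. It assumes the Az.Resources module is installed and Connect-AzAccount has already been run; the subscription id and the custom role name are placeholders chosen for this example.

```powershell
# Added example (not from the thread): clone "Storage Blob Data Contributor" into a
# custom role whose NotDataActions removes the blob delete data action.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.

$subscriptionId = "<your-subscription-id>"   # placeholder, replace with your own
$newRoleName    = "Storage Blob Data Contributor (No Delete)"   # name chosen for this example
$deleteAction   = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"

# 1. Start from the built-in role definition the users already hold.
$role = Get-AzRoleDefinition -Name "Storage Blob Data Contributor"

# 2. Turn the copy into a custom role: new name, IsCustom, and no Id
#    (Azure generates a new GUID when the definition is created).
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = $newRoleName
$role.Description = "Same as Storage Blob Data Contributor, except blobs cannot be deleted"

# 3. Subtract the delete data action. NotDataActions only subtracts from this
#    role's own DataActions; it is not a deny, so a user who also holds another
#    role that grants blobs/delete can still delete.
if (-not $role.NotDataActions.Contains($deleteAction)) {
    $role.NotDataActions.Add($deleteAction)
}

# 4. Scope the custom role to the subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# 5. Create the role definition.
New-AzRoleDefinition -Role $role

# 6. Verify: the created role should still list the delete action in DataActions
#    (inherited from the built-in role) and also list it in NotDataActions.
$created = Get-AzRoleDefinition -Name $newRoleName
if (($created.DataActions -contains $deleteAction) -and ($created.NotDataActions -contains $deleteAction)) {
    Write-Host "OK: '$newRoleName' grants the contributor data actions minus blob delete"
} else {
    Write-Warning "Unexpected definition; inspect with: Get-AzRoleDefinition -Name '$newRoleName'"
}
```

Assigning the new role is a separate step (New-AzRoleAssignment); the existing Storage Blob Data Contributor assignment must also be removed, otherwise that role still grants delete.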
  • @Chris Is there any update on the issue?

    If the suggested answer helped with your issue, do click on "Mark as Answer" and "Vote as Helpful" on the post that helps you, this can be beneficial to other community members.

    Thursday, February 6, 2020 3:30 AM
  • Just checking in to see if the above answer helped. If this answers your query, do click "Mark as Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

    Tuesday, February 18, 2020 4:05 PM