Error Creating Custom Role

    Question

  • All,

    I'm trying to create a custom role for the ONTAP Cloud Manager. NetApp provided a sample script which I've edited based on the recommendations here:

    https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-azure-cli

    I continue to get the following when using Azure CLI to process the json file:

    MacBookPro:Desktop jasonlegendre$ azure role create --inputfile Policy_for_Cloud_Manager_Azure_3.1.json
    info:    Executing command role create
    error:   Deserializing the input role definition failed
    error:   Error information has been recorded to /Users/jasonlegendre/.azure/azure.err
    error:   role create command failed

    JSON File Copied below

    {
      "Name": "OnCommand Cloud Manager Operator",
      “Id”: “d4ebc8c5-2ba6-4e46-9784-8c3cd8d2f8e6”,
      “IsCustom”: true,
      "Description": "OnCommand Cloud Manager Permissions.”,
      "Actions": [
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/locations/vmSizes/read",
        "Microsoft.Compute/operations/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/locations/operationResults/read",
        "Microsoft.Network/locations/operations/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Storage/checknameavailability/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/regeneratekey/action",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "NotActions": [

    ],
      "AssignableScopes": [
        “/subscriptions/**************”
      ]
    }


    Wednesday, March 15, 2017 10:30 PM

All replies

  • Can you try without the Id property?

    Thursday, March 16, 2017 5:27 PM
    Moderator
  • Thank you Sadiqh,

    Initially I did try without it. I later added it when troubleshooting this issue.

    Below is the file as it came from NetApp. I just added the Azure Subscription to the AssignableScopes section per the documentation.

    https://mysupport.netapp.com/info/web/ECMP11022837.html

    ---------------------------------------------------------------------

    {
      "Name": "OnCommand Cloud Manager Operator",
      "Actions": [
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/locations/vmSizes/read",
        "Microsoft.Compute/operations/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/locations/operationResults/read",
        "Microsoft.Network/locations/operations/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Storage/checknameavailability/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/regeneratekey/action",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/"
      ],
      "Description": "OnCommand Cloud Manager Permissions"
    }

    Sunday, March 19, 2017 1:26 PM
  • The subscription value is set to "/" which is not allowed for custom roles, as this needs to be a valid subscription.

    Try replacing the subscription value and creating the custom role as below.

    New-AzureRmRoleDefinition -InputFile "C:\temp\CustomRole.txt"

    Thursday, March 30, 2017 3:14 PM
    Moderator
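Added example, not from the thread or from NetApp: a small pre-flight lint for a custom role definition that catches the two problems visible above before the file ever reaches the CLI, namely typographic (curly) quotes on hand-edited lines, which break JSON deserialization, and a root "/" assignable scope, which the moderator notes is not accepted for custom roles. The `lint_role_definition` and `fix_quotes` functions, the scope regex and the sample file are all my own constructions; the sample GUID is a placeholder.

```python
import json
import re

# Constructed sample mimicking the poster's file: typographic quotes on the
# hand-edited lines and a root "/" assignable scope (not a real role file).
BAD_ROLE = '''{
  "Name": "OnCommand Cloud Manager Operator",
  \u201cIsCustom\u201d: true,
  "Description": "OnCommand Cloud Manager Permissions.\u201d,
  "Actions": ["Microsoft.Compute/disks/read"],
  "NotActions": [],
  "AssignableScopes": ["/"]
}'''

# Word processors and some editors silently replace " with these code points.
CURLY_QUOTES = {"\u201c", "\u201d", "\u2018", "\u2019"}

# Assumption: a custom role must be scoped to a subscription (36-char GUID),
# optionally narrowed to one resource group; "/" (tenant root) is rejected.
SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$")


def lint_role_definition(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        bad = sorted(ch for ch in line if ch in CURLY_QUOTES)
        if bad:
            problems.append(f"line {lineno}: typographic quote(s) {bad}; use ASCII \"")
    if problems:
        return problems  # json.loads would fail on these anyway
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    for key in ("Name", "Actions", "AssignableScopes"):
        if key not in role:
            problems.append(f"missing required property {key!r}")
    for scope in role.get("AssignableScopes", []):
        if not SUB_SCOPE.match(scope):
            problems.append(f"scope {scope!r} is not a subscription or resource-group scope")
    return problems


def fix_quotes(text):
    """Normalise curly double quotes back to the ASCII quote JSON requires."""
    return text.replace("\u201c", '"').replace("\u201d", '"')
```

Run the lint on the file before `azure role create` or `New-AzureRmRoleDefinition`; the scope check is only a format check and does not verify that the subscription exists.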