I have a problem with permissions and roles. I need to give read-only access to all logs in my infrastructure to a user. My infrastructure is done by different Management groups:
I am working at Technical area management group level... it is like I am working at root level.
Initially, the user had the Reader role. Now I have given him a lot of *** reader roles. At the end I have given him also some contributor role. But no success:
Now, when he tries to open some log I receive this error:

The client '' with object id '' does not have authorization to perform action 'microsoft.web/sites/config/list/action' over scope '/subscriptions//resourcegroups/-rg-westeu/providers/microsoft.web/sites/*****-func-westeu/config/appSettings' or the scope is invalid. If access was recently granted, please refresh your credentials.
The error is about listing appSettings.
Well, honestly I do not understand why he needs that kind of permission. However, which is the minimum role I can give him for that permission? Does a way exist to know which role has some permissions?
Thank you


As mentioned in the MSDoc, Application Insights Component Contributor role has an option to Read Transactions.

You can check the same in Roles => Application Insights Component Contributor.

Create a new custom role with the action Microsoft.Insights/transactions/read and assign this custom role to the user.

Make sure you have owner or User access Admin role to create a custom role.

Here I am creating the custom role on Resource Group level.

Navigate to your Resource Group => Access control (IAM) => click on Add => Add custom role. Application Insights Component Contributor role => Review + create.

Refer to this Azure built-in roles for more info.
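
On the question of how to find which role carries a given permission, here is an added example (not part of the original question or answer) that evaluates role definitions against one action, honouring wildcards and NotActions. The role names and definitions are constructed and abbreviated; the JSON shape is assumed to be the one `az role definition list` returns.

```python
import json
import re

# Constructed, abbreviated role definitions in the JSON shape that
# `az role definition list` returns; these are not real built-in roles.
ROLE_DEFINITIONS_JSON = """
[
  {"roleName": "Sample Read Only",
   "permissions": [{"actions": ["*/read"], "notActions": []}]},
  {"roleName": "Sample Web Operator",
   "permissions": [{"actions": ["Microsoft.Web/sites/*"], "notActions": []}]},
  {"roleName": "Sample Web Operator No Secrets",
   "permissions": [{"actions": ["Microsoft.Web/sites/*"],
                    "notActions": ["Microsoft.Web/sites/config/list/action"]}]},
  {"roleName": "Sample Transactions Reader",
   "permissions": [{"actions": ["Microsoft.Insights/transactions/read"],
                    "notActions": []}]}
]
"""

def pattern_matches(pattern, action):
    """Action patterns are case-insensitive; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def role_grants(role, action):
    """Granted when an Actions entry matches and no NotActions entry does."""
    for block in role.get("permissions", []):
        allowed = any(pattern_matches(p, action) for p in block.get("actions", []))
        excluded = any(pattern_matches(p, action) for p in block.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def roles_granting(action, definitions_json=ROLE_DEFINITIONS_JSON):
    """Return the sorted names of roles whose control-plane actions cover `action`."""
    roles = json.loads(definitions_json)
    return sorted(r["roleName"] for r in roles if role_grants(r, action))

if __name__ == "__main__":
    # The first action is the one named in the error message in the question.
    for wanted in ("microsoft.web/sites/config/list/action",
                   "Microsoft.Insights/transactions/read"):
        print(wanted, "->", roles_granting(wanted))
```

The first result shows that a `*/read` pattern does not cover the `list/action` operation named in the error. To run it against a real tenant, replace the embedded JSON with the saved output of `az role definition list`.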