{ "swagger": "2.0", "info": { "title": "AuthorizationManagementClient", "version": "2018-01-01-preview", "description": "Role based access control provides you a way to apply granular level policy administration down to individual resources or resource groups. These operations allow you to manage role definitions. A role definition describes the set of actions that can be performed on resources." }, "host": "management.azure.com", "schemes": [ "https" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "security": [ { "azure_auth": [ "user_impersonation" ] } ], "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow", "scopes": { "user_impersonation": "impersonate your user account" } } }, "paths": { "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Authorization/permissions": { "get": { "tags": [ "Permissions" ], "operationId": "Permissions_ListForResourceGroup", "description": "Gets all permissions the caller has for a resource group.", "parameters": [ { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK - Returns an array of permissions.", "schema": { "$ref": "#/definitions/PermissionGetResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List permissions for resource group": { "$ref": "./examples/GetPermissions.json" } } } }, "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/permissions": { "get": { "tags": [ "Permissions" ], "operationId": "Permissions_ListForResource", "description": "Gets all permissions the caller has for a resource.", "parameters": [ { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ResourceGroupNameParameter" }, { "$ref": "../2020-10-01-preview/common-types.json#/parameters/ResourceProviderNamespaceParameter" }, { "name": "parentResourcePath", "in": "path", "required": true, "type": "string", "description": "The parent resource identity.", "x-ms-skip-url-encoding": true }, { "name": "resourceType", "in": "path", "required": true, "type": "string", "description": "The resource type of the resource.", "x-ms-skip-url-encoding": true }, { "name": "resourceName", "in": "path", "required": true, "type": "string", "description": "The name of the resource to get the permissions for." }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK - Returns an array of permissions.", "schema": { "$ref": "#/definitions/PermissionGetResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-examples": { "List permissions for resource": { "$ref": "./examples/GetResourcePermissions.json" } } } }, "/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}": { "delete": { "tags": [ "RoleDefinitions" ], "operationId": "RoleDefinitions_Delete", "description": "Deletes a role definition.", "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the role definition.", "x-ms-skip-url-encoding": true }, { "name": "roleDefinitionId", "in": "path", "required": true, "type": "string", "description": "The ID of the role definition to delete." }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the role definition.", "schema": { "$ref": "#/definitions/RoleDefinition" } }, "204": { "description": "Role definition already deleted or does not exist." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Delete role definition": { "$ref": "./examples/DeleteRoleDefinition.json" } } }, "get": { "tags": [ "RoleDefinitions" ], "operationId": "RoleDefinitions_Get", "description": "Get role definition by name (GUID).", "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the role definition.", "x-ms-skip-url-encoding": true }, { "name": "roleDefinitionId", "in": "path", "required": true, "type": "string", "description": "The ID of the role definition." }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the role definition.", "schema": { "$ref": "#/definitions/RoleDefinition" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Get role definition by name": { "$ref": "./examples/GetRoleDefinitionByName.json" } } }, "put": { "tags": [ "RoleDefinitions" ], "operationId": "RoleDefinitions_CreateOrUpdate", "description": "Creates or updates a role definition.", "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the role definition.", "x-ms-skip-url-encoding": true }, { "name": "roleDefinitionId", "in": "path", "required": true, "type": "string", "description": "The ID of the role definition." }, { "name": "roleDefinition", "in": "body", "required": true, "schema": { "$ref": "#/definitions/RoleDefinition" }, "description": "The values for the role definition." }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" } ], "responses": { "201": { "description": "OK - Returns information about the role definition.", "schema": { "$ref": "#/definitions/RoleDefinition" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Create role definition": { "$ref": "./examples/PutRoleDefinition.json" } } } }, "/{scope}/providers/Microsoft.Authorization/roleDefinitions": { "get": { "tags": [ "RoleDefinitions" ], "operationId": "RoleDefinitions_List", "description": "Get all role definitions that are applicable at scope and above.", "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the role definition.", "x-ms-skip-url-encoding": true }, { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "The filter to apply on the operation. Use atScopeAndBelow filter to search below the given scope as well." }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns an array of role definitions.", "schema": { "$ref": "#/definitions/RoleDefinitionListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-odata": "#/definitions/RoleDefinitionFilter", "x-ms-examples": { "List role definition for scope": { "$ref": "./examples/GetRoleDefinitionAtScope.json" } } } } }, "x-ms-paths": { "/{roleId}?disambiguation_dummy": { "get": { "tags": [ "RoleDefinitions" ], "operationId": "RoleDefinitions_GetById", "description": "Gets a role definition by ID.", "parameters": [ { "name": "roleId", "in": "path", "required": true, "type": "string", "description": "The fully qualified role definition ID. Use the format, /subscriptions/{guid}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId} for subscription level role definitions, or /providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId} for tenant level role definitions.", "x-ms-skip-url-encoding": true }, { "$ref": "../../../../../common-types/resource-management/v2/types.json#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the role definition.", "schema": { "$ref": "#/definitions/RoleDefinition" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "../../../../../common-types/resource-management/v2/types.json#/definitions/ErrorResponse" } } }, "x-ms-examples": { "Get role definition by ID": { "$ref": "./examples/GetRoleDefinitionById.json" } } } } }, "definitions": { "RoleDefinitionFilter": { "properties": { "roleName": { "type": "string", "description": "Returns role definition with the specific name." }, "type": { "type": "string", "description": "Returns role definition with the specific type." } }, "type": "object", "description": "Role Definitions filter" }, "RoleDefinitionProperties": { "properties": { "roleName": { "type": "string", "description": "The role name." }, "description": { "type": "string", "description": "The role definition description." }, "type": { "type": "string", "description": "The role type.", "x-ms-client-name": "roleType" }, "permissions": { "type": "array", "items": { "$ref": "#/definitions/Permission" }, "x-ms-identifiers": [], "description": "Role definition permissions." }, "assignableScopes": { "type": "array", "items": { "type": "string" }, "description": "Role definition assignable scopes." } }, "type": "object", "description": "Role definition properties." }, "RoleDefinition": { "properties": { "id": { "type": "string", "readOnly": true, "description": "The role definition ID." }, "name": { "type": "string", "readOnly": true, "description": "The role definition name." }, "type": { "type": "string", "readOnly": true, "description": "The role definition type." }, "properties": { "x-ms-client-flatten": true, "$ref": "#/definitions/RoleDefinitionProperties", "description": "Role definition properties." } }, "type": "object", "description": "Role definition." }, "RoleDefinitionListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/RoleDefinition" }, "description": "Role definition list." }, "nextLink": { "type": "string", "description": "The URL to use for getting the next set of results." } }, "type": "object", "description": "Role definition list operation result." }, "PermissionGetResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/Permission" }, "x-ms-identifiers": [], "description": "An array of permissions." }, "nextLink": { "type": "string", "description": "The URL to use for getting the next set of results." } }, "type": "object", "description": "Permissions information." }, "Permission": { "properties": { "actions": { "type": "array", "items": { "type": "string" }, "description": "Allowed actions." }, "notActions": { "type": "array", "items": { "type": "string" }, "description": "Denied actions." }, "dataActions": { "type": "array", "items": { "type": "string" }, "description": "Allowed Data actions." }, "notDataActions": { "type": "array", "items": { "type": "string" }, "description": "Denied Data actions." } }, "type": "object", "description": "Role definition permissions." } }, "parameters": { "FilterParameter": { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "The filter to apply on the operation. Use $filter=atScope() to return all deny assignments at or above the scope. Use $filter=denyAssignmentName eq '{name}' to search deny assignments by name at specified scope. Use $filter=principalId eq '{id}' to return all deny assignments at, above and below the scope for the specified principal. Use $filter=gdprExportPrincipalId eq '{id}' to return all deny assignments at, above and below the scope for the specified principal. This filter is different from the principalId filter as it returns not only those deny assignments that contain the specified principal is the Principals list but also those deny assignments that contain the specified principal is the ExcludePrincipals list. Additionally, when gdprExportPrincipalId filter is used, only the deny assignment name and description properties are returned.", "x-ms-parameter-location": "method" } } }