{ "swagger": "2.0", "info": { "title": "PolicyClient", "version": "2019-06-01", "description": "To manage and control access to your resources, you can define customized policies and assign them at a scope." }, "host": "management.azure.com", "schemes": [ "https" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "security": [ { "azure_auth": [ "user_impersonation" ] } ], "securityDefinitions": { "azure_auth": { "type": "oauth2", "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize", "flow": "implicit", "description": "Azure Active Directory OAuth2 Flow", "scopes": { "user_impersonation": "impersonate your user account" } } }, "paths": { "/{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}": { "delete": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_Delete", "summary": "Deletes a policy assignment.", "description": "This operation deletes a policy assignment, given its name and the scope it was created in. The scope of a policy assignment is the part of its ID preceding '/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.", "x-ms-examples": { "Delete a policy assignment": { "$ref": "./examples/deletePolicyAssignment.json" } }, "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'", "x-ms-skip-url-encoding": true }, { "name": "policyAssignmentName", "in": "path", "required": true, "type": "string", "description": "The name of the policy assignment to delete." }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the deleted assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "204": { "description": "No Content - the policy assignment doesn't exist." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } }, "put": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_Create", "summary": "Creates or updates a policy assignment.", "description": " This operation creates or updates a policy assignment with the given scope and name. Policy assignments apply to all resources contained within their scope. For example, when you assign a policy at resource group scope, that policy applies to all resources in the group.", "x-ms-examples": { "Create or update a policy assignment": { "$ref": "./examples/createPolicyAssignment.json" }, "Create or update a policy assignment with a managed identity": { "$ref": "./examples/createPolicyAssignmentWithIdentity.json" }, "Create or update a policy assignment without enforcing policy effect during resource creation or update.": { "$ref": "./examples/createPolicyAssignmentWithoutEnforcement.json" } }, "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'", "x-ms-skip-url-encoding": true }, { "name": "policyAssignmentName", "in": "path", "required": true, "type": "string", "description": "The name of the policy assignment." }, { "name": "parameters", "in": "body", "required": true, "schema": { "$ref": "#/definitions/PolicyAssignment" }, "description": "Parameters for the policy assignment." }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "201": { "description": "Created - Returns information about the new policy assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } }, "get": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_Get", "summary": "Retrieves a policy assignment.", "description": "This operation retrieves a single policy assignment, given its name and the scope it was created at.", "x-ms-examples": { "Retrieve a policy assignment": { "$ref": "./examples/getPolicyAssignment.json" }, "Retrieve a policy assignment with a managed identity": { "$ref": "./examples/getPolicyAssignmentWithIdentity.json" } }, "parameters": [ { "name": "scope", "in": "path", "required": true, "type": "string", "description": "The scope of the policy assignment. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'", "x-ms-skip-url-encoding": true }, { "name": "policyAssignmentName", "in": "path", "required": true, "type": "string", "description": "The name of the policy assignment to get." }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the policy assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } } }, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Authorization/policyAssignments": { "get": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_ListForResourceGroup", "summary": "Retrieves all policy assignments that apply to a resource group.", "description": "This operation retrieves the list of all policy assignments associated with the given resource group in the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy assignments associated with the resource group, including those that apply directly or apply from containing scopes, as well as any applied to resources contained within the resource group. If $filter=atScope() is provided, the returned list includes all policy assignments that apply to the resource group, which is everything in the unfiltered list except those applied to resources contained within the resource group. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value} that apply to the resource group.", "x-ms-examples": { "List policy assignments that apply to a resource group": { "$ref": "./examples/listPolicyAssignmentsForResourceGroup.json" } }, "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the resource group that contains policy assignments.", "pattern": "^[-\\w\\._\\(\\)]+$", "minLength": 1, "maxLength": 90 }, { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "The filter to apply on the operation. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, no filtering is performed.", "x-ms-skip-url-encoding": true }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK - Returns an array of policy assignments.", "schema": { "$ref": "#/definitions/PolicyAssignmentListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" } } }, "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName}/providers/Microsoft.Authorization/policyAssignments": { "get": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_ListForResource", "summary": "Retrieves all policy assignments that apply to a resource.", "description": "This operation retrieves the list of all policy assignments associated with the specified resource in the given resource group and subscription that match the optional given $filter. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy assignments associated with the resource, including those that apply directly or from all containing scopes, as well as any applied to resources contained within the resource. If $filter=atScope() is provided, the returned list includes all policy assignments that apply to the resource, which is everything in the unfiltered list except those applied to resources contained within the resource. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value} that apply to the resource. Three parameters plus the resource name are used to identify a specific resource. If the resource is not part of a parent resource (the more common case), the parent resource path should not be provided (or provided as ''). For example a web app could be specified as ({resourceProviderNamespace} == 'Microsoft.Web', {parentResourcePath} == '', {resourceType} == 'sites', {resourceName} == 'MyWebApp'). If the resource is part of a parent resource, then all parameters should be provided. For example a virtual machine DNS name could be specified as ({resourceProviderNamespace} == 'Microsoft.Compute', {parentResourcePath} == 'virtualMachines/MyVirtualMachine', {resourceType} == 'domainNames', {resourceName} == 'MyComputerName'). A convenient alternative to providing the namespace and type name separately is to provide both in the {resourceType} parameter, format: ({resourceProviderNamespace} == '', {parentResourcePath} == '', {resourceType} == 'Microsoft.Web/sites', {resourceName} == 'MyWebApp').", "deprecated": false, "x-ms-examples": { "List all policy assignments that apply to a resource": { "$ref": "./examples/listPolicyAssignmentsForResource.json" } }, "parameters": [ { "name": "resourceGroupName", "in": "path", "required": true, "type": "string", "description": "The name of the resource group containing the resource.", "pattern": "^[-\\w\\._\\(\\)]+$", "minLength": 1, "maxLength": 90 }, { "name": "resourceProviderNamespace", "in": "path", "required": true, "type": "string", "description": "The namespace of the resource provider. For example, the namespace of a virtual machine is Microsoft.Compute (from Microsoft.Compute/virtualMachines)" }, { "name": "parentResourcePath", "in": "path", "required": true, "type": "string", "description": "The parent resource path. Use empty string if there is none.", "x-ms-skip-url-encoding": true }, { "name": "resourceType", "in": "path", "required": true, "type": "string", "description": "The resource type name. For example the type name of a web app is 'sites' (from Microsoft.Web/sites).", "x-ms-skip-url-encoding": true }, { "name": "resourceName", "in": "path", "required": true, "type": "string", "description": "The name of the resource." }, { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "The filter to apply on the operation. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, no filtering is performed." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK - Returns an array of policy assignments.", "schema": { "$ref": "#/definitions/PolicyAssignmentListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-odata": "#/definitions/PolicyAssignment" } }, "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments": { "get": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_List", "summary": "Retrieves all policy assignments that apply to a subscription.", "description": "This operation retrieves the list of all policy assignments associated with the given subscription that match the optional given $filter. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, the unfiltered list includes all policy assignments associated with the subscription, including those that apply directly or from management groups that contain the given subscription, as well as any applied to objects contained within the subscription. If $filter=atScope() is provided, the returned list includes all policy assignments that apply to the subscription, which is everything in the unfiltered list except those applied to objects contained within the subscription. If $filter=policyDefinitionId eq '{value}' is provided, the returned list includes all policy assignments of the policy definition whose id is {value}.", "x-ms-examples": { "List policy assignments that apply to a subscription": { "$ref": "./examples/listPolicyAssignments.json" } }, "parameters": [ { "name": "$filter", "in": "query", "required": false, "type": "string", "description": "The filter to apply on the operation. Valid values for $filter are: 'atScope()' or 'policyDefinitionId eq '{value}''. If $filter is not provided, no filtering is performed." }, { "$ref": "#/parameters/ApiVersionParameter" }, { "$ref": "#/parameters/SubscriptionIdParameter" } ], "responses": { "200": { "description": "OK - Returns an array of policy assignments.", "schema": { "$ref": "#/definitions/PolicyAssignmentListResult" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } }, "x-ms-pageable": { "nextLinkName": "nextLink" }, "x-ms-odata": "#/definitions/PolicyAssignment" } }, "/{policyAssignmentId}": { "delete": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_DeleteById", "summary": "Deletes a policy assignment.", "description": "This operation deletes the policy with the given ID. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid formats for {scope} are: '/providers/Microsoft.Management/managementGroups/{managementGroup}' (management group), '/subscriptions/{subscriptionId}' (subscription), '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}' (resource group), or '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}' (resource).", "x-ms-examples": { "Delete a policy assignment by ID": { "$ref": "./examples/deletePolicyAssignmentById.json" } }, "parameters": [ { "name": "policyAssignmentId", "in": "path", "required": true, "type": "string", "description": "The ID of the policy assignment to delete. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.", "x-ms-skip-url-encoding": true }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the policy assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "204": { "description": "No Content - the policy assignment doesn't exist." }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } }, "put": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_CreateById", "summary": "Creates or updates a policy assignment.", "description": "This operation creates or updates the policy assignment with the given ID. Policy assignments made on a scope apply to all resources contained in that scope. For example, when you assign a policy to a resource group that policy applies to all resources in the group. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'.", "x-ms-examples": { "Create or update policy assignment by ID": { "$ref": "./examples/createPolicyAssignmentById.json" }, "Create or update policy assignment with a managed identity by ID": { "$ref": "./examples/createPolicyAssignmentWithIdentityById.json" } }, "parameters": [ { "name": "policyAssignmentId", "in": "path", "required": true, "type": "string", "description": "The ID of the policy assignment to create. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.", "x-ms-skip-url-encoding": true }, { "name": "parameters", "in": "body", "required": true, "schema": { "$ref": "#/definitions/PolicyAssignment" }, "description": "Parameters for policy assignment." }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "201": { "description": "Created - Returns information about the policy assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } }, "get": { "tags": [ "PolicyAssignments" ], "operationId": "PolicyAssignments_GetById", "summary": "Retrieves the policy assignment with the given ID.", "description": "The operation retrieves the policy assignment with the given ID. Policy assignment IDs have this format: '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'. Valid scopes are: management group (format: '/providers/Microsoft.Management/managementGroups/{managementGroup}'), subscription (format: '/subscriptions/{subscriptionId}'), resource group (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}', or resource (format: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/[{parentResourcePath}/]{resourceType}/{resourceName}'.", "x-ms-examples": { "Retrieve a policy assignment by ID": { "$ref": "./examples/getPolicyAssignmentById.json" }, "Retrieve a policy assignment with a managed identity by ID": { "$ref": "./examples/getPolicyAssignmentWithIdentityById.json" } }, "parameters": [ { "name": "policyAssignmentId", "in": "path", "required": true, "type": "string", "description": "The ID of the policy assignment to get. Use the format '{scope}/providers/Microsoft.Authorization/policyAssignments/{policyAssignmentName}'.", "x-ms-skip-url-encoding": true }, { "$ref": "#/parameters/ApiVersionParameter" } ], "responses": { "200": { "description": "OK - Returns information about the policy assignment.", "schema": { "$ref": "#/definitions/PolicyAssignment" } }, "default": { "description": "Error response describing why the operation failed.", "schema": { "$ref": "#/definitions/ErrorResponse" } } } } } }, "definitions": { "PolicyAssignmentProperties": { "properties": { "displayName": { "type": "string", "description": "The display name of the policy assignment." }, "policyDefinitionId": { "type": "string", "description": "The ID of the policy definition or policy set definition being assigned." }, "scope": { "type": "string", "description": "The scope for the policy assignment." }, "notScopes": { "type": "array", "items": { "type": "string" }, "description": "The policy's excluded scopes." }, "parameters": { "type": "object", "description": "Required if a parameter is used in policy rule." }, "description": { "type": "string", "description": "This message will be part of response in case of policy violation." }, "metadata": { "type": "object", "description": "The policy assignment metadata." }, "enforcementMode": { "type": "string", "description": "The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.", "enum": [ "Default", "DoNotEnforce" ], "x-ms-enum": { "name": "enforcementMode", "modelAsString": true, "values": [ { "value": "Default", "description": "The policy effect is enforced during resource creation or update." }, { "value": "DoNotEnforce", "description": "The policy effect is not enforced during resource creation or update." } ] } } }, "description": "The policy assignment properties." }, "PolicySku": { "properties": { "name": { "type": "string", "description": "The name of the policy sku. Possible values are A0 and A1." }, "tier": { "type": "string", "description": "The policy sku tier. Possible values are Free and Standard." } }, "required": [ "name" ], "description": "The policy sku. This property is optional, obsolete, and will be ignored." }, "PolicyAssignment": { "properties": { "properties": { "x-ms-client-flatten": true, "$ref": "#/definitions/PolicyAssignmentProperties", "description": "Properties for the policy assignment." }, "id": { "type": "string", "description": "The ID of the policy assignment.", "readOnly": true }, "type": { "type": "string", "description": "The type of the policy assignment.", "readOnly": true }, "name": { "type": "string", "description": "The name of the policy assignment.", "readOnly": true }, "sku": { "$ref": "#/definitions/PolicySku", "description": "The policy sku. This property is optional, obsolete, and will be ignored." }, "location": { "type": "string", "description": "The location of the policy assignment. Only required when utilizing managed identity." }, "identity": { "$ref": "#/definitions/Identity", "description": "The managed identity associated with the policy assignment." } }, "description": "The policy assignment.", "x-ms-azure-resource": true }, "PolicyAssignmentListResult": { "properties": { "value": { "type": "array", "items": { "$ref": "#/definitions/PolicyAssignment" }, "description": "An array of policy assignments." }, "nextLink": { "type": "string", "description": "The URL to use for getting the next set of results." } }, "description": "List of policy assignments." }, "Identity": { "properties": { "principalId": { "readOnly": true, "type": "string", "description": "The principal ID of the resource identity." }, "tenantId": { "readOnly": true, "type": "string", "description": "The tenant ID of the resource identity." }, "type": { "type": "string", "description": "The identity type.", "enum": [ "SystemAssigned", "None" ], "x-ms-enum": { "name": "ResourceIdentityType", "modelAsString": false } } }, "description": "Identity for the resource." }, "ErrorResponse": { "description": "Error response indicates Azure Resource Manager is not able to process the incoming request. The reason is provided in the error message.", "type": "object", "properties": { "httpStatus": { "description": "Http status code.", "type": "string" }, "errorCode": { "description": "Error code.", "type": "string" }, "errorMessage": { "description": "Error message indicating why the operation failed.", "type": "string" } } } }, "parameters": { "SubscriptionIdParameter": { "name": "subscriptionId", "in": "path", "required": true, "type": "string", "description": "The ID of the target subscription." }, "ApiVersionParameter": { "name": "api-version", "in": "query", "required": true, "type": "string", "description": "The API version to use for the operation." } } }