azure-docs
Statement on inherited readability
Where it states:
All Policy objects, including definitions, initiatives, and assignments, will be readable to all roles over its scope. For example, a Policy assignment scoped to an Azure subscription will be readable by all role holders at the subscription scope and below.
This is correct for definitions and initiatives but does NOT appear to be correct for assignments.
If I assign an identity a role at the resource group level, that identity is able to access details on initiatives applied to the subscription the resource group is in. It is also able to look at any custom definitions at either a management group or a subscription scope. However, if I execute the PolicyAssignments_ListForResourceGroup, PolicyAssignments_ListForResource or PolicyAssignments_List APIs, then I just get a 200 response with
```json
{
  "value": []
}
```
I have to grant the role the Microsoft.Authorization/policyAssignments/read action at the appropriate scope to be able to view the policy assignment.
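The behaviour reported above is what Azure RBAC's documented evaluation rules predict: a policy assignment is an ARM resource, and listing it requires an action match, not merely holding some role at the scope. The following is an added model of that evaluation (example code written for this issue, not the author's code and not Azure's implementation). It assumes only the publicly documented rules: role assignments are inherited by child scopes, Actions grant with `*` wildcards, and NotActions subtract. The principal names, the custom "VM Viewer" role, the subscription ID and the resource IDs are constructed sample data; the "Reader" definition is modelled after the built-in Reader role's `*/read` action. Deny assignments and data actions are out of scope for the model, and it decides authorization only; it does not reproduce the API's empty `value` list.

```python
"""Model of how an Azure RBAC role assignment gates an ARM control-plane read.

Added example for this issue, not code from the issue author or from Azure.
Rules modelled, as documented publicly for Azure RBAC:
  * a role assignment at scope S applies to S and every scope nested under it;
  * an action is granted when it matches an entry in the role's Actions
    ('*' wildcards allowed) and matches no entry in NotActions.
Role names, scopes and principal names below are constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase  # '*' matches across '/' here, as Azure wildcards do


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # ARM resource ID prefix the assignment was made at


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if the assignment scope is the target scope or an ancestor of it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def action_permitted(role: RoleDefinition, action: str) -> bool:
    """Actions grant, NotActions subtract; matching is case-insensitive."""
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role.actions)
    denied = any(fnmatchcase(act, p.lower()) for p in role.not_actions)
    return allowed and not denied


def is_authorized(principal: str, action: str, target_scope: str,
                  assignments: list) -> bool:
    """Any one inherited assignment that permits the action is enough."""
    return any(
        ra.principal == principal
        and scope_covers(ra.scope, target_scope)
        and action_permitted(ra.role, action)
        for ra in assignments
    )


# Constructed sample scopes (the subscription ID is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

POLICY_ASSIGNMENT_READ = "Microsoft.Authorization/policyAssignments/read"

# Modelled after the built-in Reader role, whose Actions list is just "*/read".
READER = RoleDefinition("Reader", ("*/read",))
# Constructed custom role that lists specific read actions and omits policy reads.
VM_VIEWER = RoleDefinition("VM Viewer", ("Microsoft.Compute/virtualMachines/read",))
# The same constructed role after adding the action named in the issue.
VM_VIEWER_FIXED = RoleDefinition(
    "VM Viewer + policy assignment read",
    ("Microsoft.Compute/virtualMachines/read", POLICY_ASSIGNMENT_READ),
)


def policy_read_checks() -> dict:
    """Reproduce the issue's scenario: a role granted at resource group scope."""
    before = [RoleAssignment("alice", VM_VIEWER, RG)]
    after = [RoleAssignment("alice", VM_VIEWER_FIXED, RG)]
    reader = [RoleAssignment("bob", READER, RG)]
    return {
        # Custom role without the action: the list call is not authorized.
        "custom_role_list_for_rg": is_authorized("alice", POLICY_ASSIGNMENT_READ, RG, before),
        # With Microsoft.Authorization/policyAssignments/read granted at the RG...
        "fixed_role_list_for_rg": is_authorized("alice", POLICY_ASSIGNMENT_READ, RG, after),
        # ...the grant is inherited by resources inside the RG...
        "fixed_role_list_for_resource": is_authorized("alice", POLICY_ASSIGNMENT_READ, VM, after),
        # ...but does not reach upward to the subscription scope.
        "fixed_role_list_for_subscription": is_authorized("alice", POLICY_ASSIGNMENT_READ, SUB, after),
        # Reader's "*/read" wildcard covers the action, so broad roles do see assignments.
        "reader_list_for_rg": is_authorized("bob", POLICY_ASSIGNMENT_READ, RG, reader),
    }


if __name__ == "__main__":
    for check, ok in policy_read_checks().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

The practical check this suggests when the list APIs return an empty `value`: inspect the effective role definitions at the scope you are listing for either a `*/read`-style wildcard or an explicit `Microsoft.Authorization/policyAssignments/read`, and remember that a grant at resource group scope covers that group and its resources but not assignments you list at the subscription scope.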
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 07fab47b-3b7a-c02e-c863-2c60f0e06f94
- Version Independent ID: f1643e7a-14eb-c372-8099-2f412c954717
- Content: Overview of Azure Policy - Azure Policy
- Content Source: articles/governance/policy/overview.md
- Service: azure-policy
- GitHub Login: @davidsmatlak
- Microsoft Alias: davidsmatlak
@tyson-trust Thanks for your feedback! We will investigate and update as appropriate.
#reassign:davidsmatlak
I created an internal work item to review the article and I'll post a comment after the article is reviewed. I'm closing this issue.
#please-close