{ "properties": { "roleName": "Hydra - Resource Access Role", "description": "A fine-tuned role that allows Hydra's service principal (SP) or managed identity to operate Azure Virtual Desktop (AVD).", "assignableScopes": [ "/subscriptions/dcdce2ee-c9c0-4765-acd5-197126d21978", "/subscriptions/8c548bd3-06d3-4b10-838a-67a4cd58524d" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read", "Microsoft.AzureStackHCI/Clusters/Read", "Microsoft.AzureStackHCI/GalleryImages/*", "Microsoft.AzureStackHCI/LogicalNetworks/join/action", "Microsoft.AzureStackHCI/LogicalNetworks/Read", "Microsoft.AzureStackHCI/MarketplaceGalleryImages/*", "Microsoft.AzureStackHCI/NetworkInterfaces/*", "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read", "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read", "Microsoft.AzureStackHCI/VirtualHardDisks/*", "Microsoft.AzureStackHCI/virtualMachineInstances/*", "Microsoft.AzureStackHCI/VirtualMachines/*", "Microsoft.AzureStackHCI/VirtualNetworks/join/action", "Microsoft.AzureStackHCI/VirtualNetworks/Read", "Microsoft.Compute/availabilitySets/*", "Microsoft.Compute/cloudServices/*", "Microsoft.Compute/diskAccesses/*", "Microsoft.Compute/diskEncryptionSets/read", "Microsoft.Compute/diskEncryptionSets/write", "Microsoft.Compute/disks/*", "Microsoft.Compute/galleries/applications/*", "Microsoft.Compute/galleries/images/*", "Microsoft.Compute/galleries/read", "Microsoft.Compute/galleries/share/action", "Microsoft.Compute/galleries/write", "Microsoft.Compute/images/*", "Microsoft.Compute/locations/*", "Microsoft.Compute/operations/read", "Microsoft.Compute/restorePointCollections/*", "Microsoft.Compute/sharedVMExtensions/*", "Microsoft.Compute/sharedVMImages/*", "Microsoft.Compute/skus/read", "Microsoft.Compute/snapshots/*", "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/virtualMachineScaleSets/*", "Microsoft.DesktopVirtualization/*", "Microsoft.ExtendedLocation/customLocations/deploy/action", 
"Microsoft.ExtendedLocation/customLocations/Read", "Microsoft.HybridCompute/licenses/*", "Microsoft.HybridCompute/locations/*", "Microsoft.HybridCompute/machines/*", "Microsoft.HybridCompute/operations/*", "Microsoft.HybridCompute/osType/*", "Microsoft.Insights/alertRules/*", "Microsoft.Insights/DataCollectionEndpoints/*", "Microsoft.Insights/DataCollectionRules/*", "Microsoft.Insights/DataCollectionRuleAssociations/*", "Microsoft.KeyVault/vaults/read", "Microsoft.KeyVault/vaults/deploy/*", "Microsoft.Network/applicationGateways/backendAddressPools/join/action", "Microsoft.Network/applicationSecurityGroups/*", "Microsoft.Network/loadBalancers/backendAddressPools/join/action", "Microsoft.Network/loadBalancers/inboundNatPools/join/action", "Microsoft.Network/loadBalancers/inboundNatRules/join/action", "Microsoft.Network/loadBalancers/probes/join/action", "Microsoft.Network/loadBalancers/read", "Microsoft.Network/locations/*", "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/join/action", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Network/virtualNetworks/subnets/read", "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read", "Microsoft.OperationalInsights/*", "Microsoft.RecoveryServices/locations/*", "Microsoft.Resources/*/read", "Microsoft.ResourceGraph/*", "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/operationresults/read", "Microsoft.Resources/subscriptions/resourcegroups/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.SerialConsole/serialPorts/connect/action", "Microsoft.Storage/storageAccounts/fileServices/read", "Microsoft.Storage/storageAccounts/fileServices/shares/write", "Microsoft.Storage/storageAccounts/fileServices/shares/read", "Microsoft.Storage/storageAccounts/listKeys/action", 
"Microsoft.Storage/storageAccounts/read",                    "Microsoft.Insights/diagnosticSettings/*"                ],                "notActions": [],                "dataActions": [                    "Microsoft.KeyVault/vaults/keys/wrap/action",                    "Microsoft.KeyVault/vaults/keys/encrypt/action",                    "Microsoft.KeyVault/vaults/keys/read",                    "Microsoft.KeyVault/vaults/secrets/setSecret/action",                    "Microsoft.Insights/Metrics/Write",                    "Microsoft.Insights/Telemetry/Write"                ],                "notDataActions": []            }        ]    }}