Resource Type: Azure > IAM > Role Definition

The Role Definition resource type is a set of permissions that can be assigned to users, groups, or services in Azure. This helps to control who has access to what resources and what actions they can perform.

Resource Context

Role Definition is a part of the IAM service.

Each Role Definition lives under a Subscription.

Controls

The primary controls for Azure > IAM > Role Definition are:

It is also targeted by these controls:

Azure > CIS v1 > 1 Identity and Access Management > 1.23 Ensure that no custom subscription owner roles are created (Scored)
Azure > CIS v1.2 > 1 - Identity and Access Management > 1.21 - Ensure that no custom subscription owner roles are created (Scored)
Azure > CIS v1.2 > 1 - Identity and Access Management > 1.23 - Ensure Custom Role is assigned for Administering Resource Locks (Not Scored)
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.23 - Ensure That No Custom Subscription Administrator Roles Exist
Azure > CIS v2.0 > 01 - Identity and Access Management > 1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks

In Your Workspace

Developers

Resource Type URI

tmod:@turbot/azure-iam#/resource/types/roleDefinition

Category URI

tmod:@turbot/turbot#/resource/categories/iam

GraphQL

query resource(id: "tmod:@turbot/azure-iam#/resource/types/roleDefinition") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-iam#/resource/types/roleDefinition'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure-iam#/resource/types/roleDefinition"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-iam#/resource/types/roleDefinition';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-iam#/resource/types/roleDefinition"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-iam#/resource/types/roleDefinition' and notification_type in ('resource_updated', 'resource_created');