Adding additional role assigments, resource group?

[baatch]

I'm following along the guide on Adding additional role assigments and it is a little confusing:

https://github.com/Azure/data-management-zone/blob/main/docs/EnterpriseScaleAnalytics-ServicePrincipal.md#adding-additional-role-assigments

for the last part about # Resource group scope level assignment, there is no mention or explanation about which resource group this refers to?

[marvinbuss]

Thanks for the feedback @baatch! Happy to make this easier to understand but before doing so I need some more feedback from you. :)

In this section we are creating a service principle as well as a Contributor role assignment to the subscription. In this section we are asking users to create an additional User Access Administrator role assignment of the same service principle to the same subscription.

Below, we are just providing all the commands required to create a role assignments at Resource Scope, Resource Group and sub-resource level. For simplicity reasons, we have the same commands in all our repos. A user now needs to look into the table to understand at what scope the role assignment must be created (in this case Resource Scope) and then pick the right command (Azure CLI or PowerShell). Finally, the user must insert the details into the sample command and execute it.

In this scenario, you must select the command for a Resource Scope level role assignment. Hence, you must select the following Azure CLI command:

# Resource Scope level assignment
az role assignment create \
  --assignee "{servicePrincipalObjectId}" \
  --role "{roleName}" \
  --scopes "{scope}"

OR the following PowerShell command:

# For Resource Scope level assignment
New-AzRoleAssignment `
  -ObjectId $spObjectId `
  -RoleDefinitionName "{roleName}" `
  -Scope "{scope}"

Then you must replace some of the placeholders. Let's use PowerShell as an example:

# For Resource Scope level assignment
New-AzRoleAssignment `
  -ObjectId "{your-sp-object-id}" `
  -RoleDefinitionName "User Access Administrator" `
  -Scope "/subscriptions/{your-data-management-zone-subscriptionId}"

Finally, you execute the command to add the role assignment.

What can we improve in detail to make this easier consumable?

[baatch]

@marvinbuss thanks again for your reply and clarification.

I think it is just me not understanding that role assignment could be done on resource scope level and/or resource group scope level.

I think you could add text to describe that you can do role assignment on either of the 2 options and then show the code for earch of the 2 options so it is more clear that you only need to run 1 of the 2 commands.

Also clear examples with values could be helpful when trying to follow the examples to replace the values in {}

Just my 2 cents.

[baatch]

Also maybe there this is a typo?

(Resource Scope) /subscriptions/{{datalandingzone}subscriptionId}

Shouldn't it be {{datamanagementzone}subscriptionId} ?

[marvinbuss]

Also maybe there this is a typo?

(Resource Scope) /subscriptions/{{datalandingzone}subscriptionId}

Shouldn't it be {{datamanagementzone}subscriptionId} ?

Yes, you are right, this is a typo. Would you like to open a PR to fix this yourself?

@marvinbuss thanks again for your reply and clarification.

I think it is just me not understanding that role assignment could be done on resource scope level and/or resource group scope level.

I think you could add text to describe that you can do role assignment on either of the 2 options and then show the code for earch of the 2 options so it is more clear that you only need to run 1 of the 2 commands.

Also clear examples with values could be helpful when trying to follow the examples to replace the values in {}

Just my 2 cents.

Let me think about this. Maybe we should just include the required commands with the correct placeholders to simplify the setup for users. In the Data Landing Zone, this will increase the length of the article a bit more but let me think about how we can improve that. Could you please open an Issue to request this change?

[baatch]

@marvinbuss thanks again. PR and issue opened.

[marvinbuss]

Thanks @baatch. Can you mark this thread as answer?
Since we have an issue for tracking the implementation, we can probably close this discussion?!