Create new resources manually on managed resource groups
I'd like to know if it's possible to make changes on a managed resource group - meaning the customer being able to deploy new resources on the managed resource group? I know that the managed applications have a deny assignment.
Additionally, is it possible to get the managed resource group name and application name as output on the createUiDefinition?
Thanks in advance
By default, a ManagedApplication only gives the user read access to the managed resource group. This permission is defined as `*/read`. You can give additional permissions via AllowedActions (e.g. give access to all Storage options via `Microsoft.Storage/storageAccounts/*`).
The Managed Resource Group name and location are available to the ARM template via the `resourceGroup()` function.
The application name is available post-deployment. You can also simply ask the user for the name to display in a separate box, allowing them to duplicate the string as necessary.
Hi @scseely, thanks for your answer
I've added `/write` permissions to the Customer Allowed actions, but when I try to deploy something I receive the following error:
The client ... with object id '.. has permission to perform action '*/write' on scope '/resourceGroups/mrg**/'; however, the access is denied because of the deny assignment with name 'System deny assignment created by managed application
Is it possible that the deny assignment overrides the permission?
Hi @FlorOtero,
thank you for the additional details!
I moved your query to the Microsoft AppSource and Azure Marketplace forum for more visibility.
While I don't have this level of information, hopefully partners and SMEs on this forum can advise.
Hi @Andra, thanks for your answer
My need is to publish managed applications on the commercial marketplace, but I need the clients to be able to deploy extra resources on the managed resource group created by the managed application. Is there a way to enable this on the partner center? Or any configuration? I'm aware that the resource group is by default created with a System Deny Assignment policy.
Hi @santhosh, thanks for your answer
I've added `/write` permissions, but when I try to deploy something I receive the following error:
The client ... with object id '.. has permission to perform action '*/write' on scope '/resourceGroups/mrg****/'; however, the access is denied because of the deny assignment with name 'System deny assignment created by managed application
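
The error quoted in the thread reports that the caller holds `*/write` yet is blocked by the system deny assignment. The following added example (not code from the thread or from Azure) models that evaluation order in simplified form; the deny assignment's shape (`actions`, `not_actions`, `exclude_principals`), the principal names and all sample values are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase


def matches(action, patterns):
    """Case-insensitive wildcard match of one action against a list of patterns."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def is_denied(deny, principal, action):
    """A deny assignment blocks an action it lists unless the action is carved
    out in not_actions or the principal is excluded."""
    if principal in deny["exclude_principals"]:
        return False
    return matches(action, deny["actions"]) and not matches(action, deny["not_actions"])


def authorize(principal, action, role_actions, deny_assignments):
    """Deny assignments are checked first; role permissions only matter afterwards."""
    for deny in deny_assignments:
        if is_denied(deny, principal, action):
            return "denied by deny assignment: " + deny["name"]
    if matches(action, role_actions):
        return "allowed"
    return "denied: no role assignment grants the action"


def make_system_deny(allowed_actions=()):
    """Constructed model: deny everything except */read plus any extra
    allowed actions, with the publisher excluded (assumed shape)."""
    return {
        "name": "System deny assignment created by managed application",
        "actions": ["*"],
        "not_actions": ["*/read", *allowed_actions],
        "exclude_principals": {"publisher"},
    }


# Constructed sample: the customer's role grants read and write everywhere.
CUSTOMER_ROLE = ["*/read", "*/write"]
WRITE = "Microsoft.Storage/storageAccounts/write"

if __name__ == "__main__":
    print(authorize("customer", WRITE, CUSTOMER_ROLE, [make_system_deny()]))
    carved = make_system_deny(["Microsoft.Storage/storageAccounts/*"])
    print(authorize("customer", WRITE, CUSTOMER_ROLE, [carved]))
```

In this model the role's `*/write` is never consulted for the first call, because the deny assignment matches before role permissions are evaluated; only an action carved out of the deny assignment reaches the role check.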