Data/RoleActionMap.psd1

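@{
    # ------------------------------------------------------------------------
    # PSAutoRBAC offline role <- action reverse map
    # ------------------------------------------------------------------------
    # Maps an Azure control-plane action pattern (key, '*' wildcard allowed) to
    # the built-in role(s) that include it, in least-privilege order (first
    # entry is the narrowest built-in role that satisfies the action). Used by
    # ConvertTo-RBACRole as a fallback when live Get-AzRoleDefinition is not
    # available (offline / CI), to turn an action parsed from an AuthorizationFailed
    # into a grantable role name.
    #
    # This is a deliberately small, high-signal table - not a mirror of every
    # built-in role. When Az.Resources is present, live role definitions are used
    # instead and are authoritative.
    #
    # Matching caveats for the consumer (the keys of a .psd1 hashtable carry no
    # order, so precedence cannot be expressed here):
    #   * Match the most specific key first; the '*/read', '*/write', '*/delete',
    #     '*/action' and 'Microsoft.<Provider>/*' keys are coarse fallbacks that
    #     resolve to Reader/Contributor-class roles and should be treated as a
    #     suggestion to review, not an automatic grant.
    #   * The two blob entries below are data-plane actions (DataActions), not
    #     control-plane Actions. If they are matched against 'Microsoft.Storage/*'
    #     or '*/read' first, the result (Storage Account Contributor / Reader)
    #     does not grant the data-plane access that actually failed.
    #   NOTE(review): ConvertTo-RBACRole's matching order is not visible here -
    #   confirm it honours the two points above.
    # ------------------------------------------------------------------------

    # --- Read-only ------------------------------------------------------------
    '*/read'                                                          = @('Reader')
    'Microsoft.Resources/subscriptions/resourceGroups/read'          = @('Reader')

    # --- Resource management (control plane) ----------------------------------
    'Microsoft.Resources/subscriptions/resourceGroups/write'         = @('Contributor')
    'Microsoft.Resources/subscriptions/resourceGroups/delete'        = @('Contributor')
    'Microsoft.Resources/deployments/*'                              = @('Contributor')
    'Microsoft.Storage/storageAccounts/write'                        = @('Storage Account Contributor', 'Contributor')
    'Microsoft.Storage/*'                                            = @('Storage Account Contributor', 'Contributor')
    # Key Vault Contributor covers Microsoft.KeyVault/* on the control plane and
    # is narrower than Contributor; it does not grant access to keys, secrets or
    # certificates (those are data-plane actions, not mapped in this table).
    'Microsoft.KeyVault/vaults/write'                                = @('Key Vault Contributor', 'Contributor')
    'Microsoft.Compute/virtualMachines/write'                        = @('Virtual Machine Contributor', 'Contributor')
    'Microsoft.Network/*'                                            = @('Network Contributor', 'Contributor')

    # --- Authorization (privilege-granting; review before applying) -----------
    # Role assignment writes are an escalation path: the narrowest role is listed
    # first, Owner last.
    'Microsoft.Authorization/roleAssignments/write'                  = @('Role Based Access Control Administrator', 'User Access Administrator', 'Owner')
    'Microsoft.Authorization/roleAssignments/delete'                 = @('Role Based Access Control Administrator', 'User Access Administrator', 'Owner')
    'Microsoft.Authorization/policyAssignments/write'                = @('Resource Policy Contributor')
    # Broad fallback: any other Microsoft.Authorization action lands on
    # User Access Administrator / Owner. Prefer an exact key above when one fits.
    'Microsoft.Authorization/*'                                      = @('User Access Administrator', 'Owner')

    # --- Storage data plane (DataActions; must be matched before the wildcards) -
    'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'  = @('Storage Blob Data Reader')
    'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write' = @('Storage Blob Data Contributor')

    # --- Coarse fallbacks (last resort) ---------------------------------------
    '*/write'                                                        = @('Contributor')
    '*/delete'                                                       = @('Contributor')
    '*/action'                                                       = @('Contributor')
}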