Question

Your company is evaluating role-based access control (RBAC) in Azure. If a user has the Reader role at the Azure subscription level, can you remove the user from the Reader role at the resource group level?

Answer 1

To remove a user from the Reader role at the Azure resource group level, despite having the role at the subscription level, navigate to the 'Access control (IAM)' section of the resource group, find the user, and use the 'Remove role assignment' option. The removal at this level does not affect the user's subscription-level access.

Step-by-step explanation:

The question relates to role-based access control (RBAC) in Azure, which is a mechanism to manage user access to resources based on their role within an organization. Within Azure, if a user is assigned the Reader role at the subscription level, they inherit that role across all resources within the subscription, including resource groups. However, you can alter the user's access level for more granular control at the resource group level.

To remove a user from the Reader role at the resource group level, you need to follow these steps:

1. Navigate to the resource group in the Azure portal.
2. Access the 'Access control (IAM)' section.
3. Find the user you want to modify the access level for.
4. Click on the 'Remove role assignment' option to remove the user from the Reader role specifically for that resource group.

This action does not affect the user's Reader role assignment at the subscription level; it merely provides an exception at the resource group level, allowing you to enforce more restrictive access policies where necessary.