Docs Home
This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.
Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi
azure-native.authorization.RoleManagementPolicy
Explore with Pulumi AI
This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.
Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi
Role management policy
Uses Azure REST API version 2024-09-01-preview.
Other available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview.
Example Usage
PatchPartialRoleManagementPolicy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules =
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_Admin_Eligibility",
IsExpirationRequired = false,
MaximumDuration = "P180D",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_Admin_Eligibility",
IsExpirationRequired: false,
MaximumDuration: "P180D",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Eligibility")
.isExpirationRequired(false)
.maximumDuration("P180D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [
{
id: "Expiration_Admin_Eligibility",
isExpirationRequired: false,
maximumDuration: "P180D",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Admin_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[
{
"id": "Expiration_Admin_Eligibility",
"is_expiration_required": False,
"maximum_duration": "P180D",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: Expiration_Admin_Eligibility
isExpirationRequired: false
maximumDuration: P180D
ruleType: RoleManagementPolicyExpirationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Admin_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_admin_eligible@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
PatchRoleManagementPolicy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules =
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_Admin_Eligibility",
IsExpirationRequired = false,
MaximumDuration = "P180D",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Requestor_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"requestor_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Requestor,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Approver_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"approver_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Approver,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
{
EnabledRules = new() { },
Id = "Enablement_Admin_Eligibility",
RuleType = "RoleManagementPolicyEnablementRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_Admin_Assignment",
IsExpirationRequired = false,
MaximumDuration = "P90D",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
{
EnabledRules = new[]
{
AzureNative.Authorization.EnablementRules.Justification,
AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,
},
Id = "Enablement_Admin_Assignment",
RuleType = "RoleManagementPolicyEnablementRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_Admin_Assignment",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_admin_member@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Requestor_Admin_Assignment",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"requestor_admin_member@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Requestor,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Approver_Admin_Assignment",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"approver_admin_member@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Approver,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_EndUser_Assignment",
IsExpirationRequired = true,
MaximumDuration = "PT7H",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs
{
EnabledRules = new[]
{
AzureNative.Authorization.EnablementRules.Justification,
AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,
AzureNative.Authorization.EnablementRules.Ticketing,
},
Id = "Enablement_EndUser_Assignment",
RuleType = "RoleManagementPolicyEnablementRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyApprovalRuleArgs
{
Id = "Approval_EndUser_Assignment",
RuleType = "RoleManagementPolicyApprovalRule",
Setting = new AzureNative.Authorization.Inputs.ApprovalSettingsArgs
{
ApprovalMode = AzureNative.Authorization.ApprovalMode.SingleStage,
ApprovalStages = new[]
{
new AzureNative.Authorization.Inputs.ApprovalStageArgs
{
ApprovalStageTimeOutInDays = 1,
EscalationTimeInMinutes = 0,
IsApproverJustificationRequired = true,
IsEscalationEnabled = false,
PrimaryApprovers = new[]
{
new AzureNative.Authorization.Inputs.UserSetArgs
{
Description = "amansw_new_group",
Id = "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
IsBackup = false,
UserType = AzureNative.Authorization.UserType.Group,
},
new AzureNative.Authorization.Inputs.UserSetArgs
{
Description = "amansw_group",
Id = "2f4913c9-d15b-406a-9946-1d66a28f2690",
IsBackup = false,
UserType = AzureNative.Authorization.UserType.Group,
},
},
},
},
IsApprovalRequired = true,
IsApprovalRequiredForExtension = false,
IsRequestorJustificationRequired = true,
},
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyAuthenticationContextRuleArgs
{
ClaimValue = "",
Id = "AuthenticationContext_EndUser_Assignment",
IsEnabled = false,
RuleType = "RoleManagementPolicyAuthenticationContextRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_EndUser_Assignment",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_enduser_member@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Requestor_EndUser_Assignment",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"requestor_enduser_member@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Requestor,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Approver_EndUser_Assignment",
IsDefaultRecipientsEnabled = true,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Approver,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "EndUser",
Level = "Assignment",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
{
Id = "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
{
ExcludedAssignmentTypes = new[]
{
AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
},
Excludes = new[]
{
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type = AzureNative.Authorization.UserType.User,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type = AzureNative.Authorization.UserType.Group,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "0000103d-1fc2-4ac8-81de-71517765655c",
Type = AzureNative.Authorization.UserType.ServicePrincipal,
},
},
Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
},
RuleType = "RoleManagementPolicyPimOnlyModeRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
EnforcedSettings = new[]
{
"all",
},
InheritableSettings = new[]
{
"all",
},
Level = "Assignment",
Operations = new[]
{
"all",
},
TargetObjects = new() { },
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_Admin_Eligibility",
IsExpirationRequired: false,
MaximumDuration: "P180D",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Requestor_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"requestor_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeRequestor,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Approver_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"approver_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeApprover,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyEnablementRule{
EnabledRules: []authorization.EnablementRules{},
Id: "Enablement_Admin_Eligibility",
RuleType: "RoleManagementPolicyEnablementRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_Admin_Assignment",
IsExpirationRequired: false,
MaximumDuration: "P90D",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyEnablementRule{
EnabledRules: []authorization.EnablementRules{
authorization.EnablementRulesJustification,
authorization.EnablementRulesMultiFactorAuthentication,
},
Id: "Enablement_Admin_Assignment",
RuleType: "RoleManagementPolicyEnablementRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_Admin_Assignment",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_admin_member@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Requestor_Admin_Assignment",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"requestor_admin_member@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeRequestor,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Approver_Admin_Assignment",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"approver_admin_member@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeApprover,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_EndUser_Assignment",
IsExpirationRequired: true,
MaximumDuration: "PT7H",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyEnablementRule{
EnabledRules: []authorization.EnablementRules{
authorization.EnablementRulesJustification,
authorization.EnablementRulesMultiFactorAuthentication,
authorization.EnablementRulesTicketing,
},
Id: "Enablement_EndUser_Assignment",
RuleType: "RoleManagementPolicyEnablementRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyApprovalRule{
Id: "Approval_EndUser_Assignment",
RuleType: "RoleManagementPolicyApprovalRule",
Setting: authorization.ApprovalSettings{
ApprovalMode: authorization.ApprovalModeSingleStage,
ApprovalStages: []authorization.ApprovalStage{
{
ApprovalStageTimeOutInDays: 1,
EscalationTimeInMinutes: 0,
IsApproverJustificationRequired: true,
IsEscalationEnabled: false,
PrimaryApprovers: []authorization.UserSet{
{
Description: "amansw_new_group",
Id: "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
IsBackup: false,
UserType: authorization.UserTypeGroup,
},
{
Description: "amansw_group",
Id: "2f4913c9-d15b-406a-9946-1d66a28f2690",
IsBackup: false,
UserType: authorization.UserTypeGroup,
},
},
},
},
IsApprovalRequired: true,
IsApprovalRequiredForExtension: false,
IsRequestorJustificationRequired: true,
},
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyAuthenticationContextRule{
ClaimValue: "",
Id: "AuthenticationContext_EndUser_Assignment",
IsEnabled: false,
RuleType: "RoleManagementPolicyAuthenticationContextRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_EndUser_Assignment",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_enduser_member@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Requestor_EndUser_Assignment",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"requestor_enduser_member@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeRequestor,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Approver_EndUser_Assignment",
IsDefaultRecipientsEnabled: true,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeApprover,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "EndUser",
Level: "Assignment",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyPimOnlyModeRule{
Id: "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
},
Excludes: []authorization.UsersOrServicePrincipalSet{
{
Id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type: authorization.UserTypeUser,
},
{
Id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type: authorization.UserTypeGroup,
},
{
Id: "0000103d-1fc2-4ac8-81de-71517765655c",
Type: authorization.UserTypeServicePrincipal,
},
},
Mode: authorization.PIMOnlyModeEnabled,
},
RuleType: "RoleManagementPolicyPimOnlyModeRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
EnforcedSettings: []string{
"all",
},
InheritableSettings: []string{
"all",
},
Level: "Assignment",
Operations: []string{
"all",
},
TargetObjects: []interface{}{},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Eligibility")
.isExpirationRequired(false)
.maximumDuration("P180D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("approver_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules()
.id("Enablement_Admin_Eligibility")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Assignment")
.isExpirationRequired(false)
.maximumDuration("P90D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules(
"Justification",
"MultiFactorAuthentication")
.id("Enablement_Admin_Assignment")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_member@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_admin_member@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_Admin_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("approver_admin_member@test.com")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_EndUser_Assignment")
.isExpirationRequired(true)
.maximumDuration("PT7H")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyEnablementRuleArgs.builder()
.enabledRules(
"Justification",
"MultiFactorAuthentication",
"Ticketing")
.id("Enablement_EndUser_Assignment")
.ruleType("RoleManagementPolicyEnablementRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyApprovalRuleArgs.builder()
.id("Approval_EndUser_Assignment")
.ruleType("RoleManagementPolicyApprovalRule")
.setting(ApprovalSettingsArgs.builder()
.approvalMode("SingleStage")
.approvalStages(ApprovalStageArgs.builder()
.approvalStageTimeOutInDays(1)
.escalationTimeInMinutes(0)
.isApproverJustificationRequired(true)
.isEscalationEnabled(false)
.primaryApprovers(
UserSetArgs.builder()
.description("amansw_new_group")
.id("2385b0f3-5fa9-43cf-8ca4-b01dc97298cd")
.isBackup(false)
.userType("Group")
.build(),
UserSetArgs.builder()
.description("amansw_group")
.id("2f4913c9-d15b-406a-9946-1d66a28f2690")
.isBackup(false)
.userType("Group")
.build())
.build())
.isApprovalRequired(true)
.isApprovalRequiredForExtension(false)
.isRequestorJustificationRequired(true)
.build())
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyAuthenticationContextRuleArgs.builder()
.claimValue("")
.id("AuthenticationContext_EndUser_Assignment")
.isEnabled(false)
.ruleType("RoleManagementPolicyAuthenticationContextRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_EndUser_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_enduser_member@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Requestor_EndUser_Assignment")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("requestor_enduser_member@test.com")
.notificationType("Email")
.recipientType("Requestor")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Approver_EndUser_Assignment")
.isDefaultRecipientsEnabled(true)
.notificationLevel("Critical")
.notificationType("Email")
.recipientType("Approver")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("EndUser")
.level("Assignment")
.operations("All")
.build())
.build(),
RoleManagementPolicyPimOnlyModeRuleArgs.builder()
.id("PIMOnlyMode_Admin_Assignment")
.pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
.excludedAssignmentTypes("ServicePrincipalsAsTarget")
.excludes(
UsersOrServicePrincipalSetArgs.builder()
.id("ec42a424-a0c0-4418-8788-d19bdeb03704")
.type("User")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("00029dfb-0218-4e7a-9a85-c15dc0c880bc")
.type("Group")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("0000103d-1fc2-4ac8-81de-71517765655c")
.type("ServicePrincipal")
.build())
.mode("Enabled")
.build())
.ruleType("RoleManagementPolicyPimOnlyModeRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.enforcedSettings("all")
.inheritableSettings("all")
.level("Assignment")
.operations("all")
.targetObjects()
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [
{
id: "Expiration_Admin_Eligibility",
isExpirationRequired: false,
maximumDuration: "P180D",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Admin_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Requestor_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["requestor_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Requestor,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Approver_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["approver_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Approver,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
enabledRules: [],
id: "Enablement_Admin_Eligibility",
ruleType: "RoleManagementPolicyEnablementRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Expiration_Admin_Assignment",
isExpirationRequired: false,
maximumDuration: "P90D",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "Admin",
level: "Assignment",
operations: ["All"],
},
},
{
enabledRules: [
azure_native.authorization.EnablementRules.Justification,
azure_native.authorization.EnablementRules.MultiFactorAuthentication,
],
id: "Enablement_Admin_Assignment",
ruleType: "RoleManagementPolicyEnablementRule",
target: {
caller: "Admin",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Admin_Admin_Assignment",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_admin_member@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Requestor_Admin_Assignment",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["requestor_admin_member@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Requestor,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Approver_Admin_Assignment",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["approver_admin_member@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Approver,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Expiration_EndUser_Assignment",
isExpirationRequired: true,
maximumDuration: "PT7H",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
enabledRules: [
azure_native.authorization.EnablementRules.Justification,
azure_native.authorization.EnablementRules.MultiFactorAuthentication,
azure_native.authorization.EnablementRules.Ticketing,
],
id: "Enablement_EndUser_Assignment",
ruleType: "RoleManagementPolicyEnablementRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Approval_EndUser_Assignment",
ruleType: "RoleManagementPolicyApprovalRule",
setting: {
approvalMode: azure_native.authorization.ApprovalMode.SingleStage,
approvalStages: [{
approvalStageTimeOutInDays: 1,
escalationTimeInMinutes: 0,
isApproverJustificationRequired: true,
isEscalationEnabled: false,
primaryApprovers: [
{
description: "amansw_new_group",
id: "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
isBackup: false,
userType: azure_native.authorization.UserType.Group,
},
{
description: "amansw_group",
id: "2f4913c9-d15b-406a-9946-1d66a28f2690",
isBackup: false,
userType: azure_native.authorization.UserType.Group,
},
],
}],
isApprovalRequired: true,
isApprovalRequiredForExtension: false,
isRequestorJustificationRequired: true,
},
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
claimValue: "",
id: "AuthenticationContext_EndUser_Assignment",
isEnabled: false,
ruleType: "RoleManagementPolicyAuthenticationContextRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Admin_EndUser_Assignment",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_enduser_member@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Requestor_EndUser_Assignment",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["requestor_enduser_member@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Requestor,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
id: "Notification_Approver_EndUser_Assignment",
isDefaultRecipientsEnabled: true,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Approver,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "EndUser",
level: "Assignment",
operations: ["All"],
},
},
{
id: "PIMOnlyMode_Admin_Assignment",
pimOnlyModeSettings: {
excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],
excludes: [
{
id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
type: azure_native.authorization.UserType.User,
},
{
id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
type: azure_native.authorization.UserType.Group,
},
{
id: "0000103d-1fc2-4ac8-81de-71517765655c",
type: azure_native.authorization.UserType.ServicePrincipal,
},
],
mode: azure_native.authorization.PIMOnlyMode.Enabled,
},
ruleType: "RoleManagementPolicyPimOnlyModeRule",
target: {
caller: "Admin",
enforcedSettings: ["all"],
inheritableSettings: ["all"],
level: "Assignment",
operations: ["all"],
targetObjects: [],
},
},
],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[
{
"id": "Expiration_Admin_Eligibility",
"is_expiration_required": False,
"maximum_duration": "P180D",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Requestor_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["requestor_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.REQUESTOR,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Approver_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["approver_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.APPROVER,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"enabled_rules": [],
"id": "Enablement_Admin_Eligibility",
"rule_type": "RoleManagementPolicyEnablementRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Expiration_Admin_Assignment",
"is_expiration_required": False,
"maximum_duration": "P90D",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "Admin",
"level": "Assignment",
"operations": ["All"],
},
},
{
"enabled_rules": [
azure_native.authorization.EnablementRules.JUSTIFICATION,
azure_native.authorization.EnablementRules.MULTI_FACTOR_AUTHENTICATION,
],
"id": "Enablement_Admin_Assignment",
"rule_type": "RoleManagementPolicyEnablementRule",
"target": {
"caller": "Admin",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_Admin_Assignment",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_admin_member@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Requestor_Admin_Assignment",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["requestor_admin_member@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.REQUESTOR,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Approver_Admin_Assignment",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["approver_admin_member@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.APPROVER,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Expiration_EndUser_Assignment",
"is_expiration_required": True,
"maximum_duration": "PT7H",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"enabled_rules": [
azure_native.authorization.EnablementRules.JUSTIFICATION,
azure_native.authorization.EnablementRules.MULTI_FACTOR_AUTHENTICATION,
azure_native.authorization.EnablementRules.TICKETING,
],
"id": "Enablement_EndUser_Assignment",
"rule_type": "RoleManagementPolicyEnablementRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Approval_EndUser_Assignment",
"rule_type": "RoleManagementPolicyApprovalRule",
"setting": {
"approval_mode": azure_native.authorization.ApprovalMode.SINGLE_STAGE,
"approval_stages": [{
"approval_stage_time_out_in_days": 1,
"escalation_time_in_minutes": 0,
"is_approver_justification_required": True,
"is_escalation_enabled": False,
"primary_approvers": [
{
"description": "amansw_new_group",
"id": "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd",
"is_backup": False,
"user_type": azure_native.authorization.UserType.GROUP,
},
{
"description": "amansw_group",
"id": "2f4913c9-d15b-406a-9946-1d66a28f2690",
"is_backup": False,
"user_type": azure_native.authorization.UserType.GROUP,
},
],
}],
"is_approval_required": True,
"is_approval_required_for_extension": False,
"is_requestor_justification_required": True,
},
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"claim_value": "",
"id": "AuthenticationContext_EndUser_Assignment",
"is_enabled": False,
"rule_type": "RoleManagementPolicyAuthenticationContextRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_EndUser_Assignment",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_enduser_member@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Requestor_EndUser_Assignment",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["requestor_enduser_member@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.REQUESTOR,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "Notification_Approver_EndUser_Assignment",
"is_default_recipients_enabled": True,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.APPROVER,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "EndUser",
"level": "Assignment",
"operations": ["All"],
},
},
{
"id": "PIMOnlyMode_Admin_Assignment",
"pim_only_mode_settings": {
"excluded_assignment_types": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],
"excludes": [
{
"id": "ec42a424-a0c0-4418-8788-d19bdeb03704",
"type": azure_native.authorization.UserType.USER,
},
{
"id": "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
"type": azure_native.authorization.UserType.GROUP,
},
{
"id": "0000103d-1fc2-4ac8-81de-71517765655c",
"type": azure_native.authorization.UserType.SERVICE_PRINCIPAL,
},
],
"mode": azure_native.authorization.PIMOnlyMode.ENABLED,
},
"rule_type": "RoleManagementPolicyPimOnlyModeRule",
"target": {
"caller": "Admin",
"enforced_settings": ["all"],
"inheritable_settings": ["all"],
"level": "Assignment",
"operations": ["all"],
"target_objects": [],
},
},
],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: Expiration_Admin_Eligibility
isExpirationRequired: false
maximumDuration: P180D
ruleType: RoleManagementPolicyExpirationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Admin_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_admin_eligible@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Requestor_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- requestor_admin_eligible@test.com
notificationType: Email
recipientType: Requestor
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Approver_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- approver_admin_eligible@test.com
notificationType: Email
recipientType: Approver
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- enabledRules: []
id: Enablement_Admin_Eligibility
ruleType: RoleManagementPolicyEnablementRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Expiration_Admin_Assignment
isExpirationRequired: false
maximumDuration: P90D
ruleType: RoleManagementPolicyExpirationRule
target:
caller: Admin
level: Assignment
operations:
- All
- enabledRules:
- Justification
- MultiFactorAuthentication
id: Enablement_Admin_Assignment
ruleType: RoleManagementPolicyEnablementRule
target:
caller: Admin
level: Assignment
operations:
- All
- id: Notification_Admin_Admin_Assignment
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_admin_member@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Assignment
operations:
- All
- id: Notification_Requestor_Admin_Assignment
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- requestor_admin_member@test.com
notificationType: Email
recipientType: Requestor
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Assignment
operations:
- All
- id: Notification_Approver_Admin_Assignment
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- approver_admin_member@test.com
notificationType: Email
recipientType: Approver
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Assignment
operations:
- All
- id: Expiration_EndUser_Assignment
isExpirationRequired: true
maximumDuration: PT7H
ruleType: RoleManagementPolicyExpirationRule
target:
caller: EndUser
level: Assignment
operations:
- All
- enabledRules:
- Justification
- MultiFactorAuthentication
- Ticketing
id: Enablement_EndUser_Assignment
ruleType: RoleManagementPolicyEnablementRule
target:
caller: EndUser
level: Assignment
operations:
- All
- id: Approval_EndUser_Assignment
ruleType: RoleManagementPolicyApprovalRule
setting:
approvalMode: SingleStage
approvalStages:
- approvalStageTimeOutInDays: 1
escalationTimeInMinutes: 0
isApproverJustificationRequired: true
isEscalationEnabled: false
primaryApprovers:
- description: amansw_new_group
id: 2385b0f3-5fa9-43cf-8ca4-b01dc97298cd
isBackup: false
userType: Group
- description: amansw_group
id: 2f4913c9-d15b-406a-9946-1d66a28f2690
isBackup: false
userType: Group
isApprovalRequired: true
isApprovalRequiredForExtension: false
isRequestorJustificationRequired: true
target:
caller: EndUser
level: Assignment
operations:
- All
- claimValue: ""
id: AuthenticationContext_EndUser_Assignment
isEnabled: false
ruleType: RoleManagementPolicyAuthenticationContextRule
target:
caller: EndUser
level: Assignment
operations:
- All
- id: Notification_Admin_EndUser_Assignment
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_enduser_member@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: EndUser
level: Assignment
operations:
- All
- id: Notification_Requestor_EndUser_Assignment
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- requestor_enduser_member@test.com
notificationType: Email
recipientType: Requestor
ruleType: RoleManagementPolicyNotificationRule
target:
caller: EndUser
level: Assignment
operations:
- All
- id: Notification_Approver_EndUser_Assignment
isDefaultRecipientsEnabled: true
notificationLevel: Critical
notificationType: Email
recipientType: Approver
ruleType: RoleManagementPolicyNotificationRule
target:
caller: EndUser
level: Assignment
operations:
- All
- id: PIMOnlyMode_Admin_Assignment
pimOnlyModeSettings:
excludedAssignmentTypes:
- ServicePrincipalsAsTarget
excludes:
- id: ec42a424-a0c0-4418-8788-d19bdeb03704
type: User
- id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc
type: Group
- id: 0000103d-1fc2-4ac8-81de-71517765655c
type: ServicePrincipal
mode: Enabled
ruleType: RoleManagementPolicyPimOnlyModeRule
target:
caller: Admin
enforcedSettings:
- all
inheritableSettings:
- all
level: Assignment
operations:
- all
targetObjects: []
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
PatchRoleManagementPolicyToEnablePIMOnlyMode
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules = new[]
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
{
Id = "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
{
ExcludedAssignmentTypes = new[]
{
AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
},
Excludes = new[]
{
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type = AzureNative.Authorization.UserType.User,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type = AzureNative.Authorization.UserType.Group,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "0000103d-1fc2-4ac8-81de-71517765655c",
Type = AzureNative.Authorization.UserType.ServicePrincipal,
},
},
Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
},
RuleType = "RoleManagementPolicyPimOnlyModeRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
EnforcedSettings = new[]
{
"all",
},
InheritableSettings = new[]
{
"all",
},
Level = "Assignment",
Operations = new[]
{
"all",
},
TargetObjects = new() { },
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyPimOnlyModeRule{
Id: "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
},
Excludes: []authorization.UsersOrServicePrincipalSet{
{
Id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type: authorization.UserTypeUser,
},
{
Id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type: authorization.UserTypeGroup,
},
{
Id: "0000103d-1fc2-4ac8-81de-71517765655c",
Type: authorization.UserTypeServicePrincipal,
},
},
Mode: authorization.PIMOnlyModeEnabled,
},
RuleType: "RoleManagementPolicyPimOnlyModeRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
EnforcedSettings: []string{
"all",
},
InheritableSettings: []string{
"all",
},
Level: "Assignment",
Operations: []string{
"all",
},
TargetObjects: []interface{}{},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(RoleManagementPolicyPimOnlyModeRuleArgs.builder()
.id("PIMOnlyMode_Admin_Assignment")
.pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
.excludedAssignmentTypes("ServicePrincipalsAsTarget")
.excludes(
UsersOrServicePrincipalSetArgs.builder()
.id("ec42a424-a0c0-4418-8788-d19bdeb03704")
.type("User")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("00029dfb-0218-4e7a-9a85-c15dc0c880bc")
.type("Group")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("0000103d-1fc2-4ac8-81de-71517765655c")
.type("ServicePrincipal")
.build())
.mode("Enabled")
.build())
.ruleType("RoleManagementPolicyPimOnlyModeRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.enforcedSettings("all")
.inheritableSettings("all")
.level("Assignment")
.operations("all")
.targetObjects()
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [{
id: "PIMOnlyMode_Admin_Assignment",
pimOnlyModeSettings: {
excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],
excludes: [
{
id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
type: azure_native.authorization.UserType.User,
},
{
id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
type: azure_native.authorization.UserType.Group,
},
{
id: "0000103d-1fc2-4ac8-81de-71517765655c",
type: azure_native.authorization.UserType.ServicePrincipal,
},
],
mode: azure_native.authorization.PIMOnlyMode.Enabled,
},
ruleType: "RoleManagementPolicyPimOnlyModeRule",
target: {
caller: "Admin",
enforcedSettings: ["all"],
inheritableSettings: ["all"],
level: "Assignment",
operations: ["all"],
targetObjects: [],
},
}],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[{
"id": "PIMOnlyMode_Admin_Assignment",
"pim_only_mode_settings": {
"excluded_assignment_types": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],
"excludes": [
{
"id": "ec42a424-a0c0-4418-8788-d19bdeb03704",
"type": azure_native.authorization.UserType.USER,
},
{
"id": "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
"type": azure_native.authorization.UserType.GROUP,
},
{
"id": "0000103d-1fc2-4ac8-81de-71517765655c",
"type": azure_native.authorization.UserType.SERVICE_PRINCIPAL,
},
],
"mode": azure_native.authorization.PIMOnlyMode.ENABLED,
},
"rule_type": "RoleManagementPolicyPimOnlyModeRule",
"target": {
"caller": "Admin",
"enforced_settings": ["all"],
"inheritable_settings": ["all"],
"level": "Assignment",
"operations": ["all"],
"target_objects": [],
},
}],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: PIMOnlyMode_Admin_Assignment
pimOnlyModeSettings:
excludedAssignmentTypes:
- ServicePrincipalsAsTarget
excludes:
- id: ec42a424-a0c0-4418-8788-d19bdeb03704
type: User
- id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc
type: Group
- id: 0000103d-1fc2-4ac8-81de-71517765655c
type: ServicePrincipal
mode: Enabled
ruleType: RoleManagementPolicyPimOnlyModeRule
target:
caller: Admin
enforcedSettings:
- all
inheritableSettings:
- all
level: Assignment
operations:
- all
targetObjects: []
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
Create RoleManagementPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RoleManagementPolicy(name: string, args: RoleManagementPolicyArgs, opts?: CustomResourceOptions);@overload
def RoleManagementPolicy(resource_name: str,
args: RoleManagementPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RoleManagementPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
scope: Optional[str] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
is_organization_default: Optional[bool] = None,
role_management_policy_name: Optional[str] = None,
rules: Optional[Sequence[Union[RoleManagementPolicyApprovalRuleArgs, RoleManagementPolicyAuthenticationContextRuleArgs, RoleManagementPolicyEnablementRuleArgs, RoleManagementPolicyExpirationRuleArgs, RoleManagementPolicyNotificationRuleArgs, RoleManagementPolicyPimOnlyModeRuleArgs]]] = None)func NewRoleManagementPolicy(ctx *Context, name string, args RoleManagementPolicyArgs, opts ...ResourceOption) (*RoleManagementPolicy, error)public RoleManagementPolicy(string name, RoleManagementPolicyArgs args, CustomResourceOptions? opts = null)
public RoleManagementPolicy(String name, RoleManagementPolicyArgs args)
public RoleManagementPolicy(String name, RoleManagementPolicyArgs args, CustomResourceOptions options)
type: azure-native:authorization:RoleManagementPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RoleManagementPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RoleManagementPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RoleManagementPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RoleManagementPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RoleManagementPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var roleManagementPolicyResource = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicyResource", new()
{
Scope = "string",
Description = "string",
DisplayName = "string",
IsOrganizationDefault = false,
RoleManagementPolicyName = "string",
Rules = new[]
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyApprovalRuleArgs
{
RuleType = "RoleManagementPolicyApprovalRule",
Id = "string",
Setting = new AzureNative.Authorization.Inputs.ApprovalSettingsArgs
{
ApprovalMode = "string",
ApprovalStages = new[]
{
new AzureNative.Authorization.Inputs.ApprovalStageArgs
{
ApprovalStageTimeOutInDays = 0,
EscalationApprovers = new[]
{
new AzureNative.Authorization.Inputs.UserSetArgs
{
Description = "string",
Id = "string",
IsBackup = false,
UserType = "string",
},
},
EscalationTimeInMinutes = 0,
IsApproverJustificationRequired = false,
IsEscalationEnabled = false,
PrimaryApprovers = new[]
{
new AzureNative.Authorization.Inputs.UserSetArgs
{
Description = "string",
Id = "string",
IsBackup = false,
UserType = "string",
},
},
},
},
IsApprovalRequired = false,
IsApprovalRequiredForExtension = false,
IsRequestorJustificationRequired = false,
},
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "string",
EnforcedSettings = new[]
{
"string",
},
InheritableSettings = new[]
{
"string",
},
Level = "string",
Operations = new[]
{
"string",
},
TargetObjects = new[]
{
"string",
},
},
},
},
});
example, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicyResource", &authorization.RoleManagementPolicyArgs{
Scope: pulumi.String("string"),
Description: pulumi.String("string"),
DisplayName: pulumi.String("string"),
IsOrganizationDefault: pulumi.Bool(false),
RoleManagementPolicyName: pulumi.String("string"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyApprovalRule{
RuleType: "RoleManagementPolicyApprovalRule",
Id: "string",
Setting: authorization.ApprovalSettings{
ApprovalMode: "string",
ApprovalStages: []authorization.ApprovalStage{
{
ApprovalStageTimeOutInDays: 0,
EscalationApprovers: []authorization.UserSet{
{
Description: "string",
Id: "string",
IsBackup: false,
UserType: "string",
},
},
EscalationTimeInMinutes: 0,
IsApproverJustificationRequired: false,
IsEscalationEnabled: false,
PrimaryApprovers: []authorization.UserSet{
{
Description: "string",
Id: "string",
IsBackup: false,
UserType: "string",
},
},
},
},
IsApprovalRequired: false,
IsApprovalRequiredForExtension: false,
IsRequestorJustificationRequired: false,
},
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "string",
EnforcedSettings: []string{
"string",
},
InheritableSettings: []string{
"string",
},
Level: "string",
Operations: []string{
"string",
},
TargetObjects: []string{
"string",
},
},
},
},
})
var roleManagementPolicyResource = new RoleManagementPolicy("roleManagementPolicyResource", RoleManagementPolicyArgs.builder()
.scope("string")
.description("string")
.displayName("string")
.isOrganizationDefault(false)
.roleManagementPolicyName("string")
.rules(RoleManagementPolicyApprovalRuleArgs.builder()
.ruleType("RoleManagementPolicyApprovalRule")
.id("string")
.setting(ApprovalSettingsArgs.builder()
.approvalMode("string")
.approvalStages(ApprovalStageArgs.builder()
.approvalStageTimeOutInDays(0)
.escalationApprovers(UserSetArgs.builder()
.description("string")
.id("string")
.isBackup(false)
.userType("string")
.build())
.escalationTimeInMinutes(0)
.isApproverJustificationRequired(false)
.isEscalationEnabled(false)
.primaryApprovers(UserSetArgs.builder()
.description("string")
.id("string")
.isBackup(false)
.userType("string")
.build())
.build())
.isApprovalRequired(false)
.isApprovalRequiredForExtension(false)
.isRequestorJustificationRequired(false)
.build())
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("string")
.enforcedSettings("string")
.inheritableSettings("string")
.level("string")
.operations("string")
.targetObjects("string")
.build())
.build())
.build());
role_management_policy_resource = azure_native.authorization.RoleManagementPolicy("roleManagementPolicyResource",
scope="string",
description="string",
display_name="string",
is_organization_default=False,
role_management_policy_name="string",
rules=[{
"rule_type": "RoleManagementPolicyApprovalRule",
"id": "string",
"setting": {
"approval_mode": "string",
"approval_stages": [{
"approval_stage_time_out_in_days": 0,
"escalation_approvers": [{
"description": "string",
"id": "string",
"is_backup": False,
"user_type": "string",
}],
"escalation_time_in_minutes": 0,
"is_approver_justification_required": False,
"is_escalation_enabled": False,
"primary_approvers": [{
"description": "string",
"id": "string",
"is_backup": False,
"user_type": "string",
}],
}],
"is_approval_required": False,
"is_approval_required_for_extension": False,
"is_requestor_justification_required": False,
},
"target": {
"caller": "string",
"enforced_settings": ["string"],
"inheritable_settings": ["string"],
"level": "string",
"operations": ["string"],
"target_objects": ["string"],
},
}])
const roleManagementPolicyResource = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicyResource", {
scope: "string",
description: "string",
displayName: "string",
isOrganizationDefault: false,
roleManagementPolicyName: "string",
rules: [{
ruleType: "RoleManagementPolicyApprovalRule",
id: "string",
setting: {
approvalMode: "string",
approvalStages: [{
approvalStageTimeOutInDays: 0,
escalationApprovers: [{
description: "string",
id: "string",
isBackup: false,
userType: "string",
}],
escalationTimeInMinutes: 0,
isApproverJustificationRequired: false,
isEscalationEnabled: false,
primaryApprovers: [{
description: "string",
id: "string",
isBackup: false,
userType: "string",
}],
}],
isApprovalRequired: false,
isApprovalRequiredForExtension: false,
isRequestorJustificationRequired: false,
},
target: {
caller: "string",
enforcedSettings: ["string"],
inheritableSettings: ["string"],
level: "string",
operations: ["string"],
targetObjects: ["string"],
},
}],
});
type: azure-native:authorization:RoleManagementPolicy
properties:
description: string
displayName: string
isOrganizationDefault: false
roleManagementPolicyName: string
rules:
- id: string
ruleType: RoleManagementPolicyApprovalRule
setting:
approvalMode: string
approvalStages:
- approvalStageTimeOutInDays: 0
escalationApprovers:
- description: string
id: string
isBackup: false
userType: string
escalationTimeInMinutes: 0
isApproverJustificationRequired: false
isEscalationEnabled: false
primaryApprovers:
- description: string
id: string
isBackup: false
userType: string
isApprovalRequired: false
isApprovalRequiredForExtension: false
isRequestorJustificationRequired: false
target:
caller: string
enforcedSettings:
- string
inheritableSettings:
- string
level: string
operations:
- string
targetObjects:
- string
scope: string
RoleManagementPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RoleManagementPolicy resource accepts the following input properties:
- Scope string
- The role management policy scope.
- Description string
- The role management policy description.
- Display
Name string - The role management policy display name.
- Is
Organization boolDefault - The role management policy is default policy.
- Role
Management stringPolicy Name - The name (guid) of the role management policy to upsert.
- Rules List<object>
- The rule applied to the policy.
- Scope string
- The role management policy scope.
- Description string
- The role management policy description.
- Display
Name string - The role management policy display name.
- Is
Organization boolDefault - The role management policy is default policy.
- Role
Management stringPolicy Name - The name (guid) of the role management policy to upsert.
- Rules []interface{}
- The rule applied to the policy.
- scope String
- The role management policy scope.
- description String
- The role management policy description.
- display
Name String - The role management policy display name.
- is
Organization BooleanDefault - The role management policy is default policy.
- role
Management StringPolicy Name - The name (guid) of the role management policy to upsert.
- rules List<Object>
- The rule applied to the policy.
- scope string
- The role management policy scope.
- description string
- The role management policy description.
- display
Name string - The role management policy display name.
- is
Organization booleanDefault - The role management policy is default policy.
- role
Management stringPolicy Name - The name (guid) of the role management policy to upsert.
- rules
(Role
Management Policy Approval Rule | Role Management Policy Authentication Context Rule Args | Role Management Policy Enablement Rule Args | Role Management Policy Expiration Rule Args | Role Management Policy Notification Rule Args | Role Management Policy Pim Only Mode Rule Args)[] - The rule applied to the policy.
- scope str
- The role management policy scope.
- description str
- The role management policy description.
- display_
name str - The role management policy display name.
- is_
organization_ booldefault - The role management policy is default policy.
- role_
management_ strpolicy_ name - The name (guid) of the role management policy to upsert.
- rules
Sequence[Union[Role
Management Policy Approval Rule Args, Role Management Policy Authentication Context Rule Args, Role Management Policy Enablement Rule Args, Role Management Policy Expiration Rule Args, Role Management Policy Notification Rule Args, Role Management Policy Pim Only Mode Rule Args]] - The rule applied to the policy.
- scope String
- The role management policy scope.
- description String
- The role management policy description.
- display
Name String - The role management policy display name.
- is
Organization BooleanDefault - The role management policy is default policy.
- role
Management StringPolicy Name - The name (guid) of the role management policy to upsert.
- rules List<Property Map | Property Map | Property Map | Property Map | Property Map | Property Map>
- The rule applied to the policy.
Outputs
All input properties are implicitly available as output properties. Additionally, the RoleManagementPolicy resource produces the following output properties:
- Effective
Rules List<object> - The readonly computed rule applied to the policy.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified Pulumi.By Azure Native. Authorization. Outputs. Principal Response - The name of the entity last modified it
- Last
Modified stringDate Time - The last modified date time.
- Name string
- The role management policy name.
- Policy
Properties Pulumi.Azure Native. Authorization. Outputs. Policy Properties Response - Additional properties of scope
- Type string
- The role management policy type.
- Effective
Rules []interface{} - The readonly computed rule applied to the policy.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified PrincipalBy Response - The name of the entity last modified it
- Last
Modified stringDate Time - The last modified date time.
- Name string
- The role management policy name.
- Policy
Properties PolicyProperties Response - Additional properties of scope
- Type string
- The role management policy type.
- effective
Rules List<Object> - The readonly computed rule applied to the policy.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified PrincipalBy Response - The name of the entity last modified it
- last
Modified StringDate Time - The last modified date time.
- name String
- The role management policy name.
- policy
Properties PolicyProperties Response - Additional properties of scope
- type String
- The role management policy type.
- effective
Rules (RoleManagement Policy Approval Rule Response | Role Management Policy Authentication Context Rule Response | Role Management Policy Enablement Rule Response | Role Management Policy Expiration Rule Response | Role Management Policy Notification Rule Response | Role Management Policy Pim Only Mode Rule Response)[] - The readonly computed rule applied to the policy.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Modified PrincipalBy Response - The name of the entity last modified it
- last
Modified stringDate Time - The last modified date time.
- name string
- The role management policy name.
- policy
Properties PolicyProperties Response - Additional properties of scope
- type string
- The role management policy type.
- effective_
rules Sequence[Any] - The readonly computed rule applied to the policy.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
modified_ Principalby Response - The name of the entity last modified it
- last_
modified_ strdate_ time - The last modified date time.
- name str
- The role management policy name.
- policy_
properties PolicyProperties Response - Additional properties of scope
- type str
- The role management policy type.
- effective
Rules List<Property Map | Property Map | Property Map | Property Map | Property Map | Property Map> - The readonly computed rule applied to the policy.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified Property MapBy - The name of the entity last modified it
- last
Modified StringDate Time - The last modified date time.
- name String
- The role management policy name.
- policy
Properties Property Map - Additional properties of scope
- type String
- The role management policy type.
Supporting Types
ApprovalMode, ApprovalModeArgs
- Single
Stage - SingleStage
- Serial
- Serial
- Parallel
- Parallel
- No
Approval - NoApproval
- Approval
Mode Single Stage - SingleStage
- Approval
Mode Serial - Serial
- Approval
Mode Parallel - Parallel
- Approval
Mode No Approval - NoApproval
- Single
Stage - SingleStage
- Serial
- Serial
- Parallel
- Parallel
- No
Approval - NoApproval
- Single
Stage - SingleStage
- Serial
- Serial
- Parallel
- Parallel
- No
Approval - NoApproval
- SINGLE_STAGE
- SingleStage
- SERIAL
- Serial
- PARALLEL
- Parallel
- NO_APPROVAL
- NoApproval
- "Single
Stage" - SingleStage
- "Serial"
- Serial
- "Parallel"
- Parallel
- "No
Approval" - NoApproval
ApprovalSettings, ApprovalSettingsArgs
- Approval
Mode string | Pulumi.Azure Native. Authorization. Approval Mode - The type of rule
- Approval
Stages List<Pulumi.Azure Native. Authorization. Inputs. Approval Stage> - The approval stages of the request.
- Is
Approval boolRequired - Determines whether approval is required or not.
- Is
Approval boolRequired For Extension - Determines whether approval is required for assignment extension.
- Is
Requestor boolJustification Required - Determine whether requestor justification is required.
- Approval
Mode string | ApprovalMode - The type of rule
- Approval
Stages []ApprovalStage - The approval stages of the request.
- Is
Approval boolRequired - Determines whether approval is required or not.
- Is
Approval boolRequired For Extension - Determines whether approval is required for assignment extension.
- Is
Requestor boolJustification Required - Determine whether requestor justification is required.
- approval
Mode String | ApprovalMode - The type of rule
- approval
Stages List<ApprovalStage> - The approval stages of the request.
- is
Approval BooleanRequired - Determines whether approval is required or not.
- is
Approval BooleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor BooleanJustification Required - Determine whether requestor justification is required.
- approval
Mode string | ApprovalMode - The type of rule
- approval
Stages ApprovalStage[] - The approval stages of the request.
- is
Approval booleanRequired - Determines whether approval is required or not.
- is
Approval booleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor booleanJustification Required - Determine whether requestor justification is required.
- approval_
mode str | ApprovalMode - The type of rule
- approval_
stages Sequence[ApprovalStage] - The approval stages of the request.
- is_
approval_ boolrequired - Determines whether approval is required or not.
- is_
approval_ boolrequired_ for_ extension - Determines whether approval is required for assignment extension.
- is_
requestor_ booljustification_ required - Determine whether requestor justification is required.
- approval
Mode String | "SingleStage" | "Serial" | "Parallel" | "No Approval" - The type of rule
- approval
Stages List<Property Map> - The approval stages of the request.
- is
Approval BooleanRequired - Determines whether approval is required or not.
- is
Approval BooleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor BooleanJustification Required - Determine whether requestor justification is required.
ApprovalSettingsResponse, ApprovalSettingsResponseArgs
- Approval
Mode string - The type of rule
- Approval
Stages List<Pulumi.Azure Native. Authorization. Inputs. Approval Stage Response> - The approval stages of the request.
- Is
Approval boolRequired - Determines whether approval is required or not.
- Is
Approval boolRequired For Extension - Determines whether approval is required for assignment extension.
- Is
Requestor boolJustification Required - Determine whether requestor justification is required.
- Approval
Mode string - The type of rule
- Approval
Stages []ApprovalStage Response - The approval stages of the request.
- Is
Approval boolRequired - Determines whether approval is required or not.
- Is
Approval boolRequired For Extension - Determines whether approval is required for assignment extension.
- Is
Requestor boolJustification Required - Determine whether requestor justification is required.
- approval
Mode String - The type of rule
- approval
Stages List<ApprovalStage Response> - The approval stages of the request.
- is
Approval BooleanRequired - Determines whether approval is required or not.
- is
Approval BooleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor BooleanJustification Required - Determine whether requestor justification is required.
- approval
Mode string - The type of rule
- approval
Stages ApprovalStage Response[] - The approval stages of the request.
- is
Approval booleanRequired - Determines whether approval is required or not.
- is
Approval booleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor booleanJustification Required - Determine whether requestor justification is required.
- approval_
mode str - The type of rule
- approval_
stages Sequence[ApprovalStage Response] - The approval stages of the request.
- is_
approval_ boolrequired - Determines whether approval is required or not.
- is_
approval_ boolrequired_ for_ extension - Determines whether approval is required for assignment extension.
- is_
requestor_ booljustification_ required - Determine whether requestor justification is required.
- approval
Mode String - The type of rule
- approval
Stages List<Property Map> - The approval stages of the request.
- is
Approval BooleanRequired - Determines whether approval is required or not.
- is
Approval BooleanRequired For Extension - Determines whether approval is required for assignment extension.
- is
Requestor BooleanJustification Required - Determine whether requestor justification is required.
ApprovalStage, ApprovalStageArgs
- Approval
Stage intTime Out In Days - The time in days when approval request would be timed out
- Escalation
Approvers List<Pulumi.Azure Native. Authorization. Inputs. User Set> - The escalation approver of the request.
- Escalation
Time intIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- Is
Approver boolJustification Required - Determines whether approver need to provide justification for his decision.
- Is
Escalation boolEnabled - The value determine whether escalation feature is enabled.
- Primary
Approvers List<Pulumi.Azure Native. Authorization. Inputs. User Set> - The primary approver of the request.
- Approval
Stage intTime Out In Days - The time in days when approval request would be timed out
- Escalation
Approvers []UserSet - The escalation approver of the request.
- Escalation
Time intIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- Is
Approver boolJustification Required - Determines whether approver need to provide justification for his decision.
- Is
Escalation boolEnabled - The value determine whether escalation feature is enabled.
- Primary
Approvers []UserSet - The primary approver of the request.
- approval
Stage IntegerTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers List<UserSet> - The escalation approver of the request.
- escalation
Time IntegerIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver BooleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation BooleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers List<UserSet> - The primary approver of the request.
- approval
Stage numberTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers UserSet[] - The escalation approver of the request.
- escalation
Time numberIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver booleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation booleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers UserSet[] - The primary approver of the request.
- approval_
stage_ inttime_ out_ in_ days - The time in days when approval request would be timed out
- escalation_
approvers Sequence[UserSet] - The escalation approver of the request.
- escalation_
time_ intin_ minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is_
approver_ booljustification_ required - Determines whether approver need to provide justification for his decision.
- is_
escalation_ boolenabled - The value determine whether escalation feature is enabled.
- primary_
approvers Sequence[UserSet] - The primary approver of the request.
- approval
Stage NumberTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers List<Property Map> - The escalation approver of the request.
- escalation
Time NumberIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver BooleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation BooleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers List<Property Map> - The primary approver of the request.
ApprovalStageResponse, ApprovalStageResponseArgs
- Approval
Stage intTime Out In Days - The time in days when approval request would be timed out
- Escalation
Approvers List<Pulumi.Azure Native. Authorization. Inputs. User Set Response> - The escalation approver of the request.
- Escalation
Time intIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- Is
Approver boolJustification Required - Determines whether approver need to provide justification for his decision.
- Is
Escalation boolEnabled - The value determine whether escalation feature is enabled.
- Primary
Approvers List<Pulumi.Azure Native. Authorization. Inputs. User Set Response> - The primary approver of the request.
- Approval
Stage intTime Out In Days - The time in days when approval request would be timed out
- Escalation
Approvers []UserSet Response - The escalation approver of the request.
- Escalation
Time intIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- Is
Approver boolJustification Required - Determines whether approver need to provide justification for his decision.
- Is
Escalation boolEnabled - The value determine whether escalation feature is enabled.
- Primary
Approvers []UserSet Response - The primary approver of the request.
- approval
Stage IntegerTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers List<UserSet Response> - The escalation approver of the request.
- escalation
Time IntegerIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver BooleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation BooleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers List<UserSet Response> - The primary approver of the request.
- approval
Stage numberTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers UserSet Response[] - The escalation approver of the request.
- escalation
Time numberIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver booleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation booleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers UserSet Response[] - The primary approver of the request.
- approval_
stage_ inttime_ out_ in_ days - The time in days when approval request would be timed out
- escalation_
approvers Sequence[UserSet Response] - The escalation approver of the request.
- escalation_
time_ intin_ minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is_
approver_ booljustification_ required - Determines whether approver need to provide justification for his decision.
- is_
escalation_ boolenabled - The value determine whether escalation feature is enabled.
- primary_
approvers Sequence[UserSet Response] - The primary approver of the request.
- approval
Stage NumberTime Out In Days - The time in days when approval request would be timed out
- escalation
Approvers List<Property Map> - The escalation approver of the request.
- escalation
Time NumberIn Minutes - The time in minutes when the approval request would be escalated if the primary approver does not approve
- is
Approver BooleanJustification Required - Determines whether approver need to provide justification for his decision.
- is
Escalation BooleanEnabled - The value determine whether escalation feature is enabled.
- primary
Approvers List<Property Map> - The primary approver of the request.
EnablementRules, EnablementRulesArgs
- Multi
Factor Authentication - MultiFactorAuthentication
- Justification
- Justification
- Ticketing
- Ticketing
- Enablement
Rules Multi Factor Authentication - MultiFactorAuthentication
- Enablement
Rules Justification - Justification
- Enablement
Rules Ticketing - Ticketing
- Multi
Factor Authentication - MultiFactorAuthentication
- Justification
- Justification
- Ticketing
- Ticketing
- Multi
Factor Authentication - MultiFactorAuthentication
- Justification
- Justification
- Ticketing
- Ticketing
- MULTI_FACTOR_AUTHENTICATION
- MultiFactorAuthentication
- JUSTIFICATION
- Justification
- TICKETING
- Ticketing
- "Multi
Factor Authentication" - MultiFactorAuthentication
- "Justification"
- Justification
- "Ticketing"
- Ticketing
ExcludedPrincipalTypes, ExcludedPrincipalTypesArgs
- Service
Principals As Target - ServicePrincipalsAsTarget
- Service
Principals As Requestor - ServicePrincipalsAsRequestor
- Excluded
Principal Types Service Principals As Target - ServicePrincipalsAsTarget
- Excluded
Principal Types Service Principals As Requestor - ServicePrincipalsAsRequestor
- Service
Principals As Target - ServicePrincipalsAsTarget
- Service
Principals As Requestor - ServicePrincipalsAsRequestor
- Service
Principals As Target - ServicePrincipalsAsTarget
- Service
Principals As Requestor - ServicePrincipalsAsRequestor
- SERVICE_PRINCIPALS_AS_TARGET
- ServicePrincipalsAsTarget
- SERVICE_PRINCIPALS_AS_REQUESTOR
- ServicePrincipalsAsRequestor
- "Service
Principals As Target" - ServicePrincipalsAsTarget
- "Service
Principals As Requestor" - ServicePrincipalsAsRequestor
NotificationDeliveryMechanism, NotificationDeliveryMechanismArgs
- Notification
Delivery Mechanism Email
- "Email"
NotificationLevel, NotificationLevelArgs
- None
- None
- Critical
- Critical
- All
- All
- Notification
Level None - None
- Notification
Level Critical - Critical
- Notification
Level All - All
- None
- None
- Critical
- Critical
- All
- All
- None
- None
- Critical
- Critical
- All
- All
- NONE
- None
- CRITICAL
- Critical
- ALL
- All
- "None"
- None
- "Critical"
- Critical
- "All"
- All
PIMOnlyMode, PIMOnlyModeArgs
- Disabled
- Disabled
- Enabled
- Enabled
- Report
Only - ReportOnly
- PIMOnly
Mode Disabled - Disabled
- PIMOnly
Mode Enabled - Enabled
- PIMOnly
Mode Report Only - ReportOnly
- Disabled
- Disabled
- Enabled
- Enabled
- Report
Only - ReportOnly
- Disabled
- Disabled
- Enabled
- Enabled
- Report
Only - ReportOnly
- DISABLED
- Disabled
- ENABLED
- Enabled
- REPORT_ONLY
- ReportOnly
- "Disabled"
- Disabled
- "Enabled"
- Enabled
- "Report
Only" - ReportOnly
PIMOnlyModeSettings, PIMOnlyModeSettingsArgs
- Excluded
Assignment List<Union<string, Pulumi.Types Azure Native. Authorization. Excluded Principal Types>> - The list of excluded assignment types allowed.
- Excludes
List<Pulumi.
Azure Native. Authorization. Inputs. Users Or Service Principal Set> - The list of excluded entities that the rule does not apply to.
- Mode
string | Pulumi.
Azure Native. Authorization. PIMOnly Mode - Determines whether the setting is enabled, disabled or report only.
- Excluded
Assignment []stringTypes - The list of excluded assignment types allowed.
- Excludes
[]Users
Or Service Principal Set - The list of excluded entities that the rule does not apply to.
- Mode
string | PIMOnly
Mode - Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment List<Either<String,ExcludedTypes Principal Types>> - The list of excluded assignment types allowed.
- excludes
List<Users
Or Service Principal Set> - The list of excluded entities that the rule does not apply to.
- mode
String | PIMOnly
Mode - Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment (string | ExcludedTypes Principal Types)[] - The list of excluded assignment types allowed.
- excludes
Users
Or Service Principal Set[] - The list of excluded entities that the rule does not apply to.
- mode
string | PIMOnly
Mode - Determines whether the setting is enabled, disabled or report only.
- excluded_
assignment_ Sequence[Union[str, Excludedtypes Principal Types]] - The list of excluded assignment types allowed.
- excludes
Sequence[Users
Or Service Principal Set] - The list of excluded entities that the rule does not apply to.
- mode
str | PIMOnly
Mode - Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment List<String | "ServiceTypes Principals As Target" | "Service Principals As Requestor"> - The list of excluded assignment types allowed.
- excludes List<Property Map>
- The list of excluded entities that the rule does not apply to.
- mode
String | "Disabled" | "Enabled" | "Report
Only" - Determines whether the setting is enabled, disabled or report only.
PIMOnlyModeSettingsResponse, PIMOnlyModeSettingsResponseArgs
- Excluded
Assignment List<string>Types - The list of excluded assignment types allowed.
- Excludes
List<Pulumi.
Azure Native. Authorization. Inputs. Users Or Service Principal Set Response> - The list of excluded entities that the rule does not apply to.
- Mode string
- Determines whether the setting is enabled, disabled or report only.
- Excluded
Assignment []stringTypes - The list of excluded assignment types allowed.
- Excludes
[]Users
Or Service Principal Set Response - The list of excluded entities that the rule does not apply to.
- Mode string
- Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment List<String>Types - The list of excluded assignment types allowed.
- excludes
List<Users
Or Service Principal Set Response> - The list of excluded entities that the rule does not apply to.
- mode String
- Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment string[]Types - The list of excluded assignment types allowed.
- excludes
Users
Or Service Principal Set Response[] - The list of excluded entities that the rule does not apply to.
- mode string
- Determines whether the setting is enabled, disabled or report only.
- excluded_
assignment_ Sequence[str]types - The list of excluded assignment types allowed.
- excludes
Sequence[Users
Or Service Principal Set Response] - The list of excluded entities that the rule does not apply to.
- mode str
- Determines whether the setting is enabled, disabled or report only.
- excluded
Assignment List<String>Types - The list of excluded assignment types allowed.
- excludes List<Property Map>
- The list of excluded entities that the rule does not apply to.
- mode String
- Determines whether the setting is enabled, disabled or report only.
PolicyPropertiesResponse, PolicyPropertiesResponseArgs
- Scope
Pulumi.
Azure Native. Authorization. Inputs. Policy Properties Response Scope - Details of the resource scope
- Scope
Policy
Properties Response Scope - Details of the resource scope
- scope
Policy
Properties Response Scope - Details of the resource scope
- scope
Policy
Properties Response Scope - Details of the resource scope
- scope
Policy
Properties Response Scope - Details of the resource scope
- scope Property Map
- Details of the resource scope
PolicyPropertiesResponseScope, PolicyPropertiesResponseScopeArgs
- Display
Name string - Display name of the resource
- Id string
- Scope id of the resource
- Type string
- Type of the resource
- Display
Name string - Display name of the resource
- Id string
- Scope id of the resource
- Type string
- Type of the resource
- display
Name String - Display name of the resource
- id String
- Scope id of the resource
- type String
- Type of the resource
- display
Name string - Display name of the resource
- id string
- Scope id of the resource
- type string
- Type of the resource
- display_
name str - Display name of the resource
- id str
- Scope id of the resource
- type str
- Type of the resource
- display
Name String - Display name of the resource
- id String
- Scope id of the resource
- type String
- Type of the resource
PrincipalResponse, PrincipalResponseArgs
- Display
Name string - The name of the principal made changes
- Email string
- Email of principal
- Id string
- The id of the principal made changes
- Type string
- Type of principal such as user , group etc
- Display
Name string - The name of the principal made changes
- Email string
- Email of principal
- Id string
- The id of the principal made changes
- Type string
- Type of principal such as user , group etc
- display
Name String - The name of the principal made changes
- email String
- Email of principal
- id String
- The id of the principal made changes
- type String
- Type of principal such as user , group etc
- display
Name string - The name of the principal made changes
- email string
- Email of principal
- id string
- The id of the principal made changes
- type string
- Type of principal such as user , group etc
- display_
name str - The name of the principal made changes
- email str
- Email of principal
- id str
- The id of the principal made changes
- type str
- Type of principal such as user , group etc
- display
Name String - The name of the principal made changes
- email String
- Email of principal
- id String
- The id of the principal made changes
- type String
- Type of principal such as user , group etc
RecipientType, RecipientTypeArgs
- Requestor
- Requestor
- Approver
- Approver
- Admin
- Admin
- Recipient
Type Requestor - Requestor
- Recipient
Type Approver - Approver
- Recipient
Type Admin - Admin
- Requestor
- Requestor
- Approver
- Approver
- Admin
- Admin
- Requestor
- Requestor
- Approver
- Approver
- Admin
- Admin
- REQUESTOR
- Requestor
- APPROVER
- Approver
- ADMIN
- Admin
- "Requestor"
- Requestor
- "Approver"
- Approver
- "Admin"
- Admin
RoleManagementPolicyApprovalRule, RoleManagementPolicyApprovalRuleArgs
- Id string
- The id of the rule.
- Setting
Pulumi.
Azure Native. Authorization. Inputs. Approval Settings - The approval setting
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Id string
- The id of the rule.
- Setting
Approval
Settings - The approval setting
- Target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- setting
Approval
Settings - The approval setting
- target
Role
Management Policy Rule Target - The target of the current rule.
- id string
- The id of the rule.
- setting
Approval
Settings - The approval setting
- target
Role
Management Policy Rule Target - The target of the current rule.
- id str
- The id of the rule.
- setting
Approval
Settings - The approval setting
- target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- setting Property Map
- The approval setting
- target Property Map
- The target of the current rule.
RoleManagementPolicyApprovalRuleResponse, RoleManagementPolicyApprovalRuleResponseArgs
- Id string
- The id of the rule.
- Setting
Pulumi.
Azure Native. Authorization. Inputs. Approval Settings Response - The approval setting
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Id string
- The id of the rule.
- Setting
Approval
Settings Response - The approval setting
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- setting
Approval
Settings Response - The approval setting
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id string
- The id of the rule.
- setting
Approval
Settings Response - The approval setting
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id str
- The id of the rule.
- setting
Approval
Settings Response - The approval setting
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- setting Property Map
- The approval setting
- target Property Map
- The target of the current rule.
RoleManagementPolicyAuthenticationContextRule, RoleManagementPolicyAuthenticationContextRuleArgs
- Claim
Value string - The claim value.
- Id string
- The id of the rule.
- Is
Enabled bool - The value indicating if rule is enabled.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Claim
Value string - The claim value.
- Id string
- The id of the rule.
- Is
Enabled bool - The value indicating if rule is enabled.
- Target
Role
Management Policy Rule Target - The target of the current rule.
- claim
Value String - The claim value.
- id String
- The id of the rule.
- is
Enabled Boolean - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target - The target of the current rule.
- claim
Value string - The claim value.
- id string
- The id of the rule.
- is
Enabled boolean - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target - The target of the current rule.
- claim_
value str - The claim value.
- id str
- The id of the rule.
- is_
enabled bool - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target - The target of the current rule.
- claim
Value String - The claim value.
- id String
- The id of the rule.
- is
Enabled Boolean - The value indicating if rule is enabled.
- target Property Map
- The target of the current rule.
RoleManagementPolicyAuthenticationContextRuleResponse, RoleManagementPolicyAuthenticationContextRuleResponseArgs
- Claim
Value string - The claim value.
- Id string
- The id of the rule.
- Is
Enabled bool - The value indicating if rule is enabled.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Claim
Value string - The claim value.
- Id string
- The id of the rule.
- Is
Enabled bool - The value indicating if rule is enabled.
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- claim
Value String - The claim value.
- id String
- The id of the rule.
- is
Enabled Boolean - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- claim
Value string - The claim value.
- id string
- The id of the rule.
- is
Enabled boolean - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- claim_
value str - The claim value.
- id str
- The id of the rule.
- is_
enabled bool - The value indicating if rule is enabled.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- claim
Value String - The claim value.
- id String
- The id of the rule.
- is
Enabled Boolean - The value indicating if rule is enabled.
- target Property Map
- The target of the current rule.
RoleManagementPolicyEnablementRule, RoleManagementPolicyEnablementRuleArgs
- Enabled
Rules List<Union<string, Pulumi.Azure Native. Authorization. Enablement Rules>> - The list of enabled rules.
- Id string
- The id of the rule.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Enabled
Rules []string - The list of enabled rules.
- Id string
- The id of the rule.
- Target
Role
Management Policy Rule Target - The target of the current rule.
- enabled
Rules List<Either<String,EnablementRules>> - The list of enabled rules.
- id String
- The id of the rule.
- target
Role
Management Policy Rule Target - The target of the current rule.
- enabled
Rules (string | EnablementRules)[] - The list of enabled rules.
- id string
- The id of the rule.
- target
Role
Management Policy Rule Target - The target of the current rule.
- enabled_
rules Sequence[Union[str, EnablementRules]] - The list of enabled rules.
- id str
- The id of the rule.
- target
Role
Management Policy Rule Target - The target of the current rule.
- enabled
Rules List<String | "MultiFactor Authentication" | "Justification" | "Ticketing"> - The list of enabled rules.
- id String
- The id of the rule.
- target Property Map
- The target of the current rule.
RoleManagementPolicyEnablementRuleResponse, RoleManagementPolicyEnablementRuleResponseArgs
- Enabled
Rules List<string> - The list of enabled rules.
- Id string
- The id of the rule.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Enabled
Rules []string - The list of enabled rules.
- Id string
- The id of the rule.
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- enabled
Rules List<String> - The list of enabled rules.
- id String
- The id of the rule.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- enabled
Rules string[] - The list of enabled rules.
- id string
- The id of the rule.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- enabled_
rules Sequence[str] - The list of enabled rules.
- id str
- The id of the rule.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- enabled
Rules List<String> - The list of enabled rules.
- id String
- The id of the rule.
- target Property Map
- The target of the current rule.
RoleManagementPolicyExpirationRule, RoleManagementPolicyExpirationRuleArgs
- Exception
Members List<Pulumi.Azure Native. Authorization. Inputs. User Set> - The members not restricted by expiration rule.
- Id string
- The id of the rule.
- Is
Expiration boolRequired - The value indicating whether expiration is required.
- Maximum
Duration string - The maximum duration of expiration in timespan.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Exception
Members []UserSet - The members not restricted by expiration rule.
- Id string
- The id of the rule.
- Is
Expiration boolRequired - The value indicating whether expiration is required.
- Maximum
Duration string - The maximum duration of expiration in timespan.
- Target
Role
Management Policy Rule Target - The target of the current rule.
- exception
Members List<UserSet> - The members not restricted by expiration rule.
- id String
- The id of the rule.
- is
Expiration BooleanRequired - The value indicating whether expiration is required.
- maximum
Duration String - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target - The target of the current rule.
- exception
Members UserSet[] - The members not restricted by expiration rule.
- id string
- The id of the rule.
- is
Expiration booleanRequired - The value indicating whether expiration is required.
- maximum
Duration string - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target - The target of the current rule.
- exception_
members Sequence[UserSet] - The members not restricted by expiration rule.
- id str
- The id of the rule.
- is_
expiration_ boolrequired - The value indicating whether expiration is required.
- maximum_
duration str - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target - The target of the current rule.
- exception
Members List<Property Map> - The members not restricted by expiration rule.
- id String
- The id of the rule.
- is
Expiration BooleanRequired - The value indicating whether expiration is required.
- maximum
Duration String - The maximum duration of expiration in timespan.
- target Property Map
- The target of the current rule.
RoleManagementPolicyExpirationRuleResponse, RoleManagementPolicyExpirationRuleResponseArgs
- Exception
Members List<Pulumi.Azure Native. Authorization. Inputs. User Set Response> - The members not restricted by expiration rule.
- Id string
- The id of the rule.
- Is
Expiration boolRequired - The value indicating whether expiration is required.
- Maximum
Duration string - The maximum duration of expiration in timespan.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Exception
Members []UserSet Response - The members not restricted by expiration rule.
- Id string
- The id of the rule.
- Is
Expiration boolRequired - The value indicating whether expiration is required.
- Maximum
Duration string - The maximum duration of expiration in timespan.
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- exception
Members List<UserSet Response> - The members not restricted by expiration rule.
- id String
- The id of the rule.
- is
Expiration BooleanRequired - The value indicating whether expiration is required.
- maximum
Duration String - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- exception
Members UserSet Response[] - The members not restricted by expiration rule.
- id string
- The id of the rule.
- is
Expiration booleanRequired - The value indicating whether expiration is required.
- maximum
Duration string - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- exception_
members Sequence[UserSet Response] - The members not restricted by expiration rule.
- id str
- The id of the rule.
- is_
expiration_ boolrequired - The value indicating whether expiration is required.
- maximum_
duration str - The maximum duration of expiration in timespan.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- exception
Members List<Property Map> - The members not restricted by expiration rule.
- id String
- The id of the rule.
- is
Expiration BooleanRequired - The value indicating whether expiration is required.
- maximum
Duration String - The maximum duration of expiration in timespan.
- target Property Map
- The target of the current rule.
RoleManagementPolicyNotificationRule, RoleManagementPolicyNotificationRuleArgs
- Id string
- The id of the rule.
- Is
Default boolRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- Notification
Level string | Pulumi.Azure Native. Authorization. Notification Level - The notification level.
- Notification
Recipients List<string> - The list of notification recipients.
- Notification
Type string | Pulumi.Azure Native. Authorization. Notification Delivery Mechanism - The type of notification.
- Recipient
Type string | Pulumi.Azure Native. Authorization. Recipient Type - The recipient type.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Id string
- The id of the rule.
- Is
Default boolRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- Notification
Level string | NotificationLevel - The notification level.
- Notification
Recipients []string - The list of notification recipients.
- Notification
Type string | NotificationDelivery Mechanism - The type of notification.
- Recipient
Type string | RecipientType - The recipient type.
- Target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- is
Default BooleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level String | NotificationLevel - The notification level.
- notification
Recipients List<String> - The list of notification recipients.
- notification
Type String | NotificationDelivery Mechanism - The type of notification.
- recipient
Type String | RecipientType - The recipient type.
- target
Role
Management Policy Rule Target - The target of the current rule.
- id string
- The id of the rule.
- is
Default booleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level string | NotificationLevel - The notification level.
- notification
Recipients string[] - The list of notification recipients.
- notification
Type string | NotificationDelivery Mechanism - The type of notification.
- recipient
Type string | RecipientType - The recipient type.
- target
Role
Management Policy Rule Target - The target of the current rule.
- id str
- The id of the rule.
- is_
default_ boolrecipients_ enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification_
level str | NotificationLevel - The notification level.
- notification_
recipients Sequence[str] - The list of notification recipients.
- notification_
type str | NotificationDelivery Mechanism - The type of notification.
- recipient_
type str | RecipientType - The recipient type.
- target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- is
Default BooleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level String | "None" | "Critical" | "All" - The notification level.
- notification
Recipients List<String> - The list of notification recipients.
- notification
Type String | "Email" - The type of notification.
- recipient
Type String | "Requestor" | "Approver" | "Admin" - The recipient type.
- target Property Map
- The target of the current rule.
RoleManagementPolicyNotificationRuleResponse, RoleManagementPolicyNotificationRuleResponseArgs
- Id string
- The id of the rule.
- Is
Default boolRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- Notification
Level string - The notification level.
- Notification
Recipients List<string> - The list of notification recipients.
- Notification
Type string - The type of notification.
- Recipient
Type string - The recipient type.
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Id string
- The id of the rule.
- Is
Default boolRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- Notification
Level string - The notification level.
- Notification
Recipients []string - The list of notification recipients.
- Notification
Type string - The type of notification.
- Recipient
Type string - The recipient type.
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- is
Default BooleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level String - The notification level.
- notification
Recipients List<String> - The list of notification recipients.
- notification
Type String - The type of notification.
- recipient
Type String - The recipient type.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id string
- The id of the rule.
- is
Default booleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level string - The notification level.
- notification
Recipients string[] - The list of notification recipients.
- notification
Type string - The type of notification.
- recipient
Type string - The recipient type.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id str
- The id of the rule.
- is_
default_ boolrecipients_ enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification_
level str - The notification level.
- notification_
recipients Sequence[str] - The list of notification recipients.
- notification_
type str - The type of notification.
- recipient_
type str - The recipient type.
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- is
Default BooleanRecipients Enabled - Determines if the notification will be sent to the recipient type specified in the policy rule.
- notification
Level String - The notification level.
- notification
Recipients List<String> - The list of notification recipients.
- notification
Type String - The type of notification.
- recipient
Type String - The recipient type.
- target Property Map
- The target of the current rule.
RoleManagementPolicyPimOnlyModeRule, RoleManagementPolicyPimOnlyModeRuleArgs
- Id string
- The id of the rule.
- Pim
Only Pulumi.Mode Settings Azure Native. Authorization. Inputs. PIMOnly Mode Settings - The PIM Only Mode settings
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target - The target of the current rule.
- Id string
- The id of the rule.
- Pim
Only PIMOnlyMode Settings Mode Settings - The PIM Only Mode settings
- Target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- pim
Only PIMOnlyMode Settings Mode Settings - The PIM Only Mode settings
- target
Role
Management Policy Rule Target - The target of the current rule.
- id string
- The id of the rule.
- pim
Only PIMOnlyMode Settings Mode Settings - The PIM Only Mode settings
- target
Role
Management Policy Rule Target - The target of the current rule.
- id str
- The id of the rule.
- pim_
only_ PIMOnlymode_ settings Mode Settings - The PIM Only Mode settings
- target
Role
Management Policy Rule Target - The target of the current rule.
- id String
- The id of the rule.
- pim
Only Property MapMode Settings - The PIM Only Mode settings
- target Property Map
- The target of the current rule.
RoleManagementPolicyPimOnlyModeRuleResponse, RoleManagementPolicyPimOnlyModeRuleResponseArgs
- Id string
- The id of the rule.
- Pim
Only Pulumi.Mode Settings Azure Native. Authorization. Inputs. PIMOnly Mode Settings Response - The PIM Only Mode settings
- Target
Pulumi.
Azure Native. Authorization. Inputs. Role Management Policy Rule Target Response - The target of the current rule.
- Id string
- The id of the rule.
- Pim
Only PIMOnlyMode Settings Mode Settings Response - The PIM Only Mode settings
- Target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- pim
Only PIMOnlyMode Settings Mode Settings Response - The PIM Only Mode settings
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id string
- The id of the rule.
- pim
Only PIMOnlyMode Settings Mode Settings Response - The PIM Only Mode settings
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id str
- The id of the rule.
- pim_
only_ PIMOnlymode_ settings Mode Settings Response - The PIM Only Mode settings
- target
Role
Management Policy Rule Target Response - The target of the current rule.
- id String
- The id of the rule.
- pim
Only Property MapMode Settings - The PIM Only Mode settings
- target Property Map
- The target of the current rule.
RoleManagementPolicyRuleTarget, RoleManagementPolicyRuleTargetArgs
- Caller string
- The caller of the setting.
- Enforced
Settings List<string> - The list of enforced settings.
- Inheritable
Settings List<string> - The list of inheritable settings.
- Level string
- The assignment level to which rule is applied.
- Operations List<string>
- The type of operation.
- Target
Objects List<string> - The list of target objects.
- Caller string
- The caller of the setting.
- Enforced
Settings []string - The list of enforced settings.
- Inheritable
Settings []string - The list of inheritable settings.
- Level string
- The assignment level to which rule is applied.
- Operations []string
- The type of operation.
- Target
Objects []string - The list of target objects.
- caller String
- The caller of the setting.
- enforced
Settings List<String> - The list of enforced settings.
- inheritable
Settings List<String> - The list of inheritable settings.
- level String
- The assignment level to which rule is applied.
- operations List<String>
- The type of operation.
- target
Objects List<String> - The list of target objects.
- caller string
- The caller of the setting.
- enforced
Settings string[] - The list of enforced settings.
- inheritable
Settings string[] - The list of inheritable settings.
- level string
- The assignment level to which rule is applied.
- operations string[]
- The type of operation.
- target
Objects string[] - The list of target objects.
- caller str
- The caller of the setting.
- enforced_
settings Sequence[str] - The list of enforced settings.
- inheritable_
settings Sequence[str] - The list of inheritable settings.
- level str
- The assignment level to which rule is applied.
- operations Sequence[str]
- The type of operation.
- target_
objects Sequence[str] - The list of target objects.
- caller String
- The caller of the setting.
- enforced
Settings List<String> - The list of enforced settings.
- inheritable
Settings List<String> - The list of inheritable settings.
- level String
- The assignment level to which rule is applied.
- operations List<String>
- The type of operation.
- target
Objects List<String> - The list of target objects.
RoleManagementPolicyRuleTargetResponse, RoleManagementPolicyRuleTargetResponseArgs
- Caller string
- The caller of the setting.
- Enforced
Settings List<string> - The list of enforced settings.
- Inheritable
Settings List<string> - The list of inheritable settings.
- Level string
- The assignment level to which rule is applied.
- Operations List<string>
- The type of operation.
- Target
Objects List<string> - The list of target objects.
- Caller string
- The caller of the setting.
- Enforced
Settings []string - The list of enforced settings.
- Inheritable
Settings []string - The list of inheritable settings.
- Level string
- The assignment level to which rule is applied.
- Operations []string
- The type of operation.
- Target
Objects []string - The list of target objects.
- caller String
- The caller of the setting.
- enforced
Settings List<String> - The list of enforced settings.
- inheritable
Settings List<String> - The list of inheritable settings.
- level String
- The assignment level to which rule is applied.
- operations List<String>
- The type of operation.
- target
Objects List<String> - The list of target objects.
- caller string
- The caller of the setting.
- enforced
Settings string[] - The list of enforced settings.
- inheritable
Settings string[] - The list of inheritable settings.
- level string
- The assignment level to which rule is applied.
- operations string[]
- The type of operation.
- target
Objects string[] - The list of target objects.
- caller str
- The caller of the setting.
- enforced_
settings Sequence[str] - The list of enforced settings.
- inheritable_
settings Sequence[str] - The list of inheritable settings.
- level str
- The assignment level to which rule is applied.
- operations Sequence[str]
- The type of operation.
- target_
objects Sequence[str] - The list of target objects.
- caller String
- The caller of the setting.
- enforced
Settings List<String> - The list of enforced settings.
- inheritable
Settings List<String> - The list of inheritable settings.
- level String
- The assignment level to which rule is applied.
- operations List<String>
- The type of operation.
- target
Objects List<String> - The list of target objects.
UserSet, UserSetArgs
- Description string
- The description of the user.
- Id string
- The object id of the user.
- Is
Backup bool - The value indicating whether the user is a backup fallback approver
- User
Type string | Pulumi.Azure Native. Authorization. User Type - The type of user.
- Description string
- The description of the user.
- Id string
- The object id of the user.
- Is
Backup bool - The value indicating whether the user is a backup fallback approver
- User
Type string | UserType - The type of user.
- description String
- The description of the user.
- id String
- The object id of the user.
- is
Backup Boolean - The value indicating whether the user is a backup fallback approver
- user
Type String | UserType - The type of user.
- description string
- The description of the user.
- id string
- The object id of the user.
- is
Backup boolean - The value indicating whether the user is a backup fallback approver
- user
Type string | UserType - The type of user.
- description str
- The description of the user.
- id str
- The object id of the user.
- is_
backup bool - The value indicating whether the user is a backup fallback approver
- user_
type str | UserType - The type of user.
- description String
- The description of the user.
- id String
- The object id of the user.
- is
Backup Boolean - The value indicating whether the user is a backup fallback approver
- user
Type String | "User" | "Group" | "ServicePrincipal" - The type of user.
UserSetResponse, UserSetResponseArgs
- Description string
- The description of the user.
- Id string
- The object id of the user.
- Is
Backup bool - The value indicating whether the user is a backup fallback approver
- User
Type string - The type of user.
- Description string
- The description of the user.
- Id string
- The object id of the user.
- Is
Backup bool - The value indicating whether the user is a backup fallback approver
- User
Type string - The type of user.
- description String
- The description of the user.
- id String
- The object id of the user.
- is
Backup Boolean - The value indicating whether the user is a backup fallback approver
- user
Type String - The type of user.
- description string
- The description of the user.
- id string
- The object id of the user.
- is
Backup boolean - The value indicating whether the user is a backup fallback approver
- user
Type string - The type of user.
- description str
- The description of the user.
- id str
- The object id of the user.
- is_
backup bool - The value indicating whether the user is a backup fallback approver
- user_
type str - The type of user.
- description String
- The description of the user.
- id String
- The object id of the user.
- is
Backup Boolean - The value indicating whether the user is a backup fallback approver
- user
Type String - The type of user.
UserType, UserTypeArgs
- User
- User
- Group
- Group
- Service
Principal - ServicePrincipal
- User
Type User - User
- User
Type Group - Group
- User
Type Service Principal - ServicePrincipal
- User
- User
- Group
- Group
- Service
Principal - ServicePrincipal
- User
- User
- Group
- Group
- Service
Principal - ServicePrincipal
- USER
- User
- GROUP
- Group
- SERVICE_PRINCIPAL
- ServicePrincipal
- "User"
- User
- "Group"
- Group
- "Service
Principal" - ServicePrincipal
UsersOrServicePrincipalSet, UsersOrServicePrincipalSetArgs
- Display
Name string - The display Name of the entity.
- Id string
- The object id of the entity.
- Type
string | Pulumi.
Azure Native. Authorization. User Type - The type of user.
- Display
Name string - The display Name of the entity.
- Id string
- The object id of the entity.
- Type
string | User
Type - The type of user.
- display
Name String - The display Name of the entity.
- id String
- The object id of the entity.
- type
String | User
Type - The type of user.
- display
Name string - The display Name of the entity.
- id string
- The object id of the entity.
- type
string | User
Type - The type of user.
- display_
name str - The display Name of the entity.
- id str
- The object id of the entity.
- type
str | User
Type - The type of user.
- display
Name String - The display Name of the entity.
- id String
- The object id of the entity.
- type
String | "User" | "Group" | "Service
Principal" - The type of user.
UsersOrServicePrincipalSetResponse, UsersOrServicePrincipalSetResponseArgs
- Display
Name string - The display Name of the entity.
- Id string
- The object id of the entity.
- Type string
- The type of user.
- Display
Name string - The display Name of the entity.
- Id string
- The object id of the entity.
- Type string
- The type of user.
- display
Name String - The display Name of the entity.
- id String
- The object id of the entity.
- type String
- The type of user.
- display
Name string - The display Name of the entity.
- id string
- The object id of the entity.
- type string
- The type of user.
- display_
name str - The display Name of the entity.
- id str
- The object id of the entity.
- type str
- The type of user.
- display
Name String - The display Name of the entity.
- id String
- The object id of the entity.
- type String
- The type of user.
Import
An existing resource can be imported using its type token, name, and identifier, e.g.
$ pulumi import azure-native:authorization:RoleManagementPolicy 570c3619-7688-4b34-b290-2b8bb3ccab2a /{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyName}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Native pulumi/pulumi-azure-native
- License
- Apache-2.0
This is the latest version of Azure Native. Use the Azure Native v2 docs if using the v2 version of this package.
Azure Native v2.90.0 published on Thursday, Mar 27, 2025 by Pulumi