Permissions for @turbot/azure-iam
Taking a look at permissions and associated grant levels for each permission for IAM:
| Permission | Grant Level | Help |
|---|---|---|
| microsoft.authorization/classicadministrators/read | Metadata | get administrator |
| microsoft.authorization/classicadministrators/write | Owner | set administrator |
| microsoft.authorization/classicadministrators/delete | Owner | delete administrator |
| microsoft.authorization/roleassignments/read | Metadata | get role assignment |
| microsoft.authorization/roleassignments/write | Owner | create role assignment |
| microsoft.authorization/roleassignments/delete | Owner | delete role assignment |
| microsoft.authorization/permissions/read | Metadata | list permissions |
| microsoft.authorization/locks/read | Metadata | get management locks |
| microsoft.authorization/locks/write | Owner | add management locks |
| microsoft.authorization/locks/delete | Owner | delete management locks |
| microsoft.authorization/roledefinitions/read | Metadata | get role definition |
| microsoft.authorization/roledefinitions/write | Owner | create or update custom role definition |
| microsoft.authorization/roledefinitions/delete | Owner | delete custom role definition |
| microsoft.authorization/provideroperations/read | Metadata | get operations for resource providers |
| microsoft.authorization/policysetdefinitions/read | Metadata | get policy set definition |
| microsoft.authorization/policysetdefinitions/write | Owner | create policy set definition |
| microsoft.authorization/policysetdefinitions/delete | Owner | delete policy set definition |
| microsoft.authorization/policydefinitions/read | Metadata | get policy definition |
| microsoft.authorization/policydefinitions/write | Owner | create policy definition |
| microsoft.authorization/policydefinitions/delete | Owner | delete policy definition |
| microsoft.authorization/policyassignments/read | Metadata | get policy assignment |
| microsoft.authorization/policyassignments/write | Owner | create policy assignment |
| microsoft.authorization/policyassignments/delete | Owner | delete policy assignment |
| microsoft.authorization/operations/read | Metadata | get operations |
| microsoft.authorization/classicadministrators/operationstatuses/read | Metadata | get administrator operation statuses |
| microsoft.authorization/denyassignments/read | Metadata | get deny assignment |
| microsoft.authorization/denyassignments/write | Owner | create deny assignment |
| microsoft.authorization/denyassignments/delete | Owner | delete deny assignment |
| microsoft.authorization/policies/audit/action | Owner | 'audit' policy action. |
| microsoft.authorization/policies/auditifnotexists/action | Owner | 'auditifnotexists' policy action. |
| microsoft.authorization/policies/deny/action | Owner | 'deny' policy action. |
| microsoft.authorization/policies/deployifnotexists/action | Owner | 'deployifnotexists' policy action. |
| microsoft.authorization/elevateaccess/action | Owner | assigns the caller to user access administrator role |