rbac: Role-based access control (RBAC)

rbacR Documentation

Role-based access control (RBAC)


Basic methods for RBAC: manage role assignments and retrieve role definitions. These are methods for the az_subscription, az_resource_group and az_resource classes.


add_role_assignment(principal, role, scope = NULL)


remove_role_assignment(id, confirm = TRUE)

list_role_assignments(filter = "atScope()", as_data_frame = TRUE)


list_role_definitions(filter=NULL, as_data_frame = TRUE)


  • principal: For add_role_assignment, the principal for which to assign a role. This can be a GUID, or an object of class az_user, az_app or az_storage_principal (from the AzureGraph package).

  • role: For add_role_assignment, the role to assign the principal. This can be a GUID, a string giving the role name (eg "Contributor"), or an object of class ⁠[az_role_definition]⁠.

  • scope: For add_role_assignment, an optional scope for the assignment.

  • id: A role ID. For get_role_assignment and remove_role_assignment, this is a role assignment GUID. For get_role_definition, this can be a role definition GUID or a role name.

  • confirm: For remove_role_assignment, whether to ask for confirmation before removing the role assignment.

  • filter: For list_role_assignments and list_role_definitions, an optional filter condition to limit the returned roles.

  • as_data_frame: For list_role_assignments and list_role_definitions, whether to return a data frame or a list of objects. See 'Value' below.


AzureRMR implements a subset of the full RBAC functionality within Azure Active Directory. You can retrieve role definitions and add and remove role assignments, at the subscription, resource group and resource levels.


The add_role_assignment and get_role_assignment methods return an object of class az_role_assignment. This is a simple R6 class, with one method: remove to remove the assignment.

The list_role_assignments method returns a list of az_role_assignment objects if the as_data_frame argument is FALSE. If this is TRUE, it instead returns a data frame containing the most broadly useful fields for each assigned role: the role assignment ID, the principal, and the role name.

The get_role_definition method returns an object of class az_role_definition. This is a plain-old-data R6 class (no methods), which can be used as input for creating role assignments (see the examples below).

The list_role_definitions method returns a list of az_role_definition if the as_data_frame argument is FALSE. If this is TRUE, it instead returns a data frame containing the most broadly useful fields for each role definition: the definition ID and role name.

See Also

az_rm, az_role_definition, az_role_assignment

Overview of role-based access control


## Not run: 

az <- get_azure_login("myaadtenant")
sub <- az$get_subscription("subscription_id")
rg <- sub$get_resource_group("rgname")
res <- rg$get_resource(type="provider_type", name="resname")


# get an app using the AzureGraph package
app <- get_graph_login("myaadtenant")$get_app("app_id")

# subscription level
asn1 <- sub$add_role_assignment(app, "Reader")

# resource group level
asn2 <- rg$add_role_assignment(app, "Contributor")

# resource level
asn3 <- res$add_role_assignment(app, "Owner")


## End(Not run)

AzureRMR documentation built on Sept. 21, 2023, 9:07 a.m.