In Azure RBAC you can use the custom roles for Logic Apps to provide users with different permissions for the various operations with Logic Apps which you can use for ISE and Consumption. The roles are:

  • Logic App Contributor
  • Logic App Operator

Unfortunately the product group hasnt yet released roles for Logic App Standard common roles but there are actions already in place so until the official roles come out I decided to create one for myself.

My use case is for automated testing of Logic Apps. I dont want to provide my service principal with full contributor access to the Resource Group so I decided to create a custom role on the resource group.

I started by going to the resource group Access control menu and created a new custom role called Logic App Standard Testing

I then chose some permissions from the microsoft.web section

I can then add the service principal I use for testing to the role and now I can execute my tests without needing to have the elevated privilege of Contributor.

The json for my role definition is below.

{
    "properties": {
        "roleName": "Logic App Standard Testing",
        "description": "",
        "assignableScopes": [
            "/subscriptions/{mikes subscription}/resourceGroups/{mikes resource group}"
        ],
        "permissions": [
            {
                "actions": [
                    "microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read",
                    "microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/read",
                    "microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
                    "microsoft.web/sites/slots/workflows/read",
                    "microsoft.web/sites/slots/workflowsconfiguration/read",
                    "microsoft.web/sites/workflows/read",
                    "microsoft.web/sites/workflowsconfiguration/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

 

Buy Me A Coffee