
We recommend using Azure Native.

Azure v6.10.0 published on Tuesday, Nov 19, 2024 by Pulumi

azure.pim.RoleManagementPolicy


    Manage a role policy for an Azure Management Group, Subscription, Resource Group or resource.

    Example Usage

    Resource Group

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    import * as azuread from "@pulumi/azuread";
    
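    // Resource group that the role management policy is scoped to.
    const example = new azure.core.ResourceGroup("example", {
        name: "example-rg",
        location: "East US",
    });
    // Look up the Contributor role definition at the resource group scope.
    const rgContributor = azure.authorization.getRoleDefinitionOutput({
        name: "Contributor",
        scope: example.id,
    });
    // The approver group is resolved by display name. Whoever controls this group's
    // membership controls who can approve activations, so review its ownership;
    // consider pinning the group by object ID instead of a renameable display name.
    const approvers = azuread.getGroup({
        displayName: "Example Approver Group",
    });
    const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
        // Fixed: the original referenced `test.id` and `contributor.id`, names this
        // program never declares. Use the resource group and role looked up above.
        scope: example.id,
        roleDefinitionId: rgContributor.apply(role => role.id),
        activeAssignmentRules: {
            // ISO 8601 duration: 365 days.
            expireAfter: "P365D",
        },
        eligibleAssignmentRules: {
            // NOTE(review): with expirationRequired false, eligible assignments
            // presumably need no end date, i.e. standing eligibility. Confirm this
            // is intended; a bounded eligibility forces periodic re-review.
            expirationRequired: false,
        },
        activationRules: {
            // ISO 8601 duration: one hour per activation.
            maximumDuration: "PT1H",
            requireApproval: true,
            // NOTE(review): requireMultifactorAuthentication and requireJustification
            // are left unset here; for a role as broad as Contributor, consider
            // setting both so an approved activation is also tied to MFA and a reason.
            approvalStage: {
                primaryApprovers: [{
                    objectId: approvers.then(approvers => approvers.objectId),
                    type: "Group",
                }],
            },
        },
        notificationRules: {
            eligibleAssignments: {
                approverNotifications: {
                    notificationLevel: "Critical",
                    // Default recipients are switched off, so only the address
                    // below is listed; make sure that mailbox is monitored.
                    defaultRecipients: false,
                    additionalRecipients: ["someone@example.com"],
                },
            },
            eligibleActivations: {
                assigneeNotifications: {
                    notificationLevel: "All",
                    defaultRecipients: true,
                    additionalRecipients: ["someone.else@example.com"],
                },
            },
        },
    });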
    
    import pulumi
    import pulumi_azure as azure
    import pulumi_azuread as azuread
    
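    # Resource group that the role management policy is scoped to.
    example = azure.core.ResourceGroup("example",
        name="example-rg",
        location="East US")
    # Look up the Contributor role definition at the resource group scope.
    rg_contributor = azure.authorization.get_role_definition_output(name="Contributor",
        scope=example.id)
    # The approver group is resolved by display name. Whoever controls this group's
    # membership controls who can approve activations, so review its ownership;
    # consider pinning the group by object ID instead of a renameable display name.
    approvers = azuread.get_group(display_name="Example Approver Group")
    example_role_management_policy = azure.pim.RoleManagementPolicy("example",
        # Fixed: the original referenced test["id"] and contributor["id"], names this
        # program never defines. Use the resource group and role looked up above.
        scope=example.id,
        role_definition_id=rg_contributor.id,
        active_assignment_rules={
            # ISO 8601 duration: 365 days.
            "expire_after": "P365D",
        },
        eligible_assignment_rules={
            # NOTE(review): with expiration_required False, eligible assignments
            # presumably need no end date, i.e. standing eligibility. Confirm this
            # is intended; a bounded eligibility forces periodic re-review.
            "expiration_required": False,
        },
        activation_rules={
            # ISO 8601 duration: one hour per activation.
            "maximum_duration": "PT1H",
            "require_approval": True,
            # NOTE(review): require_multifactor_authentication and
            # require_justification are left unset here; for a role as broad as
            # Contributor, consider setting both.
            "approval_stage": {
                "primary_approvers": [{
                    "object_id": approvers.object_id,
                    "type": "Group",
                }],
            },
        },
        notification_rules={
            "eligible_assignments": {
                "approver_notifications": {
                    "notification_level": "Critical",
                    # Default recipients are switched off, so only the address
                    # below is listed; make sure that mailbox is monitored.
                    "default_recipients": False,
                    "additional_recipients": ["someone@example.com"],
                },
            },
            "eligible_activations": {
                "assignee_notifications": {
                    "notification_level": "All",
                    "default_recipients": True,
                    "additional_recipients": ["someone.else@example.com"],
                },
            },
        })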
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
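    // main declares a resource group and a PIM role management policy for the
    // Contributor role at that resource group's scope.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-rg"),
    			Location: pulumi.String("East US"),
    		})
    		if err != nil {
    			return err
    		}
    		// Fixed: the original discarded this lookup (`_ =`) and then read an
    		// undeclared `contributor`; keep the result so the policy can use its ID.
    		rgContributor := authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
    			Name:  pulumi.String("Contributor"),
    			Scope: example.ID(),
    		}, nil)
    		// The approver group is resolved by display name. Whoever controls this
    		// group's membership controls who can approve activations; consider
    		// pinning the group by object ID instead of a renameable display name.
    		approvers, err := azuread.LookupGroup(ctx, &azuread.LookupGroupArgs{
    			DisplayName: pulumi.StringRef("Example Approver Group"),
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
    			// Fixed: the original used the undeclared `test.Id` and `contributor.Id`.
    			Scope:            example.ID(),
    			RoleDefinitionId: rgContributor.Id(),
    			ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
    				// ISO 8601 duration: 365 days.
    				ExpireAfter: pulumi.String("P365D"),
    			},
    			EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
    				// NOTE(review): with ExpirationRequired false, eligible assignments
    				// presumably need no end date (standing eligibility). Confirm intent.
    				ExpirationRequired: pulumi.Bool(false),
    			},
    			ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
    				// ISO 8601 duration: one hour per activation.
    				MaximumDuration: pulumi.String("PT1H"),
    				RequireApproval: pulumi.Bool(true),
    				// NOTE(review): RequireMultifactorAuthentication and
    				// RequireJustification are left unset; for a role as broad as
    				// Contributor, consider setting both.
    				ApprovalStage: &pim.RoleManagementPolicyActivationRulesApprovalStageArgs{
    					PrimaryApprovers: pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
    						&pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
    							ObjectId: pulumi.String(approvers.ObjectId),
    							Type:     pulumi.String("Group"),
    						},
    					},
    				},
    			},
    			NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
    				EligibleAssignments: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
    					ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
    						NotificationLevel: pulumi.String("Critical"),
    						// Default recipients are switched off, so only the address
    						// below is listed; make sure that mailbox is monitored.
    						DefaultRecipients: pulumi.Bool(false),
    						AdditionalRecipients: pulumi.StringArray{
    							pulumi.String("someone@example.com"),
    						},
    					},
    				},
    				EligibleActivations: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsArgs{
    					AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
    						NotificationLevel: pulumi.String("All"),
    						DefaultRecipients: pulumi.Bool(true),
    						AdditionalRecipients: pulumi.StringArray{
    							pulumi.String("someone.else@example.com"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }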
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    using AzureAD = Pulumi.AzureAD;
    
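    // Declares a resource group and a PIM role management policy for the
    // Contributor role at that resource group's scope.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-rg",
            Location = "East US",
        });

        // Look up the Contributor role definition at the resource group scope.
        var rgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
        {
            Name = "Contributor",
            Scope = example.Id,
        });

        // The approver group is resolved by display name. Whoever controls this
        // group's membership controls who can approve activations; consider
        // pinning the group by object ID instead of a renameable display name.
        var approvers = AzureAD.GetGroup.Invoke(new()
        {
            DisplayName = "Example Approver Group",
        });

        var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
        {
            // Fixed: the original referenced `test.Id` and `contributor.Id`, names this
            // program never declares. Use the resource group and role looked up above.
            Scope = example.Id,
            RoleDefinitionId = rgContributor.Apply(getRoleDefinitionResult => getRoleDefinitionResult.Id),
            ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
            {
                // ISO 8601 duration: 365 days.
                ExpireAfter = "P365D",
            },
            EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
            {
                // NOTE(review): with ExpirationRequired false, eligible assignments
                // presumably need no end date (standing eligibility). Confirm intent.
                ExpirationRequired = false,
            },
            ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
            {
                // ISO 8601 duration: one hour per activation.
                MaximumDuration = "PT1H",
                RequireApproval = true,
                // NOTE(review): RequireMultifactorAuthentication and RequireJustification
                // are left unset; for a role as broad as Contributor, consider setting both.
                ApprovalStage = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStageArgs
                {
                    PrimaryApprovers = new[]
                    {
                        new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
                        {
                            ObjectId = approvers.Apply(getGroupResult => getGroupResult.ObjectId),
                            Type = "Group",
                        },
                    },
                },
            },
            NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
            {
                EligibleAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
                {
                    ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
                    {
                        NotificationLevel = "Critical",
                        // Default recipients are switched off, so only the address
                        // below is listed; make sure that mailbox is monitored.
                        DefaultRecipients = false,
                        AdditionalRecipients = new[]
                        {
                            "someone@example.com",
                        },
                    },
                },
                EligibleActivations = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs
                {
                    AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
                    {
                        NotificationLevel = "All",
                        DefaultRecipients = true,
                        AdditionalRecipients = new[]
                        {
                            "someone.else@example.com",
                        },
                    },
                },
            },
        });

    });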
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.authorization.AuthorizationFunctions;
    import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.inputs.GetGroupArgs;
    import com.pulumi.azure.pim.RoleManagementPolicy;
    import com.pulumi.azure.pim.RoleManagementPolicyArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesApprovalStageArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
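    /**
     * Pulumi program that declares a resource group and a PIM role management
     * policy for the Contributor role at that resource group's scope.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-rg")
                .location("East US")
                .build());

            // Look up the Contributor role definition at the resource group scope.
            final var rgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
                .name("Contributor")
                .scope(example.id())
                .build());

            // The approver group is resolved by display name. Whoever controls this
            // group's membership controls who can approve activations; consider
            // pinning the group by object ID instead of a renameable display name.
            final var approvers = AzureadFunctions.getGroup(GetGroupArgs.builder()
                .displayName("Example Approver Group")
                .build());

            var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
                // Fixed: the original called test.id() and contributor.id() on names this
                // class never declares. Use the resource group and role looked up above.
                .scope(example.id())
                .roleDefinitionId(rgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.id()))
                .activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
                    // ISO 8601 duration: 365 days.
                    .expireAfter("P365D")
                    .build())
                .eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
                    // NOTE(review): with expirationRequired false, eligible assignments
                    // presumably need no end date (standing eligibility). Confirm intent.
                    .expirationRequired(false)
                    .build())
                .activationRules(RoleManagementPolicyActivationRulesArgs.builder()
                    // ISO 8601 duration: one hour per activation.
                    .maximumDuration("PT1H")
                    .requireApproval(true)
                    // NOTE(review): requireMultifactorAuthentication and requireJustification
                    // are left unset; for a role as broad as Contributor, consider setting both.
                    .approvalStage(RoleManagementPolicyActivationRulesApprovalStageArgs.builder()
                        .primaryApprovers(RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
                            .objectId(approvers.applyValue(getGroupResult -> getGroupResult.objectId()))
                            .type("Group")
                            .build())
                        .build())
                    .build())
                .notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
                    .eligibleAssignments(RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
                        .approverNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
                            .notificationLevel("Critical")
                            // Default recipients are switched off, so only the address
                            // below is listed; make sure that mailbox is monitored.
                            .defaultRecipients(false)
                            .additionalRecipients("someone@example.com")
                            .build())
                        .build())
                    .eligibleActivations(RoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
                        .assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
                            .notificationLevel("All")
                            .defaultRecipients(true)
                            .additionalRecipients("someone.else@example.com")
                            .build())
                        .build())
                    .build())
                .build());

        }
    }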
    
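    resources:
      # Resource group that the role management policy is scoped to.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-rg
          location: East US
      exampleRoleManagementPolicy:
        type: azure:pim:RoleManagementPolicy
        name: example
        properties:
          # Fixed: the original interpolated ${test.id} and ${contributor.id}, which
          # this program never defines. Use the resource group and role declared here.
          scope: ${example.id}
          roleDefinitionId: ${rgContributor.id}
          activeAssignmentRules:
            # ISO 8601 duration: 365 days.
            expireAfter: P365D
          eligibleAssignmentRules:
            # NOTE(review): with expirationRequired false, eligible assignments
            # presumably need no end date (standing eligibility). Confirm intent.
            expirationRequired: false
          activationRules:
            # ISO 8601 duration: one hour per activation.
            maximumDuration: PT1H
            requireApproval: true
            # NOTE(review): requireMultifactorAuthentication and requireJustification
            # are left unset; for a role as broad as Contributor, consider setting both.
            approvalStage:
              primaryApprovers:
                - objectId: ${approvers.objectId}
                  type: Group
          notificationRules:
            eligibleAssignments:
              approverNotifications:
                notificationLevel: Critical
                # Default recipients are switched off, so only the address below
                # is listed; make sure that mailbox is monitored.
                defaultRecipients: false
                additionalRecipients:
                  - someone@example.com
            eligibleActivations:
              assigneeNotifications:
                notificationLevel: All
                defaultRecipients: true
                additionalRecipients:
                  - someone.else@example.com
    variables:
      # Contributor role definition at the resource group scope.
      rgContributor:
        fn::invoke:
          Function: azure:authorization:getRoleDefinition
          Arguments:
            name: Contributor
            scope: ${example.id}
      # Approver group resolved by display name; whoever controls its membership
      # controls who can approve activations.
      approvers:
        fn::invoke:
          Function: azuread:getGroup
          Arguments:
            displayName: Example Approver Group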
    

    Management Group

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    // Management group that the role management policy is scoped to.
    const example = new azure.management.Group("example", { name: "example-group" });

    // Contributor role definition resolved at the management group scope.
    const mgContributor = azure.authorization.getRoleDefinitionOutput({
        name: "Contributor",
        scope: example.id,
    });

    // Admin notifications for active assignments: default recipients are switched
    // off, so only the listed address appears here.
    const adminNotifications = {
        notificationLevel: "Critical",
        defaultRecipients: false,
        additionalRecipients: ["someone@example.com"],
    };

    // NOTE(review): approval is required but no approvalStage is given, so the
    // approvers are whatever the service defaults to for this scope. Confirm who
    // that is. requireMultifactorAuthentication and requireJustification are also
    // left unset.
    const activationRules = {
        maximumDuration: "PT1H", // ISO 8601: one hour per activation
        requireApproval: true,
    };

    const exampleRoleManagementPolicy = new azure.pim.RoleManagementPolicy("example", {
        scope: example.id,
        roleDefinitionId: mgContributor.apply((role) => role.id),
        // NOTE(review): eligible assignments are presumably allowed without an end
        // date (standing eligibility); confirm that is intended.
        eligibleAssignmentRules: { expirationRequired: false },
        // ISO 8601 duration: 90 days.
        activeAssignmentRules: { expireAfter: "P90D" },
        activationRules,
        notificationRules: {
            activeAssignments: { adminNotifications },
        },
    });
    
    import pulumi
    import pulumi_azure as azure
    
    # Management group that the role management policy is scoped to.
    example = azure.management.Group("example", name="example-group")

    # Contributor role definition resolved at the management group scope.
    mg_contributor = azure.authorization.get_role_definition_output(
        name="Contributor",
        scope=example.id,
    )

    # Admin notifications for active assignments: default recipients are switched
    # off, so only the listed address appears here.
    admin_notifications = {
        "notification_level": "Critical",
        "default_recipients": False,
        "additional_recipients": ["someone@example.com"],
    }

    # NOTE(review): approval is required but no approval_stage is given, so the
    # approvers are whatever the service defaults to for this scope. Confirm who
    # that is. require_multifactor_authentication and require_justification are
    # also left unset.
    activation_rules = {
        "maximum_duration": "PT1H",  # ISO 8601: one hour per activation
        "require_approval": True,
    }

    example_role_management_policy = azure.pim.RoleManagementPolicy(
        "example",
        scope=example.id,
        role_definition_id=mg_contributor.id,
        # NOTE(review): eligible assignments are presumably allowed without an end
        # date (standing eligibility); confirm that is intended.
        eligible_assignment_rules={"expiration_required": False},
        # ISO 8601 duration: 90 days.
        active_assignment_rules={"expire_after": "P90D"},
        activation_rules=activation_rules,
        notification_rules={
            "active_assignments": {"admin_notifications": admin_notifications},
        },
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/management"
    	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/pim"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
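    // main declares a management group and a PIM role management policy for the
    // Contributor role at that management group's scope.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := management.NewGroup(ctx, "example", &management.GroupArgs{
    			Name: pulumi.String("example-group"),
    		})
    		if err != nil {
    			return err
    		}
    		// Contributor role definition resolved at the management group scope.
    		mgContributor := authorization.LookupRoleDefinitionOutput(ctx, authorization.GetRoleDefinitionOutputArgs{
    			Name:  pulumi.String("Contributor"),
    			Scope: example.ID(),
    		}, nil)
    		_, err = pim.NewRoleManagementPolicy(ctx, "example", &pim.RoleManagementPolicyArgs{
    			Scope: example.ID(),
    			// Fixed: the original wrapped an ApplyT result in pulumi.String(...),
    			// which converts an output to a plain string type and does not
    			// compile. Read the ID straight from the lookup's output instead.
    			RoleDefinitionId: mgContributor.Id(),
    			EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
    				// NOTE(review): with ExpirationRequired false, eligible assignments
    				// presumably need no end date (standing eligibility). Confirm intent.
    				ExpirationRequired: pulumi.Bool(false),
    			},
    			ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
    				// ISO 8601 duration: 90 days.
    				ExpireAfter: pulumi.String("P90D"),
    			},
    			ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
    				// ISO 8601 duration: one hour per activation.
    				MaximumDuration: pulumi.String("PT1H"),
    				// NOTE(review): approval is required but no ApprovalStage is set, so
    				// the approvers are whatever the service defaults to for this scope;
    				// confirm who that is. RequireMultifactorAuthentication and
    				// RequireJustification are also left unset.
    				RequireApproval: pulumi.Bool(true),
    			},
    			NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
    				ActiveAssignments: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
    					AdminNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
    						NotificationLevel: pulumi.String("Critical"),
    						// Default recipients are switched off, so only the address
    						// below is listed; make sure that mailbox is monitored.
    						DefaultRecipients: pulumi.Bool(false),
    						AdditionalRecipients: pulumi.StringArray{
    							pulumi.String("someone@example.com"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }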
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    // Declares a management group and a PIM role management policy for the
    // Contributor role at that management group's scope.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Management.Group("example", new()
        {
            Name = "example-group",
        });

        // Contributor role definition resolved at the management group scope.
        var mgContributor = Azure.Authorization.GetRoleDefinition.Invoke(new()
        {
            Name = "Contributor",
            Scope = example.Id,
        });

        // NOTE(review): eligible assignments are presumably allowed without an end
        // date (standing eligibility); confirm that is intended.
        var eligibleRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
        {
            ExpirationRequired = false,
        };

        // ISO 8601 duration: 90 days.
        var activeRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
        {
            ExpireAfter = "P90D",
        };

        // NOTE(review): approval is required but no ApprovalStage is set, so the
        // approvers are whatever the service defaults to for this scope; confirm who
        // that is. RequireMultifactorAuthentication and RequireJustification are
        // also left unset.
        var activation = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
        {
            MaximumDuration = "PT1H",
            RequireApproval = true,
        };

        // Default recipients are switched off, so only the listed address appears.
        var adminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
        {
            NotificationLevel = "Critical",
            DefaultRecipients = false,
            AdditionalRecipients = new[]
            {
                "someone@example.com",
            },
        };

        var exampleRoleManagementPolicy = new Azure.Pim.RoleManagementPolicy("example", new()
        {
            Scope = example.Id,
            RoleDefinitionId = mgContributor.Apply(role => role.Id),
            EligibleAssignmentRules = eligibleRules,
            ActiveAssignmentRules = activeRules,
            ActivationRules = activation,
            NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
            {
                ActiveAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs
                {
                    AdminNotifications = adminNotifications,
                },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.management.Group;
    import com.pulumi.azure.management.GroupArgs;
    import com.pulumi.azure.authorization.AuthorizationFunctions;
    import com.pulumi.azure.authorization.inputs.GetRoleDefinitionArgs;
    import com.pulumi.azure.pim.RoleManagementPolicy;
    import com.pulumi.azure.pim.RoleManagementPolicyArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyEligibleAssignmentRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyActiveAssignmentRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyActivationRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs;
    import com.pulumi.azure.pim.inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
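    /**
     * Pulumi program that declares a management group and a PIM role management
     * policy for the Contributor role at that management group's scope.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            var example = new Group("example", GroupArgs.builder()
                .name("example-group")
                .build());

            // Contributor role definition resolved at the management group scope.
            final var mgContributor = AuthorizationFunctions.getRoleDefinition(GetRoleDefinitionArgs.builder()
                .name("Contributor")
                .scope(example.id())
                .build());

            var exampleRoleManagementPolicy = new RoleManagementPolicy("exampleRoleManagementPolicy", RoleManagementPolicyArgs.builder()
                .scope(example.id())
                // Fixed: the original chained three applyValue calls, reused the local
                // name mgContributor as a lambda parameter (not allowed in Java) and
                // called applyValue on the unwrapped result. One applyValue is enough.
                .roleDefinitionId(mgContributor.applyValue(getRoleDefinitionResult -> getRoleDefinitionResult.id()))
                .eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
                    // NOTE(review): with expirationRequired false, eligible assignments
                    // presumably need no end date (standing eligibility). Confirm intent.
                    .expirationRequired(false)
                    .build())
                .activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
                    // ISO 8601 duration: 90 days.
                    .expireAfter("P90D")
                    .build())
                .activationRules(RoleManagementPolicyActivationRulesArgs.builder()
                    // ISO 8601 duration: one hour per activation.
                    .maximumDuration("PT1H")
                    // NOTE(review): approval is required but no approvalStage is set, so
                    // the approvers are whatever the service defaults to for this scope;
                    // confirm who that is. requireMultifactorAuthentication and
                    // requireJustification are also left unset.
                    .requireApproval(true)
                    .build())
                .notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
                    .activeAssignments(RoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
                        .adminNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
                            .notificationLevel("Critical")
                            // Default recipients are switched off, so only the address
                            // below is listed; make sure that mailbox is monitored.
                            .defaultRecipients(false)
                            .additionalRecipients("someone@example.com")
                            .build())
                        .build())
                    .build())
                .build());

        }
    }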
    
    variables:
      # Contributor role definition resolved at the management group scope.
      mgContributor:
        fn::invoke:
          Function: azure:authorization:getRoleDefinition
          Arguments:
            name: Contributor
            scope: ${example.id}
    resources:
      # Management group that the role management policy is scoped to.
      example:
        type: azure:management:Group
        properties:
          name: example-group
      exampleRoleManagementPolicy:
        type: azure:pim:RoleManagementPolicy
        name: example
        properties:
          scope: ${example.id}
          roleDefinitionId: ${mgContributor.id}
          # NOTE(review): eligible assignments are presumably allowed without an end
          # date (standing eligibility); confirm that is intended.
          eligibleAssignmentRules:
            expirationRequired: false
          # ISO 8601 duration: 90 days.
          activeAssignmentRules:
            expireAfter: P90D
          # NOTE(review): approval is required but no approvalStage is set, so the
          # approvers are whatever the service defaults to for this scope; confirm
          # who that is. requireMultifactorAuthentication and requireJustification
          # are also left unset.
          activationRules:
            maximumDuration: PT1H
            requireApproval: true
          notificationRules:
            activeAssignments:
              # Default recipients are switched off, so only the listed address appears.
              adminNotifications:
                notificationLevel: Critical
                defaultRecipients: false
                additionalRecipients: ["someone@example.com"]
    

    Create RoleManagementPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RoleManagementPolicy(name: string, args: RoleManagementPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def RoleManagementPolicy(resource_name: str,
                             args: RoleManagementPolicyArgs,
                             opts: Optional[ResourceOptions] = None)
    
    @overload
    def RoleManagementPolicy(resource_name: str,
                             opts: Optional[ResourceOptions] = None,
                             role_definition_id: Optional[str] = None,
                             scope: Optional[str] = None,
                             activation_rules: Optional[RoleManagementPolicyActivationRulesArgs] = None,
                             active_assignment_rules: Optional[RoleManagementPolicyActiveAssignmentRulesArgs] = None,
                             eligible_assignment_rules: Optional[RoleManagementPolicyEligibleAssignmentRulesArgs] = None,
                             notification_rules: Optional[RoleManagementPolicyNotificationRulesArgs] = None)
    func NewRoleManagementPolicy(ctx *Context, name string, args RoleManagementPolicyArgs, opts ...ResourceOption) (*RoleManagementPolicy, error)
    public RoleManagementPolicy(string name, RoleManagementPolicyArgs args, CustomResourceOptions? opts = null)
    public RoleManagementPolicy(String name, RoleManagementPolicyArgs args)
    public RoleManagementPolicy(String name, RoleManagementPolicyArgs args, CustomResourceOptions options)
    
    type: azure:pim:RoleManagementPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RoleManagementPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RoleManagementPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RoleManagementPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RoleManagementPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RoleManagementPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    // Reference listing only: every value below is a type placeholder ("string" / false),
    // not a recommended setting. The Require* flags read false because false is the bool
    // placeholder; decide each one for the role being governed instead of copying it.
    // The Resource Group usage example on this page sets requireApproval to true and
    // names a primary approver group.
    var roleManagementPolicyResource = new Azure.Pim.RoleManagementPolicy("roleManagementPolicyResource", new()
    {
        RoleDefinitionId = "string",
        Scope = "string",
        ActivationRules = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesArgs
        {
            ApprovalStage = new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStageArgs
            {
                PrimaryApprovers = new[]
                {
                    new Azure.Pim.Inputs.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
                    {
                        ObjectId = "string",
                        Type = "string", // usage example on this page passes "Group"
                    },
                },
            },
            MaximumDuration = "string", // usage example passes the ISO 8601 duration "PT1H"
            RequireApproval = false, // placeholder; usage example sets true
            RequireJustification = false, // placeholder, not a recommendation
            RequireMultifactorAuthentication = false, // placeholder, not a recommendation
            RequireTicketInfo = false, // placeholder, not a recommendation
            RequiredConditionalAccessAuthenticationContext = "string",
        },
        ActiveAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyActiveAssignmentRulesArgs
        {
            // NOTE(review): false presumably allows assignments with no expiry; confirm in the property reference.
            ExpirationRequired = false,
            ExpireAfter = "string", // usage example passes "P365D"
            RequireJustification = false,
            RequireMultifactorAuthentication = false,
            RequireTicketInfo = false,
        },
        EligibleAssignmentRules = new Azure.Pim.Inputs.RoleManagementPolicyEligibleAssignmentRulesArgs
        {
            ExpirationRequired = false,
            ExpireAfter = "string",
        },
        NotificationRules = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesArgs
        {
            ActiveAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs
            {
                AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string", // usage example passes "Critical" or "All"
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
            EligibleActivations = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsArgs
            {
                AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
            EligibleAssignments = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
            {
                AdminNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new Azure.Pim.Inputs.RoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
        },
    });
    
    // Reference listing only: every value below is a type placeholder ("string" / false),
    // not a recommended setting. The Require* flags read false because false is the bool
    // placeholder; decide each one for the role being governed instead of copying it.
    // The Resource Group usage example on this page sets requireApproval to true and
    // names a primary approver group.
    // err is not checked in this listing; handle it before using example.
    example, err := pim.NewRoleManagementPolicy(ctx, "roleManagementPolicyResource", &pim.RoleManagementPolicyArgs{
    	RoleDefinitionId: pulumi.String("string"),
    	Scope:            pulumi.String("string"),
    	ActivationRules: &pim.RoleManagementPolicyActivationRulesArgs{
    		ApprovalStage: &pim.RoleManagementPolicyActivationRulesApprovalStageArgs{
    			PrimaryApprovers: pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
    				&pim.RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
    					ObjectId: pulumi.String("string"),
    					Type:     pulumi.String("string"), // usage example on this page passes "Group"
    				},
    			},
    		},
    		MaximumDuration:                                pulumi.String("string"), // usage example passes the ISO 8601 duration "PT1H"
    		RequireApproval:                                pulumi.Bool(false), // placeholder; usage example sets true
    		RequireJustification:                           pulumi.Bool(false), // placeholder, not a recommendation
    		RequireMultifactorAuthentication:               pulumi.Bool(false), // placeholder, not a recommendation
    		RequireTicketInfo:                              pulumi.Bool(false), // placeholder, not a recommendation
    		RequiredConditionalAccessAuthenticationContext: pulumi.String("string"),
    	},
    	ActiveAssignmentRules: &pim.RoleManagementPolicyActiveAssignmentRulesArgs{
    		// NOTE(review): false presumably allows assignments with no expiry; confirm in the property reference.
    		ExpirationRequired:               pulumi.Bool(false),
    		ExpireAfter:                      pulumi.String("string"), // usage example passes "P365D"
    		RequireJustification:             pulumi.Bool(false),
    		RequireMultifactorAuthentication: pulumi.Bool(false),
    		RequireTicketInfo:                pulumi.Bool(false),
    	},
    	EligibleAssignmentRules: &pim.RoleManagementPolicyEligibleAssignmentRulesArgs{
    		ExpirationRequired: pulumi.Bool(false),
    		ExpireAfter:        pulumi.String("string"),
    	},
    	NotificationRules: &pim.RoleManagementPolicyNotificationRulesArgs{
    		ActiveAssignments: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
    			AdminNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"), // usage example passes "Critical" or "All"
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		EligibleActivations: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsArgs{
    			AdminNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		EligibleAssignments: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
    			AdminNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &pim.RoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    	},
    })
    
    // Reference listing only: every value below is a type placeholder ("string" / false),
    // not a recommended setting. The require* flags read false because false is the boolean
    // placeholder; decide each one for the role being governed instead of copying it.
    // The Resource Group usage example on this page sets requireApproval to true and
    // names a primary approver group.
    var roleManagementPolicyResource = new RoleManagementPolicy("roleManagementPolicyResource", RoleManagementPolicyArgs.builder()
        .roleDefinitionId("string")
        .scope("string")
        .activationRules(RoleManagementPolicyActivationRulesArgs.builder()
            .approvalStage(RoleManagementPolicyActivationRulesApprovalStageArgs.builder()
                .primaryApprovers(RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
                    .objectId("string")
                    .type("string") // usage example on this page passes "Group"
                    .build())
                .build())
            .maximumDuration("string") // usage example passes the ISO 8601 duration "PT1H"
            .requireApproval(false) // placeholder; usage example sets true
            .requireJustification(false) // placeholder, not a recommendation
            .requireMultifactorAuthentication(false) // placeholder, not a recommendation
            .requireTicketInfo(false) // placeholder, not a recommendation
            .requiredConditionalAccessAuthenticationContext("string")
            .build())
        .activeAssignmentRules(RoleManagementPolicyActiveAssignmentRulesArgs.builder()
            // NOTE(review): false presumably allows assignments with no expiry; confirm in the property reference.
            .expirationRequired(false)
            .expireAfter("string") // usage example passes "P365D"
            .requireJustification(false)
            .requireMultifactorAuthentication(false)
            .requireTicketInfo(false)
            .build())
        .eligibleAssignmentRules(RoleManagementPolicyEligibleAssignmentRulesArgs.builder()
            .expirationRequired(false)
            .expireAfter("string")
            .build())
        .notificationRules(RoleManagementPolicyNotificationRulesArgs.builder()
            .activeAssignments(RoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
                .adminNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string") // usage example passes "Critical" or "All"
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(RoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .eligibleActivations(RoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
                .adminNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .eligibleAssignments(RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
                .adminNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(RoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .build())
        .build());
    
    # Reference listing only: every value below is a type placeholder ("string" / False),
    # not a recommended setting. The require_* flags read False because False is the bool
    # placeholder; decide each one for the role being governed instead of copying it.
    # The Resource Group usage example on this page sets requireApproval to true and
    # names a primary approver group.
    role_management_policy_resource = azure.pim.RoleManagementPolicy("roleManagementPolicyResource",
        role_definition_id="string",
        scope="string",
        activation_rules={
            "approval_stage": {
                "primary_approvers": [{
                    "object_id": "string",
                    "type": "string",  # usage example on this page passes "Group"
                }],
            },
            "maximum_duration": "string",  # usage example passes the ISO 8601 duration "PT1H"
            "require_approval": False,  # placeholder; usage example sets true
            "require_justification": False,  # placeholder, not a recommendation
            "require_multifactor_authentication": False,  # placeholder, not a recommendation
            "require_ticket_info": False,  # placeholder, not a recommendation
            "required_conditional_access_authentication_context": "string",
        },
        active_assignment_rules={
            # NOTE(review): False presumably allows assignments with no expiry; confirm in the property reference.
            "expiration_required": False,
            "expire_after": "string",  # usage example passes "P365D"
            "require_justification": False,
            "require_multifactor_authentication": False,
            "require_ticket_info": False,
        },
        eligible_assignment_rules={
            "expiration_required": False,
            "expire_after": "string",
        },
        notification_rules={
            "active_assignments": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",  # usage example passes "Critical" or "All"
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
            "eligible_activations": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
            "eligible_assignments": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
        })
    
    // Reference listing only: every value below is a type placeholder ("string" / false),
    // not a recommended setting. The require* flags read false because false is the boolean
    // placeholder; decide each one for the role being governed instead of copying it.
    // The Resource Group usage example on this page sets requireApproval to true and
    // names a primary approver group.
    const roleManagementPolicyResource = new azure.pim.RoleManagementPolicy("roleManagementPolicyResource", {
        roleDefinitionId: "string",
        scope: "string",
        activationRules: {
            approvalStage: {
                primaryApprovers: [{
                    objectId: "string",
                    type: "string", // usage example on this page passes "Group"
                }],
            },
            maximumDuration: "string", // usage example passes the ISO 8601 duration "PT1H"
            requireApproval: false, // placeholder; usage example sets true
            requireJustification: false, // placeholder, not a recommendation
            requireMultifactorAuthentication: false, // placeholder, not a recommendation
            requireTicketInfo: false, // placeholder, not a recommendation
            requiredConditionalAccessAuthenticationContext: "string",
        },
        activeAssignmentRules: {
            // NOTE(review): false presumably allows assignments with no expiry; confirm in the property reference.
            expirationRequired: false,
            expireAfter: "string", // usage example passes "P365D"
            requireJustification: false,
            requireMultifactorAuthentication: false,
            requireTicketInfo: false,
        },
        eligibleAssignmentRules: {
            expirationRequired: false,
            expireAfter: "string",
        },
        notificationRules: {
            activeAssignments: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string", // usage example passes "Critical" or "All"
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
            eligibleActivations: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
            eligibleAssignments: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
        },
    });
    
    # Reference listing only: every value below is a type placeholder (string / false),
    # not a recommended setting. The require* flags read false because false is the boolean
    # placeholder; decide each one for the role being governed instead of copying it.
    # The Resource Group usage example on this page sets requireApproval to true and
    # names a primary approver group.
    type: azure:pim:RoleManagementPolicy
    properties:
        activationRules:
            approvalStage:
                primaryApprovers:
                    - objectId: string
                      type: string # usage example on this page passes "Group"
            maximumDuration: string # usage example passes the ISO 8601 duration "PT1H"
            requireApproval: false # placeholder; usage example sets true
            requireJustification: false # placeholder, not a recommendation
            requireMultifactorAuthentication: false # placeholder, not a recommendation
            requireTicketInfo: false # placeholder, not a recommendation
            requiredConditionalAccessAuthenticationContext: string
        activeAssignmentRules:
            # NOTE(review): false presumably allows assignments with no expiry; confirm in the property reference.
            expirationRequired: false
            expireAfter: string # usage example passes "P365D"
            requireJustification: false
            requireMultifactorAuthentication: false
            requireTicketInfo: false
        eligibleAssignmentRules:
            expirationRequired: false
            expireAfter: string
        notificationRules:
            activeAssignments:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string # usage example passes "Critical" or "All"
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
            eligibleActivations:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
            eligibleAssignments:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
        roleDefinitionId: string
        scope: string
    

    RoleManagementPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The RoleManagementPolicy resource accepts the following input properties:

    RoleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    Scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    ActivationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    ActiveAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    EligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    NotificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    RoleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    Scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    ActivationRules RoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    ActiveAssignmentRules RoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    EligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    NotificationRules RoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    roleDefinitionId String
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope String
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    notificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    roleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    notificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    role_definition_id str
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope str
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activation_rules RoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    active_assignment_rules RoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    eligible_assignment_rules RoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    notification_rules RoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    roleDefinitionId String
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope String
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules Property Map
    An activation_rules block as defined below.
    activeAssignmentRules Property Map
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules Property Map
    An eligible_assignment_rules block as defined below.
    notificationRules Property Map
    A notification_rules block as defined below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RoleManagementPolicy resource produces the following output properties:

    Description string
    (String) The description of this policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    Description string
    (String) The description of this policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    description String
    (String) The description of this policy.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    (String) The name of this policy, which is typically a UUID and may change over time.
    description string
    (String) The description of this policy.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    description str
    (String) The description of this policy.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    (String) The name of this policy, which is typically a UUID and may change over time.
    description String
    (String) The description of this policy.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    (String) The name of this policy, which is typically a UUID and may change over time.

    Look up Existing RoleManagementPolicy Resource

    Get an existing RoleManagementPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RoleManagementPolicyState, opts?: CustomResourceOptions): RoleManagementPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            activation_rules: Optional[RoleManagementPolicyActivationRulesArgs] = None,
            active_assignment_rules: Optional[RoleManagementPolicyActiveAssignmentRulesArgs] = None,
            description: Optional[str] = None,
            eligible_assignment_rules: Optional[RoleManagementPolicyEligibleAssignmentRulesArgs] = None,
            name: Optional[str] = None,
            notification_rules: Optional[RoleManagementPolicyNotificationRulesArgs] = None,
            role_definition_id: Optional[str] = None,
            scope: Optional[str] = None) -> RoleManagementPolicy
    func GetRoleManagementPolicy(ctx *Context, name string, id IDInput, state *RoleManagementPolicyState, opts ...ResourceOption) (*RoleManagementPolicy, error)
    public static RoleManagementPolicy Get(string name, Input<string> id, RoleManagementPolicyState? state, CustomResourceOptions? opts = null)
    public static RoleManagementPolicy get(String name, Output<String> id, RoleManagementPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ActivationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    ActiveAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    Description string
    (String) The description of this policy.
    EligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    Name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    NotificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    RoleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    Scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    ActivationRules RoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    ActiveAssignmentRules RoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    Description string
    (String) The description of this policy.
    EligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    Name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    NotificationRules RoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    RoleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    Scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    description String
    (String) The description of this policy.
    eligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    name String
    (String) The name of this policy, which is typically a UUID and may change over time.
    notificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    roleDefinitionId String
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope String
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules RoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules RoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    description string
    (String) The description of this policy.
    eligibleAssignmentRules RoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    name string
    (String) The name of this policy, which is typically a UUID and may change over time.
    notificationRules RoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    roleDefinitionId string
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope string
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activation_rules RoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    active_assignment_rules RoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    description str
    (String) The description of this policy.
    eligible_assignment_rules RoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    name str
    (String) The name of this policy, which is typically a UUID and may change over time.
    notification_rules RoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    role_definition_id str
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope str
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.
    activationRules Property Map
    An activation_rules block as defined below.
    activeAssignmentRules Property Map
    An active_assignment_rules block as defined below.
    description String
    (String) The description of this policy.
    eligibleAssignmentRules Property Map
    An eligible_assignment_rules block as defined below.
    name String
    (String) The name of this policy, which is typically a UUID and may change over time.
    notificationRules Property Map
    A notification_rules block as defined below.
    roleDefinitionId String
    The scoped Role Definition ID of the role for which this policy will apply. Changing this forces a new resource to be created.
    scope String
    The scope to which this Role Management Policy will apply. Can refer to a management group, a subscription, a resource group or a resource. Changing this forces a new resource to be created.

    Supporting Types

    RoleManagementPolicyActivationRules, RoleManagementPolicyActivationRulesArgs

    ApprovalStage RoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    MaximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    RequireApproval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    RequireJustification bool
    Is a justification required during activation of the role.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    RequireTicketInfo bool
    Is ticket information required during activation of the role.
    RequiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.
    ApprovalStage RoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    MaximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    RequireApproval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    RequireJustification bool
    Is a justification required during activation of the role.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    RequireTicketInfo bool
    Is ticket information required during activation of the role.
    RequiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.
    approvalStage RoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximumDuration String
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval Boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification Boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo Boolean
    Is ticket information required during activation of the role.
    requiredConditionalAccessAuthenticationContext String
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.
    approvalStage RoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo boolean
    Is ticket information required during activation of the role.
    requiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.
    approval_stage RoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximum_duration str
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    require_approval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    require_justification bool
    Is a justification required during activation of the role.
    require_multifactor_authentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    require_ticket_info bool
    Is ticket information required during activation of the role.
    required_conditional_access_authentication_context str
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.
    approvalStage Property Map
    An approval_stage block as defined below.
    maximumDuration String
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval Boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification Boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo Boolean
    Is ticket information required during activation of the role.
    requiredConditionalAccessAuthenticationContext String
    The Entra ID Conditional Access context that must be present for activation. Conflicts with require_multifactor_authentication.

    RoleManagementPolicyActivationRulesApprovalStage, RoleManagementPolicyActivationRulesApprovalStageArgs

    PrimaryApprovers List<RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover>
    The IDs of the users or groups who can approve the activation
    PrimaryApprovers []RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover
    The IDs of the users or groups who can approve the activation
    primaryApprovers List<RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover>
    The IDs of the users or groups who can approve the activation
    primaryApprovers RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover[]
    The IDs of the users or groups who can approve the activation
    primary_approvers Sequence[RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover]
    The IDs of the users or groups who can approve the activation
    primaryApprovers List<Property Map>
    The IDs of the users or groups who can approve the activation

    RoleManagementPolicyActivationRulesApprovalStagePrimaryApprover, RoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs

    ObjectId string
    The ID of the object which will act as an approver.
    Type string
    The type of object acting as an approver. Possible options are User and Group.
    ObjectId string
    The ID of the object which will act as an approver.
    Type string
    The type of object acting as an approver. Possible options are User and Group.
    objectId String
    The ID of the object which will act as an approver.
    type String
    The type of object acting as an approver. Possible options are User and Group.
    objectId string
    The ID of the object which will act as an approver.
    type string
    The type of object acting as an approver. Possible options are User and Group.
    object_id str
    The ID of the object which will act as an approver.
    type str
    The type of object acting as an approver. Possible options are User and Group.
    objectId String
    The ID of the object which will act as an approver.
    type String
    The type of object acting as an approver. Possible options are User and Group.

    RoleManagementPolicyActiveAssignmentRules, RoleManagementPolicyActiveAssignmentRulesArgs

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    RequireJustification bool
    Is a justification required to create new assignments.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to create new assignments.
    RequireTicketInfo bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    RequireJustification bool
    Is a justification required to create new assignments.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to create new assignments.
    RequireTicketInfo bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification Boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo Boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expiration_required bool
    Must an assignment have an expiry date. false allows permanent assignment.
    expire_after str
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    require_justification bool
    Is a justification required to create new assignments.
    require_multifactor_authentication bool
    Is multi-factor authentication required to create new assignments.
    require_ticket_info bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification Boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo Boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    RoleManagementPolicyEligibleAssignmentRules, RoleManagementPolicyEligibleAssignmentRulesArgs

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expiration_required bool
    Must an assignment have an expiry date. false allows permanent assignment.
    expire_after str

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    RoleManagementPolicyNotificationRules, RoleManagementPolicyNotificationRulesArgs

    ActiveAssignments RoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notifications on active role assignments.
    EligibleActivations RoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    EligibleAssignments RoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    ActiveAssignments RoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notifications on active role assignments.
    EligibleActivations RoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    EligibleAssignments RoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments RoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notifications on active role assignments.
    eligibleActivations RoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    eligibleAssignments RoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments RoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notifications on active role assignments.
    eligibleActivations RoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    eligibleAssignments RoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    active_assignments RoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notifications on active role assignments.
    eligible_activations RoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    eligible_assignments RoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments Property Map
    A notification_target block as defined below to configure notifications on active role assignments.
    eligibleActivations Property Map
    A notification_target block as defined below for configuring notifications on activation of an eligible role.
    eligibleAssignments Property Map

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    RoleManagementPolicyNotificationRulesActiveAssignments, RoleManagementPolicyNotificationRulesActiveAssignmentsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotifications, RoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotifications, RoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotifications, RoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleActivations, RoleManagementPolicyNotificationRulesEligibleActivationsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    RoleManagementPolicyNotificationRulesEligibleActivationsAdminNotifications, RoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleActivationsApproverNotifications, RoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotifications, RoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleAssignments, RoleManagementPolicyNotificationRulesEligibleAssignmentsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    RoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotifications, RoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotifications, RoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    RoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotifications, RoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    Import

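    Because these policies are created automatically by Azure, they will auto-import on first use. They can be imported using the resource ID of the role definition combined with the scope ID, with the two parts separated by a `|` character. Keep the whole ID in quotes so that the shell does not interpret the `|` as a pipe, e.g.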

    $ pulumi import azure:pim/roleManagementPolicy:RoleManagementPolicy example "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000|<scope>"
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.

    We recommend using Azure Native.

    Azure v6.10.0 published on Tuesday, Nov 19, 2024 by Pulumi