Exam AZ-500 topic 4 question 87 discussion

Actual exam question from Microsoft's AZ-500
Question #: 87
Topic #: 4

HOTSPOT

You have a management group named MG1 that contains an Azure subscription and a resource group named RG1. RG1 contains a virtual machine named VM1.

You have the custom Azure roles shown in the following table.



The permissions for Role1 are shown in the following role definition file.



The permissions for Role2 are shown in the following role definition file.



You assign the roles to the users shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

qerem
Highly Voted 2 years, 5 months ago
I think the correct answer is N, Y, Y.
upvoted 25 times
dmlists
2 years, 5 months ago
True, as per MS docs: "If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded."
upvoted 20 times
chokrikl
2 years, 4 months ago
Yes, you are right: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
upvoted 4 times
majstor86
Highly Voted 2 years, 3 months ago
NO YES YES
upvoted 12 times
stepman
2 years, 1 month ago
I chose NYY, and this was on the exam 4/27 with the new exam experience. No sim or lab.
upvoted 2 times
morito
Most Recent 1 year, 5 months ago
The answer here is NYY. NotActions are always scoped to the role they are a part of. So one NotAction of Role1 cannot negate an Action of Role2 when assigned to the same user account.
upvoted 3 times
wardy1983
1 year, 7 months ago
No, yes, yes. NotActions are not DENY actions. They're only used to scope down * action by removing one or many actions from * (which is usually fewer lines to write than listing all available actions when creating a custom role).
upvoted 2 times
wardy1983
1 year, 7 months ago
yes yes. NotActions are not DENY actions. They're only used to scope down * action by removing one or many actions from * (which is usually fewer lines to write than listing all available actions when creating a custom role).
upvoted 1 times
BigShot0
1 year, 8 months ago
N, Y, Y. Note: "If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded." https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#notactions
upvoted 2 times
schpeter_091
7 months, 1 week ago
Correct. Not a deny rule, just a lack of a permission rule.
upvoted 1 times
heatfan900
1 year, 9 months ago
N, Y, Y. User 1 cannot because ROLE 1 does not allow it. User 2 can because having ROLE 2 assigned in addition to ROLE 1 allows him to do so. User 3 can because he has ROLE 2 as well. When there is a conflict between 'actions' and 'not actions', the action is allowed. Role permissions (INTERNAL TO THE ROLE ITSELF) do not behave on the same principle as allow/deny at, let's say, an NTFS level, where DENY always wins out.
upvoted 2 times
Self_Study
1 year, 10 months ago
On an exam on 7/8/23. Role1 has had actions Compute/VM/* as well as Role2.
upvoted 2 times
zellck
2 years, 1 month ago
NYY is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions#notactions If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded.
upvoted 6 times
tutonata
2 years, 3 months ago
N, Y, Y. NotActions are not DENY actions. They're only used to scope down * action by removing one or many actions from * (which is usually fewer lines to write than listing all available actions when creating a custom role).
upvoted 3 times
Ajdlfasudfo0
2 years, 4 months ago
The answer is NYY.
upvoted 4 times
Nickname01
2 years, 5 months ago
I think the answer is correct. Actions - NotActions = Effective control plane permissions. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions The NotActions permission specifies the control plane actions that are subtracted or excluded from the allowed Actions that have a wildcard (*). Use the NotActions permission if the set of actions that you want to allow is more easily defined by subtracting from Actions that have a wildcard (*). The access granted by a role (effective permissions) is computed by subtracting the NotActions actions from the Actions actions.
upvoted 2 times
tutonata
2 years, 3 months ago
Quoting the Note that you forgot to read in the doc you refer to: "If a user is assigned a role that excludes an action in NotActions, and is assigned a second role that grants access to the same action, the user is allowed to perform that action. NotActions is not a deny rule – it is simply a convenient way to create a set of allowed actions when specific actions need to be excluded."
upvoted 3 times
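
Added example, not part of the original thread or of Microsoft's documentation: a small offline model of the rule the comments quote, where each role's effective permissions are Actions minus NotActions and a user's access is the union across all assigned roles. The two role definitions and their names are constructed for illustration (the question's own role tables did not survive on this page), and action matching is treated as case-insensitive here.

```python
import re

# Constructed role definitions in the shape of Azure custom-role JSON.
# They are NOT the roles from the exam question; names are hypothetical.
ROLE_A = {
    "Name": "ExampleRoleA",
    "Actions": ["Microsoft.Compute/*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
}
ROLE_B = {
    "Name": "ExampleRoleB",
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "NotActions": [],
}

def _matches(pattern, action):
    """Wildcard match: '*' spans any characters, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role, action):
    """Effective permission of ONE role: Actions minus NotActions."""
    allowed = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded

def granting_roles(assigned_roles, action):
    """Names of the assigned roles that grant the action."""
    return [r["Name"] for r in assigned_roles if role_grants(r, action)]

def is_allowed(assigned_roles, action):
    # Additive model: one granting role is enough. A NotActions entry in
    # another role only shrinks that role; it never acts as a deny.
    return bool(granting_roles(assigned_roles, action))

if __name__ == "__main__":
    delete = "Microsoft.Compute/virtualMachines/delete"
    cases = [("A only", [ROLE_A]), ("A + B", [ROLE_A, ROLE_B]), ("B only", [ROLE_B])]
    for label, roles in cases:
        print(f"{label:7} allowed={is_allowed(roles, delete)} "
              f"granted_by={granting_roles(roles, delete)}")
```
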