[Role] az role assignment list: Add --at-scope#31179

Open
jiasli wants to merge 1 commit into Azure:dev from jiasli:at-scope
Conversation


@jiasli jiasli commented Apr 2, 2025

Related command
az role assignment list

Description
Fix #29407
Prerequisite of fixing #14302

Currently for az role assignment list, --scope and --all are mutually exclusive. When --all is specified, scope is set to None:

```python
if show_all:
    if resource_group_name or scope:
        raise CLIError('group or scope are not required when --all is used')
    scope = None
```

When --scope is specified, atScope() is enforced:

```python
if scope:
    f = 'atScope()'  # atScope() excludes role assignments at subscopes
```

Note

$filter=atScope(): Lists role assignments for only the specified scope, not including the role assignments at subscopes.

This produces 3 issues:

  1. 🍎 --all forces scope to be the subscription.
  2. 🍐 It is impossible to list role assignment at custom scope without atScope() (Role assigned to scope not returned unless scope is specified #14302 (comment)).
  3. 🍋 As atScope() and principalId eq '{value}' are mutually exclusive in REST API, CLI's scope and assignee_object_id are mutually exclusive too (Role assigned to scope not returned unless scope is specified #14302 (comment)). A client-side filtering is needed to solve it.

This PR deprecates --all (solves issue 1 🍎) and adds --at-scope argument so that atScope() is no longer enforced. Specifying --at-scope false will allow listing role assignments at custom scope without atScope() (solves issue 2 🍐) and with principalId eq '{value}' (solves issue 2 🍋).

Testing Guide

```shell
az role assignment list --at-scope false
az role assignment list --scope /subscriptions/xxx --at-scope false
az role assignment list --scope /subscriptions/xxx --assignee-object-id xxx --at-scope false
```

History Notes
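To make the semantics the description relies on concrete, here is an added example (not azure-cli code, and it calls no Azure API): it models, over constructed sample assignments, what the service returns with and without `$filter=atScope()`, and applies the `principalId` match on the client side, which is what the description says is needed because `atScope()` and `principalId eq '{value}'` cannot be combined in one REST filter. The function and field names are assumptions for illustration.

```python
# Added illustration of the listing semantics discussed in the PR; not azure-cli code.
# Assumed helper names; nothing here talks to the real Azure REST API.

def _is_ancestor_or_equal(candidate, scope):
    """True if `candidate` is `scope` itself or a parent scope of it (case-insensitive)."""
    c = candidate.rstrip("/").lower()
    s = scope.rstrip("/").lower()
    return s == c or s.startswith(c + "/")


def _is_descendant(candidate, scope):
    """True if `candidate` is a strict sub-scope of `scope` (case-insensitive)."""
    c = candidate.rstrip("/").lower()
    s = scope.rstrip("/").lower()
    return c.startswith(s + "/")


def list_role_assignments(assignments, scope, at_scope=True, assignee_object_id=None):
    """Return the assignments visible when listing at `scope`.

    at_scope=True  mirrors $filter=atScope(): the scope itself and assignments
                   inherited from parent scopes, but nothing at sub-scopes.
    at_scope=False (the PR's --at-scope false, the replacement for --all) also
                   returns assignments at every sub-scope.
    Because atScope() and "principalId eq" cannot be combined in one REST
    $filter, the principal match is done here, on the client, in both modes.
    """
    result = []
    for a in assignments:
        visible = _is_ancestor_or_equal(a["scope"], scope) or (
            not at_scope and _is_descendant(a["scope"], scope))
        if not visible:
            continue
        if assignee_object_id and a["principalId"].lower() != assignee_object_id.lower():
            continue
        result.append(a)
    return result


# Constructed sample data (placeholder subscription id, not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg1"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
SAMPLE = [
    {"id": "a1", "scope": SUB, "principalId": "p-admin"},
    {"id": "a2", "scope": RG, "principalId": "p-dev"},
    {"id": "a3", "scope": VM, "principalId": "p-dev"},
    {"id": "a4", "scope": SUB + "/resourceGroups/rg2", "principalId": "p-ops"},
]
```

Listing at `RG` with `at_scope=True` returns the subscription-level and resource-group assignments only; with `at_scope=False` the VM-level one appears as well, and the principal match then narrows it to that assignee.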


azure-client-tools-bot-prd bot commented Apr 2, 2025

️✔️AzureCLI-FullTest


azure-client-tools-bot-prd bot commented Apr 2, 2025

⚠️AzureCLI-BreakingChangeTest
⚠️role

| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| ⚠️ 1006 - ParaAdd | role assignment list | cmd role assignment list added parameter at_scope | |
| ⚠️ 1008 - ParaPropAdd | role assignment list | cmd role assignment list update parameter show_all: added property deprecate_info_target=--all | |


yonzhan commented Apr 2, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.


github-actions bot commented Apr 2, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

```shell
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```

assignments = _search_role_assignments(cmd.cli_ctx, assignments_client, definitions_client,
scope, assignee, role, include_inherited,
include_groups=False)
include_groups=False, at_scope=True)
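Review bot: `at_scope=True` is hard-coded in this `_search_role_assignments` call, so the delete path never matches sub-scope assignments even though list can now be asked to include them; add a one-line comment on this line stating that delete deliberately does not expose `--at-scope`, so the divergence from list is not later mistaken for a missed parameter.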
jiasli (Member Author) commented:

I am hesitating on whether --at-scope should be exposed by az role assignment delete, as setting --at-scope false will include subscope assignments, causing accidental deletion.

filters.append("assignedTo('{}')".format(assignee_object_id))
else:
f = "principalId eq '{}'".format(assignee_object_id)
assignments = list(assignments_client.list_for_subscription(filter=f))
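Review bot: dropping the `list_for_subscription` call is only safe if `scope` is never `None` by the time `list_for_scope` is reached; the existing `--all` handling sets `scope = None`, so confirm the deprecated `--all` path now resolves `scope` to the subscription before the call rather than passing `None` through to the client.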
jiasli (Member Author) commented:

There is no need to call list_for_subscription at all. Its functionality is already covered by list_for_scope.

@jiasli jiasli changed the title [Role] az role assignment list: Add --at-scope argument [Role] az role assignment list: Add --at-scope Apr 3, 2025
if assignee_object_id and not include_groups and not at_scope:
filters.append("principalId eq '{}'".format(assignee_object_id))
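Review bot: with the default `--at-scope true`, an `assignee_object_id` produces no server-side `principalId eq` filter from this branch, because `atScope()` and `principalId eq` cannot be combined in one REST `$filter`; a short comment here saying so, and naming the client-side filtering that covers that case, would stop the next reader from reading this condition as a missing filter.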
jiasli (Member Author) commented:

Now with the ability to turn off atScope(), principalId eq '{}' filter can be used with scope, fixing #14302 (comment).

@jiasli jiasli marked this pull request as ready for review April 14, 2025 09:19
@jiasli jiasli modified the milestones: May 2025 (2025-05-06), Backlog Apr 21, 2025

jiasli commented May 21, 2025

The history note triggers a false positive in Check the Format of Pull Request Title and Content task.

[Role] `az role assignment list`: Add `--at-scope` argument. Deprecate `--all` argument. Use `--at-scope false` to achieve the same effect as `--all`. In addition to `--all`, `--at-scope false` can be used with custom `scope` and execute `principalId eq '{value}'` filter on the service side
: missing space after }
                                                                                                                                                                                                                                                                     ↑

It should be changed after the PR is merged:

[Role] az role assignment list: Add --at-scope argument. Deprecate --all argument. Use --at-scope false to achieve the same effect as --all. In addition to --all, --at-scope false can be used with custom scope and execute principalId eq '{value}' filter on the service side


evelyn-ys commented May 23, 2025

I'd like to propose a new design to solve issue 1🍎 and issue 2🍐 which requires less customer modification. We can reuse --all as an alternative to --at-scope:

| Scenario | Original | PR's design | New design |
| --- | --- | --- | --- |
| /{sub}/…/roleAssignments?filter=atScope() | --scope {sub} | --scope {sub} | --scope {sub} |
| /{sub}/…/roleAssignments | --all | --scope {sub} --at-scope false | --scope {sub} [can be omitted for sub scope to unbreak original usage] --all |
| /{rg}/…/roleAssignments?filter=atScope() | --scope {rg} | --scope {rg} | --scope {rg} |
| /{rg}/…/roleAssignments | NA | --scope {rg} --at-scope false | --scope {rg} --all |

Successfully merging this pull request may close these issues.

az role assignment list --all --role AcrPull fails with ValueError: No value for given attribute

4 participants