@yugangw-msft yugangw-msft commented Aug 3, 2016

Notes by comparing with node cli

  1. Make create, list, delete consistent. By using the same filter, those 3 commands will work on the same assignment. Node cli doesn't have this behavior, which is confusing.
  2. Relieve users from the concept of scope; they just need to use either resource group or resource id.
  3. Expose the filters of --all, --include-inherited for people to opt in to see extra assignments if they like.
  4. For delete, I have not made up my mind whether to expose --all to delete all assignments. I feel it is a somewhat risky operation. But feel free to comment.

/CC:@derekbekoe, @BurtBiel, @tjprescott , @JasonRShaver

@yugangw-msft yugangw-msft changed the title rbac: list & delete assignment, role list and show rbac: list & delete assignment; role definition list & show Aug 3, 2016
@yugangw-msft yugangw-msft force-pushed the list branch 2 times, most recently from f893a25 to 9f79f1a Compare August 3, 2016 18:28

yugangw-msft commented Aug 3, 2016

Command
    az role assignment list

Arguments
    --all              : Show all assignments under the current subscription.
    --assignee         : Represent a user, group, or service principal. supported format: object id,
                         user sign-in name, or service principal name.
    --include-groups   : Include extra assignments to the groups of which the user is a
                         member(transitively). Supported only for a user principal.
    --include-inherited: Include assignments applied on parent scopes.
    --resource-group -g: Use it only if the role or assignment was added at a resource group level.
    --resource-id      : Use it only if the role or assignment was added at the level of a resource.
    --role             : Role name or id.

Command
    az role assignment delete

Arguments
    --assignee         : Represent a user, group, or service principal. supported format: object id,
                         user sign-in name, or service principal name.
    --ids              : Space separated role assignment ids.
    --include-inherited: Include assignments applied on parent scopes.
    --resource-group -g: Use it only if the role or assignment was added at the level of a resource
                         group.
    --resource-id      : Use it only if the role or assignment was added at the level of a resource.
    --role             : Role name or id.

Command
    az role create

Arguments
    --role-definition [Required]: Json formatted content which defines the new role. run 'show-
                                  create-template' to get samples.

Command
    az role list

Arguments
    --custom-role-only : Custom roles only(vs. build-in ones).
    --name -n          : The role's logical name.
    --resource-group -g: Use it only if the role or assignment was added at the level of a resource
                         group.
    --resource-id      : Use it only if the role or assignment was added at the level of a resource.

Command
    az role delete

Arguments
    --name -n [Required]: The role's logical name.
    --custom-role-only  : Custom roles only(vs. build-in ones).
    --resource-group -g : Use it only if the role or assignment was added at the level of a resource
                          group.
    --resource-id       : Use it only if the role or assignment was added at the level of a
                          resource.

Command
    az role show-create-template
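
The filter semantics in the help output above (exact scope by default, `--include-inherited` for parent scopes, `--all` for the whole subscription), sketched in Python as an added example. It is not azure-cli code: the function names, sample assignments and subscription id are constructed, and it assumes scopes are ARM-style paths compared on `/` boundaries.

```python
# Added illustration, not azure-cli code; every name below is hypothetical.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

# Constructed sample assignments.
ASSIGNMENTS = [
    {"id": "a1", "scope": SUB, "role": "Owner", "assignee": "alice"},
    {"id": "a2", "scope": SUB + "/resourceGroups/rg1", "role": "Contributor", "assignee": "bob"},
    {"id": "a3", "scope": SUB + "/resourceGroups/rg10", "role": "Reader", "assignee": "carol"},
    {"id": "a4", "scope": SUB + "/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1",
     "role": "Reader", "assignee": "bob"},
]


def build_scope(resource_group=None, resource_id=None):
    """Map the user-facing arguments to a scope; the user never types a scope."""
    if resource_group and resource_id:
        raise ValueError("pass a resource group or a resource id, not both")
    if resource_id:
        return resource_id.rstrip("/")
    return SUB + "/resourceGroups/" + resource_group if resource_group else SUB


def is_parent(parent, child):
    # Compare on '/' boundaries so .../rg1 is not an ancestor of .../rg10.
    return child.lower().startswith(parent.lower().rstrip("/") + "/")


def select(assignments, resource_group=None, resource_id=None, role=None,
           assignee=None, include_inherited=False, show_all=False):
    """One filter shared by list and delete, so both act on the same set."""
    scope = build_scope(resource_group, resource_id)
    picked = []
    for a in assignments:
        at_scope = a["scope"].lower() == scope.lower()
        inherited = include_inherited and is_parent(a["scope"], scope)
        if not (show_all or at_scope or inherited):
            continue
        if (role and a["role"] != role) or (assignee and a["assignee"] != assignee):
            continue
        picked.append(a["id"])
    return picked


def delete(assignments, **filters):
    """Return what remains after removing exactly what `select` would list."""
    doomed = set(select(assignments, **filters))
    return [a["id"] for a in assignments if a["id"] not in doomed]
```

Running `select` with the same arguments before `delete` previews exactly what would be removed, which is the consistency the first note in the description asks for.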

@yugangw-msft yugangw-msft force-pushed the list branch 3 times, most recently from 26c9d29 to ff2d08d Compare August 4, 2016 17:40
@yugangw-msft yugangw-msft changed the title rbac: list & delete assignment; role definition list & show rbac: list & delete assignment; role definition create, list and delete Aug 4, 2016
@yugangw-msft yugangw-msft force-pushed the list branch 4 times, most recently from 107b4a4 to 9142af4 Compare August 4, 2016 19:53
Member

show_role_create_template

Is there a reason this isn't just part of the "examples" help text for the create role command? It seems odd to have a command that just outputs what is essentially help text (except the taskhelp module but that's totally different)

Member

After our discussion I understand the rationale. Once you've changed the create_role command to be multiple parameters, I'm not sure this would be necessary. Even if we preserve the ability to use a JSON template as the input, they could just get the template from the examples portion of the help file. I'd ask others what they think.


In reply to: 73603847


yugangw-msft commented Aug 5, 2016

@tjprescott, on second thought, I feel it is better to just get rid of the show-create-template and move it into the sample section in the help. 3 reasons:

  1. The json format is well recognized, check out this msdn post
  2. The definition is rather complex; from a usability aspect, using your favorite json editor is much easier than typing it up in the command line, which could extend to 10+ command lines.
  3. If possible, I would like to be compatible with the node version.

Member

roles match

This should be 'more than one role matches' like it was before this change.

Contributor Author

Fixed. Forgive me, I just could not get this grammar right.

@derekbekoe
Member

:shipit:

@yugangw-msft yugangw-msft merged commit f19931c into Azure:master Aug 5, 2016
formulahendry pushed a commit to formulahendry/azure-cli that referenced this pull request Aug 11, 2016
@yugangw-msft yugangw-msft deleted the list branch September 18, 2016 21:25
00Kai0 pushed a commit to 00Kai0/azure-cli that referenced this pull request Apr 7, 2021
* Fixes Azure#591.

* Update index for ER cross connection

* Fix linter violations.
Comment on lines +136 to +137
:param include_groups: include extra assignments to the groups of which the user is a
member(transitively). Supported only for a user principal.
Member

include_groups should be declared in _params.py, not here.
