
# ARM Roles

The `ARM Roles` page lists the ARM roles enumerated across the entire Azure environment. For each role, the list shows the `Object ID`, `Description`, `Type`, `Privileged`, `Tier 0` and `Built In` values.

<figure><img src="/files/W7kTOaNUHxcYg9awSqRx" alt=""><figcaption></figcaption></figure>

### ARM Roles Details

The details page contains the role's `Risk Score` and the `Exposure Point` and `Information` panes.

> **Info** You can analyze objects in the `Graph module` by clicking the `Visualize` button on the upper left side of the `Information Pane`.

<figure><img src="/files/UBakuxmoefveLvELnYwP" alt=""><figcaption></figcaption></figure>

### Information

The `Information Pane` can contain different badges that highlight important attributes.

| Badge      | Description                                     |
| ---------- | ----------------------------------------------- |
| Built-In   | Indicates the role is a built-in Azure ARM role |
| Tier 0     | Indicates the role is classified as Tier 0      |
| Tier 2     | Indicates the role is classified as Tier 2      |
| Privileged | Indicates the role has privileged permissions   |

The `Information Pane` contains the following tabs: `Details`, `Actions`, `Not Actions`, `Data Actions`, `Not Data Actions`, `Groups`, `Service Principals` and `Users`.

### Details

The Details tab contains the following attributes of the Azure ARM role.

| Attribute         | Description                                         |
| ----------------- | --------------------------------------------------- |
| Name              | The display name of the role with tenant suffix     |
| Type              | The type of the role (e.g., BuiltInRole)            |
| Role Name         | The original name of the role without tenant suffix |
| Is Built In       | Indicates whether the role is a built-in Azure role |
| Description       | A brief description of the role and its permissions |
| Tenant            | The tenant the role belongs to                      |
| Assignable Scopes | The scopes at which the role can be assigned        |
| Object ID         | The unique identifier (GUID) of the role            |
| Member Count      | The number of members assigned to this role         |
| Created On        | The date and time when the role was created         |
| Updated On        | The date and time when the role was last updated    |

### Actions

The Actions tab lists the management actions that the role allows. These are the operations that can be performed on Azure resources when the role is assigned.

<figure><img src="/files/mcdqKgF9D0Coa4X337Qt" alt=""><figcaption></figcaption></figure>

### Not Actions

The Not Actions tab lists the management actions that are excluded from the role. These operations are removed from what the role grants, even if an entry in `Actions` allows them.

<figure><img src="/files/kfTkSQuhmojnjmRy2zZY" alt=""><figcaption></figcaption></figure>

### Data Actions

The Data Actions tab lists the data operations that the role allows. These are operations performed on data within Azure resources (e.g., reading blob data).

<figure><img src="/files/MArsTwGlX5FF5XhrLs7n" alt=""><figcaption></figcaption></figure>

### Not Data Actions

The Not Data Actions tab lists the data operations that are excluded from the role. These operations are removed from what the role grants, even if an entry in `Data Actions` allows them.

<figure><img src="/files/aTvuiv86SX74YF0Th7YF" alt=""><figcaption></figcaption></figure>
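The following added example (not part of FSProtect or its documentation) shows how the four lists combine when reviewing a role: a role grants an operation if it matches `Actions` (or `Data Actions`) and matches no entry in `Not Actions` (or `Not Data Actions`), with case-insensitive `*` wildcards. The role definitions are constructed samples in an assumed lowercase-key JSON shape; because Azure RBAC is additive, an exclusion in one role does not stop a second assigned role from granting the same operation.

```python
import re

# Constructed sample roles (assumed JSON shape, not taken from the page).
BROAD_ROLE = {
    "roleName": "Constructed broad role",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
        "notDataActions": [],
    }],
}
ASSIGNMENT_ROLE = {
    "roleName": "Constructed role-assignment writer",
    "permissions": [{
        "actions": ["Microsoft.Authorization/roleAssignments/write"],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}

def matches(pattern, operation):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation, data_plane=False):
    """True if a permission block grants the operation and does not exclude it."""
    allow_key, exclude_key = (("dataActions", "notDataActions") if data_plane
                              else ("actions", "notActions"))
    for block in role["permissions"]:
        granted = any(matches(p, operation) for p in block.get(allow_key, []))
        excluded = any(matches(p, operation) for p in block.get(exclude_key, []))
        if granted and not excluded:
            return True
    return False

def principal_allows(roles, operation, data_plane=False):
    """Effective access is the union over every role assigned to the principal."""
    return any(role_allows(r, operation, data_plane) for r in roles)
```

When triaging a role, check the sensitive operation against every role held by the same user, group or service principal, not against one role definition in isolation.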

### Groups

The Groups tab lists the groups that have been assigned this role. The list also contains `Enabled` and `On Prem Sync Enabled` columns that show the status of these groups.

<figure><img src="/files/VTzNjgZ6M7OceTwo7Ss1" alt=""><figcaption></figcaption></figure>

### Service Principals

The Service Principals tab lists the service principals that have been assigned this role. The list also contains `Enabled`, `App Display Name` and `Service Principal Type` columns that show the status of these service principals.

<figure><img src="/files/3FDuTfNFdIGQvWNs7qEn" alt=""><figcaption></figcaption></figure>

### Users

The Users tab lists the users that have been assigned this role. The list also contains `Enabled` and `On Prem Sync Enabled` columns that show the status of these users.

<figure><img src="/files/0GvWCBqZSPYPo6W5nC8L" alt=""><figcaption></figcaption></figure>


