You are the administrator of the Contoso financial group. You are responsible for all role permissions in the ?Production_Systems? Resource Group. You have received a request to grant a fellow employee permission to the ?financial_billings? VM. The fellow employee is the system owner for that VM and therefore requires full access to it, however, that user should not be able to assign other users and roles to the VM. Which RBAC role do you assign to her?
Contributor Role on the VM level is correct, as the contributor rule provides full access to VM and its settings, the only limitation is that the user will not be able to assign other users to the VM or change roles. RBAC should be done on the VM level as there might be other resources in the Resource Group and you do not want to give full control to another user’s resources (the rule of least access applies). The owner role will not suffice, as this will enable the user to assign additional users with roles to the VM.