get-user-permissions
Retrieve detailed user permissions by analyzing role assignments and definitions within Azure. Specify a scope to check permissions at subscription or resource level.
Instructions
Get detailed user permissions by combining role assignments and role definitions
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| scope | No | Scope to check permissions for. Leave empty for subscription level. | |
Implementation Reference
- src/AzureServer.ts:283-298 (registration): Tool registration in handleListTools() including name, description, and input schema definition.

  ```typescript
  {
    name: "get-user-permissions",
    description:
      "Get detailed user permissions by combining role assignments and role definitions",
    inputSchema: {
      type: "object",
      properties: {
        scope: {
          type: "string",
          description:
            "Scope to check permissions for. Leave empty for subscription level.",
        },
      },
      required: [],
    },
  },
  ```

- src/AzureServer.ts:776-839 (handler): Main handler function that parses input, fetches role assignments and definitions using helper methods, combines them by matching roleDefinitionId, computes a role summary, and returns structured permissions data.

  ```typescript
  private async handleGetUserPermissions(args: any) {
    const { scope } = z
      .object({
        scope: z.string().optional(),
      })
      .parse(args);

    if (!this.context.authorizationClient) {
      throw new AzureMCPError(
        "Authorization client not initialized",
        "NO_CLIENT"
      );
    }

    try {
      const permissionScope =
        scope || `/subscriptions/${this.context.selectedSubscription}`;

      // Get both role assignments and role definitions
      const [roleAssignments, roleDefinitions] = await Promise.all([
        this.getRoleAssignments(permissionScope),
        this.getRoleDefinitions(permissionScope),
      ]);

      // Match assignments with definitions
      const userPermissions = roleAssignments.map((assignment) => {
        const roleDefinition = roleDefinitions.find((def) =>
          assignment.roleDefinitionId?.endsWith(def.name || "")
        );

        return {
          principalId: assignment.principalId,
          principalType: assignment.principalType,
          scope: assignment.scope,
          roleDefinition: {
            id: roleDefinition?.id,
            name: roleDefinition?.roleName,
            description: roleDefinition?.description,
            permissions: roleDefinition?.permissions || [],
          },
          createdOn: assignment.createdOn,
        };
      });

      // Group by role for summary
      const roleSummary = userPermissions.reduce((acc, perm) => {
        const roleName = perm.roleDefinition.name || "Unknown";
        acc[roleName] = (acc[roleName] || 0) + 1;
        return acc;
      }, {} as Record<string, number>);

      return {
        userPermissions,
        roleSummary,
        totalAssignments: roleAssignments.length,
        scope: permissionScope,
      };
    } catch (error) {
      this.logWithContext("error", `Error getting user permissions: ${error}`, {
        error,
      });
      throw new AzureResourceError(`Failed to get user permissions: ${error}`);
    }
  }
  ```

- src/AzureServer.ts:841-849 (helper): Helper method to list all role assignments for a given scope using the authorization client.

  ```typescript
  private async getRoleAssignments(scope: string) {
    const assignments = [];
    for await (const assignment of this.context.authorizationClient!.roleAssignments.listForScope(
      scope
    )) {
      assignments.push(assignment);
    }
    return assignments;
  }
  ```

- src/AzureServer.ts:851-859 (helper): Helper method to list all role definitions for a given scope using the authorization client.

  ```typescript
  private async getRoleDefinitions(scope: string) {
    const definitions = [];
    for await (const definition of this.context.authorizationClient!.roleDefinitions.list(
      scope
    )) {
      definitions.push(definition);
    }
    return definitions;
  }
  ```

- src/AzureServer.ts:460-462 (registration): Switch case in handleCallTool() that dispatches the tool call to the specific handler method.

  ```typescript
  case "get-user-permissions":
    result = await this.handleGetUserPermissions(args);
    break;
  ```
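The join that handleGetUserPermissions performs, as an added stand-alone example that is not part of the server's code: it matches on the definition GUID at the end of roleDefinitionId instead of `endsWith(def.name || "")`, which would pair a definition with a missing name against every assignment, and it takes an optional principalId so the result can be narrowed to one identity (the tool itself returns every assignment at the scope). The interfaces, subscription id and role GUIDs are constructed placeholders shaped like the @azure/arm-authorization SDK objects.

```typescript
// Added example (not the server's code): stand-alone version of the handler's join over constructed data.
interface RoleAssignment { principalId?: string; scope?: string; roleDefinitionId?: string }
interface RoleDefinition { name?: string; roleName?: string; permissions?: unknown[] }
interface Combined { principalId?: string; scope?: string; roleName: string; permissions: unknown[] }
// Join on the definition GUID (last path segment of roleDefinitionId), ignoring
// case. Definitions with no name are skipped: the handler's
// `endsWith(def.name || "")` would match such a definition to every assignment,
// because every string ends with "".
function combinePermissions(
  assignments: RoleAssignment[],
  definitions: RoleDefinition[],
  principalId?: string, // optional: keep only this principal's assignments
): Combined[] {
  const byGuid = new Map<string, RoleDefinition>();
  for (const def of definitions) {
    if (def.name) byGuid.set(def.name.toLowerCase(), def);
  }
  return assignments
    .filter((a) => !principalId || a.principalId === principalId)
    .map((a) => {
      const guid = (a.roleDefinitionId ?? "").split("/").pop() ?? "";
      const def = byGuid.get(guid.toLowerCase());
      return {
        principalId: a.principalId,
        scope: a.scope,
        roleName: def?.roleName ?? "Unknown",
        permissions: def?.permissions ?? [],
      };
    });
}
// Per-role count, as the handler's roleSummary.
function roleSummary(perms: Combined[]): Record<string, number> {
  const acc: Record<string, number> = {};
  for (const p of perms) acc[p.roleName] = (acc[p.roleName] ?? 0) + 1;
  return acc;
}
// Constructed sample data; the subscription id and role GUIDs are placeholders.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const ROLE = `${SUB}/providers/Microsoft.Authorization/roleDefinitions`;
const sampleDefinitions: RoleDefinition[] = [
  { name: "aaaa-0001", roleName: "Reader", permissions: [{ actions: ["*/read"] }] },
  { name: "bbbb-0002", roleName: "Contributor", permissions: [{ actions: ["*"] }] },
  { name: undefined, roleName: "Nameless" }, // would match everything via endsWith("")
];
const sampleAssignments: RoleAssignment[] = [
  { principalId: "user-1", scope: SUB, roleDefinitionId: `${ROLE}/aaaa-0001` },
  { principalId: "sp-2", scope: `${SUB}/resourceGroups/rg1`, roleDefinitionId: `${ROLE}/BBBB-0002` },
  { principalId: "user-1", scope: `${SUB}/resourceGroups/rg1`, roleDefinitionId: `${ROLE}/cccc-0003` },
];
```

The third assignment references a GUID with no definition at the scope and is reported as "Unknown", the same fallback the handler uses in its summary.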