get-user-permissions
Retrieve detailed Azure user permissions by combining role assignments and definitions to manage access control and security policies.
Instructions
Get detailed user permissions by combining role assignments and role definitions
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| scope | No | Scope to check permissions for. Leave empty for subscription level. | (none; falls back to `/subscriptions/<selectedSubscription>`) |
Implementation Reference
- src/AzureServer.ts:776-839 (handler): Main handler function for the 'get-user-permissions' tool. Parses the input scope, fetches role assignments and role definitions using the helpers below, matches them to compute the permissions, and returns structured results including a per-role summary.

  ```typescript
  private async handleGetUserPermissions(args: any) {
    const { scope } = z
      .object({
        scope: z.string().optional(),
      })
      .parse(args);

    if (!this.context.authorizationClient) {
      throw new AzureMCPError(
        "Authorization client not initialized",
        "NO_CLIENT"
      );
    }

    try {
      // Default to the selected subscription when no scope is supplied
      const permissionScope =
        scope || `/subscriptions/${this.context.selectedSubscription}`;

      // Get both role assignments and role definitions
      const [roleAssignments, roleDefinitions] = await Promise.all([
        this.getRoleAssignments(permissionScope),
        this.getRoleDefinitions(permissionScope),
      ]);

      // Match assignments with definitions
      const userPermissions = roleAssignments.map((assignment) => {
        const roleDefinition = roleDefinitions.find((def) =>
          assignment.roleDefinitionId?.endsWith(def.name || "")
        );

        return {
          principalId: assignment.principalId,
          principalType: assignment.principalType,
          scope: assignment.scope,
          roleDefinition: {
            id: roleDefinition?.id,
            name: roleDefinition?.roleName,
            description: roleDefinition?.description,
            permissions: roleDefinition?.permissions || [],
          },
          createdOn: assignment.createdOn,
        };
      });

      // Group by role for summary
      const roleSummary = userPermissions.reduce((acc, perm) => {
        const roleName = perm.roleDefinition.name || "Unknown";
        acc[roleName] = (acc[roleName] || 0) + 1;
        return acc;
      }, {} as Record<string, number>);

      return {
        userPermissions,
        roleSummary,
        totalAssignments: roleAssignments.length,
        scope: permissionScope,
      };
    } catch (error) {
      this.logWithContext("error", `Error getting user permissions: ${error}`, {
        error,
      });
      throw new AzureResourceError(`Failed to get user permissions: ${error}`);
    }
  }
  ```

- src/AzureServer.ts:283-298 (registration): Tool registration in the listTools response, including name, description, and input schema definition.

  ```typescript
  {
    name: "get-user-permissions",
    description:
      "Get detailed user permissions by combining role assignments and role definitions",
    inputSchema: {
      type: "object",
      properties: {
        scope: {
          type: "string",
          description:
            "Scope to check permissions for. Leave empty for subscription level.",
        },
      },
      required: [],
    },
  },
  ```

- src/AzureServer.ts:460-462 (registration): Dispatch case in the handleCallTool switch statement that routes to the handler.

  ```typescript
  case "get-user-permissions":
    result = await this.handleGetUserPermissions(args);
    break;
  ```

- src/AzureServer.ts:841-849 (helper): Helper function to fetch all role assignments for a given scope.

  ```typescript
  private async getRoleAssignments(scope: string) {
    const assignments = [];
    // Drain the paged async iterator into an array
    for await (const assignment of this.context.authorizationClient!.roleAssignments.listForScope(
      scope
    )) {
      assignments.push(assignment);
    }
    return assignments;
  }
  ```

- src/AzureServer.ts:851-859 (helper): Helper function to fetch all role definitions for a given scope.

  ```typescript
  private async getRoleDefinitions(scope: string) {
    const definitions = [];
    // Drain the paged async iterator into an array
    for await (const definition of this.context.authorizationClient!.roleDefinitions.list(
      scope
    )) {
      definitions.push(definition);
    }
    return definitions;
  }
  ```
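Two things about the handler are worth seeing in isolation when reviewing what this tool reports: it returns every role assignment at the scope (there is no principal filter, despite the tool's name), and it links assignments to definitions with `endsWith(def.name || "")`, so a definition whose `name` is missing would match every assignment. The following is an added example, not the project's code: an offline re-implementation of the same join over constructed sample data, using an exact, case-insensitive comparison of the role-definition GUID (the last path segment) and skipping definitions that have no usable ID. The subscription ID and GUIDs are placeholders.

```typescript
// Added example (not the project's code): the assignment/definition join from
// handleGetUserPermissions, with an exact GUID match instead of endsWith().
type Assignment = { principalId?: string; principalType?: string;
  scope?: string; roleDefinitionId?: string };
type Definition = { id?: string; name?: string; roleName?: string;
  permissions?: unknown[] };

// Last segment of an ARM resource ID, lower-cased; undefined if absent.
function guidOf(resourceId?: string): string | undefined {
  const parts = (resourceId ?? "").split("/").filter((p) => p.length > 0);
  return parts.length ? parts[parts.length - 1].toLowerCase() : undefined;
}

function joinPermissions(assignments: Assignment[], definitions: Definition[]) {
  // Index definitions by GUID once; a definition with no usable ID is skipped
  // rather than matching everything, which endsWith("") would do.
  const byGuid = new Map<string, Definition>();
  for (const def of definitions) {
    const guid = guidOf(def.id) ?? def.name?.toLowerCase();
    if (guid) byGuid.set(guid, def);
  }
  const userPermissions = assignments.map((a) => {
    const def = byGuid.get(guidOf(a.roleDefinitionId) ?? "");
    return {
      principalId: a.principalId, principalType: a.principalType, scope: a.scope,
      roleDefinition: { id: def?.id, name: def?.roleName, permissions: def?.permissions ?? [] },
    };
  });
  // Group by role name for the summary; unmatched assignments count as "Unknown".
  const roleSummary: Record<string, number> = {};
  for (const p of userPermissions) {
    const key = p.roleDefinition.name ?? "Unknown";
    roleSummary[key] = (roleSummary[key] ?? 0) + 1;
  }
  return { userPermissions, roleSummary, totalAssignments: assignments.length };
}

// Constructed sample data (placeholder subscription ID and GUIDs, not real values).
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const SAMPLE_DEFINITIONS: Definition[] = [
  { id: `${SUB}/providers/Microsoft.Authorization/roleDefinitions/aaaa-1`, name: "aaaa-1",
    roleName: "Reader", permissions: [{ actions: ["*/read"] }] },
  { roleName: "Broken" }, // no id or name: skipped instead of matching everything
];
const SAMPLE_ASSIGNMENTS: Assignment[] = [
  { principalId: "p1", principalType: "User", scope: SUB,
    roleDefinitionId: `${SUB}/providers/Microsoft.Authorization/roleDefinitions/AAAA-1` },
  { principalId: "p2", principalType: "ServicePrincipal", scope: SUB,
    roleDefinitionId: `${SUB}/providers/Microsoft.Authorization/roleDefinitions/bbbb-2` },
];
const SAMPLE_RESULT = joinPermissions(SAMPLE_ASSIGNMENTS, SAMPLE_DEFINITIONS);
```

When reading the tool's output as an access review, filter `userPermissions` by `principalId` yourself; the `roleSummary` counts assignments at the scope, not a single user's roles.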