名前空間: microsoft.graph
重要
Microsoft Graph の /beta バージョンの API は変更される可能性があります。 実稼働アプリケーションでこれらの API を使用することは、サポートされていません。 v1.0 で API を使用できるかどうかを確認するには、Version セレクターを使用します。
RBAC プロバイダーの新しい unifiedRoleDefinition オブジェクトを作成します。 この機能には、Microsoft Entra ID P1 または P2 ライセンスが必要です。
現在、次の RBAC プロバイダーがサポートされています。
- クラウド PC
- デバイス管理 (Intune)
- Defender (Microsoft Defender XDR)
- directory (Microsoft Entra ID)
この API は、次の国内クラウド展開で使用できます。
| グローバル サービス |
米国政府機関 L4 |
米国政府機関 L5 (DOD) |
21Vianet が運営する中国 |
| ✅ |
✅ |
✅ |
✅ |
アクセス許可
次の表は、サポートされている各リソースの種類でこの API を呼び出すために必要な最小特権のアクセス許可またはアクセス許可を示しています。
ベスト プラクティスに従って、最小限の特権のアクセス許可を要求します。 委任されたアクセス許可とアプリケーションのアクセス許可の詳細については、「アクセス許可の種類」を参照してください。 これらのアクセス許可の詳細については、「アクセス許可のリファレンス」を参照してください。
クラウド PC プロバイダーの場合
| アクセス許可の種類 |
最小特権アクセス許可 |
より高い特権のアクセス許可 |
| 委任 (職場または学校のアカウント) |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All、Directory.ReadWrite.All、RoleManagement.ReadWrite.CloudPC、RoleManagement.ReadWrite.Directory |
| 委任 (個人用 Microsoft アカウント) |
サポートされていません。 |
サポートされていません。 |
| アプリケーション |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All、Directory.ReadWrite.All、RoleManagement.ReadWrite.CloudPC、RoleManagement.ReadWrite.Directory |
デバイス管理 (Intune) プロバイダーの場合
| アクセス許可の種類 |
最小特権アクセス許可 |
より高い特権のアクセス許可 |
| 委任 (職場または学校のアカウント) |
RoleManagement.ReadWrite.Defender |
注意事項なし。 |
| 委任 (個人用 Microsoft アカウント) |
サポートされていません。 |
サポートされていません。 |
| アプリケーション |
RoleManagement.ReadWrite.Defender |
注意事項なし。 |
Defender プロバイダーの場合
| アクセス許可の種類 |
最小特権アクセス許可 |
より高い特権のアクセス許可 |
| 委任 (職場または学校のアカウント) |
RoleManagement.ReadWrite.Directory |
Directory.ReadWrite.All |
| 委任 (個人用 Microsoft アカウント) |
サポートされていません。 |
サポートされていません。 |
| アプリケーション |
RoleManagement.ReadWrite.Directory |
Directory.ReadWrite.All |
ディレクトリ (Microsoft Entra ID) プロバイダーの場合
| アクセス許可の種類 |
最小特権アクセス許可 |
より高い特権のアクセス許可 |
| 委任 (職場または学校のアカウント) |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All、Directory.ReadWrite.All、RoleManagement.ReadWrite.CloudPC、RoleManagement.ReadWrite.Directory |
| 委任 (個人用 Microsoft アカウント) |
サポートされていません。 |
サポートされていません。 |
| アプリケーション |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All、Directory.ReadWrite.All、RoleManagement.ReadWrite.CloudPC、RoleManagement.ReadWrite.Directory |
重要
職場または学校アカウントを使用した委任されたシナリオでは、サインインしているユーザーに、サポートされているMicrosoft Entraロールまたはサポートされているロールのアクセス許可を持つカスタム ロールを割り当てる必要があります。
特権ロール管理者 は、この操作でサポートされる最小限の特権ロールです。
HTTP 要求
デバイス管理プロバイダーのロール定義を作成するには:
POST /roleManagement/deviceManagement/roleDefinitions
Defender プロバイダーのロール定義を作成するには:
POST /roleManagement/defender/roleDefinitions
ディレクトリ プロバイダーのロール定義を作成するには:
POST /roleManagement/directory/roleDefinitions
クラウド PC プロバイダーのロール定義を作成するには:
POST /roleManagement/cloudPc/roleDefinitions
| 名前 |
説明 |
| Authorization |
ベアラー {token}。 必須です。
認証と認可についての詳細をご覧ください。 |
要求本文
要求本文で、 unifiedRoleDefinition オブジェクトの JSON 表現を指定します。
次の表は、roleDefinition を作成するときに必要なプロパティを示しています。
| パラメーター |
型 |
説明 |
| displayName |
string |
ロール定義の表示名。 |
| isEnabled |
ブール値 |
ロールが割り当てに対して有効になっているかどうかを示すフラグ。 false の場合、ロールは割り当てに使用できません。 |
| rolePermissions |
unifiedRolePermission コレクション |
ロールに含まれるアクセス許可の一覧。 |
応答
成功した場合、このメソッドは応答コード 201 Created 返し、応答本文に新しい unifiedRoleDefinition オブジェクトを返します。
例 1:ディレクトリ プロバイダーのカスタム ロールを作成する
要求
POST https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Content-type: application/json
{
"description": "Update basic properties of application registrations",
"displayName": "Application Registration Support Administrator",
"rolePermissions":
[
{
"allowedResourceActions":
[
"microsoft.directory/applications/basic/read"
]
}
],
"isEnabled" : "true"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "Update basic properties of application registrations",
DisplayName = "Application Registration Support Administrator",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"microsoft.directory/applications/basic/read",
},
},
},
IsEnabled = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "Update basic properties of application registrations"
requestBody.SetDescription(&description)
displayName := "Application Registration Support Administrator"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"microsoft.directory/applications/basic/read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
isEnabled := true
requestBody.SetIsEnabled(&isEnabled)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().Directory().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("Update basic properties of application registrations");
unifiedRoleDefinition.setDisplayName("Application Registration Support Administrator");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("microsoft.directory/applications/basic/read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
unifiedRoleDefinition.setIsEnabled(true);
UnifiedRoleDefinition result = graphClient.roleManagement().directory().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'Update basic properties of application registrations',
displayName: 'Application Registration Support Administrator',
rolePermissions:
[
{
allowedResourceActions:
[
'microsoft.directory/applications/basic/read'
]
}
],
isEnabled: 'true'
};
await client.api('/roleManagement/directory/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('Update basic properties of application registrations');
$requestBody->setDisplayName('Application Registration Support Administrator');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['microsoft.directory/applications/basic/read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$requestBody->setIsEnabled(true);
$result = $graphServiceClient->roleManagement()->directory()->roleDefinitions()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
description = "Update basic properties of application registrations"
displayName = "Application Registration Support Administrator"
rolePermissions = @(
@{
allowedResourceActions = @(
"microsoft.directory/applications/basic/read"
)
}
)
isEnabled = "true"
}
New-MgBetaRoleManagementDirectoryRoleDefinition -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "Update basic properties of application registrations",
display_name = "Application Registration Support Administrator",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"microsoft.directory/applications/basic/read",
],
),
],
is_enabled = True,
)
result = await graph_client.role_management.directory.role_definitions.post(request_body)
応答
次の例は応答を示しています。
注: ここに示す応答オブジェクトは、読みやすさのために短縮されている場合があります。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleDefinitions/$entity",
"id": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
"description": "Update basic properties of application registrations",
"displayName": "Application Registration Support Administrator",
"isBuiltIn": false,
"isEnabled": true,
"templateId": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/standard/read",
"microsoft.directory/applications/basic/update"
],
"condition": null
}
],
"inheritsPermissionsFrom": []
}
例 2: クラウド PC プロバイダーのカスタム ロールを作成する
要求
POST https://graph.microsoft.com/beta/roleManagement/cloudPC/roleDefinitions
Content-type: application/json
{
"description": "An example custom role",
"displayName": "ExampleCustomRole",
"rolePermissions":
[
{
"allowedResourceActions":
[
"Microsoft.CloudPC/CloudPCs/Read"
]
}
],
"condition" : "null"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "An example custom role",
DisplayName = "ExampleCustomRole",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"Microsoft.CloudPC/CloudPCs/Read",
},
},
},
AdditionalData = new Dictionary<string, object>
{
{
"condition" , "null"
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.CloudPC.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "An example custom role"
requestBody.SetDescription(&description)
displayName := "ExampleCustomRole"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"Microsoft.CloudPC/CloudPCs/Read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
additionalData := map[string]interface{}{
"condition" : "null",
}
requestBody.SetAdditionalData(additionalData)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().CloudPC().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("An example custom role");
unifiedRoleDefinition.setDisplayName("ExampleCustomRole");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("Microsoft.CloudPC/CloudPCs/Read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("condition", "null");
unifiedRoleDefinition.setAdditionalData(additionalData);
UnifiedRoleDefinition result = graphClient.roleManagement().cloudPC().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'An example custom role',
displayName: 'ExampleCustomRole',
rolePermissions:
[
{
allowedResourceActions:
[
'Microsoft.CloudPC/CloudPCs/Read'
]
}
],
condition: 'null'
};
await client.api('/roleManagement/cloudPC/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('An example custom role');
$requestBody->setDisplayName('ExampleCustomRole');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['Microsoft.CloudPC/CloudPCs/Read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$additionalData = [
'condition' => 'null',
];
$requestBody->setAdditionalData($additionalData);
$result = $graphServiceClient->roleManagement()->cloudPC()->roleDefinitions()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
$params = @{
description = "An example custom role"
displayName = "ExampleCustomRole"
rolePermissions = @(
@{
allowedResourceActions = @(
"Microsoft.CloudPC/CloudPCs/Read"
)
}
)
condition = "null"
}
New-MgBetaRoleManagementCloudPcRoleDefinition -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "An example custom role",
display_name = "ExampleCustomRole",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"Microsoft.CloudPC/CloudPCs/Read",
],
),
],
additional_data = {
"condition" : "null",
}
)
result = await graph_client.role_management.cloud_p_c.role_definitions.post(request_body)
応答
次の例は応答を示しています。
注: ここに示す応答オブジェクトは、読みやすさのために短縮されている場合があります。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPc/roleDefinitions/$entity",
"id": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
"description": "An example custom role",
"displayName": "ExampleCustomRole",
"isBuiltIn": false,
"isEnabled": true,
"templateId": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"Microsoft.CloudPC/CloudPCs/Read"
],
"condition": null
}
],
"resourceScopes":["/"]
}
例 3: Defender プロバイダーのカスタム ロールを作成する
要求
POST https://graph.microsoft.com/beta/roleManagement/defender/roleDefinitions
Content-type: application/json
{
"description": "Role 1 description",
"displayName": "Role 1",
"rolePermissions":
[
{
"allowedResourceActions":
[
"microsoft.xdr/securityposture/read"
]
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "Role 1 description",
DisplayName = "Role 1",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"microsoft.xdr/securityposture/read",
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Defender.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "Role 1 description"
requestBody.SetDescription(&description)
displayName := "Role 1"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"microsoft.xdr/securityposture/read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().Defender().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("Role 1 description");
unifiedRoleDefinition.setDisplayName("Role 1");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("microsoft.xdr/securityposture/read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
UnifiedRoleDefinition result = graphClient.roleManagement().defender().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'Role 1 description',
displayName: 'Role 1',
rolePermissions:
[
{
allowedResourceActions:
[
'microsoft.xdr/securityposture/read'
]
}
]
};
await client.api('/roleManagement/defender/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('Role 1 description');
$requestBody->setDisplayName('Role 1');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['microsoft.xdr/securityposture/read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$result = $graphServiceClient->roleManagement()->defender()->roleDefinitions()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "Role 1 description",
display_name = "Role 1",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"microsoft.xdr/securityposture/read",
],
),
],
)
result = await graph_client.role_management.defender.role_definitions.post(request_body)
応答
次の例は応答を示しています。
注: ここに示す応答オブジェクトは、読みやすさのために短縮されている場合があります。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/defender/roleDefinitions/$entity",
"id": "d5eec5e0-6992-4c6b-b430-0f833f1a815b",
"description": "Role 1 description",
"displayName": "Role 1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.xdr/securityposture/read"
]
}
]
}