PIM ARM Role Management Policy (List) returns a different "rules" object if you have made edits to it via the API #24189

Open

Description

When I use the Role Management Policies List API on any object I haven't also edited via the Update API, it returns a response like the below*****:

scope                 : /subscriptions/5715b9e3-5625-447f-89ea-bed0a29e57a6/resourceGroups/MadeUp-RG
isOrganizationDefault : True
lastModifiedBy        : 
rules                 : {@{isExpirationRequired=True; maximumDuration=P90D; id=Expiration_Admin_Eligibility; ruleType=RoleManagementPolicyExpirationRule; target=}, @{enabledRules=System.Object[]; id=Enablement_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyEnablementRule; target=}, @{notificationType=Email; recipientType=Admin; isDefaultRecipientsEnabled=True; notificationLevel=All; id=Notification_Admin_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyNotificationRule; target=}, @{notificationType=Email; recipientType=Requestor; isDefaultRecipientsEnabled=True; notificationLevel=All; id=Notification_Requestor_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyNotificationRule; target=}...}
effectiveRules        : {@{isExpirationRequired=True; maximumDuration=P90D; id=Expiration_Admin_Eligibility; ruleType=RoleManagementPolicyExpirationRule; target=}, @{enabledRules=System.Object[]; id=Enablement_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyEnablementRule; target=}, @{notificationType=Email; recipientType=Admin; isDefaultRecipientsEnabled=True; notificationLevel=All; id=Notification_Admin_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyNotificationRule; target=}, @{notificationType=Email; recipientType=Requestor; isDefaultRecipientsEnabled=True; notificationLevel=All; id=Notification_Requestor_Admin_Eligibility; 
                        ruleType=RoleManagementPolicyNotificationRule; target=}...}
policyProperties      : @{scope=}

Note the isOrganizationDefault setting is True. This role has not been touched in any way. In this case, this is the Log Analytics Reader role policy above. If I then expand the rules property specifically, this is what it looks like, consistent with what the response documentation says you should get back:
image
(screenshot trimmed for brevity)

However, after editing the policy via the Update API, I now get a rule attribute formatted completely differently. Exact same rule after being edited:
image
(comprehensive screenshot this time)

I've only edited the isExpirationRequired in my specific testing. I am using the APIs via the Invoke-RestMethod cmdlet in PowerShell. The different formatting returns the same even if it has been edited in the portal. The only difference I can trigger is if the API has made an update.

Quite frankly the second response is easier to read and handle I believe. Apparently it is the same content, but it threw me for a complete loop. That being said, is this change in response structuring intended?

*****I'm filtering for just a single policy related to a specific role, as is shown here.

Labels

- Service Attention (Workflow: This issue is responsible by Azure service team.)
- customer-reported (Issues that are reported by GitHub users external to the Azure organization.)
- needs-team-attention (Workflow: This issue needs attention from Azure service team or SDK team)
- question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)