diff --git a/provider/cmd/pulumi-resource-azure-native/schema.json b/provider/cmd/pulumi-resource-azure-native/schema.json
index 16c7adb60058..592ecb06ec0d 100644
--- a/provider/cmd/pulumi-resource-azure-native/schema.json
+++ b/provider/cmd/pulumi-resource-azure-native/schema.json
@@ -22719,6 +22719,61 @@
"roleDefinitionId"
]
},
+ "azure-native:authorization:ApprovalMode": {
+ "description": "The type of rule",
+ "type": "string",
+ "enum": [
+ {
+ "value": "SingleStage"
+ },
+ {
+ "value": "Serial"
+ },
+ {
+ "value": "Parallel"
+ },
+ {
+ "value": "NoApproval"
+ }
+ ]
+ },
+ "azure-native:authorization:ApprovalSettings": {
+ "description": "The approval settings.",
+ "properties": {
+ "approvalMode": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:ApprovalMode"
+ }
+ ],
+ "description": "The type of rule"
+ },
+ "approvalStages": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:ApprovalStage"
+ },
+ "description": "The approval stages of the request."
+ },
+ "isApprovalRequired": {
+ "type": "boolean",
+ "description": "Determines whether approval is required or not."
+ },
+ "isApprovalRequiredForExtension": {
+ "type": "boolean",
+ "description": "Determines whether approval is required for assignment extension."
+ },
+ "isRequestorJustificationRequired": {
+ "type": "boolean",
+ "description": "Determine whether requestor justification is required."
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:ApprovalSettingsResponse": {
"description": "The approval settings.",
"properties": {
@@ -22749,6 +22804,44 @@
},
"type": "object"
},
+ "azure-native:authorization:ApprovalStage": {
+ "description": "The approval stage.",
+ "properties": {
+ "approvalStageTimeOutInDays": {
+ "type": "integer",
+ "description": "The time in days when approval request would be timed out"
+ },
+ "escalationApprovers": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UserSet"
+ },
+ "description": "The escalation approver of the request."
+ },
+ "escalationTimeInMinutes": {
+ "type": "integer",
+ "description": "The time in minutes when the approval request would be escalated if the primary approver does not approve"
+ },
+ "isApproverJustificationRequired": {
+ "type": "boolean",
+ "description": "Determines whether approver need to provide justification for his decision."
+ },
+ "isEscalationEnabled": {
+ "type": "boolean",
+ "description": "The value determine whether escalation feature is enabled."
+ },
+ "primaryApprovers": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UserSet"
+ },
+ "description": "The primary approver of the request."
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:ApprovalStageResponse": {
"description": "The approval stage.",
"properties": {
@@ -22816,6 +22909,21 @@
}
]
},
+ "azure-native:authorization:EnablementRules": {
+ "description": "The type of enablement rule",
+ "type": "string",
+ "enum": [
+ {
+ "value": "MultiFactorAuthentication"
+ },
+ {
+ "value": "Justification"
+ },
+ {
+ "value": "Ticketing"
+ }
+ ]
+ },
"azure-native:authorization:EnforcementMode": {
"description": "The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.",
"type": "string",
@@ -22830,6 +22938,17 @@
}
]
},
+ "azure-native:authorization:ExcludedPrincipalTypes": {
+ "type": "string",
+ "enum": [
+ {
+ "value": "ServicePrincipalsAsTarget"
+ },
+ {
+ "value": "ServicePrincipalsAsRequestor"
+ }
+ ]
+ },
"azure-native:authorization:ExemptionCategory": {
"description": "The policy exemption category. Possible values are Waiver and Mitigated.",
"type": "string",
@@ -22977,6 +23096,30 @@
"message"
]
},
+ "azure-native:authorization:NotificationDeliveryMechanism": {
+ "description": "The type of notification.",
+ "type": "string",
+ "enum": [
+ {
+ "value": "Email"
+ }
+ ]
+ },
+ "azure-native:authorization:NotificationLevel": {
+ "description": "The notification level.",
+ "type": "string",
+ "enum": [
+ {
+ "value": "None"
+ },
+ {
+ "value": "Critical"
+ },
+ {
+ "value": "All"
+ }
+ ]
+ },
"azure-native:authorization:Override": {
"description": "The policy property value override.",
"properties": {
@@ -23038,6 +23181,85 @@
},
"type": "object"
},
+ "azure-native:authorization:PIMOnlyMode": {
+ "description": "Determines whether the setting is enabled, disabled or report only.",
+ "type": "string",
+ "enum": [
+ {
+ "value": "Disabled"
+ },
+ {
+ "value": "Enabled"
+ },
+ {
+ "value": "ReportOnly"
+ }
+ ]
+ },
+ "azure-native:authorization:PIMOnlyModeSettings": {
+ "description": "The PIM Only Mode settings.",
+ "properties": {
+ "excludedAssignmentTypes": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:ExcludedPrincipalTypes"
+ }
+ ]
+ },
+ "description": "The list of excluded assignment types allowed."
+ },
+ "excludes": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UsersOrServicePrincipalSet"
+ },
+ "description": "The list of excluded entities that the rule does not apply to."
+ },
+ "mode": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:PIMOnlyMode"
+ }
+ ],
+ "description": "Determines whether the setting is enabled, disabled or report only."
+ }
+ },
+ "type": "object"
+ },
+ "azure-native:authorization:PIMOnlyModeSettingsResponse": {
+ "description": "The PIM Only Mode settings.",
+ "properties": {
+ "excludedAssignmentTypes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The list of excluded assignment types allowed."
+ },
+ "excludes": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UsersOrServicePrincipalSetResponse"
+ },
+ "description": "The list of excluded entities that the rule does not apply to."
+ },
+ "mode": {
+ "type": "string",
+ "description": "Determines whether the setting is enabled, disabled or report only."
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:ParameterDefinitionsValue": {
"description": "The definition of a parameter that can be provided to the policy.",
"properties": {
@@ -23551,6 +23773,38 @@
"type"
]
},
+ "azure-native:authorization:PolicyPropertiesResponse": {
+ "description": "Expanded info of resource scope",
+ "properties": {
+ "scope": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PolicyPropertiesResponseScope",
+ "description": "Details of the resource scope"
+ }
+ },
+ "type": "object",
+ "required": [
+ "scope"
+ ]
+ },
+ "azure-native:authorization:PolicyPropertiesResponseScope": {
+ "description": "Details of the resource scope",
+ "properties": {
+ "displayName": {
+ "type": "string",
+ "description": "Display name of the resource"
+ },
+ "id": {
+ "type": "string",
+ "description": "Scope id of the resource"
+ },
+ "type": {
+ "type": "string",
+ "description": "Type of the resource"
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:PolicySetDefinitionVersionResponse": {
"description": "The policy set definition version.",
"properties": {
@@ -23799,6 +24053,21 @@
}
]
},
+ "azure-native:authorization:RecipientType": {
+ "description": "The recipient type.",
+ "type": "string",
+ "enum": [
+ {
+ "value": "Requestor"
+ },
+ {
+ "value": "Approver"
+ },
+ {
+ "value": "Admin"
+ }
+ ]
+ },
"azure-native:authorization:ResourceIdentityType": {
"description": "The identity type. This is the only required field when adding a system or user assigned identity to a resource.",
"type": "string",
@@ -23865,6 +24134,34 @@
},
"type": "object"
},
+ "azure-native:authorization:RoleManagementPolicyApprovalRule": {
+ "description": "The role management policy approval rule.",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyApprovalRule'.",
+ "const": "RoleManagementPolicyApprovalRule"
+ },
+ "setting": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:ApprovalSettings",
+ "description": "The approval setting"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyApprovalRuleResponse": {
"description": "The role management policy approval rule.",
"properties": {
@@ -23893,6 +24190,37 @@
"ruleType"
]
},
+ "azure-native:authorization:RoleManagementPolicyAuthenticationContextRule": {
+ "description": "The role management policy authentication context rule.",
+ "properties": {
+ "claimValue": {
+ "type": "string",
+ "description": "The claim value."
+ },
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "isEnabled": {
+ "type": "boolean",
+ "description": "The value indicating if rule is enabled."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyAuthenticationContextRule'.",
+ "const": "RoleManagementPolicyAuthenticationContextRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse": {
"description": "The role management policy authentication context rule.",
"properties": {
@@ -23924,6 +24252,43 @@
"ruleType"
]
},
+ "azure-native:authorization:RoleManagementPolicyEnablementRule": {
+ "description": "The role management policy enablement rule.",
+ "properties": {
+ "enabledRules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:EnablementRules"
+ }
+ ]
+ },
+ "description": "The list of enabled rules."
+ },
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyEnablementRule'.",
+ "const": "RoleManagementPolicyEnablementRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyEnablementRuleResponse": {
"description": "The role management policy enablement rule.",
"properties": {
@@ -23954,9 +24319,56 @@
"ruleType"
]
},
+ "azure-native:authorization:RoleManagementPolicyExpirationRule": {
+ "description": "The role management policy expiration rule.",
+ "properties": {
+ "exceptionMembers": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UserSet"
+ },
+ "description": "The members not restricted by expiration rule."
+ },
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "isExpirationRequired": {
+ "type": "boolean",
+ "description": "The value indicating whether expiration is required."
+ },
+ "maximumDuration": {
+ "type": "string",
+ "description": "The maximum duration of expiration in timespan."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyExpirationRule'.",
+ "const": "RoleManagementPolicyExpirationRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyExpirationRuleResponse": {
"description": "The role management policy expiration rule.",
"properties": {
+ "exceptionMembers": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:UserSetResponse"
+ },
+ "description": "The members not restricted by expiration rule."
+ },
"id": {
"type": "string",
"description": "The id of the rule."
@@ -23985,6 +24397,73 @@
"ruleType"
]
},
+ "azure-native:authorization:RoleManagementPolicyNotificationRule": {
+ "description": "The role management policy notification rule.",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "isDefaultRecipientsEnabled": {
+ "type": "boolean",
+ "description": "Determines if the notification will be sent to the recipient type specified in the policy rule."
+ },
+ "notificationLevel": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:NotificationLevel"
+ }
+ ],
+ "description": "The notification level."
+ },
+ "notificationRecipients": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The list of notification recipients."
+ },
+ "notificationType": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:NotificationDeliveryMechanism"
+ }
+ ],
+ "description": "The type of notification."
+ },
+ "recipientType": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:RecipientType"
+ }
+ ],
+ "description": "The recipient type."
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyNotificationRule'.",
+ "const": "RoleManagementPolicyNotificationRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyNotificationRuleResponse": {
"description": "The role management policy notification rule.",
"properties": {
@@ -24031,6 +24510,104 @@
"ruleType"
]
},
+ "azure-native:authorization:RoleManagementPolicyPimOnlyModeRule": {
+ "description": "The role management policy PIM only mode rule.",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "pimOnlyModeSettings": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PIMOnlyModeSettings",
+ "description": "The PIM Only Mode settings"
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyPimOnlyModeRule'.",
+ "const": "RoleManagementPolicyPimOnlyModeRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTarget",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
+ "azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse": {
+ "description": "The role management policy PIM only mode rule.",
+ "properties": {
+ "id": {
+ "type": "string",
+ "description": "The id of the rule."
+ },
+ "pimOnlyModeSettings": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PIMOnlyModeSettingsResponse",
+ "description": "The PIM Only Mode settings"
+ },
+ "ruleType": {
+ "type": "string",
+ "description": "The type of rule\nExpected value is 'RoleManagementPolicyPimOnlyModeRule'.",
+ "const": "RoleManagementPolicyPimOnlyModeRule"
+ },
+ "target": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyRuleTargetResponse",
+ "description": "The target of the current rule."
+ }
+ },
+ "type": "object",
+ "required": [
+ "ruleType"
+ ]
+ },
+ "azure-native:authorization:RoleManagementPolicyRuleTarget": {
+ "description": "The role management policy rule target.",
+ "properties": {
+ "caller": {
+ "type": "string",
+ "description": "The caller of the setting."
+ },
+ "enforcedSettings": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The list of enforced settings."
+ },
+ "inheritableSettings": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The list of inheritable settings."
+ },
+ "level": {
+ "type": "string",
+ "description": "The assignment level to which rule is applied."
+ },
+ "operations": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The type of operation."
+ },
+ "targetObjects": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "The list of target objects."
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:RoleManagementPolicyRuleTargetResponse": {
"description": "The role management policy rule target.",
"properties": {
@@ -24073,6 +24650,30 @@
},
"type": "object"
},
+ "azure-native:authorization:RoleManagementPolicyRuleType": {
+ "description": "The type of rule",
+ "type": "string",
+ "enum": [
+ {
+ "value": "RoleManagementPolicyApprovalRule"
+ },
+ {
+ "value": "RoleManagementPolicyAuthenticationContextRule"
+ },
+ {
+ "value": "RoleManagementPolicyEnablementRule"
+ },
+ {
+ "value": "RoleManagementPolicyExpirationRule"
+ },
+ {
+ "value": "RoleManagementPolicyNotificationRule"
+ },
+ {
+ "value": "RoleManagementPolicyPimOnlyModeRule"
+ }
+ ]
+ },
"azure-native:authorization:Selector": {
"description": "The selector expression.",
"properties": {
@@ -24180,6 +24781,35 @@
},
"type": "object"
},
+ "azure-native:authorization:UserSet": {
+ "description": "The detail of a user.",
+ "properties": {
+ "description": {
+ "type": "string",
+ "description": "The description of the user."
+ },
+ "id": {
+ "type": "string",
+ "description": "The object id of the user."
+ },
+ "isBackup": {
+ "type": "boolean",
+ "description": "The value indicating whether the user is a backup fallback approver"
+ },
+ "userType": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:UserType"
+ }
+ ],
+ "description": "The type of user."
+ }
+ },
+ "type": "object"
+ },
"azure-native:authorization:UserSetResponse": {
"description": "The detail of a user.",
"properties": {
@@ -24202,6 +24832,64 @@
},
"type": "object"
},
+ "azure-native:authorization:UserType": {
+ "description": "The type of user.",
+ "type": "string",
+ "enum": [
+ {
+ "value": "User"
+ },
+ {
+ "value": "Group"
+ },
+ {
+ "value": "ServicePrincipal"
+ }
+ ]
+ },
+ "azure-native:authorization:UsersOrServicePrincipalSet": {
+ "description": "The detail of a subject.",
+ "properties": {
+ "displayName": {
+ "type": "string",
+ "description": "The display Name of the entity."
+ },
+ "id": {
+ "type": "string",
+ "description": "The object id of the entity."
+ },
+ "type": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "$ref": "#/types/azure-native:authorization:UserType"
+ }
+ ],
+ "description": "The type of user."
+ }
+ },
+ "type": "object"
+ },
+ "azure-native:authorization:UsersOrServicePrincipalSetResponse": {
+ "description": "The detail of a subject.",
+ "properties": {
+ "displayName": {
+ "type": "string",
+ "description": "The display Name of the entity."
+ },
+ "id": {
+ "type": "string",
+ "description": "The object id of the entity."
+ },
+ "type": {
+ "type": "string",
+ "description": "The type of user."
+ }
+ },
+ "type": "object"
+ },
"azure-native:automanage:AccountIdentity": {
"description": "Identity for the Automanage account.",
"properties": {
@@ -557115,6 +557803,227 @@
}
]
},
+ "azure-native:authorization:RoleManagementPolicy": {
+ "description": "Role management policy\nAzure REST API version: 2024-09-01-preview.\n\nOther available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n### PatchPartialRoleManagementPolicy\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureNative = Pulumi.AzureNative;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy(\"roleManagementPolicy\", new()\n {\n RoleManagementPolicyName = \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n Rules = \n {\n new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs\n {\n Id = \"Expiration_Admin_Eligibility\",\n IsExpirationRequired = false,\n MaximumDuration = \"P180D\",\n RuleType = \"RoleManagementPolicyExpirationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Admin_Admin_Eligibility\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"admin_admin_eligible@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Admin,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n },\n Scope = \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n });\n\n});\n\n\n```\n\n```go\npackage main\n\nimport (\n\tauthorization 
\"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := authorization.NewRoleManagementPolicy(ctx, \"roleManagementPolicy\", \u0026authorization.RoleManagementPolicyArgs{\n\t\t\tRoleManagementPolicyName: pulumi.String(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\"),\n\t\t\tRules: pulumi.Array{\n\t\t\t\tauthorization.RoleManagementPolicyExpirationRule{\n\t\t\t\t\tId: \"Expiration_Admin_Eligibility\",\n\t\t\t\t\tIsExpirationRequired: false,\n\t\t\t\t\tMaximumDuration: \"P180D\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyExpirationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Admin_Admin_Eligibility\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"admin_admin_eligible@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeAdmin,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tScope: pulumi.String(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport 
com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicy;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var roleManagementPolicy = new RoleManagementPolicy(\"roleManagementPolicy\", RoleManagementPolicyArgs.builder()\n .roleManagementPolicyName(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\")\n .rules( \n RoleManagementPolicyExpirationRuleArgs.builder()\n .id(\"Expiration_Admin_Eligibility\")\n .isExpirationRequired(false)\n .maximumDuration(\"P180D\")\n .ruleType(\"RoleManagementPolicyExpirationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Admin_Admin_Eligibility\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"admin_admin_eligible@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Admin\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build())\n .scope(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n .build());\n\n }\n}\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azure_native from \"@pulumi/azure-native\";\n\nconst roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\", {\n roleManagementPolicyName: \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules: [\n {\n id: 
\"Expiration_Admin_Eligibility\",\n isExpirationRequired: false,\n maximumDuration: \"P180D\",\n ruleType: \"RoleManagementPolicyExpirationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Admin_Admin_Eligibility\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"admin_admin_eligible@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Admin,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n ],\n scope: \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n});\n\n```\n\n```python\nimport pulumi\nimport pulumi_azure_native as azure_native\n\nrole_management_policy = azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\",\n role_management_policy_name=\"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules=[\n {\n \"id\": \"Expiration_Admin_Eligibility\",\n \"is_expiration_required\": False,\n \"maximum_duration\": \"P180D\",\n \"rule_type\": \"RoleManagementPolicyExpirationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Admin_Admin_Eligibility\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"admin_admin_eligible@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.ADMIN,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n 
},\n ],\n scope=\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n\n```\n\n```yaml\nresources:\n roleManagementPolicy:\n type: azure-native:authorization:RoleManagementPolicy\n properties:\n roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a\n rules:\n - id: Expiration_Admin_Eligibility\n isExpirationRequired: false\n maximumDuration: P180D\n ruleType: RoleManagementPolicyExpirationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - id: Notification_Admin_Admin_Eligibility\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - admin_admin_eligible@test.com\n notificationType: Email\n recipientType: Admin\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\n\n```\n\n{{% /example %}}\n{{% example %}}\n### PatchRoleManagementPolicy\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureNative = Pulumi.AzureNative;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy(\"roleManagementPolicy\", new()\n {\n RoleManagementPolicyName = \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n Rules = \n {\n new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs\n {\n Id = \"Expiration_Admin_Eligibility\",\n IsExpirationRequired = false,\n MaximumDuration = \"P180D\",\n RuleType = \"RoleManagementPolicyExpirationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Admin_Admin_Eligibility\",\n IsDefaultRecipientsEnabled = false,\n 
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"admin_admin_eligible@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Admin,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Requestor_Admin_Eligibility\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"requestor_admin_eligible@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Requestor,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Approver_Admin_Eligibility\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"approver_admin_eligible@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Approver,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n 
},\n new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs\n {\n EnabledRules = new() { },\n Id = \"Enablement_Admin_Eligibility\",\n RuleType = \"RoleManagementPolicyEnablementRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Eligibility\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs\n {\n Id = \"Expiration_Admin_Assignment\",\n IsExpirationRequired = false,\n MaximumDuration = \"P90D\",\n RuleType = \"RoleManagementPolicyExpirationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs\n {\n EnabledRules = new[]\n {\n AzureNative.Authorization.EnablementRules.Justification,\n AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,\n },\n Id = \"Enablement_Admin_Assignment\",\n RuleType = \"RoleManagementPolicyEnablementRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Admin_Admin_Assignment\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"admin_admin_member@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Admin,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = 
\"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Requestor_Admin_Assignment\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"requestor_admin_member@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Requestor,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Approver_Admin_Assignment\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"approver_admin_member@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Approver,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs\n {\n Id = \"Expiration_EndUser_Assignment\",\n IsExpirationRequired = true,\n MaximumDuration = \"PT7H\",\n RuleType = \"RoleManagementPolicyExpirationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new 
AzureNative.Authorization.Inputs.RoleManagementPolicyEnablementRuleArgs\n {\n EnabledRules = new[]\n {\n AzureNative.Authorization.EnablementRules.Justification,\n AzureNative.Authorization.EnablementRules.MultiFactorAuthentication,\n AzureNative.Authorization.EnablementRules.Ticketing,\n },\n Id = \"Enablement_EndUser_Assignment\",\n RuleType = \"RoleManagementPolicyEnablementRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyApprovalRuleArgs\n {\n Id = \"Approval_EndUser_Assignment\",\n RuleType = \"RoleManagementPolicyApprovalRule\",\n Setting = new AzureNative.Authorization.Inputs.ApprovalSettingsArgs\n {\n ApprovalMode = AzureNative.Authorization.ApprovalMode.SingleStage,\n ApprovalStages = new[]\n {\n new AzureNative.Authorization.Inputs.ApprovalStageArgs\n {\n ApprovalStageTimeOutInDays = 1,\n EscalationTimeInMinutes = 0,\n IsApproverJustificationRequired = true,\n IsEscalationEnabled = false,\n PrimaryApprovers = new[]\n {\n new AzureNative.Authorization.Inputs.UserSetArgs\n {\n Description = \"amansw_new_group\",\n Id = \"2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\",\n IsBackup = false,\n UserType = AzureNative.Authorization.UserType.Group,\n },\n new AzureNative.Authorization.Inputs.UserSetArgs\n {\n Description = \"amansw_group\",\n Id = \"2f4913c9-d15b-406a-9946-1d66a28f2690\",\n IsBackup = false,\n UserType = AzureNative.Authorization.UserType.Group,\n },\n },\n },\n },\n IsApprovalRequired = true,\n IsApprovalRequiredForExtension = false,\n IsRequestorJustificationRequired = true,\n },\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new 
AzureNative.Authorization.Inputs.RoleManagementPolicyAuthenticationContextRuleArgs\n {\n ClaimValue = \"\",\n Id = \"AuthenticationContext_EndUser_Assignment\",\n IsEnabled = false,\n RuleType = \"RoleManagementPolicyAuthenticationContextRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Admin_EndUser_Assignment\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"admin_enduser_member@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Admin,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = \"Notification_Requestor_EndUser_Assignment\",\n IsDefaultRecipientsEnabled = false,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationRecipients = new[]\n {\n \"requestor_enduser_member@test.com\",\n },\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Requestor,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs\n {\n Id = 
\"Notification_Approver_EndUser_Assignment\",\n IsDefaultRecipientsEnabled = true,\n NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,\n NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,\n RecipientType = AzureNative.Authorization.RecipientType.Approver,\n RuleType = \"RoleManagementPolicyNotificationRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"EndUser\",\n Level = \"Assignment\",\n Operations = new[]\n {\n \"All\",\n },\n },\n },\n new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs\n {\n Id = \"PIMOnlyMode_Admin_Assignment\",\n PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs\n {\n ExcludedAssignmentTypes = new[]\n {\n AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,\n },\n Excludes = new[]\n {\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n Type = AzureNative.Authorization.UserType.User,\n },\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n Type = AzureNative.Authorization.UserType.Group,\n },\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"0000103d-1fc2-4ac8-81de-71517765655c\",\n Type = AzureNative.Authorization.UserType.ServicePrincipal,\n },\n },\n Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,\n },\n RuleType = \"RoleManagementPolicyPimOnlyModeRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n EnforcedSettings = new[]\n {\n \"all\",\n },\n InheritableSettings = new[]\n {\n \"all\",\n },\n Level = \"Assignment\",\n Operations = new[]\n {\n \"all\",\n },\n TargetObjects = new() { },\n },\n },\n },\n Scope = \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n 
});\n\n});\n\n\n```\n\n```go\npackage main\n\nimport (\n\tauthorization \"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := authorization.NewRoleManagementPolicy(ctx, \"roleManagementPolicy\", \u0026authorization.RoleManagementPolicyArgs{\n\t\t\tRoleManagementPolicyName: pulumi.String(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\"),\n\t\t\tRules: pulumi.Array{\n\t\t\t\tauthorization.RoleManagementPolicyExpirationRule{\n\t\t\t\t\tId: \"Expiration_Admin_Eligibility\",\n\t\t\t\t\tIsExpirationRequired: false,\n\t\t\t\t\tMaximumDuration: \"P180D\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyExpirationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Admin_Admin_Eligibility\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"admin_admin_eligible@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeAdmin,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Requestor_Admin_Eligibility\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: 
authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"requestor_admin_eligible@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeRequestor,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Approver_Admin_Eligibility\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"approver_admin_eligible@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeApprover,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyEnablementRule{\n\t\t\t\t\tEnabledRules: []authorization.EnablementRules{},\n\t\t\t\t\tId: \"Enablement_Admin_Eligibility\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyEnablementRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Eligibility\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyExpirationRule{\n\t\t\t\t\tId: \"Expiration_Admin_Assignment\",\n\t\t\t\t\tIsExpirationRequired: 
false,\n\t\t\t\t\tMaximumDuration: \"P90D\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyExpirationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyEnablementRule{\n\t\t\t\t\tEnabledRules: []authorization.EnablementRules{\n\t\t\t\t\t\tauthorization.EnablementRulesJustification,\n\t\t\t\t\t\tauthorization.EnablementRulesMultiFactorAuthentication,\n\t\t\t\t\t},\n\t\t\t\t\tId: \"Enablement_Admin_Assignment\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyEnablementRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Admin_Admin_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"admin_admin_member@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeAdmin,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Requestor_Admin_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: 
[]string{\n\t\t\t\t\t\t\"requestor_admin_member@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeRequestor,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Approver_Admin_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"approver_admin_member@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeApprover,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyExpirationRule{\n\t\t\t\t\tId: \"Expiration_EndUser_Assignment\",\n\t\t\t\t\tIsExpirationRequired: true,\n\t\t\t\t\tMaximumDuration: \"PT7H\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyExpirationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyEnablementRule{\n\t\t\t\t\tEnabledRules: 
[]authorization.EnablementRules{\n\t\t\t\t\t\tauthorization.EnablementRulesJustification,\n\t\t\t\t\t\tauthorization.EnablementRulesMultiFactorAuthentication,\n\t\t\t\t\t\tauthorization.EnablementRulesTicketing,\n\t\t\t\t\t},\n\t\t\t\t\tId: \"Enablement_EndUser_Assignment\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyEnablementRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyApprovalRule{\n\t\t\t\t\tId: \"Approval_EndUser_Assignment\",\n\t\t\t\t\tRuleType: \"RoleManagementPolicyApprovalRule\",\n\t\t\t\t\tSetting: authorization.ApprovalSettings{\n\t\t\t\t\t\tApprovalMode: authorization.ApprovalModeSingleStage,\n\t\t\t\t\t\tApprovalStages: []authorization.ApprovalStage{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tApprovalStageTimeOutInDays: 1,\n\t\t\t\t\t\t\t\tEscalationTimeInMinutes: 0,\n\t\t\t\t\t\t\t\tIsApproverJustificationRequired: true,\n\t\t\t\t\t\t\t\tIsEscalationEnabled: false,\n\t\t\t\t\t\t\t\tPrimaryApprovers: []authorization.UserSet{\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tDescription: \"amansw_new_group\",\n\t\t\t\t\t\t\t\t\t\tId: \"2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\",\n\t\t\t\t\t\t\t\t\t\tIsBackup: false,\n\t\t\t\t\t\t\t\t\t\tUserType: authorization.UserTypeGroup,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tDescription: \"amansw_group\",\n\t\t\t\t\t\t\t\t\t\tId: \"2f4913c9-d15b-406a-9946-1d66a28f2690\",\n\t\t\t\t\t\t\t\t\t\tIsBackup: false,\n\t\t\t\t\t\t\t\t\t\tUserType: authorization.UserTypeGroup,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tIsApprovalRequired: true,\n\t\t\t\t\t\tIsApprovalRequiredForExtension: false,\n\t\t\t\t\t\tIsRequestorJustificationRequired: true,\n\t\t\t\t\t},\n\t\t\t\t\tTarget: 
authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyAuthenticationContextRule{\n\t\t\t\t\tClaimValue: \"\",\n\t\t\t\t\tId: \"AuthenticationContext_EndUser_Assignment\",\n\t\t\t\t\tIsEnabled: false,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyAuthenticationContextRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Admin_EndUser_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"admin_enduser_member@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeAdmin,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Requestor_EndUser_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: false,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationRecipients: []string{\n\t\t\t\t\t\t\"requestor_enduser_member@test.com\",\n\t\t\t\t\t},\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: 
authorization.RecipientTypeRequestor,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyNotificationRule{\n\t\t\t\t\tId: \"Notification_Approver_EndUser_Assignment\",\n\t\t\t\t\tIsDefaultRecipientsEnabled: true,\n\t\t\t\t\tNotificationLevel: authorization.NotificationLevelCritical,\n\t\t\t\t\tNotificationType: authorization.NotificationDeliveryMechanismEmail,\n\t\t\t\t\tRecipientType: authorization.RecipientTypeApprover,\n\t\t\t\t\tRuleType: \"RoleManagementPolicyNotificationRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"EndUser\",\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"All\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tauthorization.RoleManagementPolicyPimOnlyModeRule{\n\t\t\t\t\tId: \"PIMOnlyMode_Admin_Assignment\",\n\t\t\t\t\tPimOnlyModeSettings: authorization.PIMOnlyModeSettings{\n\t\t\t\t\t\tExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{\n\t\t\t\t\t\t\tauthorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExcludes: []authorization.UsersOrServicePrincipalSet{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeUser,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeGroup,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"0000103d-1fc2-4ac8-81de-71517765655c\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeServicePrincipal,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tMode: authorization.PIMOnlyModeEnabled,\n\t\t\t\t\t},\n\t\t\t\t\tRuleType: 
\"RoleManagementPolicyPimOnlyModeRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tEnforcedSettings: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tInheritableSettings: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tTargetObjects: []interface{}{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tScope: pulumi.String(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicy;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var roleManagementPolicy = new RoleManagementPolicy(\"roleManagementPolicy\", RoleManagementPolicyArgs.builder()\n .roleManagementPolicyName(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\")\n .rules( \n RoleManagementPolicyExpirationRuleArgs.builder()\n .id(\"Expiration_Admin_Eligibility\")\n .isExpirationRequired(false)\n .maximumDuration(\"P180D\")\n .ruleType(\"RoleManagementPolicyExpirationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Admin_Admin_Eligibility\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n 
.notificationRecipients(\"admin_admin_eligible@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Admin\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Requestor_Admin_Eligibility\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"requestor_admin_eligible@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Requestor\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Approver_Admin_Eligibility\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"approver_admin_eligible@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Approver\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyEnablementRuleArgs.builder()\n .enabledRules()\n .id(\"Enablement_Admin_Eligibility\")\n .ruleType(\"RoleManagementPolicyEnablementRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Eligibility\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyExpirationRuleArgs.builder()\n .id(\"Expiration_Admin_Assignment\")\n .isExpirationRequired(false)\n .maximumDuration(\"P90D\")\n .ruleType(\"RoleManagementPolicyExpirationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n 
RoleManagementPolicyEnablementRuleArgs.builder()\n .enabledRules( \n \"Justification\",\n \"MultiFactorAuthentication\")\n .id(\"Enablement_Admin_Assignment\")\n .ruleType(\"RoleManagementPolicyEnablementRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Admin_Admin_Assignment\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"admin_admin_member@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Admin\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Requestor_Admin_Assignment\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"requestor_admin_member@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Requestor\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Approver_Admin_Assignment\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"approver_admin_member@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Approver\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyExpirationRuleArgs.builder()\n .id(\"Expiration_EndUser_Assignment\")\n .isExpirationRequired(true)\n 
.maximumDuration(\"PT7H\")\n .ruleType(\"RoleManagementPolicyExpirationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyEnablementRuleArgs.builder()\n .enabledRules( \n \"Justification\",\n \"MultiFactorAuthentication\",\n \"Ticketing\")\n .id(\"Enablement_EndUser_Assignment\")\n .ruleType(\"RoleManagementPolicyEnablementRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyApprovalRuleArgs.builder()\n .id(\"Approval_EndUser_Assignment\")\n .ruleType(\"RoleManagementPolicyApprovalRule\")\n .setting(ApprovalSettingsArgs.builder()\n .approvalMode(\"SingleStage\")\n .approvalStages(ApprovalStageArgs.builder()\n .approvalStageTimeOutInDays(1)\n .escalationTimeInMinutes(0)\n .isApproverJustificationRequired(true)\n .isEscalationEnabled(false)\n .primaryApprovers( \n UserSetArgs.builder()\n .description(\"amansw_new_group\")\n .id(\"2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\")\n .isBackup(false)\n .userType(\"Group\")\n .build(),\n UserSetArgs.builder()\n .description(\"amansw_group\")\n .id(\"2f4913c9-d15b-406a-9946-1d66a28f2690\")\n .isBackup(false)\n .userType(\"Group\")\n .build())\n .build())\n .isApprovalRequired(true)\n .isApprovalRequiredForExtension(false)\n .isRequestorJustificationRequired(true)\n .build())\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyAuthenticationContextRuleArgs.builder()\n .claimValue(\"\")\n .id(\"AuthenticationContext_EndUser_Assignment\")\n .isEnabled(false)\n .ruleType(\"RoleManagementPolicyAuthenticationContextRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n 
.build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Admin_EndUser_Assignment\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"admin_enduser_member@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Admin\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Requestor_EndUser_Assignment\")\n .isDefaultRecipientsEnabled(false)\n .notificationLevel(\"Critical\")\n .notificationRecipients(\"requestor_enduser_member@test.com\")\n .notificationType(\"Email\")\n .recipientType(\"Requestor\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyNotificationRuleArgs.builder()\n .id(\"Notification_Approver_EndUser_Assignment\")\n .isDefaultRecipientsEnabled(true)\n .notificationLevel(\"Critical\")\n .notificationType(\"Email\")\n .recipientType(\"Approver\")\n .ruleType(\"RoleManagementPolicyNotificationRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"EndUser\")\n .level(\"Assignment\")\n .operations(\"All\")\n .build())\n .build(),\n RoleManagementPolicyPimOnlyModeRuleArgs.builder()\n .id(\"PIMOnlyMode_Admin_Assignment\")\n .pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()\n .excludedAssignmentTypes(\"ServicePrincipalsAsTarget\")\n .excludes( \n UsersOrServicePrincipalSetArgs.builder()\n .id(\"ec42a424-a0c0-4418-8788-d19bdeb03704\")\n .type(\"User\")\n .build(),\n UsersOrServicePrincipalSetArgs.builder()\n .id(\"00029dfb-0218-4e7a-9a85-c15dc0c880bc\")\n .type(\"Group\")\n .build(),\n UsersOrServicePrincipalSetArgs.builder()\n 
.id(\"0000103d-1fc2-4ac8-81de-71517765655c\")\n .type(\"ServicePrincipal\")\n .build())\n .mode(\"Enabled\")\n .build())\n .ruleType(\"RoleManagementPolicyPimOnlyModeRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .enforcedSettings(\"all\")\n .inheritableSettings(\"all\")\n .level(\"Assignment\")\n .operations(\"all\")\n .targetObjects()\n .build())\n .build())\n .scope(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n .build());\n\n }\n}\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azure_native from \"@pulumi/azure-native\";\n\nconst roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\", {\n roleManagementPolicyName: \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules: [\n {\n id: \"Expiration_Admin_Eligibility\",\n isExpirationRequired: false,\n maximumDuration: \"P180D\",\n ruleType: \"RoleManagementPolicyExpirationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Admin_Admin_Eligibility\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"admin_admin_eligible@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Admin,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Requestor_Admin_Eligibility\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"requestor_admin_eligible@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: 
azure_native.authorization.RecipientType.Requestor,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Approver_Admin_Eligibility\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"approver_admin_eligible@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Approver,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n enabledRules: [],\n id: \"Enablement_Admin_Eligibility\",\n ruleType: \"RoleManagementPolicyEnablementRule\",\n target: {\n caller: \"Admin\",\n level: \"Eligibility\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Expiration_Admin_Assignment\",\n isExpirationRequired: false,\n maximumDuration: \"P90D\",\n ruleType: \"RoleManagementPolicyExpirationRule\",\n target: {\n caller: \"Admin\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n enabledRules: [\n azure_native.authorization.EnablementRules.Justification,\n azure_native.authorization.EnablementRules.MultiFactorAuthentication,\n ],\n id: \"Enablement_Admin_Assignment\",\n ruleType: \"RoleManagementPolicyEnablementRule\",\n target: {\n caller: \"Admin\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Admin_Admin_Assignment\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"admin_admin_member@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Admin,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n 
level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Requestor_Admin_Assignment\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"requestor_admin_member@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Requestor,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Approver_Admin_Assignment\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"approver_admin_member@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Approver,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"Admin\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Expiration_EndUser_Assignment\",\n isExpirationRequired: true,\n maximumDuration: \"PT7H\",\n ruleType: \"RoleManagementPolicyExpirationRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n enabledRules: [\n azure_native.authorization.EnablementRules.Justification,\n azure_native.authorization.EnablementRules.MultiFactorAuthentication,\n azure_native.authorization.EnablementRules.Ticketing,\n ],\n id: \"Enablement_EndUser_Assignment\",\n ruleType: \"RoleManagementPolicyEnablementRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Approval_EndUser_Assignment\",\n ruleType: \"RoleManagementPolicyApprovalRule\",\n setting: {\n approvalMode: azure_native.authorization.ApprovalMode.SingleStage,\n approvalStages: [{\n 
approvalStageTimeOutInDays: 1,\n escalationTimeInMinutes: 0,\n isApproverJustificationRequired: true,\n isEscalationEnabled: false,\n primaryApprovers: [\n {\n description: \"amansw_new_group\",\n id: \"2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\",\n isBackup: false,\n userType: azure_native.authorization.UserType.Group,\n },\n {\n description: \"amansw_group\",\n id: \"2f4913c9-d15b-406a-9946-1d66a28f2690\",\n isBackup: false,\n userType: azure_native.authorization.UserType.Group,\n },\n ],\n }],\n isApprovalRequired: true,\n isApprovalRequiredForExtension: false,\n isRequestorJustificationRequired: true,\n },\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n claimValue: \"\",\n id: \"AuthenticationContext_EndUser_Assignment\",\n isEnabled: false,\n ruleType: \"RoleManagementPolicyAuthenticationContextRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Admin_EndUser_Assignment\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"admin_enduser_member@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Admin,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Requestor_EndUser_Assignment\",\n isDefaultRecipientsEnabled: false,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationRecipients: [\"requestor_enduser_member@test.com\"],\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Requestor,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n 
operations: [\"All\"],\n },\n },\n {\n id: \"Notification_Approver_EndUser_Assignment\",\n isDefaultRecipientsEnabled: true,\n notificationLevel: azure_native.authorization.NotificationLevel.Critical,\n notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,\n recipientType: azure_native.authorization.RecipientType.Approver,\n ruleType: \"RoleManagementPolicyNotificationRule\",\n target: {\n caller: \"EndUser\",\n level: \"Assignment\",\n operations: [\"All\"],\n },\n },\n {\n id: \"PIMOnlyMode_Admin_Assignment\",\n pimOnlyModeSettings: {\n excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],\n excludes: [\n {\n id: \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n type: azure_native.authorization.UserType.User,\n },\n {\n id: \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n type: azure_native.authorization.UserType.Group,\n },\n {\n id: \"0000103d-1fc2-4ac8-81de-71517765655c\",\n type: azure_native.authorization.UserType.ServicePrincipal,\n },\n ],\n mode: azure_native.authorization.PIMOnlyMode.Enabled,\n },\n ruleType: \"RoleManagementPolicyPimOnlyModeRule\",\n target: {\n caller: \"Admin\",\n enforcedSettings: [\"all\"],\n inheritableSettings: [\"all\"],\n level: \"Assignment\",\n operations: [\"all\"],\n targetObjects: [],\n },\n },\n ],\n scope: \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n});\n\n```\n\n```python\nimport pulumi\nimport pulumi_azure_native as azure_native\n\nrole_management_policy = azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\",\n role_management_policy_name=\"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules=[\n {\n \"id\": \"Expiration_Admin_Eligibility\",\n \"is_expiration_required\": False,\n \"maximum_duration\": \"P180D\",\n \"rule_type\": \"RoleManagementPolicyExpirationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": 
\"Notification_Admin_Admin_Eligibility\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"admin_admin_eligible@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.ADMIN,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Requestor_Admin_Eligibility\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"requestor_admin_eligible@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.REQUESTOR,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Approver_Admin_Eligibility\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"approver_admin_eligible@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.APPROVER,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"enabled_rules\": [],\n \"id\": \"Enablement_Admin_Eligibility\",\n \"rule_type\": \"RoleManagementPolicyEnablementRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Eligibility\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": 
\"Expiration_Admin_Assignment\",\n \"is_expiration_required\": False,\n \"maximum_duration\": \"P90D\",\n \"rule_type\": \"RoleManagementPolicyExpirationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"enabled_rules\": [\n azure_native.authorization.EnablementRules.JUSTIFICATION,\n azure_native.authorization.EnablementRules.MULTI_FACTOR_AUTHENTICATION,\n ],\n \"id\": \"Enablement_Admin_Assignment\",\n \"rule_type\": \"RoleManagementPolicyEnablementRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Admin_Admin_Assignment\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"admin_admin_member@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.ADMIN,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Requestor_Admin_Assignment\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"requestor_admin_member@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.REQUESTOR,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Approver_Admin_Assignment\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n 
\"notification_recipients\": [\"approver_admin_member@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.APPROVER,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Expiration_EndUser_Assignment\",\n \"is_expiration_required\": True,\n \"maximum_duration\": \"PT7H\",\n \"rule_type\": \"RoleManagementPolicyExpirationRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"enabled_rules\": [\n azure_native.authorization.EnablementRules.JUSTIFICATION,\n azure_native.authorization.EnablementRules.MULTI_FACTOR_AUTHENTICATION,\n azure_native.authorization.EnablementRules.TICKETING,\n ],\n \"id\": \"Enablement_EndUser_Assignment\",\n \"rule_type\": \"RoleManagementPolicyEnablementRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Approval_EndUser_Assignment\",\n \"rule_type\": \"RoleManagementPolicyApprovalRule\",\n \"setting\": {\n \"approval_mode\": azure_native.authorization.ApprovalMode.SINGLE_STAGE,\n \"approval_stages\": [{\n \"approval_stage_time_out_in_days\": 1,\n \"escalation_time_in_minutes\": 0,\n \"is_approver_justification_required\": True,\n \"is_escalation_enabled\": False,\n \"primary_approvers\": [\n {\n \"description\": \"amansw_new_group\",\n \"id\": \"2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\",\n \"is_backup\": False,\n \"user_type\": azure_native.authorization.UserType.GROUP,\n },\n {\n \"description\": \"amansw_group\",\n \"id\": \"2f4913c9-d15b-406a-9946-1d66a28f2690\",\n \"is_backup\": False,\n \"user_type\": azure_native.authorization.UserType.GROUP,\n },\n ],\n }],\n \"is_approval_required\": True,\n \"is_approval_required_for_extension\": False,\n 
\"is_requestor_justification_required\": True,\n },\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"claim_value\": \"\",\n \"id\": \"AuthenticationContext_EndUser_Assignment\",\n \"is_enabled\": False,\n \"rule_type\": \"RoleManagementPolicyAuthenticationContextRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Admin_EndUser_Assignment\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"admin_enduser_member@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.ADMIN,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Requestor_EndUser_Assignment\",\n \"is_default_recipients_enabled\": False,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_recipients\": [\"requestor_enduser_member@test.com\"],\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.REQUESTOR,\n \"rule_type\": \"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"Notification_Approver_EndUser_Assignment\",\n \"is_default_recipients_enabled\": True,\n \"notification_level\": azure_native.authorization.NotificationLevel.CRITICAL,\n \"notification_type\": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,\n \"recipient_type\": azure_native.authorization.RecipientType.APPROVER,\n \"rule_type\": 
\"RoleManagementPolicyNotificationRule\",\n \"target\": {\n \"caller\": \"EndUser\",\n \"level\": \"Assignment\",\n \"operations\": [\"All\"],\n },\n },\n {\n \"id\": \"PIMOnlyMode_Admin_Assignment\",\n \"pim_only_mode_settings\": {\n \"excluded_assignment_types\": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],\n \"excludes\": [\n {\n \"id\": \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n \"type\": azure_native.authorization.UserType.USER,\n },\n {\n \"id\": \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n \"type\": azure_native.authorization.UserType.GROUP,\n },\n {\n \"id\": \"0000103d-1fc2-4ac8-81de-71517765655c\",\n \"type\": azure_native.authorization.UserType.SERVICE_PRINCIPAL,\n },\n ],\n \"mode\": azure_native.authorization.PIMOnlyMode.ENABLED,\n },\n \"rule_type\": \"RoleManagementPolicyPimOnlyModeRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"enforced_settings\": [\"all\"],\n \"inheritable_settings\": [\"all\"],\n \"level\": \"Assignment\",\n \"operations\": [\"all\"],\n \"target_objects\": [],\n },\n },\n ],\n scope=\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n\n```\n\n```yaml\nresources:\n roleManagementPolicy:\n type: azure-native:authorization:RoleManagementPolicy\n properties:\n roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a\n rules:\n - id: Expiration_Admin_Eligibility\n isExpirationRequired: false\n maximumDuration: P180D\n ruleType: RoleManagementPolicyExpirationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - id: Notification_Admin_Admin_Eligibility\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - admin_admin_eligible@test.com\n notificationType: Email\n recipientType: Admin\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - id: Notification_Requestor_Admin_Eligibility\n isDefaultRecipientsEnabled: false\n 
notificationLevel: Critical\n notificationRecipients:\n - requestor_admin_eligible@test.com\n notificationType: Email\n recipientType: Requestor\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - id: Notification_Approver_Admin_Eligibility\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - approver_admin_eligible@test.com\n notificationType: Email\n recipientType: Approver\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - enabledRules: []\n id: Enablement_Admin_Eligibility\n ruleType: RoleManagementPolicyEnablementRule\n target:\n caller: Admin\n level: Eligibility\n operations:\n - All\n - id: Expiration_Admin_Assignment\n isExpirationRequired: false\n maximumDuration: P90D\n ruleType: RoleManagementPolicyExpirationRule\n target:\n caller: Admin\n level: Assignment\n operations:\n - All\n - enabledRules:\n - Justification\n - MultiFactorAuthentication\n id: Enablement_Admin_Assignment\n ruleType: RoleManagementPolicyEnablementRule\n target:\n caller: Admin\n level: Assignment\n operations:\n - All\n - id: Notification_Admin_Admin_Assignment\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - admin_admin_member@test.com\n notificationType: Email\n recipientType: Admin\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Assignment\n operations:\n - All\n - id: Notification_Requestor_Admin_Assignment\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - requestor_admin_member@test.com\n notificationType: Email\n recipientType: Requestor\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Assignment\n operations:\n - All\n - id: Notification_Approver_Admin_Assignment\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n 
notificationRecipients:\n - approver_admin_member@test.com\n notificationType: Email\n recipientType: Approver\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: Admin\n level: Assignment\n operations:\n - All\n - id: Expiration_EndUser_Assignment\n isExpirationRequired: true\n maximumDuration: PT7H\n ruleType: RoleManagementPolicyExpirationRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - enabledRules:\n - Justification\n - MultiFactorAuthentication\n - Ticketing\n id: Enablement_EndUser_Assignment\n ruleType: RoleManagementPolicyEnablementRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - id: Approval_EndUser_Assignment\n ruleType: RoleManagementPolicyApprovalRule\n setting:\n approvalMode: SingleStage\n approvalStages:\n - approvalStageTimeOutInDays: 1\n escalationTimeInMinutes: 0\n isApproverJustificationRequired: true\n isEscalationEnabled: false\n primaryApprovers:\n - description: amansw_new_group\n id: 2385b0f3-5fa9-43cf-8ca4-b01dc97298cd\n isBackup: false\n userType: Group\n - description: amansw_group\n id: 2f4913c9-d15b-406a-9946-1d66a28f2690\n isBackup: false\n userType: Group\n isApprovalRequired: true\n isApprovalRequiredForExtension: false\n isRequestorJustificationRequired: true\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - claimValue:\n id: AuthenticationContext_EndUser_Assignment\n isEnabled: false\n ruleType: RoleManagementPolicyAuthenticationContextRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - id: Notification_Admin_EndUser_Assignment\n isDefaultRecipientsEnabled: false\n notificationLevel: Critical\n notificationRecipients:\n - admin_enduser_member@test.com\n notificationType: Email\n recipientType: Admin\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - id: Notification_Requestor_EndUser_Assignment\n isDefaultRecipientsEnabled: false\n 
notificationLevel: Critical\n notificationRecipients:\n - requestor_enduser_member@test.com\n notificationType: Email\n recipientType: Requestor\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - id: Notification_Approver_EndUser_Assignment\n isDefaultRecipientsEnabled: true\n notificationLevel: Critical\n notificationType: Email\n recipientType: Approver\n ruleType: RoleManagementPolicyNotificationRule\n target:\n caller: EndUser\n level: Assignment\n operations:\n - All\n - id: PIMOnlyMode_Admin_Assignment\n pimOnlyModeSettings:\n excludedAssignmentTypes:\n - ServicePrincipalsAsTarget\n excludes:\n - id: ec42a424-a0c0-4418-8788-d19bdeb03704\n type: User\n - id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc\n type: Group\n - id: 0000103d-1fc2-4ac8-81de-71517765655c\n type: ServicePrincipal\n mode: Enabled\n ruleType: RoleManagementPolicyPimOnlyModeRule\n target:\n caller: Admin\n enforcedSettings:\n - all\n inheritableSettings:\n - all\n level: Assignment\n operations:\n - all\n targetObjects: []\n scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\n\n```\n\n{{% /example %}}\n{{% example %}}\n### PatchRoleManagementPolicyToEnablePIMOnlyMode\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureNative = Pulumi.AzureNative;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy(\"roleManagementPolicy\", new()\n {\n RoleManagementPolicyName = \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n Rules = new[]\n {\n new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs\n {\n Id = \"PIMOnlyMode_Admin_Assignment\",\n PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs\n {\n ExcludedAssignmentTypes = new[]\n {\n AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,\n },\n Excludes = new[]\n 
{\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n Type = AzureNative.Authorization.UserType.User,\n },\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n Type = AzureNative.Authorization.UserType.Group,\n },\n new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs\n {\n Id = \"0000103d-1fc2-4ac8-81de-71517765655c\",\n Type = AzureNative.Authorization.UserType.ServicePrincipal,\n },\n },\n Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,\n },\n RuleType = \"RoleManagementPolicyPimOnlyModeRule\",\n Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs\n {\n Caller = \"Admin\",\n EnforcedSettings = new[]\n {\n \"all\",\n },\n InheritableSettings = new[]\n {\n \"all\",\n },\n Level = \"Assignment\",\n Operations = new[]\n {\n \"all\",\n },\n TargetObjects = new() { },\n },\n },\n },\n Scope = \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n });\n\n});\n\n\n```\n\n```go\npackage main\n\nimport (\n\tauthorization \"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := authorization.NewRoleManagementPolicy(ctx, \"roleManagementPolicy\", \u0026authorization.RoleManagementPolicyArgs{\n\t\t\tRoleManagementPolicyName: pulumi.String(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\"),\n\t\t\tRules: pulumi.Array{\n\t\t\t\tauthorization.RoleManagementPolicyPimOnlyModeRule{\n\t\t\t\t\tId: \"PIMOnlyMode_Admin_Assignment\",\n\t\t\t\t\tPimOnlyModeSettings: authorization.PIMOnlyModeSettings{\n\t\t\t\t\t\tExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{\n\t\t\t\t\t\t\tauthorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExcludes: 
[]authorization.UsersOrServicePrincipalSet{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeUser,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeGroup,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tId: \"0000103d-1fc2-4ac8-81de-71517765655c\",\n\t\t\t\t\t\t\t\tType: authorization.UserTypeServicePrincipal,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tMode: authorization.PIMOnlyModeEnabled,\n\t\t\t\t\t},\n\t\t\t\t\tRuleType: \"RoleManagementPolicyPimOnlyModeRule\",\n\t\t\t\t\tTarget: authorization.RoleManagementPolicyRuleTarget{\n\t\t\t\t\t\tCaller: \"Admin\",\n\t\t\t\t\t\tEnforcedSettings: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tInheritableSettings: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tLevel: \"Assignment\",\n\t\t\t\t\t\tOperations: []string{\n\t\t\t\t\t\t\t\"all\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tTargetObjects: []interface{}{},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tScope: pulumi.String(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicy;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var roleManagementPolicy = new RoleManagementPolicy(\"roleManagementPolicy\", RoleManagementPolicyArgs.builder()\n 
.roleManagementPolicyName(\"570c3619-7688-4b34-b290-2b8bb3ccab2a\")\n .rules(RoleManagementPolicyPimOnlyModeRuleArgs.builder()\n .id(\"PIMOnlyMode_Admin_Assignment\")\n .pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()\n .excludedAssignmentTypes(\"ServicePrincipalsAsTarget\")\n .excludes( \n UsersOrServicePrincipalSetArgs.builder()\n .id(\"ec42a424-a0c0-4418-8788-d19bdeb03704\")\n .type(\"User\")\n .build(),\n UsersOrServicePrincipalSetArgs.builder()\n .id(\"00029dfb-0218-4e7a-9a85-c15dc0c880bc\")\n .type(\"Group\")\n .build(),\n UsersOrServicePrincipalSetArgs.builder()\n .id(\"0000103d-1fc2-4ac8-81de-71517765655c\")\n .type(\"ServicePrincipal\")\n .build())\n .mode(\"Enabled\")\n .build())\n .ruleType(\"RoleManagementPolicyPimOnlyModeRule\")\n .target(RoleManagementPolicyRuleTargetArgs.builder()\n .caller(\"Admin\")\n .enforcedSettings(\"all\")\n .inheritableSettings(\"all\")\n .level(\"Assignment\")\n .operations(\"all\")\n .targetObjects()\n .build())\n .build())\n .scope(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n .build());\n\n }\n}\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azure_native from \"@pulumi/azure-native\";\n\nconst roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\", {\n roleManagementPolicyName: \"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules: [{\n id: \"PIMOnlyMode_Admin_Assignment\",\n pimOnlyModeSettings: {\n excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],\n excludes: [\n {\n id: \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n type: azure_native.authorization.UserType.User,\n },\n {\n id: \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n type: azure_native.authorization.UserType.Group,\n },\n {\n id: \"0000103d-1fc2-4ac8-81de-71517765655c\",\n type: azure_native.authorization.UserType.ServicePrincipal,\n },\n ],\n mode: 
azure_native.authorization.PIMOnlyMode.Enabled,\n },\n ruleType: \"RoleManagementPolicyPimOnlyModeRule\",\n target: {\n caller: \"Admin\",\n enforcedSettings: [\"all\"],\n inheritableSettings: [\"all\"],\n level: \"Assignment\",\n operations: [\"all\"],\n targetObjects: [],\n },\n }],\n scope: \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n});\n\n```\n\n```python\nimport pulumi\nimport pulumi_azure_native as azure_native\n\nrole_management_policy = azure_native.authorization.RoleManagementPolicy(\"roleManagementPolicy\",\n role_management_policy_name=\"570c3619-7688-4b34-b290-2b8bb3ccab2a\",\n rules=[{\n \"id\": \"PIMOnlyMode_Admin_Assignment\",\n \"pim_only_mode_settings\": {\n \"excluded_assignment_types\": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],\n \"excludes\": [\n {\n \"id\": \"ec42a424-a0c0-4418-8788-d19bdeb03704\",\n \"type\": azure_native.authorization.UserType.USER,\n },\n {\n \"id\": \"00029dfb-0218-4e7a-9a85-c15dc0c880bc\",\n \"type\": azure_native.authorization.UserType.GROUP,\n },\n {\n \"id\": \"0000103d-1fc2-4ac8-81de-71517765655c\",\n \"type\": azure_native.authorization.UserType.SERVICE_PRINCIPAL,\n },\n ],\n \"mode\": azure_native.authorization.PIMOnlyMode.ENABLED,\n },\n \"rule_type\": \"RoleManagementPolicyPimOnlyModeRule\",\n \"target\": {\n \"caller\": \"Admin\",\n \"enforced_settings\": [\"all\"],\n \"inheritable_settings\": [\"all\"],\n \"level\": \"Assignment\",\n \"operations\": [\"all\"],\n \"target_objects\": [],\n },\n }],\n scope=\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n\n```\n\n```yaml\nresources:\n roleManagementPolicy:\n type: azure-native:authorization:RoleManagementPolicy\n properties:\n roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a\n rules:\n - id: PIMOnlyMode_Admin_Assignment\n pimOnlyModeSettings:\n excludedAssignmentTypes:\n - ServicePrincipalsAsTarget\n excludes:\n - id: 
ec42a424-a0c0-4418-8788-d19bdeb03704\n type: User\n - id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc\n type: Group\n - id: 0000103d-1fc2-4ac8-81de-71517765655c\n type: ServicePrincipal\n mode: Enabled\n ruleType: RoleManagementPolicyPimOnlyModeRule\n target:\n caller: Admin\n enforcedSettings:\n - all\n inheritableSettings:\n - all\n level: Assignment\n operations:\n - all\n targetObjects: []\n scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\n\n```\n\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nAn existing resource can be imported using its type token, name, and identifier, e.g.\n\n```sh\n$ pulumi import azure-native:authorization:RoleManagementPolicy 570c3619-7688-4b34-b290-2b8bb3ccab2a /{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyName} \n```\n",
+ "properties": {
+ "description": {
+ "type": "string",
+ "description": "The role management policy description."
+ },
+ "displayName": {
+ "type": "string",
+ "description": "The role management policy display name."
+ },
+ "effectiveRules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ ],
+ "discriminator": {
+ "propertyName": "ruleType",
+ "mapping": {
+ "RoleManagementPolicyApprovalRule": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse",
+ "RoleManagementPolicyAuthenticationContextRule": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse",
+ "RoleManagementPolicyEnablementRule": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse",
+ "RoleManagementPolicyExpirationRule": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse",
+ "RoleManagementPolicyNotificationRule": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse",
+ "RoleManagementPolicyPimOnlyModeRule": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ }
+ },
+ "description": "The readonly computed rule applied to the policy."
+ },
+ "isOrganizationDefault": {
+ "type": "boolean",
+ "description": "The role management policy is default policy."
+ },
+ "lastModifiedBy": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PrincipalResponse",
+ "description": "The name of the entity last modified it"
+ },
+ "lastModifiedDateTime": {
+ "type": "string",
+ "description": "The last modified date time."
+ },
+ "name": {
+ "type": "string",
+ "description": "The role management policy name."
+ },
+ "policyProperties": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PolicyPropertiesResponse",
+ "description": "Additional properties of scope"
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ ],
+ "discriminator": {
+ "propertyName": "ruleType",
+ "mapping": {
+ "RoleManagementPolicyApprovalRule": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse",
+ "RoleManagementPolicyAuthenticationContextRule": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse",
+ "RoleManagementPolicyEnablementRule": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse",
+ "RoleManagementPolicyExpirationRule": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse",
+ "RoleManagementPolicyNotificationRule": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse",
+ "RoleManagementPolicyPimOnlyModeRule": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ }
+ },
+ "description": "The rule applied to the policy."
+ },
+ "scope": {
+ "type": "string",
+ "description": "The role management policy scope."
+ },
+ "type": {
+ "type": "string",
+ "description": "The role management policy type."
+ }
+ },
+ "type": "object",
+ "required": [
+ "effectiveRules",
+ "lastModifiedBy",
+ "lastModifiedDateTime",
+ "name",
+ "policyProperties",
+ "type"
+ ],
+ "inputProperties": {
+ "description": {
+ "type": "string",
+ "description": "The role management policy description."
+ },
+ "displayName": {
+ "type": "string",
+ "description": "The role management policy display name."
+ },
+ "isOrganizationDefault": {
+ "type": "boolean",
+ "description": "The role management policy is default policy."
+ },
+ "roleManagementPolicyName": {
+ "type": "string",
+ "description": "The name (guid) of the role management policy to upsert.",
+ "willReplaceOnChanges": true
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRule"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRule"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRule"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRule"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRule"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRule"
+ }
+ ],
+ "discriminator": {
+ "propertyName": "ruleType",
+ "mapping": {
+ "RoleManagementPolicyApprovalRule": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRule",
+ "RoleManagementPolicyAuthenticationContextRule": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRule",
+ "RoleManagementPolicyEnablementRule": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRule",
+ "RoleManagementPolicyExpirationRule": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRule",
+ "RoleManagementPolicyNotificationRule": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRule",
+ "RoleManagementPolicyPimOnlyModeRule": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRule"
+ }
+ }
+ },
+ "description": "The rule applied to the policy."
+ },
+ "scope": {
+ "type": "string",
+ "description": "The role management policy scope."
+ }
+ },
+ "requiredInputs": [
+ "scope"
+ ],
+ "aliases": [
+ {
+ "type": "azure-native:authorization/v20201001:RoleManagementPolicy"
+ },
+ {
+ "type": "azure-native:authorization/v20201001preview:RoleManagementPolicy"
+ },
+ {
+ "type": "azure-native:authorization/v20240201preview:RoleManagementPolicy"
+ },
+ {
+ "type": "azure-native:authorization/v20240901preview:RoleManagementPolicy"
+ }
+ ]
+ },
"azure-native:authorization:RoleManagementPolicyAssignment": {
"description": "Role management policy\nAzure REST API version: 2020-10-01. Prior API version in Azure Native 1.x: 2020-10-01.\n\nOther available API versions: 2020-10-01-preview, 2024-02-01-preview, 2024-09-01-preview.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n### PutRoleManagementPolicyAssignment\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureNative = Pulumi.AzureNative;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var roleManagementPolicyAssignment = new AzureNative.Authorization.RoleManagementPolicyAssignment(\"roleManagementPolicyAssignment\", new()\n {\n PolicyId = \"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\",\n RoleDefinitionId = \"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n RoleManagementPolicyAssignmentName = \"b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n Scope = \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n });\n\n});\n\n\n```\n\n```go\npackage main\n\nimport (\n\tauthorization \"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := authorization.NewRoleManagementPolicyAssignment(ctx, \"roleManagementPolicyAssignment\", \u0026authorization.RoleManagementPolicyAssignmentArgs{\n\t\t\tPolicyId: pulumi.String(\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\"),\n\t\t\tRoleDefinitionId: 
pulumi.String(\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\"),\n\t\t\tRoleManagementPolicyAssignmentName: pulumi.String(\"b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\"),\n\t\t\tScope: pulumi.String(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n\n```\n\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicyAssignment;\nimport com.pulumi.azurenative.authorization.RoleManagementPolicyAssignmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var roleManagementPolicyAssignment = new RoleManagementPolicyAssignment(\"roleManagementPolicyAssignment\", RoleManagementPolicyAssignmentArgs.builder()\n .policyId(\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\")\n .roleDefinitionId(\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\")\n .roleManagementPolicyAssignmentName(\"b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\")\n .scope(\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n .build());\n\n }\n}\n\n```\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azure_native from \"@pulumi/azure-native\";\n\nconst roleManagementPolicyAssignment = new 
azure_native.authorization.RoleManagementPolicyAssignment(\"roleManagementPolicyAssignment\", {\n policyId: \"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\",\n roleDefinitionId: \"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n roleManagementPolicyAssignmentName: \"b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n scope: \"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\",\n});\n\n```\n\n```python\nimport pulumi\nimport pulumi_azure_native as azure_native\n\nrole_management_policy_assignment = azure_native.authorization.RoleManagementPolicyAssignment(\"roleManagementPolicyAssignment\",\n policy_id=\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\",\n role_definition_id=\"/subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n role_management_policy_assignment_name=\"b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\",\n scope=\"providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\")\n\n```\n\n```yaml\nresources:\n roleManagementPolicyAssignment:\n type: azure-native:authorization:RoleManagementPolicyAssignment\n properties:\n policyId: /subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleManagementPolicies/b959d571-f0b5-4042-88a7-01be6cb22db9\n roleDefinitionId: /subscriptions/129ff972-28f8-46b8-a726-e497be039368/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24\n roleManagementPolicyAssignmentName: b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24\n scope: 
providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368\n\n```\n\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nAn existing resource can be imported using its type token, name, and identifier, e.g.\n\n```sh\n$ pulumi import azure-native:authorization:RoleManagementPolicyAssignment b959d571-f0b5-4042-88a7-01be6cb22db9_a1705bd2-3a8f-45a5-8683-466fcfd5cc24 /{scope}/providers/Microsoft.Authorization/roleManagementPolicyAssignments/{roleManagementPolicyAssignmentName} \n```\n",
"properties": {
@@ -840408,6 +841317,171 @@
]
}
},
+ "azure-native:authorization:getRoleManagementPolicy": {
+ "description": "Get the specified role management policy for a resource scope\nAzure REST API version: 2024-09-01-preview.\n\nOther available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview.",
+ "inputs": {
+ "properties": {
+ "roleManagementPolicyName": {
+ "type": "string",
+ "description": "The name (guid) of the role management policy to get.",
+ "willReplaceOnChanges": true
+ },
+ "scope": {
+ "type": "string",
+ "description": "The scope of the role management policy.",
+ "willReplaceOnChanges": true
+ }
+ },
+ "type": "object",
+ "required": [
+ "roleManagementPolicyName",
+ "scope"
+ ]
+ },
+ "outputs": {
+ "description": "Role management policy",
+ "properties": {
+ "description": {
+ "type": "string",
+ "description": "The role management policy description."
+ },
+ "displayName": {
+ "type": "string",
+ "description": "The role management policy display name."
+ },
+ "effectiveRules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ ],
+ "discriminator": {
+ "propertyName": "ruleType",
+ "mapping": {
+ "RoleManagementPolicyApprovalRule": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse",
+ "RoleManagementPolicyAuthenticationContextRule": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse",
+ "RoleManagementPolicyEnablementRule": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse",
+ "RoleManagementPolicyExpirationRule": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse",
+ "RoleManagementPolicyNotificationRule": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse",
+ "RoleManagementPolicyPimOnlyModeRule": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ }
+ },
+ "description": "The readonly computed rule applied to the policy."
+ },
+ "id": {
+ "type": "string",
+ "description": "The role management policy Id."
+ },
+ "isOrganizationDefault": {
+ "type": "boolean",
+ "description": "The role management policy is default policy."
+ },
+ "lastModifiedBy": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PrincipalResponse",
+ "description": "The name of the entity last modified it"
+ },
+ "lastModifiedDateTime": {
+ "type": "string",
+ "description": "The last modified date time."
+ },
+ "name": {
+ "type": "string",
+ "description": "The role management policy name."
+ },
+ "policyProperties": {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:PolicyPropertiesResponse",
+ "description": "Additional properties of scope"
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "oneOf": [
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse"
+ },
+ {
+ "type": "object",
+ "$ref": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ ],
+ "discriminator": {
+ "propertyName": "ruleType",
+ "mapping": {
+ "RoleManagementPolicyApprovalRule": "#/types/azure-native:authorization:RoleManagementPolicyApprovalRuleResponse",
+ "RoleManagementPolicyAuthenticationContextRule": "#/types/azure-native:authorization:RoleManagementPolicyAuthenticationContextRuleResponse",
+ "RoleManagementPolicyEnablementRule": "#/types/azure-native:authorization:RoleManagementPolicyEnablementRuleResponse",
+ "RoleManagementPolicyExpirationRule": "#/types/azure-native:authorization:RoleManagementPolicyExpirationRuleResponse",
+ "RoleManagementPolicyNotificationRule": "#/types/azure-native:authorization:RoleManagementPolicyNotificationRuleResponse",
+ "RoleManagementPolicyPimOnlyModeRule": "#/types/azure-native:authorization:RoleManagementPolicyPimOnlyModeRuleResponse"
+ }
+ }
+ },
+ "description": "The rule applied to the policy."
+ },
+ "scope": {
+ "type": "string",
+ "description": "The role management policy scope."
+ },
+ "type": {
+ "type": "string",
+ "description": "The role management policy type."
+ }
+ },
+ "type": "object",
+ "required": [
+ "effectiveRules",
+ "id",
+ "lastModifiedBy",
+ "lastModifiedDateTime",
+ "name",
+ "policyProperties",
+ "type"
+ ]
+ }
+ },
"azure-native:authorization:getRoleManagementPolicyAssignment": {
"description": "Get the specified role management policy assignment for a resource scope\nAzure REST API version: 2020-10-01.\n\nOther available API versions: 2020-10-01-preview, 2024-02-01-preview, 2024-09-01-preview.",
"inputs": {
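Review bot: The new `getRoleManagementPolicy` entry defaults to a preview API (`Azure REST API version: 2024-09-01-preview` in its description), while the neighbouring `getRoleManagementPolicyAssignment` stays on the stable `2020-10-01`, so by default a policy and its assignment are read through different API versions. These rules govern approval, MFA and expiration for privileged role activation, and a preview contract can change shape between releases; presumably the preview was chosen to expose `RoleManagementPolicyPimOnlyModeRule`, but the hunk does not record that reasoning. I would either pin the default to `2020-10-01` or state the choice in the description, e.g. `Azure REST API version: 2024-09-01-preview (preview; stable alternative: 2020-10-01).` If schema.json is generated, the edit belongs in the version configuration that produces it, which is not part of this hunk.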
diff --git a/reports/allEndpoints.json b/reports/allEndpoints.json
index b7821f13af1f..860ebc851fd7 100644
--- a/reports/allEndpoints.json
+++ b/reports/allEndpoints.json
@@ -9044,7 +9044,8 @@
"DELETE",
"GET",
"PATCH"
- ]
+ ],
+ "Added": true
}
},
"RoleManagementPolicyAssignments": {
diff --git a/reports/allResourceVersionsByResource.json b/reports/allResourceVersionsByResource.json
index f022f28e155a..8bed7d19eb1a 100644
--- a/reports/allResourceVersionsByResource.json
+++ b/reports/allResourceVersionsByResource.json
@@ -3080,6 +3080,12 @@
"2022-04-01",
"2022-05-01-preview"
],
+ "RoleManagementPolicy": [
+ "2020-10-01",
+ "2020-10-01-preview",
+ "2024-02-01-preview",
+ "2024-09-01-preview"
+ ],
"RoleManagementPolicyAssignment": [
"2020-10-01",
"2020-10-01-preview",
diff --git a/reports/allResourcesByVersion.json b/reports/allResourcesByVersion.json
index 92a0a918c56f..bb51a8d5dc40 100644
--- a/reports/allResourcesByVersion.json
+++ b/reports/allResourcesByVersion.json
@@ -2788,10 +2788,12 @@
"PolicySetDefinitionAtManagementGroup"
],
"2020-10-01": [
+ "RoleManagementPolicy",
"RoleManagementPolicyAssignment"
],
"2020-10-01-preview": [
"RoleAssignment",
+ "RoleManagementPolicy",
"RoleManagementPolicyAssignment"
],
"2021-03-01-preview": [
@@ -2854,6 +2856,7 @@
"listPolicySetDefinitionVersionAllBuiltins"
],
"2024-02-01-preview": [
+ "RoleManagementPolicy",
"RoleManagementPolicyAssignment"
],
"2024-04-01": [
@@ -2877,6 +2880,7 @@
"listPolicySetDefinitionVersionAllBuiltins"
],
"2024-09-01-preview": [
+ "RoleManagementPolicy",
"RoleManagementPolicyAssignment"
]
},
diff --git a/sdk/dotnet/Authorization/Enums.cs b/sdk/dotnet/Authorization/Enums.cs
index 022b9075a77d..2d67e1929e37 100644
--- a/sdk/dotnet/Authorization/Enums.cs
+++ b/sdk/dotnet/Authorization/Enums.cs
@@ -104,6 +104,39 @@ private AccessReviewResult(string value)
public override string ToString() => _value;
}
+ ///
+ /// The type of rule
+ ///
+ [EnumType]
+ public readonly struct ApprovalMode : IEquatable
+ {
+ private readonly string _value;
+
+ private ApprovalMode(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static ApprovalMode SingleStage { get; } = new ApprovalMode("SingleStage");
+ public static ApprovalMode Serial { get; } = new ApprovalMode("Serial");
+ public static ApprovalMode Parallel { get; } = new ApprovalMode("Parallel");
+ public static ApprovalMode NoApproval { get; } = new ApprovalMode("NoApproval");
+
+ public static bool operator ==(ApprovalMode left, ApprovalMode right) => left.Equals(right);
+ public static bool operator !=(ApprovalMode left, ApprovalMode right) => !left.Equals(right);
+
+ public static explicit operator string(ApprovalMode value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is ApprovalMode other && Equals(other);
+ public bool Equals(ApprovalMode other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The option whether validate the exemption is at or under the assignment scope.
///
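Review bot: `default(ApprovalMode)` bypasses the null check in the private constructor, so `_value` can be null and both `ToString()` and the explicit `string` conversion then return null from members typed as non-nullable `string`. `GetHashCode()` already allows for that state with `_value?.GetHashCode() ?? 0`, so the struct is inconsistent about whether a default instance is legal. If a default instance must never reach serialization, say so in a comment on the struct; otherwise `public override string ToString() => _value ?? string.Empty;` keeps the override's contract, though its effect on how the value is serialized should be checked first. The same pattern repeats in the EnablementRules, ExcludedPrincipalTypes, NotificationDeliveryMechanism, NotificationLevel, PIMOnlyMode, RecipientType, RoleManagementPolicyRuleType and UserType hunks below. These SDK sources look generated, so the change probably belongs in the generator template rather than in this file.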
@@ -173,6 +206,38 @@ private DefaultDecisionType(string value)
public override string ToString() => _value;
}
+ ///
+ /// The type of enablement rule
+ ///
+ [EnumType]
+ public readonly struct EnablementRules : IEquatable
+ {
+ private readonly string _value;
+
+ private EnablementRules(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static EnablementRules MultiFactorAuthentication { get; } = new EnablementRules("MultiFactorAuthentication");
+ public static EnablementRules Justification { get; } = new EnablementRules("Justification");
+ public static EnablementRules Ticketing { get; } = new EnablementRules("Ticketing");
+
+ public static bool operator ==(EnablementRules left, EnablementRules right) => left.Equals(right);
+ public static bool operator !=(EnablementRules left, EnablementRules right) => !left.Equals(right);
+
+ public static explicit operator string(EnablementRules value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is EnablementRules other && Equals(other);
+ public bool Equals(EnablementRules other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The policy assignment enforcement mode. Possible values are Default and DoNotEnforce.
///
@@ -210,6 +275,34 @@ private EnforcementMode(string value)
public override string ToString() => _value;
}
+ [EnumType]
+ public readonly struct ExcludedPrincipalTypes : IEquatable
+ {
+ private readonly string _value;
+
+ private ExcludedPrincipalTypes(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static ExcludedPrincipalTypes ServicePrincipalsAsTarget { get; } = new ExcludedPrincipalTypes("ServicePrincipalsAsTarget");
+ public static ExcludedPrincipalTypes ServicePrincipalsAsRequestor { get; } = new ExcludedPrincipalTypes("ServicePrincipalsAsRequestor");
+
+ public static bool operator ==(ExcludedPrincipalTypes left, ExcludedPrincipalTypes right) => left.Equals(right);
+ public static bool operator !=(ExcludedPrincipalTypes left, ExcludedPrincipalTypes right) => !left.Equals(right);
+
+ public static explicit operator string(ExcludedPrincipalTypes value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is ExcludedPrincipalTypes other && Equals(other);
+ public bool Equals(ExcludedPrincipalTypes other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The policy exemption category. Possible values are Waiver and Mitigated.
///
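Review bot: `ExcludedPrincipalTypes` is added without the `///` summary that the other enum structs in this diff carry. As a result `ServicePrincipalsAsTarget` and `ServicePrincipalsAsRequestor` appear in the API surface with no statement of what the principals are excluded from. For a setting that narrows which identities a role-management rule applies to, that ambiguity makes a misconfiguration easy to miss in review. A summary along the lines of `/// The principal types excluded from the rule.` would be a start, but the exact wording should come from the upstream API description, which this hunk does not show. The file looks generated, so the description likely needs to be added in the schema instead.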
@@ -279,6 +372,68 @@ private LockLevel(string value)
public override string ToString() => _value;
}
+ ///
+ /// The type of notification.
+ ///
+ [EnumType]
+ public readonly struct NotificationDeliveryMechanism : IEquatable
+ {
+ private readonly string _value;
+
+ private NotificationDeliveryMechanism(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static NotificationDeliveryMechanism Email { get; } = new NotificationDeliveryMechanism("Email");
+
+ public static bool operator ==(NotificationDeliveryMechanism left, NotificationDeliveryMechanism right) => left.Equals(right);
+ public static bool operator !=(NotificationDeliveryMechanism left, NotificationDeliveryMechanism right) => !left.Equals(right);
+
+ public static explicit operator string(NotificationDeliveryMechanism value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is NotificationDeliveryMechanism other && Equals(other);
+ public bool Equals(NotificationDeliveryMechanism other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
+ ///
+ /// The notification level.
+ ///
+ [EnumType]
+ public readonly struct NotificationLevel : IEquatable
+ {
+ private readonly string _value;
+
+ private NotificationLevel(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static NotificationLevel None { get; } = new NotificationLevel("None");
+ public static NotificationLevel Critical { get; } = new NotificationLevel("Critical");
+ public static NotificationLevel All { get; } = new NotificationLevel("All");
+
+ public static bool operator ==(NotificationLevel left, NotificationLevel right) => left.Equals(right);
+ public static bool operator !=(NotificationLevel left, NotificationLevel right) => !left.Equals(right);
+
+ public static explicit operator string(NotificationLevel value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is NotificationLevel other && Equals(other);
+ public bool Equals(NotificationLevel other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The override kind.
///
@@ -312,6 +467,38 @@ private OverrideKind(string value)
public override string ToString() => _value;
}
+ ///
+ /// Determines whether the setting is enabled, disabled or report only.
+ ///
+ [EnumType]
+ public readonly struct PIMOnlyMode : IEquatable
+ {
+ private readonly string _value;
+
+ private PIMOnlyMode(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static PIMOnlyMode Disabled { get; } = new PIMOnlyMode("Disabled");
+ public static PIMOnlyMode Enabled { get; } = new PIMOnlyMode("Enabled");
+ public static PIMOnlyMode ReportOnly { get; } = new PIMOnlyMode("ReportOnly");
+
+ public static bool operator ==(PIMOnlyMode left, PIMOnlyMode right) => left.Equals(right);
+ public static bool operator !=(PIMOnlyMode left, PIMOnlyMode right) => !left.Equals(right);
+
+ public static explicit operator string(PIMOnlyMode value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is PIMOnlyMode other && Equals(other);
+ public bool Equals(PIMOnlyMode other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The data type of the parameter.
///
@@ -443,6 +630,38 @@ private PublicNetworkAccessOptions(string value)
public override string ToString() => _value;
}
+ ///
+ /// The recipient type.
+ ///
+ [EnumType]
+ public readonly struct RecipientType : IEquatable
+ {
+ private readonly string _value;
+
+ private RecipientType(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static RecipientType Requestor { get; } = new RecipientType("Requestor");
+ public static RecipientType Approver { get; } = new RecipientType("Approver");
+ public static RecipientType Admin { get; } = new RecipientType("Admin");
+
+ public static bool operator ==(RecipientType left, RecipientType right) => left.Equals(right);
+ public static bool operator !=(RecipientType left, RecipientType right) => !left.Equals(right);
+
+ public static explicit operator string(RecipientType value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is RecipientType other && Equals(other);
+ public bool Equals(RecipientType other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The identity type. This is the only required field when adding a system or user assigned identity to a resource.
///
@@ -484,6 +703,41 @@ private ResourceIdentityType(string value)
public override string ToString() => _value;
}
+ ///
+ /// The type of rule
+ ///
+ [EnumType]
+ public readonly struct RoleManagementPolicyRuleType : IEquatable
+ {
+ private readonly string _value;
+
+ private RoleManagementPolicyRuleType(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static RoleManagementPolicyRuleType RoleManagementPolicyApprovalRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyApprovalRule");
+ public static RoleManagementPolicyRuleType RoleManagementPolicyAuthenticationContextRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyAuthenticationContextRule");
+ public static RoleManagementPolicyRuleType RoleManagementPolicyEnablementRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyEnablementRule");
+ public static RoleManagementPolicyRuleType RoleManagementPolicyExpirationRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyExpirationRule");
+ public static RoleManagementPolicyRuleType RoleManagementPolicyNotificationRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyNotificationRule");
+ public static RoleManagementPolicyRuleType RoleManagementPolicyPimOnlyModeRule { get; } = new RoleManagementPolicyRuleType("RoleManagementPolicyPimOnlyModeRule");
+
+ public static bool operator ==(RoleManagementPolicyRuleType left, RoleManagementPolicyRuleType right) => left.Equals(right);
+ public static bool operator !=(RoleManagementPolicyRuleType left, RoleManagementPolicyRuleType right) => !left.Equals(right);
+
+ public static explicit operator string(RoleManagementPolicyRuleType value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is RoleManagementPolicyRuleType other && Equals(other);
+ public bool Equals(RoleManagementPolicyRuleType other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
+
///
/// The selector kind.
///
@@ -528,4 +782,36 @@ private SelectorKind(string value)
public override string ToString() => _value;
}
+
+ ///
+ /// The type of user.
+ ///
+ [EnumType]
+ public readonly struct UserType : IEquatable
+ {
+ private readonly string _value;
+
+ private UserType(string value)
+ {
+ _value = value ?? throw new ArgumentNullException(nameof(value));
+ }
+
+ public static UserType User { get; } = new UserType("User");
+ public static UserType Group { get; } = new UserType("Group");
+ public static UserType ServicePrincipal { get; } = new UserType("ServicePrincipal");
+
+ public static bool operator ==(UserType left, UserType right) => left.Equals(right);
+ public static bool operator !=(UserType left, UserType right) => !left.Equals(right);
+
+ public static explicit operator string(UserType value) => value._value;
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override bool Equals(object? obj) => obj is UserType other && Equals(other);
+ public bool Equals(UserType other) => string.Equals(_value, other._value, StringComparison.Ordinal);
+
+ [EditorBrowsable(EditorBrowsableState.Never)]
+ public override int GetHashCode() => _value?.GetHashCode() ?? 0;
+
+ public override string ToString() => _value;
+ }
}
diff --git a/sdk/dotnet/Authorization/GetRoleManagementPolicy.cs b/sdk/dotnet/Authorization/GetRoleManagementPolicy.cs
new file mode 100644
index 000000000000..3ef1a81d3535
--- /dev/null
+++ b/sdk/dotnet/Authorization/GetRoleManagementPolicy.cs
@@ -0,0 +1,167 @@
+// *** WARNING: this file was generated by pulumi. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureNative.Authorization
+{
+ public static class GetRoleManagementPolicy
+ {
+ ///
+ /// Get the specified role management policy for a resource scope
+ /// Azure REST API version: 2024-09-01-preview.
+ ///
+ /// Other available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview.
+ ///
+ public static Task InvokeAsync(GetRoleManagementPolicyArgs args, InvokeOptions? options = null)
+ => global::Pulumi.Deployment.Instance.InvokeAsync("azure-native:authorization:getRoleManagementPolicy", args ?? new GetRoleManagementPolicyArgs(), options.WithDefaults());
+
+ ///
+ /// Get the specified role management policy for a resource scope
+ /// Azure REST API version: 2024-09-01-preview.
+ ///
+ /// Other available API versions: 2020-10-01, 2020-10-01-preview, 2024-02-01-preview.
+ ///
+ public static Output Invoke(GetRoleManagementPolicyInvokeArgs args, InvokeOptions? options = null)
+ => global::Pulumi.Deployment.Instance.Invoke("azure-native:authorization:getRoleManagementPolicy", args ?? new GetRoleManagementPolicyInvokeArgs(), options.WithDefaults());
+ }
+
+
+ public sealed class GetRoleManagementPolicyArgs : global::Pulumi.InvokeArgs
+ {
+ ///
+ /// The name (guid) of the role management policy to get.
+ ///
+ [Input("roleManagementPolicyName", required: true)]
+ public string RoleManagementPolicyName { get; set; } = null!;
+
+ ///
+ /// The scope of the role management policy.
+ ///
+ [Input("scope", required: true)]
+ public string Scope { get; set; } = null!;
+
+ public GetRoleManagementPolicyArgs()
+ {
+ }
+ public static new GetRoleManagementPolicyArgs Empty => new GetRoleManagementPolicyArgs();
+ }
+
+ public sealed class GetRoleManagementPolicyInvokeArgs : global::Pulumi.InvokeArgs
+ {
+ ///
+ /// The name (guid) of the role management policy to get.
+ ///
+ [Input("roleManagementPolicyName", required: true)]
+ public Input RoleManagementPolicyName { get; set; } = null!;
+
+ ///
+ /// The scope of the role management policy.
+ ///
+ [Input("scope", required: true)]
+ public Input Scope { get; set; } = null!;
+
+ public GetRoleManagementPolicyInvokeArgs()
+ {
+ }
+ public static new GetRoleManagementPolicyInvokeArgs Empty => new GetRoleManagementPolicyInvokeArgs();
+ }
+
+
+ [OutputType]
+ public sealed class GetRoleManagementPolicyResult
+ {
+ ///
+ /// The role management policy description.
+ ///
+ public readonly string? Description;
+ ///
+ /// The role management policy display name.
+ ///
+ public readonly string? DisplayName;
+ ///
+ /// The readonly computed rule applied to the policy.
+ ///
+ public readonly ImmutableArray