Skip to content

Fix workbooks deployment permissions documentation #1629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 7 commits into
base: dev
Choose a base branch
from
Draft

Fix workbooks deployment permissions documentation #1629

wants to merge 7 commits into from
+29 −8

Conversation

Copilot
Copy link
Contributor

@Copilot Copilot AI commented May 22, 2025
edited
Loading

This PR updates the documentation related to the permissions required for deploying FinOps workbooks. The original documentation incorrectly stated that Reader access was sufficient to deploy workbooks, which is not true when using the ARM template deployment method.

Changes made:

  • Updated the permission requirements across all workbooks documentation:

    • Clarified that Contributor role or a role with Microsoft.Resources/deployments/validate/action permission is required for ARM template deployments
    • Specified that Workbook Contributor role is for saving workbooks after deployment
    • Maintained that Reader role is for viewing workbook tabs

  • Added alternative deployment instructions for users with only Reader access:

    • Added step-by-step instructions for downloading workbook files directly from GitHub
    • Added instructions for importing workbooks directly into Azure Monitor (which works with Reader access)
    • Included links to the correct repository locations for the workbook files

  • Ensured consistency across all related documentation files:

    • docs-mslearn/toolkit/workbooks/finops-workbooks-overview.md
    • docs-mslearn/toolkit/workbooks/customize-workbooks.md
    • docs/workbooks.md
    • src/templates/finops-workbooks/README.md

These changes address the issue where users with only Reader access are unable to deploy workbooks using the ARM template method, and provide clear alternatives for those users.

Fixes #1612.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Skill: DevOps GitHub setup and automation label May 22, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added Skill: Documentation Documentation updates Tool: FinOps guide Implementing FinOps guide labels May 22, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Review 👀 PR that is ready to be reviewed label May 22, 2025
@Copilot @KevDLR
Fix documentation about workbooks deployment permissions
4aa070e 
Co-authored-by: KevDLR <86437159+KevDLR@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] More than Reader Access is requirerd Fix workbooks deployment permissions documentation May 22, 2025
@Copilot Copilot AI requested a review from KevDLR May 22, 2025 21:41
Copilot finished work on behalf of KevDLR May 22, 2025 21:41
flanakin
flanakin requested changes May 24, 2025
View reviewed changes
docs/workbooks.md Outdated
Comment on lines 70 to 75
To deploy FinOps workbooks using ARM templates, you need:
- **Contributor** role or a role with `Microsoft.Resources/deployments/validate/action` permission
- **Workbook Contributor** role to save workbooks after deployment
- **Reader** role to view all workbook tabs

> If you only have Reader access, you can download the workbook files from the [GitHub repository](https://github.com/microsoft/finops-toolkit/tree/main/src/workbooks) and import them directly into Azure Monitor Workbooks.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To deploy FinOps workbooks using ARM templates, you need:
- **Contributor** role or a role with `Microsoft.Resources/deployments/validate/action` permission
- **Workbook Contributor** role to save workbooks after deployment
- **Reader** role to view all workbook tabs
> If you only have Reader access, you can download the workbook files from the [GitHub repository](https://github.com/microsoft/finops-toolkit/tree/main/src/workbooks) and import them directly into Azure Monitor Workbooks.
FinOps workbooks require the <strong>Workbook Contributor</strong> role to deploy and <strong>Reader</strong> on all subscriptions you want to monitor.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simplified the permissions section with your suggested wording that's more concise and accurate. Commit de144d6

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Issue or PR needs to be reviewed by the author or it will be closed due to no activity and removed Needs: Review 👀 PR that is ready to be reviewed labels May 24, 2025
@Copilot @flanakin
Apply reviewer suggestions for permissions documentation
de144d6 
Co-authored-by: flanakin <399533+flanakin@users.noreply.github.com>
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Review 👀 PR that is ready to be reviewed and removed Needs: Attention 👋 Issue or PR needs to be reviewed by the author or it will be closed due to no activity labels May 24, 2025
Copilot finished work on behalf of flanakin May 24, 2025 18:28
@Copilot @KevDLR
Update workbooks permissions to include Microsoft.Resources/deploymen…
f631e13 
…ts/write permission

Co-authored-by: KevDLR <86437159+KevDLR@users.noreply.github.com>
Copilot finished work on behalf of KevDLR May 24, 2025 19:40
flanakin
flanakin requested changes May 25, 2025
View reviewed changes
docs/workbooks.md Outdated
Comment on lines 70 to 72
FinOps workbooks require the <strong>Contributor</strong> role or a role with both <strong>Microsoft.Resources/deployments/validate/action</strong> and <strong>Microsoft.Resources/deployments/write</strong> permissions for ARM template deployments, <strong>Workbook Contributor</strong> role to save changes, and <strong>Reader</strong> on all subscriptions you want to monitor.

> If you only have Reader access, you can download the workbook files from the [GitHub repository](https://github.com/microsoft/finops-toolkit/tree/main/src/workbooks) and import them directly into Azure Monitor Workbooks.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
FinOps workbooks require the <strong>Contributor</strong> role or a role with both <strong>Microsoft.Resources/deployments/validate/action</strong> and <strong>Microsoft.Resources/deployments/write</strong> permissions for ARM template deployments, <strong>Workbook Contributor</strong> role to save changes, and <strong>Reader</strong> on all subscriptions you want to monitor.
> If you only have Reader access, you can download the workbook files from the [GitHub repository](https://github.com/microsoft/finops-toolkit/tree/main/src/workbooks) and import them directly into Azure Monitor Workbooks.
FinOps workbooks require the <strong>Workbook Contributor</strong> role to deploy and <strong>Reader</strong> on any subscriptions you want to monitor.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 Issue or PR needs to be reviewed by the author or it will be closed due to no activity and removed Needs: Review 👀 PR that is ready to be reviewed labels May 25, 2025
@flanakin flanakin added this to the 2025-06 - June milestone May 28, 2025
KevDLR
KevDLR reviewed May 28, 2025
View reviewed changes
@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Review 👀 PR that is ready to be reviewed and removed Needs: Attention 👋 Issue or PR needs to be reviewed by the author or it will be closed due to no activity labels May 28, 2025
KevDLR
KevDLR reviewed May 29, 2025
View reviewed changes
KevDLR and others added 2 commits May 29, 2025 15:16
@KevDLR @flanakin
Apply suggestions from code review
9cf3f6d 
Co-authored-by: Michael Flanakin <flanakin@users.noreply.github.com>
@KevDLR
Update docs/workbooks.md resource link
967c5c8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KevDLR KevDLR KevDLR left review comments

@arthurclares arthurclares Awaiting requested review from arthurclares arthurclares is a code owner

@aromano2 aromano2 Awaiting requested review from aromano2

@CaddyG CaddyG Awaiting requested review from CaddyG

@flanakin flanakin Awaiting requested review from flanakin flanakin is a code owner

@nteyan nteyan Awaiting requested review from nteyan nteyan will be requested when the pull request is marked ready for review nteyan is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@flanakin flanakin

@aromano2 aromano2

@arthurclares arthurclares

@KevDLR KevDLR

@CaddyG CaddyG

Copilot code review Copilot

Labels
Needs: Review 👀 PR that is ready to be reviewed Skill: DevOps GitHub setup and automation Skill: Documentation Documentation updates Tool: FinOps guide Implementing FinOps guide
Projects
None yet
Milestone
2025-07 - July
Development

Successfully merging this pull request may close these issues.

More than Reader Access is requirerd
6 participants
@Copilot @flanakin @KevDLR @aromano2 @arthurclares @CaddyG