when should we create a custom role versus a custom policy (custom policy definition) ?
For example if we do not want anyone to modify tags or create resources without certain tags? please provide a JSON custom definition if you think this is a solution?
How about if we want to create a role where the user can only reboot, stop, and start a IaaS? As well as deploy tags so that nobody can modify and nobody can deploy without the specific tags. The issue is that specific tags identify which billing group the resource belongs to and we want to give the customer the ability to create new IaaS/PaaS with the proper tags which cannot be modified after creation of the IaaS/PaaS.
And the user will need to read everything else in the ARM.
dsk