rbac-additive-arm-authorization-model

Status: IN

Azure RBAC enforces an additive authorization model built on Azure Resource Manager. Effective permissions are the union of all role assignments, with no subtraction. Role definition IDs remain stable across renames, which keeps automation that references them safe. The Owner/Contributor split specifically gates role assignment capability. Together these make RBAC a monotonically increasing permission surface, where the only way to reduce access is to remove assignments.
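The union rule and the Owner/Contributor gate can be checked with a small evaluator. This is an added example, not code from the original page or from Azure tooling. Assumptions: the role definitions are simplified (Contributor's real NotActions list is longer), all assignments sit at the same scope, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Built-in role definition IDs: the stable key automation should reference.
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

# Simplified definitions (assumption: trimmed for the example).
ROLE_DEFINITIONS = {
    OWNER: {"roleName": "Owner", "actions": ["*"], "notActions": []},
    CONTRIBUTOR: {"roleName": "Contributor", "actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ]},
    READER: {"roleName": "Reader", "actions": ["*/read"], "notActions": []},
}
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"

def matches(patterns, action):
    """Case-insensitive wildcard match of an action against ARM patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role_id, action):
    """One role grants an action if it is in Actions and not in NotActions."""
    role = ROLE_DEFINITIONS[role_id]
    return matches(role["actions"], action) and not matches(role["notActions"], action)

def is_allowed(assigned_role_ids, action):
    """Effective access is the union: any single granting assignment wins."""
    return any(role_allows(rid, action) for rid in assigned_role_ids)

def can_assign_roles(assigned_role_ids):
    """Audit check: can this principal create role assignments?"""
    return is_allowed(assigned_role_ids, ASSIGN_ROLE)

def demo():
    # Constructed sample: one principal, all assignments at the same scope.
    vm_write = "Microsoft.Compute/virtualMachines/write"
    return {
        "reader_only_vm_write": is_allowed([READER], vm_write),
        "reader_plus_contributor_vm_write": is_allowed([READER, CONTRIBUTOR], vm_write),
        "contributor_can_assign": can_assign_roles([CONTRIBUTOR]),
        # NotActions narrows one definition; it does not subtract from Owner.
        "contributor_plus_owner_can_assign": can_assign_roles([CONTRIBUTOR, OWNER]),
    }
```

Because `is_allowed` is an `any()` over assignments, appending an assignment can never turn an allowed action into a denied one; only removing an assignment can.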
