{"id":"rbac-additive-arm-authorization-model","text":"Azure RBAC enforces an additive authorization model built on Azure Resource Manager: effective permissions are the union of all role assignments with no subtraction, role definition IDs remain stable across renames for automation safety, and the Owner/Contributor split specifically gates role assignment capability — making RBAC a monotonically increasing permission surface where the only way to reduce access is to remove assignments.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"rbac-additive-arm-authorization-model","truth_value":"IN","reason":"premise"}]}}