Build RBAC-role

The following example shows the structure of an RBAC role defined in a JSON file. The file lists Name, Description, Actions, NotActions, and AssignableScopes (which can be set to a complete subscription, a resource group, or a specific resource). Actions and NotActions list the exact Microsoft operations, prefixed with the resource provider name, for which access should be allowed or excluded (for example, writing Azure virtual network resources is disabled by setting Microsoft.Network/virtualNetworks/write in NotActions). NotActions subtracts operations from Actions rather than acting as an explicit deny, so another role assignment can still grant the excluded operation.

Wildcards are supported; a wildcard selects all child operations. Example for Actions and NotActions:

  "Actions": [
    "*/write",
    "*/read"
  ],
  "NotActions": [
    "Microsoft.Network/virtualNetworks/write"
  ],

The template for a role is as follows:

{
  "Name": "<VF>-<Permission Type>",
  "IsCustom": true,
  "Description": "<Description>",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "*"
  ],
  "AssignableScopes": [
    "/subscriptions/<Subscription ID>/resourceGroups/<name of RG>"
  ]
}
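To check what a role definition grants before it is created, the following added example (not from the book) evaluates Actions minus NotActions with wildcard expansion and lints the JSON file. The helper names `matches`, `is_allowed` and `lint_role`, the sample role name, and the case-insensitive matching are assumptions made for this illustration.

```python
import json
import re

# Constructed sample: the Actions/NotActions snippet above placed in a full role.
SAMPLE_ROLE = {
    "Name": "example-network-restricted",  # hypothetical name
    "IsCustom": True,
    "Description": "Read/write everywhere except virtual network writes",
    "Actions": ["*/write", "*/read"],
    "NotActions": ["Microsoft.Network/virtualNetworks/write"],
    "AssignableScopes": ["/subscriptions/<Subscription ID>/resourceGroups/<name of RG>"],
}

def matches(pattern, operation):
    # "*" stands for any run of characters; case-insensitive matching is assumed here.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def is_allowed(role, operation):
    """Effective permission of one role: matched by Actions and not by NotActions."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

def lint_role(text):
    """Parse a role definition file and return a list of findings."""
    try:
        role = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    for key in ("Name", "Description", "Actions", "AssignableScopes"):
        if not role.get(key):
            findings.append(f"missing or empty {key}")
    if "*" in role.get("NotActions", []):
        findings.append("NotActions contains '*': every action is subtracted")
    elif "*" in role.get("Actions", []):
        findings.append("Actions contains '*': role grants every operation not in NotActions")
    return findings

if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/write",
               "Microsoft.Network/virtualNetworks/read",
               "Microsoft.Network/virtualNetworks/write",
               "Microsoft.Compute/virtualMachines/delete"):
        print(f"{op}: {'allowed' if is_allowed(SAMPLE_ROLE, op) else 'not granted'}")
    print(lint_role(json.dumps(SAMPLE_ROLE)))
```

The check covers a single role only; a principal's effective access is the union of all its role assignments.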