The following permissions are part of the custom role custom-contributor. The role behaves like the Azure Stack built-in contributor role. Within the custom-contributor role network deployments and configurations are disabled. In case of deploying new Azure Stack resources and services, users have to use the existing core network resources:

"Actions": [ 
    "*", 
  ], 
  "NotActions": [ 
    "Microsoft.ClassicNetwork/*/write", 
    "Microsoft.ClassicNetwork/*/delete", 
    "Microsoft.Network/publicIPAddresses/*/write", 
    "Microsoft.Network/virtualNetworks/delete", 
    "Microsoft.Network/virtualNetworks/write", 
    "Microsoft.Network/virtualNetworks/peer/action", 
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", 
  "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete", 
    "Microsoft.Authorization/*/Delete", 
    "Microsoft.Authorization/*/Write", 
    "Microsoft.Authorization/elevateAccess/Action", 
    ], 

Azure Stack RBAC as good practice provides a role based security concept when providing fine-grained permissions. As with Azure Stack this is a must, setting these roles up by default and before the Azure Stack can go live. If not done so, the worst case would be that at first everybody would have all permissions and later on it it would need to be cut down.