I will try and answer this as best I can, but this is worded a bit vaguely.
If you are referring to the Roles you can assign via RBAC at the resource group/resource level then there are predefined Roles that can be assigned via ARM Template deployments, PowerShell, Azure CLI etc.
There are also custom roles you can create via Azure CLI, PowerShell, REST API, and ARM Template Deployments. These custom roles can include any of the permissions you so choose.
These roles can be used to give permissions or deny permissions to a subscription, resource group, or resource.
Refer to these Microsoft document links for creating custom roles programmatically, paying special attention to the "NotAction" and "NotDataAction" properties since your question is regarding exclusions:
PowerShell Tutorial
Azure CLI Tutorial
REST API
ARM Template
Refer to these Microsoft document links for adding/removing roles programmatically:
PowerShell assign/remove roles
Azure CLI assign/remove roles
Azure REST API add/remove roles
ARM Template Deployment add/remove roles (cannot remove Role Assignment via ARM Template currently)
By using both of these together you should be able to create custom roles, and assign those roles to Principals/Users to allow for customized permissions.
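An added example, not part of the original answer: a constructed custom role in the JSON shape accepted by `az role definition create --role-definition`, with a small evaluator showing how NotActions is applied. The role names, the all-zero subscription ID and the helper functions are assumptions made for illustration; the evaluator models the documented rule that a role's effective permissions are Actions minus NotActions and that role assignments are additive, so an exclusion in one role does not block an action granted by another role.

```python
from fnmatch import fnmatchcase

# Constructed custom role (names and subscription ID are placeholders).
CUSTOM_ROLE = {
    "Name": "VM Operator No Delete (example)",
    "Description": "Manage virtual machines but exclude delete.",
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

# Constructed second role standing in for any broad assignment on the same scope.
BROAD_ROLE = {
    "Name": "Broad Access (example)",
    "Actions": ["*"],
    "NotActions": [],
}

DELETE_VM = "Microsoft.Compute/virtualMachines/delete"


def _matches(operation, patterns):
    # Operation strings are compared case-insensitively; "*" is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_grants(role, operation):
    """Effective permission of ONE role: Actions minus NotActions."""
    return _matches(operation, role["Actions"]) and not _matches(
        operation, role["NotActions"]
    )


def principal_allowed(roles, operation):
    """Assignments are additive: one granting role is enough."""
    return any(role_grants(role, operation) for role in roles)


if __name__ == "__main__":
    for assigned in ([CUSTOM_ROLE], [CUSTOM_ROLE, BROAD_ROLE]):
        names = [r["Name"] for r in assigned]
        print(names, "-> delete allowed:", principal_allowed(assigned, DELETE_VM))
```

When reviewing a principal that is supposed to be excluded from an operation, check every role assigned at the resource, resource group and subscription scopes, not only the custom role carrying the exclusion.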