The so-called "lower levels" inherit role permissions (or role assignments, if you will), which is something else entirely. Furthermore, I'd say this is both expected and necessary to effectively administer permissions in organizations. Assigning permissions (via roles or otherwise) on every single object is not feasible. Inheritance is required. It works similarly to NTFS ACLs.
What I wrote is, in fact, accurate. An identity cannot inherit a role. It is simply impossible. What would it inherit from? The identity does not actually exist where it appears in the control plane (i.e. in a resource group). It exists in Entra ID (formerly Azure AD).
There is but one possibility for a newly created identity to actually have role assignments: Automation via policy. Now that I think about it, there might be another: assigning roles to special groups like "Authenticated users".
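The distinction drawn in the comment above, as an added example that is not part of the thread: a constructed Python model (not the Azure SDK or API) in which a role assignment applies at its scope and every child scope, while an identity whose resource sits in a resource group holds no roles until an assignment names its principal. All IDs, names and scope paths are made up, and `scope_covers` and `effective_roles` are hypothetical helpers.

```python
# Constructed model of Azure RBAC scope evaluation; not the Azure SDK or API.
from dataclasses import dataclass

@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object ID of the user, group or identity in Entra ID
    role: str
    scope: str         # scope path at which the assignment was created

def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every scope beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Match on segment boundaries so ".../rg-app" does not cover ".../rg-app2".
    return t == a or t.startswith(a + "/")

def effective_roles(principal_id, target_scope, assignments, group_ids=()):
    """Roles the principal holds at target_scope, directly or via its groups."""
    holders = {principal_id, *group_ids}
    return sorted({ra.role for ra in assignments
                   if ra.principal_id in holders
                   and scope_covers(ra.scope, target_scope)})

# Constructed sample data: every ID and name below is made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
RG2 = SUB + "/resourceGroups/rg-app2"
VAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-app"
# The identity's resource lives in RG; its principal ("mi-new") lives in Entra ID.
MI_RESOURCE = RG + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-new"

ASSIGNMENTS = [
    RoleAssignment("user-alice", "Contributor", RG),
    RoleAssignment("group-ops", "Reader", SUB),
]

if __name__ == "__main__":
    # Alice's resource-group assignment reaches child resources, including the
    # identity *resource* (she can manage it), but not the sibling group.
    print(effective_roles("user-alice", VAULT, ASSIGNMENTS))        # ['Contributor']
    print(effective_roles("user-alice", MI_RESOURCE, ASSIGNMENTS))  # ['Contributor']
    print(effective_roles("user-alice", RG2, ASSIGNMENTS))          # []
    # The new identity's principal holds nothing: no assignment names it.
    print(effective_roles("mi-new", VAULT, ASSIGNMENTS))            # []
    # It gains access only once an assignment names it (or a group it is in).
    granted = ASSIGNMENTS + [RoleAssignment("mi-new", "Key Vault Secrets User", VAULT)]
    print(effective_roles("mi-new", VAULT, granted))                # ['Key Vault Secrets User']
```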
ok so now it's a semantic debate. love that... i hope this knowledge that i shared is useful to you in the future, so you can avoid dumb ass RBAC inheritance footguns