Skip to content

Latest commit

 

History

History
68 lines (55 loc) · 2.42 KB

4.1.1. Role-Based Access Control (RBAC).md

File metadata and controls

68 lines (55 loc) · 2.42 KB
Raw

Role-Based Access Control (RBAC)

  • You can assign roles to existing Azure AD identities that grants them pre-determined levels of access to an Azure subscription, resource group or individual resource.
  • Some built-in roles:
    • Owner : Owner can manage everything, including access.
    • Contributor : Contributors can manage everything except access.
    • Reader : Readers can view everything, but can't make changes.
    • User Access Administrator : Allows you to manage user access to Azure resources.
    • Virtual Machine Contributor : Allows you to manage virtual machines, but not access to them, and not the virtual network or storage account they are connected to.

Role Assignment

  • Associates a [security principal](#security-principals) to a role in a given scope.

Security principals

  • Users
    • Users in AD of the subscription.
    • Can be assigned to external Microsoft accounts in same directory.
  • Groups
    • AD security groups.
    • Best practice.
  • Service principals
    • Service identities.
      • Authenticates with Azure AD to communicate with each other.
    • Can be granted access to other resources by assigning roles.

Resource Scopes

  • Subscriptions, resource group, individual resources.
  • Resource inherits assignments from its parent resources.
    • Access inheritance: Subscription => Resource Groups => Resources
  • Scoping to Resource Groups
    • Add/remove and modify resources quickly without having to recreate assignments and scopes
    • Owner or contributor access => Does not require additional administrator assistance or having access to resources in other resource groups.

Custom roles

  • Use REST API.
  • ❗ Azure AD tenant is limited to 2000 custom roles.
  • Steps:
    1. Create a role definition with assignable scopes.
    2. Assign the role definition to a scope.

Creating a new role definition

  • 📝 To create a new custom role you run the New-AzureRmRoleDefinition cmdlet
  • You can pass a JSON template to the cmdLet or use PSRoleDefinitionObject.
  • E.g. json:
  {
    "Name": "New Role 1",
    "Id": null,
    "IsCustom": true,
    "Description": "Allows for read access to Azure storage and compute resources",
    "Actions": [
      "Microsoft.Compute/\*/read",
      "Microsoft.Storage/\*/read",

    ],
    "NotActions": [
    ],
    "AssignableScopes": [
      "/subscriptions/c489345-9cd4-44c9-99a7-4gh6575315336g"
  ]
  }