Custom Roles in Azure
Prerequisites:
- JSON (a custom role definition is written as a JSON document)
- To create a custom role you need the Microsoft.Authorization/roleDefinitions/write permission at every scope the role will be assignable to, and to assign roles to others you need Microsoft.Authorization/roleAssignments/write; the built-in Owner and User Access Administrator roles carry both
Simple method for creating roles:
- Look at the existing built-in roles and start from the closest one
- Search for the permissions (resource provider operations) the role actually needs
- View the available permissions and keep the list to the minimum the job requires
Azure Resource Manager providers (Refer Here):
- In Azure, every resource operation is exposed by a resource provider (for example Microsoft.Compute, Microsoft.Network, Microsoft.Sql); operation names have the form {Provider}/{resourceType}/{operation}, such as Microsoft.Compute/virtualMachines/start/action
- To give fine-grained access we pick individual resource provider operations rather than wildcards; a wildcard such as Microsoft.Compute/* also covers operations the provider adds later, so the role silently grows. The operations are documented over here
- To view the resource providers by service, Refer Here

Custom roles can be created from
- Portal
- PowerShell
- Azure CLI
- REST API
- ARM Template
Steps for creating roles from the Portal
- Open the Access control (IAM) blade of the subscription (or of the management group or resource group the role should be assignable at)

- Open the Roles tab, select any role and view its permissions. If you want to create a similar custom role, use Clone

- If you prefer starting from scratch, choose Add > Add custom role and pick "Start from scratch"

JSON structure of a custom role
- Create a JSON file with the following syntax (this is the shape the Portal's "Start from JSON" option and the REST API use; the Azure CLI and PowerShell input files use top-level Name/IsCustom/Actions/NotActions/AssignableScopes keys instead). Refer here for more info
{
  "properties": {
    "roleName": "",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Let's create a learning role that has full control over virtual machines and their networking. Two things to check before using it: assignableScopes is left empty here but at least one scope is required (the Portal fills in the scope you pick, for example /subscriptions/<subscription-id>), and Microsoft.Compute/* includes Microsoft.Compute/virtualMachines/runCommand/action, which runs commands inside every VM as SYSTEM or root; exclude such operations in notActions unless that is intended
{
  "properties": {
    "roleName": "qt vm admin",
    "description": "vm admin for the quality thought",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Network/*",
          "Microsoft.Compute/*"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
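Before creating a definition like the one above it is worth checking offline what it actually grants. The following is an added example in Azure PowerShell, not code from the original page: it loads the "qt vm admin" JSON, evaluates operations against the actions/notActions lists with the same wildcard rules Azure uses, and flags the problems noted above. The subscription id is a placeholder, and the Test-RoleOperation and Test-RoleDefinition functions are written here for illustration; nothing in this block talks to Azure.

```powershell
# Added example (not from the original page). Azure treats "*" in actions and
# notActions as matching any characters, including "/" separators, and compares
# operation names case-insensitively, which is exactly what PowerShell's -like
# operator does. An operation is granted when it matches an entry in actions and
# no entry in notActions; notActions only narrow this role, they never deny an
# operation that another role assignment grants.

function Test-RoleOperation {
    param(
        [Parameter(Mandatory)] $Role,                 # object parsed from the role JSON
        [Parameter(Mandatory)] [string] $Operation    # e.g. Microsoft.Compute/virtualMachines/start/action
    )
    foreach ($perm in $Role.properties.permissions) {
        $allowed  = @($perm.actions    | Where-Object { $Operation -like $_ }).Count -gt 0
        $excluded = @($perm.notActions | Where-Object { $Operation -like $_ }).Count -gt 0
        if ($allowed -and -not $excluded) { return $true }
    }
    return $false
}

# Operations a VM role grants far too easily through "Microsoft.Compute/*":
# both let the holder execute code inside every VM in scope as SYSTEM/root.
$sensitive = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/extensions/write'
)

function Test-RoleDefinition {
    param([Parameter(Mandatory)] $Role)
    $findings = @()
    if (@($Role.properties.assignableScopes | Where-Object { $_ }).Count -eq 0) {
        $findings += 'assignableScopes is empty: Azure rejects the definition; use e.g. /subscriptions/<subscription-id>'
    }
    foreach ($perm in $Role.properties.permissions) {
        foreach ($action in $perm.actions) {
            if ($action -ne '*' -and $action -notlike '*/*') {
                $findings += "action '$action' is not of the form {Provider}/{resourceType}/{operation}"
            }
        }
    }
    foreach ($op in $sensitive) {
        if (Test-RoleOperation -Role $Role -Operation $op) { $findings += "grants $op" }
    }
    return $findings
}

# The page's "qt vm admin" definition, copied here as the input under test.
$roleJson = @'
{
  "properties": {
    "roleName": "qt vm admin",
    "description": "vm admin for the quality thought",
    "assignableScopes": [],
    "permissions": [
      { "actions": [ "Microsoft.Network/*", "Microsoft.Compute/*" ],
        "notActions": [], "dataActions": [], "notDataActions": [] }
    ]
  }
}
'@
$role = $roleJson | ConvertFrom-Json
Test-RoleDefinition -Role $role
# -> three findings: empty assignableScopes, grants runCommand, grants extensions/write

# Hardened variant: pin the scope (placeholder subscription id) and subtract the
# code-execution operations. The role still covers start/stop/create of VMs.
$role.properties.assignableScopes = @('/subscriptions/00000000-0000-0000-0000-000000000000')
$role.properties.permissions[0].notActions = $sensitive
Test-RoleDefinition -Role $role                                                              # -> no findings
Test-RoleOperation  -Role $role -Operation 'Microsoft.Compute/virtualMachines/start/action'      # -> True
Test-RoleOperation  -Role $role -Operation 'Microsoft.Compute/virtualMachines/runCommand/action' # -> False
```

Run the check again whenever a wildcard is added; because "*" also matches operations the provider introduces later, the list of sensitive operations is the part you revisit, not the matching logic.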
- Now assign this role to an Azure AD (Microsoft Entra ID) user at a scope that lies inside the role's assignableScopes

- Now evaluate the permissions by signing in as that user and trying the operations the role should (and should not) allow, then adjust the definition accordingly. New and changed role assignments can take several minutes to propagate, so a failed operation right after assignment is not yet proof that the role is wrong.
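The same procedure (look at an existing role, search the provider operations, create the definition, assign it, evaluate) from Azure PowerShell with the Az module, as an added example that is not part of the original page. It assumes you have run Connect-AzAccount against the right subscription; the role-definition file name and the user sign-in name learner@example.com are placeholders to replace.

```powershell
# Added example (not from the original page): the Portal steps done with the Az module.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# 1. Look at an existing role worth cloning, then search the operations a provider
#    exposes; this is where you find out what "Microsoft.Compute/*" really covers.
(Get-AzRoleDefinition -Name 'Virtual Machine Contributor').Actions
Get-AzProviderOperation 'Microsoft.Compute/virtualMachines/*' |
    Where-Object { $_.Operation -like '*runCommand*' -or $_.Operation -like '*extensions*' } |
    Format-Table Operation, Description -AutoSize

# 2. Build the definition. The PowerShell/CLI input file uses top-level keys
#    (Name, IsCustom, Actions, ...) rather than the Portal's "properties" wrapper.
$definition = [ordered]@{
    Name             = 'qt vm admin'
    IsCustom         = $true
    Description      = 'vm admin for the quality thought'
    Actions          = @('Microsoft.Network/*', 'Microsoft.Compute/*')
    NotActions       = @(
        'Microsoft.Compute/virtualMachines/runCommand/action',   # runs commands inside the VM as SYSTEM/root
        'Microsoft.Compute/virtualMachines/extensions/write'     # same effect through an extension
    )
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($scope)   # required; the role cannot be assigned outside these scopes
}
$definition | ConvertTo-Json -Depth 4 | Set-Content -Path .\qt-vm-admin.json
New-AzRoleDefinition -InputFile .\qt-vm-admin.json

# 3. Assign it to a user at the subscription scope.
New-AzRoleAssignment -SignInName 'learner@example.com' -RoleDefinitionName 'qt vm admin' -Scope $scope

# 4. Evaluate: everything the user now holds at this scope, including assignments
#    inherited from parent scopes and granted through group membership.
Get-AzRoleAssignment -SignInName 'learner@example.com' -Scope $scope -ExpandPrincipalGroups |
    Format-Table RoleDefinitionName, Scope -AutoSize

# 5. Adjust: fetch the stored definition, tighten it, and update it in place.
$existing = Get-AzRoleDefinition -Name 'qt vm admin'
$existing.NotActions.Add('Microsoft.Network/networkSecurityGroups/securityRules/write')
Set-AzRoleDefinition -Role $existing
```

Step 4 is the check to repeat after every change: if the user has Owner or Contributor from a parent scope or a group, the custom role's notActions change nothing, because notActions only narrow the role they belong to.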
Important References for writing roles
Exercise
- Create a custom role whose users have full permissions on Azure SQL (Microsoft.Sql/*), Azure VMs (Microsoft.Compute/*) and resource groups (Microsoft.Resources/subscriptions/resourceGroups/*); decide which operations belong in notActions before assigning it
- Set up Azure CLI and Azure PowerShell (Watch Here)
