Multiple role assignments
- Azure RBAC is an additive model, so your effective permissions are the sum of all your role assignments.
- Ex: A user is granted the Contributor role at subscription scope and the Reader role on a resource group. The sum of Contributor + Reader applies to the resource group, so the Reader assignment has no effect there.
- Ground principle: grant roles that carry write permissions at the lowest scope level that is necessary.
- Refer here
Deny Assignments
- Azure RBAC was allow-only, but Azure now supports deny assignments in a limited way through Azure Blueprints.
How Azure RBAC determines if user has access to a resource
- A user acquires a token for Azure Resource Manager (ARM).
- The user makes a REST API call to ARM with the token attached.
- ARM retrieves all the role assignments and deny assignments that apply to the resource.
- ARM narrows the role assignments down to the user and determines which roles the user has for this resource.
- ARM determines whether the action in the API call is included in a role the user has.
- If the user has access to the action, the call is allowed.
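The additive model from the first section (Contributor at subscription scope plus Reader on a resource group), the deny-assignment precedence, and evaluation steps 3 to 6 above, as an added Python simulation that is not part of the original notes or any Azure SDK. Role definitions, scopes, principals and the deny assignment are constructed sample data; the Contributor definition is a subset of the real built-in role.

```python
from fnmatch import fnmatchcase

# Constructed subset of two built-in role definitions (Actions minus NotActions).
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
}

# Constructed scopes: a subscription and a resource group beneath it.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"

# Constructed role assignments: the scenario from the notes (Contributor at
# subscription scope plus Reader on a resource group) and a Reader-only user.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "alice", "role": "Reader", "scope": RG},
    {"principal": "bob", "role": "Reader", "scope": RG},
]

# Constructed deny assignment (in Azure these are created through Blueprints).
DENIES = [{"principals": ["alice"], "scope": RG,
           "actions": ["Microsoft.Storage/storageAccounts/delete"]}]

def scope_applies(assignment_scope, resource_scope):
    # An assignment applies at its own scope and at every scope beneath it.
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def action_matches(patterns, action):
    # Azure action strings are case-insensitive and support '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    # A role grants an action if it is in Actions and not excluded by NotActions.
    d = ROLE_DEFINITIONS[role]
    return action_matches(d["Actions"], action) and not action_matches(d["NotActions"], action)

def is_allowed(principal, action, resource_scope, assignments=ASSIGNMENTS, denies=DENIES):
    # Steps 3-6: gather assignments applying to the resource, narrow to the
    # principal, check the action. A matching deny assignment wins over any allow;
    # otherwise the model is additive, so one applicable role granting it suffices.
    for d in denies:
        if (principal in d["principals"] and scope_applies(d["scope"], resource_scope)
                and action_matches(d["actions"], action)):
            return False
    return any(role_allows(a["role"], action) for a in assignments
               if a["principal"] == principal and scope_applies(a["scope"], resource_scope))
```

The Reader assignment on the resource group adds nothing for alice, while Contributor's NotActions still block role-assignment writes and the deny assignment blocks the delete only within the resource group.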
Azure Policy
- Azure Policy is used to enforce standards and assess compliance at scale.
- Azure Policy evaluates resources in Azure by comparing the properties of resources to business rules. These business rules are defined in JSON format as Azure Policy definitions.
- Azure provides a lot of built-in policies.
- Azure Policy definitions are written using the JSON structure described here.
Azure Policy Assignment
- Launch Azure Policy from All services in the portal.
Azure Management Groups
- If an organization has many subscriptions, it needs to manage access, policies and compliance for those subscriptions effectively. Azure management groups provide a new level of scope above your subscriptions.
Next Steps
- Azure AD & ADFS (next Saturday & Sunday)
- Azure Compute
