Azure AD Roles Continued
- For all the built in roles Refer Here
- Azure role-based access control (RBAC) helps you manage who has access to Azure resources , what they can do with those resources.
- Azure RBAC is an authorization system built on Azure Resource Manager, than provides fine-grained access control & management
How Azure RBAC Works
- A role assignment consists of three elements
- security principal:
- This is an object that represents user, group, service principal or managed identity that is requesting access to Azure Resources
- role definition:
- A role definition (typically called as role) is list of operations that can be performed such as read, write and delete.
- Azure has several built-in roles that you use or create your own Azure custom rules
- scope: This is set of resources that access applies to. In Azure you specify scope at four levels
- management group
- subscription
- resource group
- resource
- security principal:
- Role assignment is the process of attaching a role definition to a security principal at a particular scope
- To create custom role start from any built-in as a best practice Refer Here
- Select the Azure Services you want to grant access to and find the mataching resource provider to service Refer Here
Exercise 1: Create a custom role using Azure Portal
- Navigate to Access Control (IAM) in the Subscriptions
- Click on the Roles table and select the role which you want to clone, lets select Storage Account Contributor
- Now create the custom role by select Add custom role or clone and select the option to clone and continue adding permissions as done in the class
- The better option to create custom roles is to create from json.
- Create a JSON File in the following format
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": [ ],
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
- To fill this json with the necesary information to create a role Refer Here
