Azure Role Based Access Control (Azure RBAC)
Azure RBAC is the authorization system built on Azure Resource Manager (ARM) that provides fine-grained access management for Azure resources. Every access decision answers three questions: who (the security principal) may do what (the role definition) where (the scope).
- Security principal:
  - An object that represents a user, group, service principal or managed identity that requests access to Azure resources.
- Role definition:
  - A collection of permissions, usually just called a role.
  - It lists the operations that can be performed, such as read, write and delete.
  - Azure ships with many built-in roles (Owner, Contributor, Reader and a large set of service-specific roles, documented in the Azure built-in roles reference); a custom role can be defined when none of them fits.
- Scope:
  - The set of resources the access applies to. Scopes nest (management group > subscription > resource group > resource), and an assignment made at a parent scope is inherited by every child scope beneath it.
- Role assignment:
  - The act of attaching a role definition to a user, group, service principal or managed identity at a particular scope in order to grant access.

- Exercise: give the Developers group Reader access at the subscription scope.
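One way to carry out the exercise from code, using the Azure Resource Manager REST API directly so that the three parts of a role assignment (role definition, principal, scope) are visible. This is an added example, not code from the original page or from Microsoft: the subscription id and group object id in main() are constructed placeholders, READER_ROLE_ID is the published GUID of the built-in Reader role, and submit() is only called once you supply a real ARM access token.

```python
"""Grant the built-in Reader role to a group at subscription scope through the
Azure Resource Manager REST API (PUT .../roleAssignments/{name}).
Added example, not Microsoft's code. Subscription id and group object id in
main() are constructed placeholders."""
import json
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
# Published GUID of the built-in Reader role (identical in every tenant).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def subscription_scope(subscription_id: str) -> str:
    """Scope string for a whole subscription; resource groups and resources
    under it inherit any assignment made here."""
    return f"/subscriptions/{subscription_id}"


def role_definition_id(scope: str, role_guid: str) -> str:
    """Built-in roles are defined at the tenant root but are referenced
    through the scope of the assignment."""
    return f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}"


def build_role_assignment(scope: str, principal_id: str, principal_type: str,
                          role_guid: str, assignment_name: str = None) -> dict:
    """Return the PUT request that creates the assignment. The assignment name
    is a fresh GUID. Sending principalType explicitly avoids PrincipalNotFound
    errors for principals that were created moments ago."""
    name = assignment_name or str(uuid.uuid4())
    return {
        "method": "PUT",
        "url": f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{name}"
               f"?api-version={API_VERSION}",
        "body": {
            "properties": {
                "roleDefinitionId": role_definition_id(scope, role_guid),
                "principalId": principal_id,
                "principalType": principal_type,  # User, Group, ServicePrincipal, ...
            }
        },
    }


def submit(request: dict, bearer_token: str) -> dict:
    """Send the request with an ARM access token (for example from
    `az account get-access-token`). The caller needs
    Microsoft.Authorization/roleAssignments/write at the target scope,
    which Contributor deliberately lacks (Owner or User Access Administrator have it)."""
    req = urllib.request.Request(
        request["url"],
        data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders: replace with your subscription id and the
    # Developers group's object id (az ad group show --group Developers --query id -o tsv).
    scope = subscription_scope("00000000-0000-0000-0000-000000000000")
    req = build_role_assignment(scope, "11111111-1111-1111-1111-111111111111",
                                "Group", READER_ROLE_ID)
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
```

The same assignment from the Azure CLI is `az role assignment create --role Reader --assignee-object-id <group object id> --assignee-principal-type Group --scope /subscriptions/<subscription id>`, and `az role assignment list --scope /subscriptions/<subscription id> --assignee <group object id> -o table` confirms it. Assign to the group rather than to individual developers: membership changes then never require touching the assignment.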
Understanding Azure Role Definitions
- A role definition is a JSON document with a fixed set of properties: roleName, description, assignableScopes (where the role may be assigned) and permissions. Each permissions entry has four lists: actions and notActions for control-plane (ARM) operations, dataActions and notDataActions for data-plane operations such as reading blobs.
- The effective permissions of a definition are actions minus notActions (likewise dataActions minus notDataActions). notActions is a subtraction inside the definition, not a deny: a second role assignment that grants the same operation still grants it.

- Sample built-in role definition for Contributor in JSON format. Note how `*` grants everything and the notActions list is what stops a Contributor from assigning roles (or elevating its own access):
{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "properties": {
    "roleName": "Contributor",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
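To see what the Contributor definition above actually permits, here is the evaluation rule applied in code: an operation is granted by a definition when it matches a pattern in actions and no pattern in notActions (dataActions/notDataActions for data-plane operations), and a principal's effective permission is the union over all its role assignments. This is an added example, not Microsoft's evaluator: the Contributor dictionary is the definition shown above (condensed), while the "Role Assigner" custom role is constructed here only to show how a second assignment adds back an operation that notActions removed. Azure additionally evaluates deny assignments and ABAC conditions after this step; the example leaves those out.

```python
"""Evaluate Azure RBAC role definitions: actions minus notActions, with '*'
wildcards and case-insensitive matching. Added example, not Microsoft code.
CONTRIBUTOR is the built-in definition from the page (condensed);
ROLE_ASSIGNER is a hypothetical custom role constructed for this example."""
import fnmatch

CONTRIBUTOR = {
    "roleName": "Contributor",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
        ],
        "dataActions": [],
        "notDataActions": [],
    }],
}

# Hypothetical custom role, constructed for this example only.
ROLE_ASSIGNER = {
    "roleName": "Role Assigner (example)",
    "permissions": [{
        "actions": ["Microsoft.Authorization/roleAssignments/write"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }],
}


def matches(pattern: str, operation: str) -> bool:
    """Azure operation strings are case-insensitive and '*' matches any run of
    characters including '/', so 'Microsoft.Authorization/*/Write' covers
    'Microsoft.Authorization/roleAssignments/write'. fnmatch gives exactly
    that; operation names never contain '?' or '[', fnmatch's other metacharacters."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def permitted_by_definition(role_def: dict, operation: str, data_action: bool = False) -> bool:
    """True when this definition grants the operation: it must match an allow
    pattern and must not match an exclusion pattern. The subtraction is local
    to the definition; it is not a deny."""
    for perm in role_def["permissions"]:
        allow = perm["dataActions"] if data_action else perm["actions"]
        exclude = perm["notDataActions"] if data_action else perm["notActions"]
        if any(matches(p, operation) for p in allow) and \
                not any(matches(p, operation) for p in exclude):
            return True
    return False


def permitted(assigned_roles: list, operation: str, data_action: bool = False) -> bool:
    """Effective permission of a principal is the union of every role
    definition assigned to it at or above the target scope."""
    return any(permitted_by_definition(r, operation, data_action) for r in assigned_roles)


if __name__ == "__main__":
    checks = [
        ("Microsoft.Compute/virtualMachines/write", False),
        ("Microsoft.Authorization/roleAssignments/read", False),
        ("Microsoft.Authorization/roleAssignments/write", False),
        ("Microsoft.Authorization/elevateAccess/action", False),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
    ]
    for op, is_data in checks:
        kind = "data" if is_data else "control"
        print(f"Contributor, {kind}-plane {op}: {permitted_by_definition(CONTRIBUTOR, op, is_data)}")
    op = "Microsoft.Authorization/roleAssignments/write"
    print(f"Contributor + Role Assigner, {op}: {permitted([CONTRIBUTOR, ROLE_ASSIGNER], op)}")
```

Two results are worth noticing. Contributor can read role assignments (only Write and Delete under Microsoft.Authorization are excluded), which is useful reconnaissance for anyone holding that role; and the empty dataActions list means Contributor grants no data-plane access at all, so reading blob contents needs a separate data role such as Storage Blob Data Reader, even though Contributor can manage the storage account itself.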