Azure Classroomnotes 08/Apr/2022

Azure Role Based Access Control (Azure RBAC)

  • Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
  • Azure Security Principal:
    • This is an object that represents a user, a group, a service principal or a managed identity that requests access to Azure resources.
  • Role Definition
    • This is a collection of permissions, typically called a role.
    • This lists the actions that can be performed, such as read, write and delete.
    • Azure has several built-in roles. Refer Here
  • Scope:
    • This is the set of resources that the access applies to.
  • Role Assignment
    • This is the process of attaching a role definition to a user/group/service principal/managed identity at a particular scope for the purpose of granting access.
  • Exercise: Give the Reader access at the subscription level to the Developers group

Understanding Azure Role Definitions

  • A role definition has a fixed set of properties: an id, a roleName, a description, the assignableScopes where it may be assigned, and a permissions list made up of actions, notActions, dataActions and notDataActions.
  • Sample built-in role definition for Contributor in JSON format
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "properties": {
        "roleName": "Contributor",
        "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action",
                    "Microsoft.Blueprint/blueprintAssignments/write",
                    "Microsoft.Blueprint/blueprintAssignments/delete",
                    "Microsoft.Compute/galleries/share/action"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
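The following is an added illustration, not code from the notes or from Azure: a small Python model of the four RBAC pieces above (security principal, role definition, scope, role assignment) that decides whether an action is permitted. It uses the Contributor definition's actions/notActions from the JSON above, a constructed Reader definition (the real built-in Reader grants "*/read"), placeholder subscription and resource names, and the exercise's assignment of Reader to the Developers group at subscription scope. Two rules it encodes are worth noticing: notActions only subtract from the actions of the same role definition (they are not a deny), and an assignment at a scope applies to everything underneath that scope.

```python
"""Toy Azure RBAC evaluator (added example, not Azure's own implementation).

Assumptions: action and scope strings are matched case-insensitively, a
wildcard '*' matches across '/' segments, and a role assignment at scope S
applies to S itself and every scope underneath it. Deny assignments and
data-plane actions are not modelled.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Permissions copied from the Contributor definition shown on the page.
CONTRIBUTOR = {
    "roleName": "Contributor",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
        ],
    }],
}

# Constructed Reader definition: the built-in Reader role grants "*/read".
READER = {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]}

# Placeholder scopes (constructed; not real resource ids).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/app-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"


@dataclass
class Principal:
    """A security principal: a user here, with the groups it belongs to."""
    name: str
    groups: set[str] = field(default_factory=set)


@dataclass
class RoleAssignment:
    """Attaches a role definition to a principal or group at a scope."""
    assignee: str
    role: dict
    scope: str


def scope_covers(assigned: str, target: str) -> bool:
    """True if the target scope is the assigned scope or lies beneath it."""
    a = assigned.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_permits(role: dict, action: str) -> bool:
    """Actions grant, notActions subtract, within one role definition."""
    action = action.lower()
    for perm in role["permissions"]:
        granted = any(fnmatch.fnmatchcase(action, p.lower()) for p in perm["actions"])
        excluded = any(fnmatch.fnmatchcase(action, p.lower()) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def is_allowed(principal: Principal, action: str, scope: str,
               assignments: list[RoleAssignment]) -> bool:
    """Effective access is the union of all assignments reaching the principal."""
    identities = {principal.name.lower()} | {g.lower() for g in principal.groups}
    return any(
        ra.assignee.lower() in identities
        and scope_covers(ra.scope, scope)
        and role_permits(ra.role, action)
        for ra in assignments
    )


def demo() -> dict[str, bool]:
    """The exercise (Reader to Developers at subscription scope) plus a
    Contributor assignment at resource-group scope for comparison."""
    assignments = [
        RoleAssignment("Developers", READER, SUB),
        RoleAssignment("bob", CONTRIBUTOR, RG),
    ]
    alice = Principal("alice", {"Developers"})   # member of Developers
    bob = Principal("bob")
    return {
        "alice_reads_vm": is_allowed(alice, "Microsoft.Compute/virtualMachines/read", VM, assignments),
        "alice_writes_vm": is_allowed(alice, "Microsoft.Compute/virtualMachines/write", VM, assignments),
        "bob_writes_vm": is_allowed(bob, "Microsoft.Compute/virtualMachines/write", VM, assignments),
        # Contributor's notActions stop bob from handing out roles.
        "bob_assigns_role": is_allowed(bob, "Microsoft.Authorization/roleAssignments/write", RG, assignments),
        # bob's assignment is on app-rg only, so a sibling group is out of scope.
        "bob_reads_other_rg": is_allowed(bob, "Microsoft.Compute/virtualMachines/read",
                                         SUB + "/resourceGroups/other-rg", assignments),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the module shows that Alice, through her group, can read the VM anywhere in the subscription but not write it, and that Bob's Contributor at resource-group scope lets him manage the VM but not create role assignments (the notActions block) and gives him nothing in a sibling resource group. In a real tenant the exercise is performed with the Azure CLI, for example `az role assignment create --role Reader --assignee-object-id <GROUP_OBJECT_ID> --assignee-principal-type Group --scope /subscriptions/<SUBSCRIPTION_ID>`, where the placeholders are the Developers group's object id and your subscription id.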

About continuous learner

devops & cloud enthusiastic learner