Azure Classroomnotes 09/Apr/2022

Azure Role Based Access Control (Azure RBAC) (contd.)

  • If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
  • Custom roles can be shared between subscriptions that belong to the same tenant (Azure AD).
  • For every Azure AD tenant there is a limit of 5000 custom roles.
  • To understand this better, let's create a resource group and, inside it, create:

    • A virtual machine
    • A storage account
    • A free SQL database
  • Once these are created, we see the different resources in the resource group.
  • Activity 1: We want a user (sonic) to manage networks, and all other users should be able to read the information.
    • The components this user will be managing are the network security group, virtual network and network interface.
    • By "manage" I mean anything possible on this resource.
    • Refer Here and find whether there is any built-in role to manage this.
    • Network Contributor seems to be a role that fits, so let's add the role assignment at resource group level to user (sonic).
    • We also want user (sonic) to view the other resources but not change them, so we add a Reader role assignment for the sonic user as well.
  • Activity 2: We want a user (hulk) to manage storage accounts, SQL servers and SQL databases.
    • Can you find the right built-in role definitions and assign them?
  • Activity 3: We want to give user (thor) the ability to view (Reader), start and stop virtual machines.
    • In this case we need to find the list of all actions that can be done on a virtual machine.
    • In Azure, the available actions are defined by the Resource Provider.
      • Refer Here for resource provider operations
      • Refer Here for the mapping of resource providers to Azure services
      • So we can summarize this as Reader + two actions.
    • So we need to create a JSON file, which will probably look like the following.
    • Copy the definition from the Reader role:

```json
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "properties": {
        "roleName": "Reader",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
```
    • Now add the two actions:

```json
{
    "id": "we need to change this",
    "properties": {
        "roleName": "we need to change this",
        "description": "we need to change this",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
```
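As an added example (not from the original notes), here is the same derivation in Python: start from the exported Reader definition, add the two virtual machine actions, replace the placeholder fields, and check the draft before submitting it. The subscription id used for the assignable scope is a constructed placeholder; the check that rejects the root scope `/` reflects Azure's rule that a custom role must be assignable at management group, subscription or resource group scope, and the wildcard check is a least-privilege sanity check rather than an Azure requirement.

```python
import copy
import re

# Built-in Reader definition as exported in the notes (the one being copied).
READER = {
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "properties": {
        "roleName": "Reader",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*/read"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
}

# Operation strings look like Microsoft.Compute/virtualMachines/start/action;
# '*' is allowed as a wildcard segment.
OPERATION = re.compile(r"^(\*|[A-Za-z0-9]+\.[A-Za-z0-9]+)(/[A-Za-z0-9*]+)*$")


def derive_custom_role(base, role_name, description, extra_actions, scopes):
    """Build a custom role from a built-in one: base actions + extra actions."""
    role = copy.deepcopy(base)          # never mutate the exported definition
    role.pop("id", None)                # Azure assigns the id of a custom role
    props = role["properties"]
    props["roleName"] = role_name
    props["description"] = description
    props["assignableScopes"] = list(scopes)
    actions = props["permissions"][0]["actions"]
    for action in extra_actions:
        if action not in actions:
            actions.append(action)
    return role


def validate_custom_role(role):
    """Return a list of problems; an empty list means the draft is usable."""
    problems = []
    props = role["properties"]
    for field in ("roleName", "description"):
        if not props.get(field) or "change this" in props[field]:
            problems.append(f"{field} is a placeholder")
    for scope in props["assignableScopes"]:
        if scope == "/":  # custom roles cannot be assignable at the root scope
            problems.append("root scope '/' is not allowed for custom roles")
    for action in props["permissions"][0]["actions"]:
        if not OPERATION.match(action):
            problems.append(f"malformed operation: {action}")
        elif "*" in action and not action.endswith("/read"):
            problems.append(f"wildcard grants more than read: {action}")
    return problems
```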

About continuous learner

devops & cloud enthusiastic learner