Azure Role Based Access Control (Azure RBAC) contd..
- If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
- Custom roles can be shared between subscriptions that belong to the same tenant (Azure AD).
- For every Azure AD tenant there is a limit of 5000 custom roles.
- To understand this better, let's create a resource group, and inside it let's create:
- A virtual machine
- A storage account
- A free SQL database
- Once these are created, we see the different resources.

- Activity 1: We want a user (sonic) to manage networks, and all other users should be able to read the information.
- The components this user will be managing are the network security group, the virtual network and the network interface.
- By manage I mean anything possible on these resources.
- Refer Here and find out whether there is any built-in role to manage this.
- Network Contributor seems to be a role that fits, so let's add the role assignment at resource group level to user (sonic).

- We also want user (sonic) to view the other resources but not change them, so we have now also added a Reader role assignment for the sonic user.

- Activity 2: We want a user (hulk) to manage storage accounts, SQL servers and SQL databases.
- Can you find the right role definitions (from the built-in roles) and assign them?

- Activity 3: We want to give user (thor) the ability to view (Reader), start and stop virtual machines.
- In this case we need to find the list of all actions that can be done on a virtual machine.
- Azure action capability is given by the Resource Provider.
- Refer Here for resource provider operations.
- Refer Here for the mapping of resource providers to Azure services.
- So can we summarize this as Reader + two actions?
- So we need to create a JSON file, which will probably look like this.
- Copy the definition from Reader:
```json
{
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "properties": {
    "roleName": "Reader",
    "description": "View all resources, but does not allow you to make any changes.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- Now add the two actions:

```json
{
  "id": "we need to change this",
  "properties": {
    "roleName": "we need to change this",
    "description": "we need to change this",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/deallocate/action"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
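The following script is an added example (not code from the original post) that carries Activity 3 through offline: it derives the custom definition from the Reader definition quoted above, checks it for the two things that would make Azure reject it or that a reviewer would flag (the built-in `id` must be dropped because Azure assigns a new one, and a custom role cannot list the root scope `/` in `assignableScopes`, only a management group, subscription or resource group), and then evaluates which operations the resulting role actually permits, using the same matching rules Azure applies to control-plane actions: operation strings are case-insensitive and `*` spans `/` segments, and `notActions` only subtracts from this role's own grant. The subscription id, the role name and the helper function names are constructed placeholders; `deallocate/action` is kept as the "stop" action exactly as the post has it.

```python
"""Derive, validate and evaluate an Azure custom role definition offline.

Added example, not the post's own code. The Reader definition is the one the
post quotes; the subscription scope and role name are constructed placeholders.
"""
import copy
import fnmatch
import json
import re

# Built-in Reader definition as quoted in the post.
READER_DEFINITION = {
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "properties": {
        "roleName": "Reader",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": ["/"],
        "permissions": [{
            "actions": ["*/read"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    },
}

# Constructed placeholder; a real subscription id goes here.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# The two operations the post adds on top of Reader.
VM_OPERATOR_ACTIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
]

# Operation strings are "/"-separated segments of letters, digits, "." and "*".
ACTION_RE = re.compile(r"^[A-Za-z0-9.*]+(/[A-Za-z0-9.*]+)*$")


def derive_custom_role(base, role_name, description, extra_actions, assignable_scopes):
    """Clone a built-in definition into a custom one without touching the original."""
    role = copy.deepcopy(base)
    role.pop("id", None)                      # Azure generates the id of a custom role
    props = role["properties"]
    props["roleName"] = role_name
    props["description"] = description
    props["type"] = "CustomRole"              # REST-format marker for custom roles
    props["assignableScopes"] = list(assignable_scopes)
    actions = props["permissions"][0]["actions"]
    for action in extra_actions:
        if action not in actions:
            actions.append(action)
    return role


def validate(role):
    """Return a list of problems; an empty list means the definition looks sane."""
    problems = []
    props = role.get("properties", {})
    if not props.get("roleName"):
        problems.append("roleName is empty")
    scopes = props.get("assignableScopes", [])
    if not scopes:
        problems.append("assignableScopes is empty")
    if "/" in scopes:
        problems.append("custom roles cannot use root scope '/' in assignableScopes")
    for perm in props.get("permissions", []):
        for key in ("actions", "notActions", "dataActions", "notDataActions"):
            for action in perm.get(key, []):
                if not ACTION_RE.match(action):
                    problems.append(f"malformed operation string in {key}: {action!r}")
    return problems


def _matches(pattern, operation):
    # Case-insensitive; fnmatch's "*" also crosses "/" just like Azure's wildcard.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def allows(role, operation):
    """Control-plane check: granted by some 'actions' pattern and not excluded by 'notActions'."""
    for perm in role["properties"]["permissions"]:
        granted = any(_matches(p, operation) for p in perm["actions"])
        excluded = any(_matches(p, operation) for p in perm["notActions"])
        if granted and not excluded:
            return True
    return False


def build_vm_operator_role():
    """Activity 3: Reader plus start and deallocate on virtual machines."""
    return derive_custom_role(
        READER_DEFINITION,
        role_name="Virtual Machine Operator (custom)",   # constructed name
        description="Read everything; start and deallocate virtual machines.",
        extra_actions=VM_OPERATOR_ACTIONS,
        assignable_scopes=[SUBSCRIPTION_SCOPE],
    )


if __name__ == "__main__":
    role = build_vm_operator_role()
    print(json.dumps(role, indent=2))
    print("problems:", validate(role) or "none")
    for op in ("Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/start/action",
               "Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Compute/virtualMachines/restart/action"):
        print(f"{op}: {'allowed' if allows(role, op) else 'not allowed'}")
```

Running `validate` on the quoted Reader definition as-is reports the root-scope problem, which is the reason the `assignableScopes` entry has to be changed along with the three "we need to change this" fields before the file is submitted. The `allows` check is also the quickest way to confirm the principle of least privilege held: `delete` and `restart` stay outside the role even though `*/read` is a wildcard, because the wildcard ends in `/read`.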