Azure Classroomnotes 09/Apr/2022

Azure Role Based Access Control (Azure RBAC) contd..

  • If the Azure built-in roles don’t meet the specific needs of your organization, you can create your own custom roles
  • Custom roles can be shared between subscriptions that trust the same Azure AD tenant
  • Each Azure AD tenant has a limit of 5000 custom roles
  • To understand this better, let's create a resource group and, inside it, create
    • A virtual machine
    • A storage account
    • A free SQL database
  • Once these are created, we see the different resources in the group
  • Activity 1: We want a user (sonic) to manage networks, and all other users should be able to read the information.
    • The components this user will be managing are network security groups, virtual networks and network interfaces
    • By manage I mean anything possible on these resources
    • Refer to the Azure built-in roles list and find if there is any role to manage this
    • Network Contributor seems to be a role that fits (its actions cover Microsoft.Network/*), so let's add the role assignment at resource group level to user (sonic)
    • We also want user (sonic) to view the other resources in the group but not change them, so we have also added a Reader role assignment for the sonic user at the resource group level
  • Activity 2: We want a user (hulk) to manage storage accounts, SQL servers and SQL databases
    • Can you find the right role definitions (from the built-in roles) and assign them at the resource group level?
  • Activity 3: We want to give user (thor) the ability to view (Reader), start and stop virtual machines.
    • In this case we need to find the list of all actions that can be done on a virtual machine.
    • The actions available in Azure are defined by the resource provider (for virtual machines that is Microsoft.Compute).
      • Refer to the resource provider operations reference for the list of operations
      • Refer to the resource provider to Azure service mapping to find the provider for a given service
      • So we can summarize this as Reader + two actions. No built-in role grants exactly this, so we need a custom role.
    • So we need to create a JSON file for the custom role definition
    • Start by copying the definition of the built-in Reader role (the only action it grants is `*/read`):

```json
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "properties": {
        "roleName": "Reader",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
```
    • Now add the two actions. Three other changes are needed before this can be created as a custom role:
      • Remove the `id`: Azure assigns the id when the role definition is created
      • Give the role its own `roleName` and `description` (the values below are examples)
      • Replace the root scope `/` in `assignableScopes`: custom roles can only be assignable at a management group, subscription or resource group, so `<subscription-id>` below must be replaced with your subscription id
    • Note that `deallocate/action` releases the compute resources (the VM shows as Stopped (deallocated)); `Microsoft.Compute/virtualMachines/powerOff/action` is the other stop operation, which leaves the VM allocated and still billed

```json
{
    "properties": {
        "roleName": "VM Operator",
        "description": "View all resources, and start and deallocate virtual machines.",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
```
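The following is an added example, not code from the original notes or from Azure's own SDK. It builds the Reader + start/stop role from Activity 3 in the flat JSON shape that `az role definition create --role-definition @file.json` accepts, checks the scope rule that trips up copies of the built-in Reader definition (custom roles cannot be assignable at `/`), and then evaluates which resource-provider operations the role actually grants using the Azure RBAC rules: effective permission is Actions minus NotActions, `*` matches any run of characters including `/`, and matching is case-insensitive. The function names and the zero subscription id are placeholders chosen for the example.

```python
"""Added example: build and evaluate the Activity 3 custom role offline.
Not Azure SDK code; the subscription id below is a placeholder."""
import json
import re

# Placeholder (assumption): replace with a real subscription id before use.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

READER_ACTIONS = ["*/read"]  # the built-in Reader role's only action


def is_valid_assignable_scope(scope):
    """Custom roles may be assignable at a management group, subscription or
    resource group, never at the root scope '/' that built-in roles use."""
    return scope != "/" and (
        scope.startswith("/subscriptions/")
        or scope.startswith("/providers/Microsoft.Management/managementGroups/")
    )


def build_custom_role(name, description, actions, not_actions=(),
                      scopes=(SUBSCRIPTION_SCOPE,)):
    """Return a custom role definition in the flat form the Azure CLI accepts.
    No 'id' is included: Azure assigns it when the role is created."""
    bad = [s for s in scopes if not is_valid_assignable_scope(s)]
    if bad:
        raise ValueError(f"invalid assignableScopes for a custom role: {bad}")
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": list(not_actions),
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(scopes),
    }


def build_vm_operator_role(scopes=(SUBSCRIPTION_SCOPE,)):
    """Activity 3: Reader plus start and deallocate on virtual machines."""
    return build_custom_role(
        "VM Operator",
        "View all resources; start and deallocate virtual machines.",
        READER_ACTIONS + [
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/deallocate/action",
        ],
        scopes=scopes,
    )


def _matches(pattern, operation):
    """'*' in an action string matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role, operation):
    """An operation is permitted if some Actions entry matches it and no
    NotActions entry does. NotActions subtracts from Actions; it is not a deny
    that would override another role assignment on the same principal."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def allowed_operations(role, operations):
    """Filter resource-provider operations down to those the role grants."""
    return [op for op in operations if is_allowed(role, op)]


if __name__ == "__main__":
    role = build_vm_operator_role()
    print(json.dumps(role, indent=2))  # save as vm-operator.json for the CLI
    # Constructed sample of Microsoft.Compute and Microsoft.Storage operations.
    probe = [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ]
    for op in probe:
        print(f"{'ALLOW' if is_allowed(role, op) else 'deny ':5} {op}")
```

Running the script prints the definition and shows that the role grants `read` on every resource and `start`/`deallocate` on VMs, but not `powerOff`, `delete`, or `listKeys/action` on storage accounts (so Reader does not hand out storage account keys). To use the output: `az role definition create --role-definition @vm-operator.json`, then `az role assignment create --assignee <user> --role "VM Operator" --resource-group <resource-group>` to assign it to thor at the resource group level.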
By continuous learner