Custom Roles in Azure
Scenario-3: Give a group/user access to perform any database and VM operation, but not delete the VMs or databases.
- When defining Azure custom roles, ensure we stay within the service limits. Refer Here
- Refer Here for the steps recommended by Microsoft to create a custom
- Resource providers
  - Virtual Machines => Microsoft.Compute
  - Azure SQL => Microsoft.Sql
- Operations for deletion
  - VM => Microsoft.Compute/virtualMachines/delete
  - Azure SQL => Microsoft.Sql/servers/delete
- Now let's create a custom role using the portal. Refer Here
- Let's assume the assignable scope is the subscription.
- Refer Here for the changes made to the custom role definition (RBAC).
- Assign this role to the user at subscription level.
- Test:
  - Create an Azure SQL DB from your user account
  - Create a VM from your user account
  - Now log in as the new user who has the Scenario-3 role assigned and try:
    - Stop the VM => this should work
    - Delete the VM => this should fail
    - Delete the SQL Server => this should fail
Refer Here
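The following is an added example, not part of the original notes: a Scenario-3 style role definition in the JSON shape Azure uses for custom roles, plus a small evaluator that replays the page's test list using the rule that effective control-plane permissions are `Actions` minus `NotActions` (Azure deny assignments and `DataActions` are ignored here). The subscription id is a placeholder, and `Microsoft.Sql/servers/databases/delete`, `powerOff/action` and `databases/write` are standard operations the page itself does not list; the same evaluator works for Scenario 4 by swapping the `NotActions` list.

```python
import re

# Constructed Scenario-3 role: any VM and Azure SQL operation except deletion.
# Note: creating a VM end to end also needs Microsoft.Network (and often storage)
# permissions, which are left out to keep the example focused on the page's providers.
SCENARIO3_ROLE = {
    "Name": "Compute and SQL operator (no delete)",
    "IsCustom": True,
    "Description": "Any VM and Azure SQL operation except deletion.",
    "Actions": [
        "Microsoft.Compute/*",
        "Microsoft.Sql/*",
    ],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Sql/servers/delete",
        "Microsoft.Sql/servers/databases/delete",  # database-level delete (not listed on the page)
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID-PLACEHOLDER>"],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' matches any characters; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission for a control-plane operation = Actions minus NotActions."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def run_scenario3_tests(role: dict = SCENARIO3_ROLE) -> dict:
    """Replays the page's test list: stop and create work, deletes fail."""
    return {
        "stop_vm": is_allowed(role, "Microsoft.Compute/virtualMachines/powerOff/action"),
        "create_sql_db": is_allowed(role, "Microsoft.Sql/servers/databases/write"),
        "delete_vm": is_allowed(role, "Microsoft.Compute/virtualMachines/delete"),
        "delete_sql_server": is_allowed(role, "Microsoft.Sql/servers/delete"),
    }


if __name__ == "__main__":
    for name, ok in run_scenario3_tests().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```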
Scenario 4: Create a custom role (policy) which allows users to do anything on any service except stopping VMs.
- Refer Here for the changes done.
- Test this role.
Scenario 5: Exercise:
- Create a custom RBAC role with Contributor permissions, but the user/group should not be able to delete:
  - Virtual Machines
  - Disks
  - SQL Databases
  - SQL Servers
  - Storage Accounts
  - Azure Kubernetes Cluster
