Skip to content

Latest commit

 

History

History
62 lines (57 loc) · 2.45 KB

2.1. Governence - Roles.md

File metadata and controls

62 lines (57 loc) · 2.45 KB

Roles

Assign Role-based Access Control

  • Delegated resource administration
  • Roles organize related resource permissions together
    • Depends on resource type
      • E.g. different for VM and storage.
  • Scope
    • Roles are applied to a scope.
    • They're inherited in following order:
      • Management groups
      • Subscription
      • Resource groups
      • Individual resources
  • Role can be assigned to:
    • Users
    • Groups
    • Service principal
      • Application
      • System Assigned Managed Identity: App Service, Function App, Virtual Machine, Virtual Machine Scale Set
      • User Assigned Managed Identity
  • Built-in roles:
    • 60+
    • Examples:
      • Owner: Manage resources and resource access
      • Contributor: Manage resources but not resource access.
      • Reader: Read-only access
      • Storage Blob Data Reader: Specific to storage accounts
      • SQL DB Contributor: Manage, but not access, SQL databases
      • VM Contributor: Manage, but not access, virtual machines.
  • Custom roles

    • ❗ Built using only PowerShell / CLI or REST API.

      • New-AzureRmRoleDefinitation -Role $customRole

    • Shows in same drop-down lists with built-in roles

    • JSON file looks like this:

        {
    "Name": "Network Resource Viewer",
    "IsCustom": true,
    "Description": "Allows reading Azure network resources.",
    "Actions": [ "Microsoft.Network/*/read" ],
    "NotActions": [ ],
    "AssignableScopes": [ "/subscriptions/048.." ]
  }

Classic Administrator Roles

  • The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator.
    • Roles are properties that can be changed in Subcription blade
  • 💡 Azure recommends using RBAC roles
  • Account Administrator (1 per Azure account)
    • Conceptually, the billing owner of the subscription.
    • The Account Administrator has no access to the Azure portal.
  • Service Administrator (1 per Azure subscription)
    • By default, for a new subscription, the Account Administrator is also the Service Administrator.
    • The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
    • The Service Administrator has full access to the Azure portal.
  • Co-Administrator (200 per subscription)
    • The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.