Azure RBAC

Azure provides authentication using Azure AD for its resources. Once an identity is authenticated, Azure must evaluate and decide whether that identity should be allowed to access any resource, all resources, or just the selected resources intended for it. This activity has traditionally been known as authorization. Authorization evaluates whether the given identity has the necessary permissions to access the resource and whether it can perform the intended operation. Anybody having access to an Azure subscription should be given just enough permissions to perform their job. No more than the required permissions should be assigned to identities, so that the attack surface remains minimal.

Authorization is also popularly known as Role-based Access Control (RBAC). RBAC in Azure refers to assigning permissions to identities (users/groups/applications) at a scope. The scope can be a subscription, a resource group, or an individual resource.

RBAC helps in creating and assigning different permissions to different identities. This helps in segregating duties within teams rather than everyone having every permission. It makes people responsible for their job because others might not even have the access needed to perform it. It should be noted that providing access at a higher scope automatically ensures that the child resources inherit those permissions. For example, providing read access on a resource group ensures that the given identity has read permission on all resources within it.

Azure provides three general-purpose built-in roles. They are as follows:

  • Owner role, which has full access to all resources
  • Contributor role, which has read/write access to resources
  • Reader role, which has only read permissions on resources

There are more roles provided by Azure, but they are resource specific. Examples include network contributor and security manager.

To get all roles provided by Azure for all resources, execute the Get-AzureRmRoleDefinition command in the PowerShell console.

Each role definition has certain allowed and disallowed actions. For example, the Owner role has all actions permitted and none prohibited. Prohibited actions (NotActions) take precedence over allowed actions:

PS C:\Users\rimodi> Get-AzureRmRoleDefinition -Name "owner"

Name             : Owner
Id               : 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
IsCustom         : False
Description      : Lets you manage everything, including access to resources.
Actions          : {*}
NotActions       : {}
AssignableScopes : {/}

Each role comprises multiple permissions. Each resource provides a list of operations. The operations supported by a resource can be obtained using the Get-AzureRmProviderOperation cmdlet. This cmdlet takes the name of the provider and resource, as a search string, for retrieving the operations:

Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Insights/*"

This will result in the following output:

PS C:\Users\rimodi> get-AzureRmProviderOperation -OperationSearchString "Microsoft.Insights/*" | select operation

Operation                                                      
---------                                                      
Microsoft.Insights/Register/Action                                  
Microsoft.Insights/AlertRules/Write                                 
Microsoft.Insights/AlertRules/Delete                                
Microsoft.Insights/AlertRules/Read                                  
Microsoft.Insights/AlertRules/Activated/Action                      
Microsoft.Insights/AlertRules/Resolved/Action                       
Microsoft.Insights/AlertRules/Throttled/Action                      
Microsoft.Insights/AlertRules/Incidents/Read                        
Microsoft.Insights/MetricDefinitions/Read                           
Microsoft.Insights/eventtypes/values/Read                           
Microsoft.Insights/eventtypes/digestevents/Read                     
Microsoft.Insights/Metrics/Read                                     
Microsoft.Insights/LogProfiles/Write                                
Microsoft.Insights/LogProfiles/Delete                               
Microsoft.Insights/LogProfiles/Read                                 
Microsoft.Insights/Components/Write                                 
Microsoft.Insights/Components/Delete                                
Microsoft.Insights/Components/Read                                  
Microsoft.Insights/AutoscaleSettings/Write                          
Microsoft.Insights/AutoscaleSettings/Delete                         
Microsoft.Insights/AutoscaleSettings/Read                           
Microsoft.Insights/AutoscaleSettings/Scaleup/Action                 
Microsoft.Insights/AutoscaleSettings/Scaledown/Action               
Microsoft.Insights/AutoscaleSettings/providers/Microsoft.Insights/MetricDefinitions/Read
Microsoft.Insights/ActivityLogAlerts/Activated/Action               
Microsoft.Insights/DiagnosticSettings/Write                         
Microsoft.Insights/DiagnosticSettings/Delete                        
Microsoft.Insights/DiagnosticSettings/Read                          
Microsoft.Insights/LogDefinitions/Read                              
Microsoft.Insights/Webtests/Write                                   
Microsoft.Insights/Webtests/Delete                                  
Microsoft.Insights/Webtests/Read                                    
Microsoft.Insights/ExtendedDiagnosticSettings/Write                 
Microsoft.Insights/ExtendedDiagnosticSettings/Delete                
Microsoft.Insights/ExtendedDiagnosticSettings/Read  
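The two rules explained above, that permissions assigned at a higher scope are inherited by child resources and that NotActions take precedence over Actions within a role, can be checked against a small model of role definitions and assignments. The following is an added example, not code from the book or from Azure itself; the custom "Alert Operator" role, the principals, the placeholder subscription id and the resource names are constructed, and only a subset of the Microsoft.Insights operations listed above is used.

```python
import fnmatch
from collections import namedtuple

# A role definition mirrors the fields shown in the Get-AzureRmRoleDefinition output.
RoleDefinition = namedtuple("RoleDefinition", "name actions not_actions", defaults=((),))
# An assignment binds a principal (user/group/application) to a role at a scope.
RoleAssignment = namedtuple("RoleAssignment", "principal role scope")

# Built-in roles modelled on the Owner definition above, plus a constructed custom
# role that may manage alert rules but never delete them.
OWNER = RoleDefinition("Owner", actions=("*",))
READER = RoleDefinition("Reader", actions=("*/read",))
ALERT_OPERATOR = RoleDefinition("Alert Operator",
                                actions=("Microsoft.Insights/AlertRules/*",),
                                not_actions=("Microsoft.Insights/AlertRules/Delete",))

def _matches(patterns, operation):
    # Action strings use '*' wildcards and are compared case-insensitively.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def _inherited(assignment_scope, resource_scope):
    # An assignment at a parent scope applies to every child scope beneath it.
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def is_permitted(principal, operation, resource_scope, assignments):
    # Effective permission = union over assignments of (Actions minus NotActions),
    # so a NotAction in one role does not cancel a grant from another role.
    for asg in assignments:
        if asg.principal != principal or not _inherited(asg.scope, resource_scope):
            continue
        if _matches(asg.role.actions, operation) and not _matches(asg.role.not_actions, operation):
            return True
    return False

# Constructed sample tenant: placeholder subscription id, one resource group, one alert rule.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
ALERT = RG + "/providers/Microsoft.Insights/alertRules/cpu-high"
ASSIGNMENTS = (RoleAssignment("alice", OWNER, SUB),   # inherited by every child resource
               RoleAssignment("bob", READER, RG),
               RoleAssignment("carol", ALERT_OPERATOR, RG))

# Subset of the Microsoft.Insights operations listed above.
OPERATIONS = ("Microsoft.Insights/AlertRules/Write", "Microsoft.Insights/AlertRules/Delete",
              "Microsoft.Insights/AlertRules/Read", "Microsoft.Insights/Metrics/Read")

def effective_operations(principal, resource_scope, assignments=ASSIGNMENTS, catalogue=OPERATIONS):
    # Which of the catalogued operations the principal can perform at this scope.
    return [op for op in catalogue if is_permitted(principal, op, resource_scope, assignments)]
```

Running effective_operations for each principal against the alert rule shows the Owner assignment at subscription scope flowing down to the resource, while carol's Delete is blocked by the role's NotActions even though its Actions wildcard covers it.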
