Skip to content

Latest commit

 

History

History
215 lines (122 loc) · 13.3 KB

delegate-role-assignments-portal.md

File metadata and controls

215 lines (122 loc) · 13.3 KB
Raw
title description author manager ms.service ms.subservice ms.topic ms.date ms.author
Delegate Azure role assignment management to others with conditions - Azure ABAC
How to delegate Azure role assignment management to other users by using Azure attribute-based access control (Azure ABAC).
rolyon
amycolannino
role-based-access-control
conditions
how-to
04/15/2024
rolyon

Delegate Azure role assignment management to others with conditions

As an administrator, you might get several requests to grant access to Azure resources that you want to delegate to someone else. You could assign a user the Owner or User Access Administrator roles, but these are highly privileged roles. This article describes a more secure way to delegate role assignment management to other users in your organization, but add restrictions for those role assignments. For example, you can constrain the roles that can be assigned or constrain the principals the roles can be assigned to.

The following diagram shows how a delegate with conditions can only assign the Backup Contributor or Backup Reader roles to only the Marketing or Sales groups.

:::image type="content" source="./media/delegate-role-assignments-portal/delegate-role-assignments.png" alt-text="Diagram that shows an administrator delegating role assignment management with conditions." lightbox="./media/delegate-role-assignments-portal/delegate-role-assignments.png":::

Prerequisites

[!INCLUDE Azure role assignment prerequisites]

Step 1: Determine the permissions the delegate needs

To help determine the permissions the delegate needs, answer the following questions:

  • What roles can the delegate assign?
  • What types of principals can the delegate assign roles to?
  • Which principals can the delegate assign roles to?
  • Can delegate remove any role assignments?

Once you know the permissions that delegate needs, you use the following steps to add a condition to the delegate's role assignment. For example conditions, see Examples to delegate Azure role assignment management with conditions.

Step 2: Start a new role assignment

  1. Sign in to the Azure portal.

  2. Follow the steps to open the Add role assignment page.

  3. On the Roles tab, select the Privileged administrator roles tab.

  4. Select the Role Based Access Control Administrator role.

    The Conditions tab appears.

    You can select any role that includes the Microsoft.Authorization/roleAssignments/write or Microsoft.Authorization/roleAssignments/delete actions, such as User Access Administrator, but Role Based Access Control Administrator has fewer permissions.

  5. On the Members tab, find and select the delegate.

Step 3: Add a condition

There are two ways that you can add a condition. You can use a condition template or you can use an advanced condition editor.

Template

  1. On the Conditions tab under What user can do, select the Allow user to only assign selected roles to selected principals (fewer privileges) option.

    :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the constrained option selected." lightbox="./media/shared/condition-constrained.png":::

  2. Select Select roles and principals.

    The Add role assignment condition page appears with a list of condition templates.

    :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::

  3. Select a condition template and then select Configure.

    Condition template Select this template to
    Constrain roles Allow user to only assign roles you select
    Constrain roles and principal types Allow user to only assign roles you select
    Allow user to only assign these roles to principal types you select (users, groups, or service principals)
    Constrain roles and principals Allow user to only assign roles you select
    Allow user to only assign these roles to principals you select
    Allow all except specific roles Allow user to assign all roles except the roles you select

  4. In the configure pane, add the required configurations.

    :::image type="content" source="./media/shared/condition-template-configure-pane.png" alt-text="Screenshot of configure pane for a condition with selection added." lightbox="./media/shared/condition-template-configure-pane.png":::

  5. Select Save to add the condition to the role assignment.

Condition editor

If the condition templates don't work for your scenario or if you want more control, you can use the condition editor.

Open condition editor

  1. On the Conditions tab under What user can do, select the Allow user to only assign selected roles to selected principals (fewer privileges) option.

    :::image type="content" source="./media/shared/condition-constrained.png" alt-text="Screenshot of Add role assignment with the Constrained option selected." lightbox="./media/shared/condition-constrained.png":::

  2. Select Select roles and principals.

    The Add role assignment condition page appears with a list of condition templates.

    :::image type="content" source="./media/shared/condition-templates.png" alt-text="Screenshot of Add role assignment condition with a list of condition templates." lightbox="./media/shared/condition-templates.png":::

  3. Select Open advanced condition editor.

    The Add role assignment condition page appears.

  4. For the Editor type option, leave the default Visual selected.

Add action

  1. In the Add action section, select Add action.

    The Select an action pane appears. This pane is a filtered list of actions based on the role assignment that will be the target of your condition.

    :::image type="content" source="./media/delegate-role-assignments-portal/delegate-role-assignments-actions-select.png" alt-text="Screenshot of Select an action pane to delegate role assignment management with conditions." lightbox="./media/delegate-role-assignments-portal/delegate-role-assignments-actions-select.png":::

  2. Select the Create or update role assignments action you want to allow if the condition is true.

    [!TIP] If you select both Create or update role assignments and Delete a role assignment actions, you won't be able add a condition expression. If you want to target both of these actions, you must add two conditions. For more information, see Example: Constrain roles.

Build expressions

  1. In the Build expression section, select Add expression.

    Here is where you build the expression to constrain role assignments the delegate can add.

  2. In the Attribute source list, select Request.

  3. In the Attribute list, select one of the following attributes for the left side of the expression.

    • Role definition ID is used to constrain the roles the delegate can assign.
    • Principal ID is used to constrain the specific principals the delegate can assign roles to.
    • Principal type is used to constrain the types of principals (users, groups, or service principals) that the delegate can assign roles to.

  4. In the Operator list, select an operator.

    Depending on the attribute and the expression you want to build, you typically select these operators, which allow you to select one or more values for the right side of the expression.

    Attribute Common operator
    Role definition ID ForAnyOfAnyValues:GuidEquals
    ForAnyOfAllValues:GuidNotEquals
    Principal ID ForAnyOfAnyValues:GuidEquals
    Principal type ForAnyOfAnyValues:StringEqualsIgnoreCase

  5. In the Value box, enter one or more values for the right side of the expression.

    :::image type="content" source="./media/shared/delegate-role-assignments-expression.png" alt-text="Screenshot of Build expression section to delegate role assignment management with conditions." lightbox="./media/shared/delegate-role-assignments-expression.png":::

  6. Add additional expressions as needed.

    [!TIP] When you add multiple expressions to delegate role assignment management with conditions, you typically use the And operator between expressions instead of the default Or operator.

  7. Select Save to add the condition to the role assignment.

Step 4: Assign role with condition to delegate

  1. On the Review + assign tab, review the role assignment settings.

  2. Select Review + assign to assign the role.

    After a few moments, the delegate is assigned the Role Based Access Control Administrator role with your role assignment conditions.

Step 5: Delegate assigns roles with conditions

  • Delegate can now follow steps to assign roles.

    :::image type="content" source="./media/shared/groups-constrained.png" alt-text="Diagram of role assignments constrained to specific roles and specific groups." lightbox="./media/shared/groups-constrained.png":::

    When the delegate tries to assign roles in the Azure portal, the list of roles will be filtered to just show the roles they can assign.

    :::image type="content" source="./media/shared/constrained-roles-assign.png" alt-text="Screenshot of role assignments constrained to specific roles." lightbox="./media/shared/constrained-roles-assign.png":::

    If there is a condition for principals, the list of principals available for assignment are also filtered.

    :::image type="content" source="./media/shared/constrained-principals-assign.png" alt-text="Screenshot of role assignments constrained to specific groups." lightbox="./media/shared/constrained-principals-assign.png":::

    If the delegate attempts to assign a role that is outside the conditions using an API, the role assignment fails with an error. For more information, see Symptom - Unable to assign a role.

Edit a condition

There are two ways that you can edit a condition. You can use the condition template or you can use the condition editor.

  1. In the Azure portal, open Access control (IAM) page for the role assignment that has a condition that you want to view, edit, or delete.

  2. Select the Role assignments tab and find the role assignment.

  3. In the Condition column, select View/Edit.

    If you don't see the View/Edit link, be sure you're looking at the same scope as the role assignment.

    :::image type="content" source="./media/shared/condition-role-assignments-list-edit.png" alt-text="Screenshot of role assignment list with View/Edit link for condition." lightbox="./media/shared/condition-role-assignments-list-edit.png":::

    The Add role assignment condition page appears. This page will look different depending on whether the condition matches an existing template.

  4. If the condition matches an existing template, select Configure to edit the condition.

    :::image type="content" source="./media/shared/condition-templates-edit.png" alt-text="Screenshot of condition templates with matching template enabled." lightbox="./media/shared/condition-templates-edit.png":::

  5. If the condition doesn't match an existing template, use the advanced condition editor to edit the condition.

    For example, to edit a condition, scroll down to the build expression section and update the attributes, operator, or values.

    :::image type="content" source="./media/delegate-role-assignments-portal/condition-editor-build-expression.png" alt-text="Screenshot of condition editor that shows options to edit build expression." lightbox="./media/delegate-role-assignments-portal/condition-editor-build-expression.png":::

    To edit the condition directly, select the Code editor type and then edit the code for the condition.

    :::image type="content" source="./media/delegate-role-assignments-portal/condition-editor-code.png" alt-text="Screenshot of condition editor that shows Code editor type." lightbox="./media/delegate-role-assignments-portal/condition-editor-code.png":::

  6. When finished, click Save to update the condition.

Next steps