
---

# 📘 Azure Role-Based Access Control (RBAC) – Technical Overview

## 🧭 Introduction

Azure Role-Based Access Control (RBAC) is a fundamental security mechanism in Microsoft Azure that enables fine-grained access management for Azure resources. This documentation provides a comprehensive overview of the RBAC model, its components, and how it governs access control in Azure environments.

---

## 🔐 What is Azure RBAC?

**RBAC** stands for **Role-Based Access Control**. It is a system that allows administrators to assign permissions to users, groups, and applications based on their roles within an organization.

In essence:
- **Roles** define **what** actions can be performed.
- **Security principals** define **who** can perform those actions.
- **Scopes** define **where** those actions can be performed.

---

## 🧩 Core Components of Azure RBAC

Azure RBAC is built around **three key artifacts**:

### 1. 👤 Security Principal (**Who**)

A **security principal** is an identity that can be assigned access to Azure resources. This represents the **"who"** in the RBAC model.

#### Types of Security Principals:
- **User**: An individual user account.
- **Group**: A collection of users managed as a single entity.
- **Service Principal**: An identity for applications or services to access Azure resources securely.
- **Managed Identity**: An automatically managed identity for Azure services.

> 🔎 **Service Principal**: Think of it as a user account for applications. It allows apps to authenticate and access resources securely without user intervention.

#### Example Use Case:
In a team with developers, IT admins, DB admins, and security admins, each role requires different levels of access. Security principals help segregate duties and enforce least privilege access.

---

### 2. 📜 Role Definition (**What**)

A **role definition** specifies **what** actions a security principal can perform. It is essentially a collection of permissions.

#### Built-in Roles:
- **Owner**: Full access to all resources, including the ability to assign roles.
- **Contributor**: Can create, read, update, and delete resources but **cannot** assign roles.
- **Reader**: Can view resources but **cannot** make changes.

#### Permissions Include:
- **Read**
- **Write**
- **Delete**
- **Specific resource actions**

> ⚠️ **Important Distinction**: A **Contributor** can manage resources but **cannot** manage access or assign roles, unlike an **Owner**.

---

### 3. 🌍 Scope (**Where**)

**Scope** defines **where** the access applies. It determines the boundaries within which the role definition is effective.

#### Levels of Scope:
- **Management Group**
- **Subscription**
- **Resource Group**
- **Resource**

> 🔁 **Hierarchy**: Azure RBAC follows a **top-down inheritance model**. Permissions assigned at a higher level (e.g., subscription) are automatically inherited by lower levels (e.g., resource group, resource).

---

## 🔗 Role Assignment

Once the **who**, **what**, and **where** are defined, the final step is to **attach** the role to the security principal. This process is called **Role Assignment**.

### Role Assignment = Security Principal + Role Definition + Scope

#### Example:
- **Security Principal**: Marketing Group
- **Role Definition**: Contributor
- **Scope**: Former Sales Resource Group

> ✅ This means users in the Marketing Group can manage resources **only** within the Former Sales Resource Group. They **cannot** access resources outside this scope unless explicitly assigned another role.

---

## 🧠 Summary

| Concept            | Description                                                                 |
|--------------------|-----------------------------------------------------------------------------|
| **Who**            | Security principal (User, Group, Service Principal, Managed Identity)       |
| **What**           | Role definition (Owner, Contributor, Reader) – defines permissions          |
| **Where**          | Scope (Management Group, Subscription, Resource Group, Resource)            |
| **Role Assignment**| Binding of a role to a security principal at a specific scope               |

---

## 📚 Further Reading

- Azure RBAC Documentation
- Azure Identity Management
- Best Practices for RBAC

---


![1-azure-rbac-model.png](1-azure-rbac-model.png)
![2-azure-openai-rbac-model.png](2-azure-openai-rbac-model.png)