Skip to content

Latest commit

 

History

History
68 lines (58 loc) · 2.4 KB

2.1. Governance - Roles.md

File metadata and controls

68 lines (58 loc) · 2.4 KB
Raw

Roles

Role assignments

  • Delegated resource administration
  • Roles organize related resource permissions together
    • Depends on resource type
      • E.g. different for VM and storage.
  • Scope
    • Roles are applied to a scope.
    • They're inherited in following order:
      • Management groups
      • Subscription
      • Resource groups
      • Individual resources
  • Role can be assigned to:
    • Users
    • Groups
    • Service principal
      • Application
      • System Assigned Managed Identity: App Service, Function App, Virtual Machine, Virtual Machine Scale Set
      • User Assigned Managed Identity

Role types

Built-in roles

  • 60+
  • Common roles:
    • Owner: Manage resources and resource access
    • Contributor: Manage resources but not resource access.
    • Reader: Read-only access
    • Storage Blob Data Reader: Specific to storage accounts
    • SQL DB Contributor: Manage, but not access, SQL databases
    • VM Contributor: Manage, but not access, virtual machines.

Custom roles

  • ❗ Built using only PowerShell / CLI or REST API.

    • New-AzureRmRoleDefinitation -Role $customRole

  • Shows in same drop-down lists with built-in roles

  • JSON file looks like this:

      {
    "Name": "Network Resource Viewer",
    "IsCustom": true,
    "Description": "Allows reading Azure network resources.",
    "Actions": [ "Microsoft.Network/*/read" ],
    "NotActions": [ ],
    "AssignableScopes": [ "/subscriptions/048.." ]
  }

Classic Administrator Roles

  • The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator.
    • Roles are properties that can be changed in Subcription blade
  • 💡 Azure recommends using RBAC roles
  • Account Administrator (1 per Azure account)
    • Conceptually, the billing owner of the subscription.
    • The Account Administrator has no access to the Azure portal.
  • Service Administrator (1 per Azure subscription)
    • By default, for a new subscription, the Account Administrator is also the Service Administrator.
    • The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
    • The Service Administrator has full access to the Azure portal.
  • Co-Administrator (200 per subscription)
    • The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.