Role Based Access Control (RBAC)
This lab is an introduction to Role Based Access Control (RBAC) in the Azure Resource Model (ARM): we first experience RBAC in the Portal, then look at role definitions with the CLI.
We recommend going through our ARM Introduction lab first.
Assignment - Portal Experience
- Go to http://portal.azure.com
- Select Resource Group on the left-hand side menu
- We should see a list of resource groups assuming our subscription isn't empty
- Let's select a resource group
- On the left menu, let's select Access control (IAM)
- We can see the current RBAC settings:
- Those settings are inherited
- We see roles coming from both the subscription and the management group
- We see three types of roles
- The orange boxes in the screenshot hide email addresses; they do not appear in the portal
- Let's add a new permission: let's click the Add button on top of the pane
- This opens a pop-up pane like this one:
- Let's look at the available roles:
- Let's select Reader
- In the Assign access to drop-down, we can type the email of a colleague
We won't perform the assignment here. Essentially, a permission is a role plus a user (or a group), assigned at a given scope.
When a permission is assigned to a resource group, it is inherited by the resources underneath it. Similarly, a permission assigned to a subscription is inherited by the resource groups underneath it.
Definitions - CLI
We've seen that RBAC permissions are built on roles. Let's look at role definitions.
- Let's type
az role definition list -o table | less
- This gives us the list of default roles:
- This tabular format is convenient but hides some fields. Let's type:
az role definition list -o jsonc | more
- This gives us more verbose definitions, including the actions allowed by the role
- An action corresponds to an individual REST API call that a user can perform. In the example above, wildcards (*) are used. Let's look at a more specific role:
az role definition list --query "[?roleName == 'Virtual Machine User Login']" -o jsonc
- This gives us the definition of the role Virtual Machine User Login:
- We see that it includes only read actions
It is possible to create custom roles by aggregating actions.
Online Documentation covers that topic.
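To tie the two halves of the lab together (scope inheritance from the Portal section, and roles as Actions minus NotActions with * wildcards from the CLI section), here is an added example in Python. It is not code from the lab or from Azure: the role definitions, subscription id, resource names and assignments are constructed and simplified for illustration, and real definitions should be checked with az role definition list. The last function also shows a check a practitioner would want before assigning a role at a broad scope: which roles grant every action.

```python
"""Small model of an Azure RBAC check: assignments are inherited down the
scope hierarchy, and a role's effective permissions are its Actions minus
its NotActions, where '*' is a wildcard. Everything below is constructed."""
from fnmatch import fnmatchcase

# Constructed, simplified definitions in the shape of `az role definition list`
# output (only the fields used here). Modelled loosely on the built-in roles
# the lab mentions, not copied from Azure.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor can manage resources but not hand out permissions.
        "notActions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
        ],
    },
    "Virtual Machine User Login": {
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Network/publicIPAddresses/read",
        ],
        "notActions": [],
    },
}

# Constructed scope hierarchy: subscription > resource group > resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/demo-rg"
OTHER_RG = SUB + "/resourceGroups/demo-rg2"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/demo-vm"

# Constructed assignments: (principal, role name, scope).
ASSIGNMENTS = [
    ("alice@example.com", "Reader", SUB),
    ("bob@example.com", "Contributor", RG),
    ("carol@example.com", "Virtual Machine User Login", VM),
]


def action_matches(pattern: str, operation: str) -> bool:
    """Action strings are case-insensitive; '*' matches any run of characters,
    '/' included, so '*/read' covers every read operation of every provider."""
    return fnmatchcase(operation.lower(), pattern.lower())


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it.
    Compare whole path segments so that 'demo-rg' does not cover 'demo-rg2'."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_permits(role_name: str, operation: str) -> bool:
    """Effective permissions of one role = Actions minus NotActions."""
    definition = ROLE_DEFINITIONS[role_name]
    if any(action_matches(p, operation) for p in definition["notActions"]):
        return False
    return any(action_matches(p, operation) for p in definition["actions"])


def effective_roles(principal: str, resource_scope: str) -> list:
    """Roles reaching a resource, including those inherited from parent scopes."""
    return sorted({
        role for who, role, scope in ASSIGNMENTS
        if who == principal and scope_covers(scope, resource_scope)
    })


def is_allowed(principal: str, operation: str, resource_scope: str) -> bool:
    """Allowed if any applicable role permits the operation. Real Azure also
    evaluates deny assignments and data actions, which are left out here."""
    return any(role_permits(r, operation)
               for r in effective_roles(principal, resource_scope))


def roles_granting_everything(definitions=ROLE_DEFINITIONS) -> list:
    """Roles whose Actions contain a bare '*': review these before assigning
    them at subscription or management group scope."""
    return sorted(name for name, d in definitions.items() if "*" in d["actions"])


if __name__ == "__main__":
    read_vm = "Microsoft.Compute/virtualMachines/read"
    start_vm = "Microsoft.Compute/virtualMachines/start/action"
    grant = "Microsoft.Authorization/roleAssignments/write"
    print("alice reads VM via subscription Reader:", is_allowed("alice@example.com", read_vm, VM))
    print("alice starts VM:", is_allowed("alice@example.com", start_vm, VM))
    print("bob starts VM via RG Contributor:", is_allowed("bob@example.com", start_vm, VM))
    print("bob grants roles in RG:", is_allowed("bob@example.com", grant, RG))
    print("bob reads in other RG:", is_allowed("bob@example.com", read_vm, OTHER_RG))
    print("roles granting '*':", roles_granting_everything())
```

Two points worth noticing when running it: alice never received an assignment on the VM itself, yet reads it because the subscription-level Reader assignment is inherited; and bob's Contributor role, although its Actions is "*", cannot write role assignments because NotActions removes Microsoft.Authorization writes, which is what keeps a Contributor from granting themselves more access.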