Know about Role Definition in Azure

Role Definition in Azure

In Azure, Role Definitions are central to Role-Based Access Control (RBAC), which is the mechanism that controls access to resources in Azure.

A role definition is a set of permissions that determines what actions a security principal (such as a user, group, or service principal) can perform on Azure resources.

Role Definitions allow you to define a set of permissions for a security principal to perform certain actions on resources.

Azure provides both built-in roles for common tasks and the option to create custom roles for more specialized needs.

Let’s break down Role Definition in detail, covering its components, types, use cases, and management.

1. What is a Role Definition in Azure?

A Role Definition in Azure is a collection of permissions that determine what actions a security principal (user, group, service principal, etc.) can perform on Azure resources.

• Permissions specify what actions the security principal can take on resources.

• Actions are grouped into categories, such as read, write, delete, list, and others.

Each role definition provides specific permissions based on the level of access a principal should have.

Permissions in a role definition apply to specific types of resources or services within Azure.

2. Components of a Role Definition

A role definition typically includes the following components:

• Permissions

Defines the actions (operations) that are allowed or denied on resources.

Actions: Operations that the principal is allowed to perform (e.g., Microsoft.Compute/virtualMachines/start).

NotActions: Operations that are explicitly denied (e.g., Microsoft.Compute/virtualMachines/delete).

DataActions: Operations that work on data in Azure services (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/read).

NotDataActions: Operations on data that are explicitly denied (e.g., Microsoft.Storage/storageAccounts/blobServices/containers/write).

• Assignable Scopes

Defines the scope where the role can be assigned.

The scope can range from a management group, subscription, resource group, to a specific resource (e.g., a virtual machine).

• Name

The name of the role, which could be a built-in role (like Contributor, Reader, Owner) or a custom role that is defined by the user.

• Description

A brief explanation of what the role is used for (e.g., "Allows management of virtual machines but not network configurations").

3. Types of Role Definitions

There are two types of role definitions in Azure:

1. Built-in Roles

Azure provides several built-in roles that cover common access control scenarios.

These roles can be assigned directly to security principals without modification.

• Owner: Full access to all resources, including the ability to assign roles to others.

• Contributor: Can manage all Azure resources, but cannot assign roles.

• Reader: Can view resources but cannot make changes.

• Virtual Machine Contributor: Can manage virtual machines, but not related resources like networking or storage.

• Storage Blob Data Contributor: Allows management of blob data within a storage account.

Some specialized roles are also available, such as:

• Security Administrator: Manages security-related settings like security policies and Azure Defender.

• Application Administrator: Manages enterprise application registrations and configurations.

Example of a Built-in Role: Contributor

xxxxxxxxxx
13
1
{
2
    "Name": "Contributor",
3
    "Description": "Can manage all Azure resources, but cannot assign roles to others.",
4
    "Actions": [
5
        "Microsoft.Resources/*/read",
6
        "Microsoft.Resources/deployments/*",
7
        "Microsoft.Compute/virtualMachines/*"
8
    ],
9
    "AssignableScopes": [
10
        "/subscriptions/{subscriptionId}",
11
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
12
    ]
13
}

2. Custom Roles

Azure also allows users to define custom roles if the built-in roles do not meet the organization’s requirements.

Custom roles can be created by specifying a set of actions, not-actions, data actions, and assignable scopes.

Creating a Custom Role:

Custom roles are defined using JSON syntax, where you specify the role’s permissions, description, actions, and assignable scopes.

Example JSON of a Custom Role:

xxxxxxxxxx
14
1
{
2
    "Name": "VM Reader",
3
    "Description": "Can view virtual machines but cannot manage them",
4
    "Actions": [
5
        "Microsoft.Compute/virtualMachines/read"
6
    ],
7
    "NotActions": [
8
        "Microsoft.Compute/virtualMachines/start",
9
        "Microsoft.Compute/virtualMachines/deallocate"
10
    ],
11
    "AssignableScopes": [
12
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
13
    ]
14
}

4. Permissions in Role Definitions

Permissions in role definitions are categorized into:

• Actions: Specific operations that the principal is allowed to perform on a resource.

• NotActions: Specific operations that the principal is explicitly denied (this is a way to fine-tune permissions).

• DataActions: Actions that pertain to the data inside Azure resources, such as reading or writing blobs in a storage account.

• NotDataActions: Denied data operations within a resource.

Example Actions in a Role Definition:

• "Microsoft.Compute/virtualMachines/start": Start a virtual machine.

• "Microsoft.Storage/storageAccounts/blobServices/containers/read": Read data from a container in a blob service.

• "Microsoft.Resources/subscriptions/read": Read the details of a subscription.

Example of NotActions:

• "Microsoft.Compute/virtualMachines/delete": Denies deletion of virtual machines.

Example of DataActions:

• "Microsoft.Storage/storageAccounts/blobServices/containers/read": Read access to blob containers.

• "Microsoft.Storage/storageAccounts/blobServices/containers/write": Write access to blob containers.

5. Assignable Scopes

Assignable scopes determine where the role can be assigned.

Azure RBAC allows roles to be assigned at multiple levels of the Azure resource hierarchy.

The assignable scopes can be:

• Management Group: A higher-level grouping that can contain multiple subscriptions.

• Subscription: A container for resources and resource groups.

• Resource Group: A container for resources that share a common lifecycle.

• Resource: The actual Azure resource (e.g., a specific virtual machine or storage account).

Scope Example:

• A role like Contributor can be assigned at the resource group level so the user can manage all resources within that resource group.

• A Reader role could be applied to an entire subscription to give read-only access to all resources within the subscription.

6. How to Create a Custom Role Definition

You can create custom roles using the Azure Portal, Azure CLI, or Azure PowerShell.

Using Azure Portal:

1. Go to Azure Active Directory > Roles and administrators.

2. Click on + Add custom role.

3. Fill in the role name, description, and permissions.

4. Set the Assignable Scopes to determine where the role can be applied (e.g., subscription, resource group).

5. Click Create to save the custom role.

Using Azure CLI:

You can create a custom role definition using the az role definition create command with a JSON file.

xxxxxxxxxx
1
1
az role definition create --role-definition customRole.json

Where customRole.json contains the JSON definition of the role.

Using PowerShell:

The same can be done using PowerShell’s New-AzRoleDefinition cmdlet.

xxxxxxxxxx
1
1
New-AzRoleDefinition -InputFile "C:\path\to\customRole.json"

7. Best Practices for Role Definitions

• Principle of Least Privilege

Assign only the permissions necessary for a user or service to perform their job functions.

Custom roles are particularly useful for fine-tuning permissions to avoid over-permissioning.

• Use Built-in Roles

Where possible, use Azure’s built-in roles rather than custom roles to simplify management and reduce complexity.

• Audit Role Definitions

Regularly review role definitions and assignments to ensure users and services only have the required level of access.

• Test Custom Roles

Always test custom roles in a non-production environment to ensure they work as expected without granting unnecessary permissions.

8. Summary

Role Definitions are crucial components of Azure's Role-Based Access Control (RBAC) system.

They define the permissions a security principal has within Azure, allowing you to control who can do what across your resources.

• Built-in Roles

Predefined roles for common access control scenarios (e.g., Owner, Contributor, Reader).

• Custom Roles

Custom roles provide fine-grained control, allowing users to define roles with specific permissions tailored to organizational needs.

• Actions, NotActions, DataActions

Define the specific operations (like reading, writing, or managing) allowed or denied for a role.

• Assignable Scopes

Specify the scope (subscription, resource group, resource) where the role is applied.

Azure’s RBAC model allows for precise access control, promoting security and efficiency by ensuring only the necessary permissions are granted to the right individuals or services.