In Azure, Role-Based Access Control (RBAC) is used to manage access to Azure resources.
It ensures that users, groups, and service principals are assigned the correct permissions to interact with resources.
The process of role assignment involves four key elements
Security Principal,
Role Definition,
Role Assignment,
and Scope.
Let’s break down these concepts and how they work together to provide controlled access to resources.
1. Security Principal
A Security Principal is an identity to which Azure RBAC permissions can be assigned.
It represents any entity that needs to authenticate and get access to Azure resources.
What types of Security Principals are there in Azure RBAC?
Broadly, there are 5 types of security principals in Azure RBAC.
1. User
A person who has a Microsoft identity (either a work, school, or personal account).
2. Group
A collection of users that can be managed together.
3. Service Principal
A security identity used by applications, services, or automation tools to access Azure resources.
4. Managed Identity
An identity created for Azure resources, like virtual machines or apps, to interact with other Azure services securely without needing explicit credentials.
5. Guest
A user who has access to resources in another organization’s Azure AD tenant.
This is typically used for external users in a business-to-business collaboration scenario.
Example
You can assign a Service Principal (representing an application) to a role so that the application can manage specific resources like databases or storage accounts.
2. Role Definition
A Role Definition defines a set of permissions that can be assigned to a security principal.
It specifies what actions the security principal is allowed to perform on a resource.
Built-in Roles
Azure provides a set of built-in roles that are ready to use.
These roles are predefined and cover most common use cases.
Here are the examples of built-in roles included in Azure RBAC:
1. Owner
Has full control over all resources, including the ability to delegate access.
2. Contributor
Can create and manage all resources, but cannot assign roles.
3. Reader
Can view resources but cannot modify them.
4. Virtual Machine Contributor
Can manage virtual machines but cannot manage networking or storage.
Custom Roles
You can also create custom roles if the built-in roles do not meet your needs.
Custom roles allow you to define a specific set of permissions that can be assigned to a security principal.
Example
A custom role could give users permission to only read data from a specific storage account but not to modify it.
3. Role Assignment
Role Assignment is the process of associating a Role Definition with a security principal at a specific scope.
A role assignment gives the security principal the permissions defined in the Role Definition to act on resources at that scope.
What is a Role Assignment in Azure RBAC?
A role assignment consists of three main elements:
1. Security Principal
The user, group, service principal, or managed identity that you are granting permissions to.
2. Role Definition
The permissions or actions allowed, such as Reader, Contributor, or custom roles.
3. Scope
The set of resources that the role assignment applies to (e.g., subscription, resource group, or specific resource).
Example
You might assign the Contributor role to a user at the resource group level, allowing the user to manage all resources within that resource group but not the subscription or other resource groups.
4. Scope
Scope defines the level at which the role assignment applies in the Azure resource hierarchy.
You can assign roles at different levels of scope, which impacts the set of resources the security principal can access.
Scope Hierarchy
Role assignment is organized in hierarchical order.
It start with top level Management Group and goes on to inner most level where the scoping is done directly on the Resources.
Here are the scoping levels in top to bottom order:
1. Management Group
A container for managing multiple subscriptions.
2. Subscription
A billing unit in Azure, which can contain resources and resource groups.
3. Resource Group
A container for Azure resources that share the same lifecycle and permissions.
4. Resource
An individual Azure service or resource, such as a virtual machine, storage account, or database.
A role can be assigned to a security principal at one of these levels, and the permissions will propagate downward, granting access to all resources at that level and below.
Scope Examples
1. Management Group Level
A role assigned at this level would apply to all subscriptions and resources within the management group.
2. Subscription Level
A role assigned at the subscription level would give the security principal access to all resources and resource groups within that subscription.
3. Resource Group Level
A role assigned at the resource group level would grant the security principal access to all resources within that specific resource group.
4. Resource Level
A role assigned at the individual resource level would grant access only to that particular resource (e.g., a specific virtual machine or storage account).
Role Assignment Process (Step-By-Step)
Here is how the Role Assignment process works in practice.
1. Define the Security Principal
Identify the user, group, service principal, or managed identity you want to assign a role to.
For example, a User or Service Principal.
2. Choose the Role Definition
Decide which Role Definition you want to assign.
This defines what the security principal can do.
For example, you could assign the Contributor role if the user needs to create and manage resources.
3. Determine the Scope
Decide where you want the permissions to apply.
This could be at the subscription level, resource group level, or for a specific resource.
4. Create the Role Assignment
Assign the role to the security principal at the chosen scope.
5. Verify the Role Assignment
Once the role is assigned, the security principal will inherit the permissions defined by the role at the specified scope.
You can verify and review the role assignments in the Azure portal or using PowerShell/Azure CLI.
Example Of Role Assignment
Let's consider the Scenario, where we grant permissions to a User for a specific Resource Group.
Here are the steps that you need to follow, in order to do that.
1. Security Principal
Assign a User named “JaneDoe”.
2. Role Definition
Assign the Contributor role.
3. Scope
The scope is a specific resource group named "MarketingResources".
4. Role Assignment
The Contributor role is assigned to JaneDoe at the MarketingResources resource group level.
Result
JaneDoe now has the ability to create, modify, and delete resources within the MarketingResources resource group, but she cannot access resources outside this group or perform actions at the subscription level.
Removing A Role Assignment
Here is how you can remove a role assignment:
Navigate to Azure Policy > Access Control (IAM).
Locate the role assignment you want to remove.
Select the role assignment and click Remove.
This revokes the permissions associated with the role at the defined scope.
Best Practices For Role Assignments
1. Principle of Least Privilege
Always assign the least privilege needed to perform tasks.
For example, if a user only needs to view resources, assign the Reader role instead of Contributor.
2. Use Built-In Roles
Where possible, use built-in roles to avoid creating custom roles unless there’s a specific need for custom permissions.
3. Use Role Assignments at the Right Scope
Assign roles at the most appropriate scope to avoid over-granting permissions.
For example, assign a role at the resource group level instead of the subscription level if you want to limit the user’s access.
4. Audit Role Assignments
Regularly audit role assignments to ensure that only the necessary users have access to your resources.
Use tools like Azure Activity Log or Access Review to help with audits.
Summary
At the closing, we learned how Azure RBAC is used to manage access in Azure effectively.
We also learned about security principals available in Azure RBAC.
1. Security Principal
A user, group, service principal, or managed identity that requires access to Azure resources.
2. Role Definition
Defines what actions a principal can perform on Azure resources (e.g., Owner, Contributor, Reader).
3. Role Assignment
The actual process of assigning a role to a principal at a given scope (e.g., subscription, resource group, or resource).
4. Scope
The level at which the permissions apply (e.g., subscription, resource group, or resource).
By combining these elements, Azure provides a powerful, flexible, and scalable system for managing access to cloud resources.
Leave a Reply