Microsoft Azure RBAC- Part 2

On 2/20/2015 Microsoft announced the release of an additional set of role-based access control roles. In my previous blog post we talked about RBAC concepts. In this blog post I want to highlight the importance of these new roles.

You can see this in the Azure preview portal today: the additional roles now show up as shown below.

[Screenshot: New RBAC roles]

Before 2/20/15 you could only see ‘Owner’, ‘Contributor’ and ‘Reader’; now you can see these 20 additional roles. If you take a closer look, all of these are essentially contributor roles scoped to one resource type.

ROLE NAME                                 DESCRIPTION
API Management Service Contributor        Lets you manage API Management services, but not access to them.
Application Insights Component Contributor  Lets you manage Application Insights components, but not access to them.
BizTalk Contributor                       Lets you manage BizTalk services, but not access to them.
ClearDB MySQL DB Contributor              Lets you manage ClearDB MySQL databases, but not access to them.
Contributor                               Contributors can manage everything except access.
Data Factory Contributor                  Lets you manage data factories, but not access to them.
Document DB Account Contributor           Lets you manage DocumentDB accounts, but not access to them.
Intelligent Systems Account Contributor   Lets you manage Intelligent Systems accounts, but not access to them.
NewRelic APM Account Contributor          Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.
Owner                                     Owners can manage everything, including access.
Reader                                    Readers can view everything, but can’t make changes.
Redis Cache Contributor                   Lets you manage Redis caches, but not access to them.
SQL DB Contributor                        Lets you manage SQL databases, but not access to them. Also, you can’t manage their security-related policies or their parent SQL servers.
SQL Security Manager                      Lets you manage the security-related policies of SQL servers and databases, but not access to them.
SQL Server Contributor                    Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.
Scheduler Job Collections Contributor     Lets you manage Scheduler job collections, but not access to them.
Search Service Contributor                Lets you manage Search services, but not access to them.
Storage Account Contributor               Lets you manage storage accounts, but not access to them.
User Access Administrator                 Lets you manage user access to Azure resources.
Virtual Machine Contributor               Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they’re connected to.
Virtual Network Contributor               Lets you manage virtual networks, but not access to them.
Web Plan Contributor                      Lets you manage the web plans for websites, but not access to them.
Website Contributor                       Lets you manage websites (not web plans), but not access to them.

All this gives you one more level at which you can assign permissions to resources. Earlier, if you were a Contributor on a ‘resource group’, you could do everything to every resource in it (VMs, VNets and so on). Now, if you are assigned “Virtual Machine Contributor” on the resource group, you can only work with the virtual machine(s) in that resource group, not the VNets or other resources. This adds one more level of granularity.

[Diagram: Azure role based access control]

A word about resource groups:

Before resource groups were introduced into Azure, the recommended way to achieve isolation was to use as many subscriptions as needed in a Microsoft Azure account. That worked, but it certainly introduced issues around network and resource sharing (Active Directory and so on), and you had to set up VPN connections between those networks to share resources. That was a lot of work to achieve isolation.

The introduction of ‘resource groups’ and ‘RBAC’ makes it easy to achieve this level of isolation. As you can guess, there is still a need to group individual actions together to make this flexible and support granular scenarios. For example, it would be better if there were a custom role in which we could pick a few actions from Network and a few actions from Virtual Machines. That should probably be a road-map item for Azure RBAC.
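To make the two points above concrete (a Contributor on a resource group can touch every resource in it, a Virtual Machine Contributor only the VMs, and neither can grant access; and a custom role could mix a few Network actions with a few VM actions), here is a small model of how Azure RBAC evaluates a request. It is an added example, not code from this post or from Azure: roles are allow-lists of resource-provider action strings with ‘*’ wildcards, assignments bind a principal to a role at a scope, permissions inherit from a scope to everything beneath it, and anything not granted is denied. The role action lists are constructed simplifications (the real built-in definitions also carry read permissions on related resources), the subscription id is a placeholder, and the custom role is hypothetical.

```python
"""Toy model of Azure RBAC evaluation.

Roles = allow-lists of resource-provider actions (with '*' wildcards),
assignments = principal + role + scope, permissions inherit down the scope
tree (subscription -> resource group -> resource), deny by default.
"""
import re
from dataclasses import dataclass


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard: '*' matches any run of characters, slashes included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, flags=re.IGNORECASE) is not None


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        allowed = any(action_matches(p, action) for p in self.actions)
        excluded = any(action_matches(p, action) for p in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # e.g. "/subscriptions/<id>/resourceGroups/<rg>"


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and every child scope beneath it."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """Allowed if any assignment for the principal covers the scope and its
    role permits the action; otherwise denied by default."""
    return any(
        ra.principal == principal
        and scope_covers(ra.scope, scope)
        and ra.role.permits(action)
        for ra in assignments
    )


# Constructed, simplified role definitions (not the exact built-in ones).
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    # "everything except access": no writing or deleting of role assignments
    not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"),
)
VM_CONTRIBUTOR = RoleDefinition(
    "Virtual Machine Contributor",
    actions=("Microsoft.Compute/virtualMachines/*",),
)
# Hypothetical custom role: a few Network actions plus a few VM actions.
CUSTOM_VM_NET_OPERATOR = RoleDefinition(
    "Custom VM+VNet Operator (hypothetical)",
    actions=(
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/networkSecurityGroups/read",
    ),
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/prod-vnet"
OTHER_VM = SUB + "/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/dev01"

# Constructed assignments, all at resource-group scope.
ASSIGNMENTS = [
    RoleAssignment("alice", CONTRIBUTOR, RG),
    RoleAssignment("bob", VM_CONTRIBUTOR, RG),
    RoleAssignment("carol", CUSTOM_VM_NET_OPERATOR, RG),
]


def demo() -> dict:
    """Evaluate a set of representative requests against the assignments."""
    chk = lambda who, action, scope: is_allowed(ASSIGNMENTS, who, action, scope)
    return {
        "alice_vm_write": chk("alice", "Microsoft.Compute/virtualMachines/write", VM),
        "alice_vnet_write": chk("alice", "Microsoft.Network/virtualNetworks/write", VNET),
        "alice_grant_access": chk("alice", "Microsoft.Authorization/roleAssignments/write", RG),
        "bob_vm_write": chk("bob", "Microsoft.Compute/virtualMachines/write", VM),
        "bob_vnet_write": chk("bob", "Microsoft.Network/virtualNetworks/write", VNET),
        "bob_other_rg_vm_write": chk("bob", "Microsoft.Compute/virtualMachines/write", OTHER_VM),
        "carol_vm_start": chk("carol", "Microsoft.Compute/virtualMachines/start/action", VM),
        "carol_subnet_read": chk("carol", "Microsoft.Network/virtualNetworks/subnets/read", VNET),
        "carol_vm_write": chk("carol", "Microsoft.Compute/virtualMachines/write", VM),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
```

Running it shows alice (Contributor) allowed on VMs and VNets but denied on role assignments, bob (Virtual Machine Contributor) allowed on the VM and denied on the VNet and on a VM in a different resource group, and carol (the hypothetical custom role) allowed only for the handful of start/restart/read actions she was granted. The same structure is what you get from a real custom role definition, which is a JSON document of Actions, NotActions and AssignableScopes.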

Thanks, -Phani
