What is Azure Role-Based Access Control (RBAC)?
When managing multiple IT and engineering teams, ensuring precise access control over Azure resources is crucial. A sound security practice involves granting users only the necessary permissions for their specific roles and relevant tasks.
To simplify access management, Azure offers role-based access control (RBAC) as an alternative to granting individual resource access. RBAC provides pre-defined roles with common access rules for cloud resources, and it also allows the creation of custom roles tailored to unique requirements.
Each role comes with a set of access permissions tied to its functions, and when assigning individuals or groups to these roles, they inherit all associated access permissions.
This ensures that users have the right level of access to perform their duties efficiently.
How is role-based access control applied to resources?
Role-based access control is applied at a scope: the resource, or set of resources, that the access applies to.
Scopes include:
• A management group (a collection of multiple subscriptions)
• A single subscription
• A resource group
• A single resource
Image Credit: https://learn.microsoft.com/
Some examples of the kind of users or accounts that you would typically assign to roles include:
• Observers
• Users managing resources
• Admins
• Automated processes
Access is inherited: when you grant access at a parent scope, the same permissions apply at every child scope beneath it. For example:
• When you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions within the management group.
• When you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource within the subscription.
• When you assign the Contributor role to an application at the resource group scope, the application can manage resources of all types within that resource group, but not other resource groups within the subscription.
When should I use RBAC?
Use Azure RBAC when you need to:
- Allow one user to manage VMs in a subscription and another user to manage virtual networks.
- Allow a database administrator group to manage SQL databases in a subscription.
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets.
- Allow an application to access all resources in a resource group.
These are just a few examples. Microsoft's Azure RBAC documentation lists the complete set of built-in roles.
How is Azure RBAC enforced?
Azure RBAC is enforced on every action against an Azure resource that goes through Azure Resource Manager, the deployment and management service for Azure that all control-plane requests pass through.
Azure Resource Manager is reached through the Azure portal, Azure Cloud Shell, Azure PowerShell, the Azure CLI, and the REST API and SDKs. Azure RBAC governs these management (control-plane) operations. It does not enforce authorization inside an application; that remains the application's responsibility. Some services additionally use Azure RBAC for data-plane operations through DataActions (for example, the Storage Blob Data Reader role grants reads of blob content), but only where the service supports it.
Azure RBAC is an "allow" model: a role assignment grants the ability to perform certain actions, such as reading, writing, or deleting resources, and assignments are additive. If one assignment gives you read access to a resource group and another gives you write access to the same resource group, you have both. A role's NotActions only carve operations out of that role's own Actions; they are not a deny and do not override another role that grants the operation. The only thing that overrides an allow is a deny assignment (such as those created by Azure Blueprints or deployment stacks), which takes precedence over role assignments.
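As an added example (not from this page or from Microsoft), the following Python evaluator reproduces the two rules described above: scope inheritance, using the three assignments from the scope section (Owner at a management group, Reader to a group at a subscription, Contributor to an application at a resource group), and the additive allow model with a deny assignment as the one thing that overrides an allow. The Reader, Contributor and Owner definitions are trimmed copies of the built-in roles; the "VM Operator" custom role, the scope IDs, the principals and every assignment are constructed. Real evaluation also involves DataActions, assignment conditions and deny-assignment exclusions, which this toy omits.

```python
"""Toy evaluator for Azure RBAC scope inheritance and its additive allow model.

Added example, not Microsoft code. Reader/Contributor/Owner are trimmed copies
of the built-in roles; "VM Operator", every scope, principal and assignment
below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple              # control-plane operations the role grants
    not_actions: tuple = ()     # carved out of `actions`; NOT a deny


@dataclass(frozen=True)
class RoleAssignment:
    principal: str              # user, group, service principal or managed identity
    role: RoleDefinition
    scope: str                  # management group, subscription, resource group or resource


@dataclass(frozen=True)
class DenyAssignment:
    principal: str
    actions: tuple
    scope: str


OWNER = RoleDefinition("Owner", actions=("*",))
READER = RoleDefinition("Reader", actions=("*/read",))
CONTRIBUTOR = RoleDefinition(          # manages resources but cannot hand out access
    "Contributor", actions=("*",),
    not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/elevateAccess/Action"))
VM_OPERATOR = RoleDefinition(          # constructed custom role
    "VM Operator", actions=("Microsoft.Compute/virtualMachines/start/action",
                            "Microsoft.Compute/virtualMachines/restart/action"))

MG = "/providers/Microsoft.Management/managementGroups/engineering"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

# Subscription -> management group links come from the Management Groups API,
# not from the scope string; this constructed table stands in for that lookup.
MG_PARENT = {SUB: MG}


def scope_chain(scope, mg_parent=MG_PARENT):
    """The scope followed by each parent up to the root management group; a
    role assignment at any of these applies to `scope` (inheritance)."""
    chain = [scope]
    while True:
        cur = chain[-1]
        if cur in mg_parent:                                      # subscription or MG
            chain.append(mg_parent[cur])
        elif "/resourceGroups/" in cur and "/providers/" in cur:  # resource -> RG
            chain.append(cur.split("/providers/", 1)[0])
        elif "/resourceGroups/" in cur:                           # RG -> subscription
            chain.append(cur.split("/resourceGroups/", 1)[0])
        else:
            return chain


def matches(pattern, action):
    """Action strings are case-insensitive and '*' matches any characters,
    slashes included: '*/read' matches 'Microsoft.Compute/virtualMachines/read'."""
    regex = "^" + ".*".join(map(re.escape, pattern.split("*"))) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_allowed(principal, groups, action, scope, assignments, denies=()):
    """True if `principal` (directly or via `groups`) may perform `action` at
    `scope`. A matching deny assignment wins; otherwise access is the union of
    all applicable role assignments, so a single matching role is enough."""
    identities = {principal, *groups}
    chain = {s.lower() for s in scope_chain(scope)}

    def applies(a):
        return a.principal in identities and a.scope.lower() in chain

    if any(applies(d) and any(matches(p, action) for p in d.actions) for d in denies):
        return False
    return any(applies(ra)
               and any(matches(p, action) for p in ra.role.actions)
               and not any(matches(p, action) for p in ra.role.not_actions)
               for ra in assignments)


ASSIGNMENTS = (
    RoleAssignment("alice@contoso.com", OWNER, MG),         # Owner at management group
    RoleAssignment("grp-auditors", READER, SUB),            # Reader to a group at subscription
    RoleAssignment("sp-deploy-web", CONTRIBUTOR, RG_WEB),   # Contributor to an app at RG
    RoleAssignment("carol@contoso.com", READER, SUB),       # two assignments: union of both
    RoleAssignment("carol@contoso.com", VM_OPERATOR, RG_WEB),
)
DENIES = (DenyAssignment("sp-deploy-web", ("Microsoft.Compute/virtualMachines/delete",), RG_WEB),)


def check(principal, action, scope, groups=()):
    return is_allowed(principal, groups, action, scope, ASSIGNMENTS, DENIES)


if __name__ == "__main__":
    for who, act, sc, grps in [
        ("alice@contoso.com", "Microsoft.Network/virtualNetworks/write", RG_DATA, ()),
        ("bob@contoso.com", "Microsoft.Compute/virtualMachines/write", VM_WEB, ("grp-auditors",)),
        ("sp-deploy-web", "Microsoft.Authorization/roleAssignments/write", RG_WEB, ()),
        ("sp-deploy-web", "Microsoft.Compute/virtualMachines/delete", VM_WEB, ()),
        ("carol@contoso.com", "Microsoft.Compute/virtualMachines/start/action", VM_WEB, ()),
    ]:
        print(f"{who:18} {act:50} {'ALLOW' if check(who, act, sc, grps) else 'DENY'}")
```

Two details are worth noticing when reading the output. The service principal with Contributor on rg-web can write a VM there but cannot create a role assignment, because Contributor's NotActions carve out Microsoft.Authorization writes; and its VM delete is refused only because of the deny assignment, not because of anything in the role. Carol's start action succeeds although Reader alone would refuse it, which is the additive model at work.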
Who does Azure RBAC apply to?
You can apply Azure RBAC to an individual person or to a group. You can also apply Azure RBAC to other special identity types, such as service principals and managed identities. These identity types are used by applications and services to automate access to Azure resources.
How do I manage Azure RBAC permissions?
You manage access permissions on the Access control (IAM) pane in the Azure portal. This pane shows who has access to what scope and what roles apply. You can also grant or remove access from this pane.
The following screenshot shows an example of the Access control (IAM) pane for a resource group. In this example, Alain Charon has been assigned the Backup Operator role for this resource group.
Image Credit: https://learn.microsoft.com/
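The IAM pane answers "who has what" for one scope at a time; across a tenant you want the same question answered by script. The following is an added example, not Microsoft code, that audits an exported list of role assignments for grants a reviewer would challenge: privileged roles at subscription or management-group scope, privileged roles assigned directly to users rather than to groups, and workload identities that are able to grant access to others. The records are constructed, and the field names (principalName, principalType, roleDefinitionName, scope) are assumed to match what `az role assignment list --all --output json` returns.

```python
"""Audit an exported list of Azure role assignments for grants worth challenging.

Added example, not Microsoft code. SAMPLE_EXPORT is constructed and assumes the
field names of `az role assignment list --all --output json`.
"""
import json

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_LEVELS = {"root", "managementGroup", "subscription"}
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
MG = "/providers/Microsoft.Management/managementGroups/engineering"

SAMPLE_EXPORT = json.dumps([  # constructed records
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "grp-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": MG},
    {"principalName": "sp-deploy-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "Alain Charon", "principalType": "User",
     "roleDefinitionName": "Backup Operator", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "mi-build-agent", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": SUB},
])


def scope_level(scope):
    """Classify a scope string as root, managementGroup, subscription,
    resourceGroup or resource (scope strings are case-insensitive)."""
    s = scope.lower()
    if s == "/":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if "/resourcegroups/" in s:
        tail = s.split("/resourcegroups/", 1)[1]
        return "resource" if "/providers/" in tail else "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "unknown"


def audit(export_json):
    """Return (principal, role, level, reason) tuples for assignments to review."""
    findings = []
    for ra in json.loads(export_json):
        role, ptype = ra["roleDefinitionName"], ra["principalType"]
        who, level = f'{ptype} {ra["principalName"]}', scope_level(ra["scope"])
        if role in PRIVILEGED_ROLES and level in BROAD_LEVELS:
            findings.append((who, role, level, "privileged role at broad scope; scope it down"))
        if role in PRIVILEGED_ROLES and ptype == "User":
            findings.append((who, role, level, "privileged role on a user; assign through a group"))
        if role in {"Owner", "User Access Administrator"} and ptype == "ServicePrincipal":
            findings.append((who, role, level, "workload identity can grant access to others"))
    return findings


if __name__ == "__main__":
    for who, role, level, reason in audit(SAMPLE_EXPORT):
        print(f"{who:35} {role:28} {level:16} {reason}")
```

Alain Charon's Backup Operator assignment on a resource group and the deployment service principal's Contributor on its own resource group pass cleanly; the Owner on a subscription held by a single user and the User Access Administrator held by a build agent are the ones a reviewer should ask about, since both can hand out access to anyone else.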