Chapter 6: Role-Based Access Control Flashcards
What is a simple definition of RBAC (Azure Roles) and what are the key terms?
Who can do what, where
Who - Security Principals
Users
What they can do - Role Definition/Assignment
Ex. Contributor actions
Where - Scope
What resources they can impact
Ex. At the Subscription level and cascade down
What are the different types of Azure Roles (RBAC)?
Owner - full access to resources and delegate access
Reader - view resources but can’t perform actions
Contributor - create and manage resources, but not users
Administrator - manage users but not resources
What’s the primary function of an Azure Role (RBAC), versus an Azure AD Role?
Manage Access to Azure resources
Can scope for Azure RBAC be at multiple levels or just one?
Multiple - Subscriptions, Resource Groups, and Resources
Can you have a custom Azure Role (RBAC) and Azure AD roles?
Yes
What is the primary function of Azure AD roles?
Perform actions on identity resources such as users and applications
What are the types of Azure AD roles?
Global Admin - manage Azure AD resources entirely
User admin - can manage users and groups
Billing Admin - can perform billing tasks
Help desk admin - perform help desk functions such as password resets
What scope can you set for Azure AD Roles?
At the tenant level only - flat data structure
Which Azure AD role has the highest level of access, can set and manage administrators, and can create and manage users and identity resources?
Global Admin
What is inherent to the authorization of RBAC?
Implicit deny - everyone is denied everything unless an assignment explicitly allows it
Explicit allow
What are the JSON components of an RBAC role definition?
"Actions"
"NotActions"
Actions - Not Actions = Collective Permissions
What happens with overlapping roles?
Permissions are added
Ex. Reader role + Contributor role = Contributor role
Who can create a custom role for both RBAC and Azure AD Roles?
Azure AD Roles - Global Admin, App Admin
RBAC - Owner Role, User Access Admin