Identity: RBAC Flashcards
A role definition file
is a set of properties defined in a JSON file:
- Name
- ID
- Description
- Actions - allowable permissions
- NotActions - denied permissions
- AssignableScopes - scope
Owner Role - Actions and NotActions
Actions: {*} #allowed everything
NotActions: {} #no denied actions
Contributor Role: Actions and NotActions
allow all actions except writing or deleting role assignment
Actions: *
NotActions: Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write, Microsoft.Authorization/elevateAccess/Action
Reader Role: Actions and NotActions
allowed to read only
Actions: {*/read}
Roles: AssignableScopes property
specifies the role scope - subscriptions, resource groups or resources.
- /subscriptions/[subscription id]
- /subscriptions/[subscription id]/resourceGroups/[resource group name]
- /subscriptions/[subscription id]/resourceGroups/[resource group name]/[resource]
Role Inheritance
A resource inherits role assignments from its parent resource.
Azure AD roles vs Azure RBAC roles
Azure RBAC roles control permissions to manage Azure resources (more fine-grained).
Azure AD administrator roles control permissions to manage Azure Active Directory resources.
Azure RBAC (Security Principal)
A security principal is a user, group or application that you want to grant access to.
Azure RBAC (Role Definition)
A role definition is a collection of permissions.
Azure RBAC (Scope)
Scope is where the access applies to.
Can be specified at multiple levels: management group, subscription, resource group or resource.
Permissions are inherited by child scopes (e.g., assigning the Contributor role at the resource group level grants the same permissions on every resource in that resource group).
Azure RBAC (Role Assignment)
A role assignment is the process of binding a role to a security principal at a particular scope.
Suppose a team member can’t view resources in a resource group. Where would the administrator go to check the team member’s access?
Go to the resource group and select Access Control(IAM) > Check Access
Suppose an administrator in another department needs access to a virtual machine managed by your department. What’s the best way to grant them access to just that resource?
At the resource group create a role for them with appropriate access.
Suppose a developer needs full access to a resource group. If you are following least-privilege best practices, what scope should you specify?
Resource Group
Suppose an administrator needs to generate a report of the role assignments for the last week. Where in the Azure portal would they generate that report?
Search for Activity Log and filter on the Create role assignment (roleAssignments) operation.