Module 5ba - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, RBAC Flashcards

1
Q

What is a Role Assignment?

A

Attaching a Role Definition to a SECURITY PRINCIPAL (user, group, service principal or managed identity) at a particular SCOPE for the purpose of GRANTING access. Principal + role + scope = one role assignment.

2
Q

What are the four (4) types of Users/Accounts that would be assigned a Role?

A
  • Observers (the “read-only” people)
  • Users (who manage Resources)
  • Admins (obvious)
  • Automated Processes (like our TestOps “AutomationUser”)
3
Q

Describe how Azure Role-Based Access Control (RBAC) works when applied to an individual user

A

When a role is assigned to a user at some scope, the user gets every permission in that role's definition (its Actions minus its NotActions) for that scope and everything beneath it.

4
Q

Describe how Azure Role-Based Access Control (RBAC) works when applied to a Resource Group

A

When a role is assigned at Resource Group scope, every resource in that group (including ones provisioned later) is accessible to the principals holding that role, at the level of access the role's definition allows. The assignment is inherited by the resources in the group; it does not reach sibling resource groups.

5
Q

Hint: Similar to where you'd apply Policies or Tags, but non-exclusive

What is a Scope?

A

The resource or set of resources that a role assignment applies to. Scopes nest, and an assignment at a scope is inherited by everything below it. A scope can be any of the following:

  • A management group (a collection of subscriptions)
  • A single Subscription
  • A Resource Group
  • A single Resource
6
Q

When would you use Azure RBAC?

A

When you need to control access to resources at a granular level, depending on org structure, security and compliance requirements, and so on (least privilege: each principal gets only the role and scope its job needs).

Examples:

  • one user manages VMs in a subscription, another manages whole virtual networks (VNets)
  • a DB Admin group manages SQL databases in a subscription
  • a user manages all resources in a Resource Group
  • an application accesses all resources in a Resource Group
7
Q

How is RBAC enforced?

A

By Azure Resource Manager. Every request against an Azure resource, whether from the portal, CLI, PowerShell, SDKs or the REST API, passes through Resource Manager, which checks the caller's role assignments at the target scope and its parent scopes before the action is carried out.

8
Q

RBAC can enforce perms at the app or data levels (T/F)

A

False. Azure RBAC governs the management (control plane) of Azure resources. Authorization inside your own application and over its data is your responsibility. (Some services do expose data-plane operations as DataActions in RBAC roles, for example Storage Blob Data Reader, but that still is not application-level authorization.)

9
Q

RBAC uses an ALLOW Model. What does that mean?

A

A role assignment only ever adds permissions: anything no assignment grants is denied by default, and one assignment cannot take away what another grants. Deny assignments do exist in Azure, but they are created by Azure on your behalf (e.g. by Azure Blueprints), not through role assignments.

10
Q

Where do you manage RBAC permissions?

A

In Access Control (IAM) in the Azure Portal: the detail page of every scope (management group, subscription, resource group, resource) has an Access Control (IAM) blade where you add or remove role assignments and see the ones inherited from parent scopes. The same assignments can be managed with Azure CLI, Azure PowerShell, ARM/Bicep templates or the REST API.

11
Q

Hint: NOT Scope

To what entities do you apply RBAC?

A

SECURITY PRINCIPALS

  • An individual user (account)
  • A group (of user accounts)
  • Special identity types: service principals and managed identities, such as the managed identity a Policy Assignment gets when a 'deployIfNotExists' (or 'modify') policy deploys resources; that identity must itself be granted a role at the scope it writes to, including any resource outside the assignment's target scope
12
Q

When you grant access at a Parent Scope, those permissions are inherited to Child Scopes. So when you grant the following:

Role: Owner
Scope: Management Group
Assigned to: User

How does that Role apply to the User?

A

The user has Owner permissions on that management group, on every subscription in it, and (by inheritance) on every resource group and resource in those subscriptions.

13
Q

When you grant access at a Parent Scope, those permissions are inherited to Child Scopes. So when you grant the following:

Role: Reader
Scope: Subscription
Assigned to: Group

How does that Role apply to the Group?

A

Every member of that group can read/view every resource in the subscription, across all of its resource groups; that assignment grants nothing beyond read.

14
Q

When you grant access at a Parent Scope, those permissions are inherited to Child Scopes. So when you grant the following:

Role: Contributor
Scope: Resource Group
Assigned to: Application

How does that Role apply to the Application?

A

The application can manage resources in that resource group (but cannot grant access, since Contributor excludes Microsoft.Authorization writes) and has no access to the other resource groups in the subscription.

15
Q

What are the four (4) Built-In General Roles? And the two other general categories?

A

Built-In General Roles

Contributor: Full access to manage all resources within the assigned scope, but does NOT allow you to assign roles in Azure RBAC or manage assignments in Azure Blueprints (its NotActions exclude Microsoft.Authorization writes)

Owner: Full access to manage all resources within the assigned scope, including the ability to assign roles in Azure RBAC

Reader: Read-only access to all resources in the assigned scope

User Access Administrator: Lets you manage user access to Azure resources (role assignments) without managing the resources themselves

Two Other Categories

Resource-specific: built-in roles that cover one resource type only, e.g. Virtual Machine Contributor

Custom: build your own role from Actions / NotActions (and DataActions) when no built-in role fits

16
Q

Describe the inclusivity of Role Assignments and their intersections

A

Effective permissions are the union of all assignments that apply at a scope and its parents. If one role grants Read on a Resource Group and another grants Write on the same Resource Group, you have BOTH read and write; assignments don't override or replace each other, they add up.

17
Q

The Contributor role grants full access to manage all resources in the assigned scope, as well as assigning RBAC roles and Blueprint assignments, as long as those roles and Blueprints are currently assigned to said scope (T/F)?

A

False!!

You get full access to manage all resources within the assigned Scope, but it does NOT allow you to assign Roles in Azure RBAC or manage assignments in Azure Blueprints
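The check Resource Manager runs on every request, covering cards 7, 9 and 12 through 17 (scope inheritance, the allow model, assignments adding up, and the NotActions that stop Contributor from granting access), as an added Python simulation. This is not Azure's code and not part of the original flashcards. The role definitions mirror the abridged shape of the real built-in roles; the management group, subscription, resource groups, GUIDs, principals, group membership and the "VM Writer (custom)" role are constructed for the example.

```python
"""Toy model of the check Azure Resource Manager performs for every request.

Added illustration for these flashcards, not Azure's own code. Role
definitions copy the shape of the real built-in roles (abridged Actions /
NotActions); principals, group membership, scopes and GUIDs are constructed.
"""
from fnmatch import fnmatchcase

# Constructed scope tree (IDs are made up but follow the real ARM format).
MG = "/providers/Microsoft.Management/managementGroups/contoso"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-web"
OTHER_RG = SUB + "/resourceGroups/rg-data"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# A subscription's membership in a management group is not visible in its
# resource ID, so it has to be recorded separately (ARM resolves this too).
MG_OF_SUBSCRIPTION = {SUB: MG}
PARENT_MG = {MG: None}  # tenant root; nothing modelled above it

# Abridged copies of the built-in general roles plus one hypothetical custom role.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [  # this is what keeps Contributor from granting access
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "VM Writer (custom)": {  # constructed, to show that assignments add up
        "Actions": ["Microsoft.Compute/virtualMachines/write"],
        "NotActions": [],
    },
}

# Constructed principals and the assignments from cards 12, 13, 14 and 16.
GROUP_MEMBERS = {"db-admins": {"bob"}}
ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": MG},               # card 12
    {"principal": "db-admins", "role": "Reader", "scope": SUB},         # card 13
    {"principal": "web-app", "role": "Contributor", "scope": RG},       # card 14
    {"principal": "carol", "role": "Reader", "scope": SUB},             # card 16: read
    {"principal": "carol", "role": "VM Writer (custom)", "scope": RG},  # card 16: + write
]


def parent_scope(scope):
    """Return the next scope up the tree, or None at the top."""
    if scope in MG_OF_SUBSCRIPTION:
        return MG_OF_SUBSCRIPTION[scope]
    if scope in PARENT_MG:
        return PARENT_MG[scope]
    idx = scope.rfind("/providers/")
    if idx != -1:
        tail = scope[idx + len("/providers/"):].split("/")
        if len(tail) > 3:  # nested resource: drop the last type/name pair
            return scope[:idx] + "/providers/" + "/".join(tail[:-2])
        return scope[:idx]  # top-level resource: parent is its resource group
    if "/resourceGroups/" in scope:
        return scope[: scope.index("/resourceGroups/")]  # -> subscription
    return None


def scope_chain(scope):
    """The scope itself plus every ancestor; an assignment on any of them applies."""
    chain = []
    while scope:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def principals_for(identity):
    """An identity acts as itself plus every group it is a member of."""
    return {identity} | {g for g, members in GROUP_MEMBERS.items() if identity in members}


def role_permits(role_name, action):
    """Actions minus NotActions, '*' wildcards, case-insensitive like ARM."""
    role, a = ROLES[role_name], action.lower()
    allowed = any(fnmatchcase(a, p.lower()) for p in role["Actions"])
    excluded = any(fnmatchcase(a, p.lower()) for p in role["NotActions"])
    return allowed and not excluded


def find_grant(identity, action, scope):
    """Allow model: the first assignment that permits the action, else None
    (real ARM also evaluates deny assignments afterwards; omitted here)."""
    chain, who = scope_chain(scope), principals_for(identity)
    for asg in ASSIGNMENTS:
        if (asg["principal"] in who and asg["scope"] in chain
                and role_permits(asg["role"], action)):
            return asg
    return None


def is_allowed(identity, action, scope):
    return find_grant(identity, action, scope) is not None


if __name__ == "__main__":
    for who, action, scope in [
        ("alice", "Microsoft.Authorization/roleAssignments/write", VM),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM),
        ("web-app", "Microsoft.Authorization/roleAssignments/write", RG),
        ("carol", "Microsoft.Compute/virtualMachines/write", OTHER_RG),
    ]:
        print(f"{who:8} {action:48} -> {find_grant(who, action, scope)}")
```

Run the module directly to print which assignment (if any) satisfies each sample check: the Owner at the management group reaches down to a single VM, the Reader group cannot write, Contributor in rg-web is blocked from creating role assignments by its NotActions, and carol's read-plus-write union stops at the rg-web boundary. Two things real ARM does that the model leaves out: it evaluates deny assignments after the allow step, and it resolves management-group membership from the hierarchy rather than from a dictionary.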