Azure ARM (17) Role-Based Access Control (RBAC): Custom Roles


In the previous post, I described how to assign the built-in (default) roles in RBAC.

Here I will show you how to use a custom role.

The main contents are:

I. Understanding Actions and NotActions in a role

II. Viewing the available actions through PowerShell

III. Editing the JSON template to define the custom role

IV. Assigning the custom role

V. Deleting the custom role

I. Understanding Actions and NotActions in a role

Take the built-in SQL DB Contributor role as an example. Its permissions are defined by an Actions list and a NotActions list.

The operations a role allows are the operations in Actions minus the operations in NotActions. This concept is very, very important: NotActions is not a deny list, it only narrows what Actions grants.

In the words of the documentation: the access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#notactions

II. Viewing the available actions through PowerShell

Azure ARM has many services, such as Azure Storage, Azure Virtual Machines, Azure SQL Database, and so on.

Each service exposes many operations, such as read, delete, list, and so on.

To find out which operations a service offers, we query the provider operations for that service.

The specific commands are as follows:

# Sign in to Azure China as admin
Add-AzureRmAccount -Environment AzureChinaCloud

# Select the current subscription
Select-AzureRmSubscription -SubscriptionName '[subscription name]'

# Get all operations on Storage
Get-AzureRmProviderOperation Microsoft.Storage/*

# Get all read-only operations on virtual machines
Get-AzureRmProviderOperation Microsoft.Compute/*/read

From the output, we can pick the action entries the custom role needs.

III. Editing the JSON template to define the custom role

1. With the Get-AzureRmProviderOperation commands above, we can see the exact operation names.

Before editing the JSON template, we also need to look at the names and IDs of the existing roles, so that the custom role's name and ID do not conflict with a default role.

The specific commands are as follows:

# Sign in to Azure China as admin
Add-AzureRmAccount -Environment AzureChinaCloud

# Select the current subscription
Select-AzureRmSubscription -SubscriptionName '[subscription name]'

# View the Name, Id and IsCustom properties of the roles that already exist in Azure
Get-AzureRmRoleDefinition | Select Name, Id, IsCustom

The output looks like this:

2. Then we can edit the JSON template as follows:

{
    // Name of the custom role; it must not conflict with an Azure default role name
    "Name": "Cannot Delete Storage account Role",
    // ID of the role; it must not conflict with an Azure default role ID
    "Id": "11794e3b-eeeb-4e5c-a98b-27cc053a0b35",
    // true because this is a custom role
    "IsCustom": true,
    // Short description of the role
    "Description": "Cannot Delete Storage account Role.",
    "Actions": [
        // Allowed operations
        // Read-only operations on Azure Storage
        "Microsoft.Storage/*/read",
        // View roles
        "Microsoft.Authorization/*/read",
        // Read-only operations on resource groups
        "Microsoft.Resources/subscriptions/resourceGroups/read"
    ],
    "NotActions": [
        // Note that this is not a list of denied operations.
        // The user's final permission is Actions minus NotActions.
        // The access granted by a custom role is computed by subtracting the NotActions operations from the Actions operations.
        // https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles#notactions
    ],
    "AssignableScopes": [
        // Replace the following subscription ID with your own Azure subscription ID
        "/subscriptions/11111111-2222-3333-4444-1e2900a4504b"
    ]
}

3. Save the above file in JSON format on the D: drive, at the path D:\cannotdeletestorage.json.

4. Then we run the following Azure PowerShell commands to upload cannotdeletestorage.json to Azure:

# Sign in to Azure China as admin
Add-AzureRmAccount -Environment AzureChinaCloud

# Select the current subscription
Select-AzureRmSubscription -SubscriptionName '[subscription name]'

# Upload the JSON template file from the local PC
New-AzureRmRoleDefinition -InputFile 'D:\cannotdeletestorage.json'

After successful execution the output looks like this:

IV. Assigning the custom role

1. Open the Chrome browser and sign in to the Azure ARM Portal as the service administrator (Admin): https://portal.azure.cn

2. Create 1 storage account and 2 Azure SQL Database resources, for example:

You can see a total of 5 resources:

3. Click Azure Active Directory and assign the custom role "Cannot Delete Storage account Role" to the ReadOnly account.

4. Open Internet Explorer and sign in to the Azure ARM Portal with the ReadOnly account: https://portal.azure.cn. The result looks like this:

You can see only 1 resource.

This is because of the Actions we set in the JSON template:

"Actions": [
    // Allowed operations
    // Read-only operations on Azure Storage
    "Microsoft.Storage/*/read",
    // View roles
    "Microsoft.Authorization/*/read",
    // Read-only operations on resource groups
    "Microsoft.Resources/subscriptions/resourceGroups/read"
],

The role grants read-only access to the storage account and no operations at all on Azure SQL Database, so the ReadOnly account cannot see the Azure SQL Database resources.

5. The storage account cannot be deleted either, because the ReadOnly account only has read access to it. For example:
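As an added example (not code from the original post), the following Python evaluates an operation against role definitions the way the Actions-minus-NotActions rule in section I describes, and reproduces why the ReadOnly account above sees the storage account but no SQL database and cannot delete the storage account. The first role is the custom role from this post with its comments stripped; the second role is constructed here to show that NotActions is not a deny: a delete excluded by one role's NotActions is still allowed when another assigned role grants it.

```python
import json
import re

# Custom role from this post (comments stripped so json.loads accepts it)
CANNOT_DELETE_STORAGE = json.loads("""
{
  "Name": "Cannot Delete Storage account Role",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": []
}
""")

# Constructed role (not from the post): everything on Storage except delete.
STORAGE_NO_DELETE = {
    "Name": "Storage No Delete (constructed)",
    "Actions": ["Microsoft.Storage/*"],
    "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
}

# Constructed role (not from the post): grants only the delete operation.
STORAGE_DELETE_ONLY = {
    "Name": "Storage Delete Only (constructed)",
    "Actions": ["Microsoft.Storage/storageAccounts/delete"],
    "NotActions": [],
}


def matches(pattern, operation):
    """Azure-style match: case-insensitive, '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """One role allows an operation when some Actions entry matches it and
    no NotActions entry matches it (Actions minus NotActions)."""
    allowed = any(matches(a, operation) for a in role["Actions"])
    excluded = any(matches(n, operation) for n in role.get("NotActions", []))
    return allowed and not excluded


def effective_allows(roles, operation):
    """Assignments are unioned: a NotActions entry in one role does not
    block an Actions entry granted by another role."""
    return any(role_allows(r, operation) for r in roles)
```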

V. Deleting the custom role

1. If you no longer want to use the custom role, follow these steps.

2. Open the Chrome browser and sign in to the Azure ARM Portal as the service administrator (Admin): https://portal.azure.cn.

Remove the custom role assignment from the ReadOnly account, for example:

  

3. Execute the following command in Azure PowerShell:

# Sign in to Azure China as admin
Add-AzureRmAccount -Environment AzureChinaCloud

# Select the current subscription
Select-AzureRmSubscription -SubscriptionName '[subscription name]'

# Delete the custom role by its name
Remove-AzureRmRoleDefinition -Name 'Cannot Delete Storage account Role'

# Or delete the custom role by its ID
Remove-AzureRmRoleDefinition -Id [RoleId]

The result of execution:

Finally, if you are interested, you can look at the permissions of the following custom role:

{
  "Name": "Virtual machine Operator",
  "Id": "cadb4a5a-4e7a-47be-84db-05cad13b6769",
  "IsCustom": true,
  "Description": "Can Monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
    "/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624",
    "/SUBSCRIPTIONS/34370E90-AC4A-4BF9-821F-85EEEDEAE1A2"
  ]
}