I just spoke with a customer this morning and decided to write up the topic as a blog post.
Readers familiar with the Microsoft Azure platform know that in the old classic portal we can add co-administrators (Co-admin).
Reference: Windows Azure Active Directory (3) China Azure AD adds new users
However, a Co-admin has exactly the same permissions as the Service Admin.
For example, any resource created by admin can be deleted by the NewUser user. This is not real permission control.
In the new Azure ARM portal, we can set role-based access control (RBAC) on a resource group (Resource Group) for different users.
In this post the author walks through it in detail.
The main steps are:
I. Create a new Azure AD account
II. Create an Azure resource and set up RBAC
I. Create a new Azure AD account
1. We log in to the Azure ARM portal as the service administrator (Admin): https://portal.azure.cn
2. Click Azure Active Directory.
3. Create a new user; here we name the account readonly. Save the generated password in Notepad, since we will use it to log in below.
4. After creating the Azure AD account, we create an Azure resource group named Leidemo-rg.
5. In Leidemo-rg, we create one new storage account named Leidemostorage.
6. Then we select LEIDEMO-RG, click Access Control, and add a role assignment:
7. The roles here deserve a detailed explanation:
(1) Owner
If I assign the readonly account the Owner role, the ReadOnly account can do anything to leidemo-rg, including deleting it.
(2) Contributor (participant)
If I assign the readonly account the Contributor role, the ReadOnly account can do anything to LEIDEMO-RG, except deleting or writing permissions (Authorization).
(3) Reader
If I assign the readonly account the Reader role, the ReadOnly account has read-only access to LEIDEMO-RG, but cannot read the access keys.
Interested readers can refer to the Microsoft documentation:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
(1) Owner
The allowed action is *, which means any action can be taken.
(2) Contributor (participant)
The allowed operations are the Actions minus the NotActions. This concept is very, very important.
Here the Actions allow any operation, but the NotActions exclude deleting and writing permissions (Authorization).
(3) Reader
The allowed operations are read-only, but the access keys cannot be read.
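To make the "Actions minus NotActions" rule concrete, here is a small evaluator (an added example, not from the original post or from Azure itself) that applies simplified versions of the three built-in role definitions to a few operations on the storage account. The role definitions are constructed and abbreviated for the example; the real ones in Azure may carry additional NotActions entries.

```python
import re

# Simplified built-in role definitions, constructed for this example.
# Effective permission = Actions minus NotActions.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor cannot grant or revoke permissions (Authorization).
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write"],
    },
    # Reader only gets operations whose name ends in /read.
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Operations used in the walkthrough. Note that listing storage access keys
# is a POST ("listKeys/action"), not a read, which is why Reader cannot do it.
OPERATIONS = {
    "read storage account": "Microsoft.Storage/storageAccounts/read",
    "delete storage account": "Microsoft.Storage/storageAccounts/delete",
    "list access keys": "Microsoft.Storage/storageAccounts/listKeys/action",
    "grant a role": "Microsoft.Authorization/roleAssignments/write",
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' matches any characters, including '/',
    and the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: str, operation: str) -> bool:
    """An operation is permitted if some Actions pattern matches it and no
    NotActions pattern matches it."""
    definition = ROLES[role]
    allowed = any(_matches(p, operation) for p in definition["Actions"])
    denied = any(_matches(p, operation) for p in definition["NotActions"])
    return allowed and not denied


def permission_matrix() -> dict:
    """Role -> {operation name -> allowed?} for every role and operation."""
    return {role: {name: is_allowed(role, op) for name, op in OPERATIONS.items()}
            for role in ROLES}


if __name__ == "__main__":
    for role, row in permission_matrix().items():
        print(role)
        for name, ok in row.items():
            print(f"  {'allow' if ok else 'deny':5} {name}")
```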
8. We first assign the ReadOnly account the Contributor role.
9. Make sure the browser with the admin session (for example Chrome) stays open. Switch to another browser (for example IE) and log in there as the readonly account.
10. Logged in as readonly in IE, we select the resource group LEIDEMO-RG and open Access Control. We can see that because the ReadOnly account is a Contributor, any action is allowed, except deleting and writing permissions (Authorization).
11. We go back to Chrome and, as admin, change ReadOnly's role to Reader.
12. Then we go back to Internet Explorer and press F5 to refresh the page. ReadOnly's permission is now Reader.
Still in Internet Explorer as readonly, we select the resource Leidemostorage and click Delete.
Remember: in step 11 we set the ReadOnly permission to Reader. All of readonly's permissions are now read-only, and the access keys cannot be read.
13. We try to delete the storage account Leidemostorage as ReadOnly. The deletion fails:
This is expected, because the Reader role is read-only and cannot even read the access keys.
Summary:
1. Learn how to create a new account in Azure AD
2. Understand the three default RBAC roles: Owner, Contributor (participant), Reader
Azure ARM (16) Role-based access controls (role Based access control, RBAC)-Using the default role