RBAC (Role-Based Access Control) is, as the name says, access control based on roles. Since the introduction of ARM (Azure Resource Manager), the management granularity of Azure's resources has become very fine, which is what makes RBAC possible.
With RBAC it is easy to give different users different permissions on different resources.
This article walks through one of the most common cases: assigning a limited set of permissions to a single user.
I. Requirement
The user vmops may only start, shut down, or restart the virtual machines in resource group 1 and one specific virtual machine in resource group 2, and has no other permissions.
II. Implementation
1. Create the user
Create the user [email protected] in the old (classic) Azure portal.
2. Identify the resources that can be accessed
The resources that the user vmops may operate on are:
VMs in Subscription 1
Resource Group 1 in Subscription 2
VM 1 in Resource Group 2 in Subscription 2
The actions allowed on them are:
Start, restart, powerOff, deallocate
3. Configure it with PowerShell
A. First, get the operations that can be performed on a VM:
Get-AzureRmProviderOperation Microsoft.Compute/virtualMachines/* | FT Operation
Warning: The Output Object Type of this cmdlet is modified in a future release.
Operation
---------
Microsoft.compute/virtualmachines/read
Microsoft.compute/virtualmachines/write
Microsoft.compute/virtualmachines/delete
Microsoft.compute/virtualmachines/start/action
Microsoft.compute/virtualmachines/poweroff/action
Microsoft.compute/virtualmachines/redeploy/action
Microsoft.compute/virtualmachines/restart/action
Microsoft.compute/virtualmachines/deallocate/action
Microsoft.compute/virtualmachines/generalize/action
Microsoft.compute/virtualmachines/capture/action
Microsoft.compute/virtualmachines/vmsizes/read
Microsoft.compute/virtualmachines/instanceview/read
Microsoft.compute/virtualmachines/extensions/read
Microsoft.compute/virtualmachines/extensions/write
Microsoft.compute/virtualmachines/extensions/delete
B. Get the IDs of the three kinds of resources
1) Subscription ID
Get-AzureRmSubscription | FT SubscriptionId
SubscriptionId
--------------
$Sub 1
$Sub 2
2) Resource Group ID in Subscription 2
Get-AzureRmResourceGroup | FT ResourceId
ResourceId
----------
/subscriptions/$Sub 1/resourcegroups/hwnosql
/subscriptions/$Sub 1/RESOURCEGROUPS/HWISCSI
3) ID of VM1 in resource group HWISCSI
Get-AzureRmVM -ResourceGroupName HWISCSI | FT Id
Id
/subscriptions/$Sub 1/resourcegroups/hwiscsi/providers/microsoft.compute/virtualmachines/hwiscsi01
/subscriptions/$Sub 1/resourcegroups/hwiscsi/providers/microsoft.compute/virtualmachines/hwiscsi02
/subscriptions/$Sub 1/resourcegroups/hwiscsi/providers/microsoft.compute/virtualmachines/hwiscsiwin
C. Define a new role
First, list the role definitions that already exist:
Get-AzureRmRoleDefinition | FT Name
Name
----
API Management Service Contributor
Application Insights Component Contributor
BizTalk Contributor
Classic Network Contributor
Classic Storage Account Contributor
Classic Virtual Machine Contributor
ClearDB MySQL DB Contributor
Contributor
Data Factory Contributor
DocumentDB Account Contributor
Intelligent Systems Account Contributor
Network Contributor
New Relic APM Account contributor
Owner
Reader
Redis Cache Contributor
Scheduler Job Collections Contributor
Search Service Contributor
SQL DB Contributor
SQL Security Manager
SQL Server Contributor
Storage Account Contributor
User Access Administrator
Virtual Machine Contributor
Web Plan Contributor
Website Contributor
In this scenario the new role is derived from the built-in Virtual Machine Contributor role:
# Get the "Virtual Machine Contributor" definition as a template
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and start stop or restart virtual machines."
$role.Actions.Clear()
# Add read permission on the resources around the VM (storage, network, compute, authorization, resource groups)
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
# Add the VM operations the user is allowed to perform
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
# Put both subscriptions into the role's assignable scopes
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$Sub 1")
$role.AssignableScopes.Add("/subscriptions/$Sub 2")
# Create the role
New-AzureRmRoleDefinition -Role $role
New-AzureRmRoleDefinition -Role $role
Name             : Virtual Machine Operator
Id               : 55aca895-61dc-4162-b7a6-fbab532d14a2
IsCustom         : True
Description      : Can monitor and start stop or restart virtual machines.
Actions          : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action ...}
NotActions       : {}
AssignableScopes : {/subscriptions/$Sub 1}
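The wildcards in a custom role's Actions are convenient, but before the role is assigned it is worth seeing exactly which concrete operations a pattern such as Microsoft.Compute/*/read covers, and how NotActions subtract from Actions. The script below is an added example, not code from the original post; it implements the wildcard matching itself (one '*' matches any run of characters, including '/'), runs it over a constructed list of operations taken from the Get-AzureRmProviderOperation output above plus a few Storage entries added for illustration, and shows the live cmdlet call in a comment.

```powershell
# Added example, not part of the original post. It expands the wildcard
# patterns in a role definition's Actions/NotActions against a list of
# provider operations, so you can see which operations a pattern such as
# "Microsoft.Compute/*/read" really grants before the role is assigned.

function ConvertTo-OperationRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    # An RBAC '*' matches any run of characters, including '/'; everything
    # else is literal. -match compares case-insensitively, as ARM does.
    $escaped = [regex]::Escape($Pattern) -replace '\\\*', '.*'
    return "^$escaped$"
}

function Test-OperationMatch {
    param([string]$Operation, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Operation -match (ConvertTo-OperationRegex $p)) { return $true }
    }
    return $false
}

function Expand-RoleActions {
    param(
        [Parameter(Mandatory)][string[]]$Operations,  # the full provider operation list
        [Parameter(Mandatory)][string[]]$Actions,
        [string[]]$NotActions = @()
    )
    # Effective permissions = operations matched by Actions minus those matched by NotActions
    $effective = foreach ($op in $Operations) {
        if ((Test-OperationMatch $op $Actions) -and -not (Test-OperationMatch $op $NotActions)) { $op }
    }
    return @($effective | Sort-Object -Unique)
}

# Constructed sample operation list: the VM entries come from the
# Get-AzureRmProviderOperation output above; the Storage entries are added
# here for illustration. Against a live subscription use instead:
#   $ops = (Get-AzureRmProviderOperation *).Operation
$ops = @(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/extensions/read',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Storage/storageAccounts/write',
    'Microsoft.Storage/storageAccounts/listKeys/action'
)

# The compute/storage Actions of the Virtual Machine Operator role defined above
$vmOperatorActions = @(
    'Microsoft.Storage/*/read',
    'Microsoft.Compute/*/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/deallocate/action'
)

$effective = Expand-RoleActions -Operations $ops -Actions $vmOperatorActions
"Effective operations:"; $effective

# Everything that is not a plain read deserves a second look before the role ships.
# Note that listKeys/action is NOT granted: the */read wildcard does not reach it.
"Non-read operations granted:"; $effective | Where-Object { $_ -notmatch '/read$' }

# NotActions subtract from Actions: excluding the extensions subtree removes
# extensions/read from the result while leaving the VM operations intact
"With extensions excluded:"
Expand-RoleActions -Operations $ops -Actions $vmOperatorActions -NotActions 'Microsoft.Compute/virtualMachines/extensions/*'
```

The point of the non-read filter is that the four /action entries are the only operations that change state, which is exactly what the requirement asks for; if a future edit of the role added a broader wildcard such as Microsoft.Compute/*, write and delete would show up in that list immediately. The AzureRM module used throughout this post has since been retired in favour of the Az module, where the same cmdlets are named Get-AzProviderOperation, New-AzRoleDefinition and so on; the matching logic is unchanged.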
D. Assign the role to the user
New-AzureRmRoleAssignment -SignInName [email protected] -Scope /subscriptions/$Sub 1/resourcegroups/hwnosql -RoleDefinitionName "Virtual Machine Operator"
New-AzureRmRoleAssignment -SignInName [email protected] -Scope /subscriptions/$Sub 1/resourcegroups/hwiscsi/providers/microsoft.compute/virtualmachines/hwiscsiwin -RoleDefinitionName "Virtual Machine Operator"
New-AzureRmRoleAssignment -SignInName [email protected] -Scope /subscriptions/$Sub 2 -RoleDefinitionName "Virtual Machine Operator"
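Once the three assignments exist, the thing that drifts over time is not the role definition but the set of assignments: someone adds a Contributor grant at subscription scope "just for a moment" and the narrow role above becomes irrelevant, because a grant at a parent scope applies to every resource below it. The script below is an added example, not code from the original post. It compares the assignments a user actually holds against the ones the requirement calls for and reports what is missing and what is extra. $Sub1 and $Sub2 are placeholders for the subscription IDs the post redacts as "$Sub 1" and "$Sub 2", the sign-in name is made up, and the "actual" list is constructed rather than read from a tenant; the live cmdlet call is shown in a comment.

```powershell
# Added example, not part of the original post. Compares the role assignments a
# user holds against the expected ones so that extra or missing grants show up.
# $Sub1/$Sub2 and the sign-in name are placeholders.

$Sub1 = '00000000-0000-0000-0000-000000000001'   # placeholder for "$Sub 1"
$Sub2 = '00000000-0000-0000-0000-000000000002'   # placeholder for "$Sub 2"
$user = 'vmops@example.com'                       # placeholder sign-in name
$roleName = 'Virtual Machine Operator'

function Get-AssignmentKey {
    param([Parameter(Mandatory)]$Assignment)
    # Scopes and role names are case-insensitive in ARM, so normalise before comparing
    return ('{0}|{1}' -f $Assignment.Scope, $Assignment.RoleDefinitionName).ToLowerInvariant()
}

function Compare-RoleAssignments {
    param(
        [Parameter(Mandatory)][object[]]$Actual,    # objects with Scope and RoleDefinitionName
        [Parameter(Mandatory)][object[]]$Expected
    )
    $actualKeys   = @($Actual   | ForEach-Object { Get-AssignmentKey $_ })
    $expectedKeys = @($Expected | ForEach-Object { Get-AssignmentKey $_ })
    return [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $actualKeys   -notcontains (Get-AssignmentKey $_) })
        Unexpected = @($Actual   | Where-Object { $expectedKeys -notcontains (Get-AssignmentKey $_) })
    }
}

# The three assignments made above are exactly what the requirement allows
$expected = @(
    [pscustomobject]@{ Scope = "/subscriptions/$Sub1/resourcegroups/hwnosql"; RoleDefinitionName = $roleName },
    [pscustomobject]@{ Scope = "/subscriptions/$Sub1/resourcegroups/hwiscsi/providers/microsoft.compute/virtualmachines/hwiscsiwin"; RoleDefinitionName = $roleName },
    [pscustomobject]@{ Scope = "/subscriptions/$Sub2"; RoleDefinitionName = $roleName }
)

# Constructed sample of what a tenant might return: the three expected assignments
# plus a Contributor grant at subscription scope that nobody asked for.
# Against a live tenant, read the assignments once per subscription (the cmdlet works
# in the current context; -ExpandPrincipalGroups also lists grants inherited via groups):
#   Set-AzureRmContext -SubscriptionId $Sub1
#   $actual += Get-AzureRmRoleAssignment -SignInName $user -ExpandPrincipalGroups |
#              Select-Object Scope, RoleDefinitionName
$actual = $expected + @(
    [pscustomobject]@{ Scope = "/subscriptions/$Sub1"; RoleDefinitionName = 'Contributor' }
)

$diff = Compare-RoleAssignments -Actual $actual -Expected $expected
"Missing assignments:";    $diff.Missing    | Format-Table -AutoSize
"Unexpected assignments:"; $diff.Unexpected | Format-Table -AutoSize
```

The comparison works on the assignment level rather than on the resources the user can reach, which is deliberate: the stray Contributor grant sits at "/subscriptions/$Sub1" and therefore covers hwnosql and hwiscsiwin as well, and a per-resource view would simply report "can stop the VM" for both the intended and the unintended path. Running this after every change to the user, or on a schedule, is the cheapest way to keep the least-privilege role from being quietly superseded.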
After the user signs in to the portal, the resources defined above can be managed, while resources without permissions cannot.
The screenshot shows that the VMs in the NoSQL resource group (hwnosql) can be managed, but only the actions that were defined are available, such as Stop:
Likewise, the virtual machine hwiscsiwin can be managed, but only the actions with defined permissions are shown: Start, Stop, Restart:
An administrator sees more entries, including the Delete menu:
For resources other than VMs, such as creating a storage account, the user vmops has no permissions at all:
Creating a VNet is likewise not permitted:
Summary:
With ARM-based resource authorization in Azure, different users can be given different permissions on different resources.
The authorization consists of these steps:
- Create the role, including the actions that are allowed (Actions) and those that are not (NotActions)
- Create the user
- Connect the user, the role and the resource with a role assignment
Azure ARM-based RBAC