Azure Basic Chapter 4: Azure RBAC (Role Based Access control)

Table of Contents

  1. Introduction
  2. Snapshot of Access Control IAM or RBAC
  3. Scenario
    3.1. Scenario A
    3.2. Scenario B
    3.3. Scenario C
  4. End of Document

1. Introduction

The purpose of this document is to explain RBAC (Role-Based Access Control). In the Azure portal this is also called IAM (Identity and Access Management).

IAM is about assigning roles (sets of permissions) on specific resources or objects to particular users.

Permissions on objects are what IAM or RBAC covers. Azure Active Directory roles are a separate topic and will be explained later in this series. For the full list of roles, see Azure Basic Chapter 1: Azure Active Directory => Section “7.2. Access Control Roles list (RBAC list)”.

  • If access control is applied at the subscription level, it flows down to all objects under that subscription (for example, the resource groups and the objects inside those resource groups).
  • If access control is applied at the resource group level, it flows down to all objects under that resource group.
  • If access control is applied on a specific leaf object (such as a VM, storage account, virtual network or network security group), it applies to that object only.

2. Snapshot of Access Control IAM or RBAC

Access control can be applied at any level of the object hierarchy in Azure (see the related posts for the Azure object hierarchy). IAM applied at a top-level object flows down to the objects below it.

If you want to assign a permission on a specific object, open that object, click “Access control (IAM)” and add the role to the desired user.

3. Scenario

There are many scenarios for assigning Access Control (IAM) on different objects, depending on the requirement. The following scenarios illustrate how RBAC works.

  • User1 can see billing on Subscription “Pay-As-You-Go”
  • User2 can see any object under Subscription “Pay-As-You-Go”.
  • User3 can do anything on Resource group “NSIT-RG01”, but can’t see billing of Subscription.

3.1. Scenario A

User1 should be able to see only the billing for a specific subscription.

Implementation

  • Log in as an administrator that has the Global Admin role in Azure Active Directory and Owner/Admin permission on the subscription.
  • Create a new user “User1” in “Azure Active Directory”.
  • User “User1” is created.

Select the subscription (Ex: Pay-As-You-Go) => Click on Access Control (IAM) => Add role assignment

  • Add role “Billing Reader” to “User1”

Conclusion:

User1 can read the billing of subscription “Pay-As-You-Go” only. However “User1” can’t see anything else in this subscription.

  • Can read subscription
  • Cannot see any resources

3.2. Scenario B

User2 should be able to see all the objects in the subscription (Ex: Pay-As-You-Go), including billing, but must not be able to modify any object.

Implementation

  • Log in as an administrator that has the Global Admin role in Azure Active Directory and Owner/Admin permission on the subscription.
  • Create a new user “User2” in “Azure Active Directory”.

Creation of User2 is not shown; it is the same procedure as in Scenario A.

  • User “User2” is created.
  • Select the subscription (Ex: Pay-As-You-Go) => Click on Access Control (IAM) => Add role assignment

Add role “Reader” to “User2”

Conclusion:

User2 can read any object under subscription “Pay-As-You-Go”. However, “User2” cannot modify any object under the subscription.

  • Can see billing
  • User2 can see any object under subscription “Pay-As-You-Go”, such as resource groups and the objects in them.
  • User2 cannot create or modify any object.

3.3. Scenario C

User3 should be able to create any object under resource group “NSIT-RG01” but must not be able to see billing for the “Pay-As-You-Go” subscription.

Implementation

  • Log in as an administrator that has full permission on the subscription and Azure AD.
  • Create a new user “User3” in “Azure Active Directory”.
  • Creation of User3 is not shown; it is the same procedure as in Scenario A.
  • User “User3” is created.
  • Select resource group “NSIT-RG01” => Click on Access Control (IAM) => Add role assignment
  • Add role “Contributor” to “User3”

Conclusion:

  • User3 cannot see subscription “Pay-As-You-Go” or its billing details.
  • Since User3 is a Contributor, User3 can create, delete and modify any object under resource group “NSIT-RG01”. However, User3 cannot grant permission to any other user on NSIT-RG01. User3 can grant permission to other users on resource group “NSIT-RG01” only if User3 is an Owner of that object. See all roles at https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
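The following is an added example, not code from the original post or from Microsoft: a small Python model of the two rules this chapter relies on, scope inheritance (an assignment at a subscription or resource group flows down to everything beneath it, never up or sideways) and role evaluation (a role's Actions minus its NotActions, which is why a Contributor cannot write role assignments but an Owner can). The role definitions are abbreviated from the built-in Billing Reader, Reader, Contributor and Owner roles; the subscription id, resource group and VM names are constructed placeholders; Azure deny assignments are not modelled. It encodes the three assignments from Scenarios A, B and C and checks the conclusions drawn for each.

```python
"""Toy evaluator for Azure RBAC scope inheritance (added example, not from the post).

Role definitions are abbreviated from the built-in roles; the subscription id and
resource names are constructed placeholders.  Azure deny assignments are not modelled.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, NamedTuple

# Constructed placeholder scopes, in the same hierarchy the post describes:
# subscription -> resource group -> leaf object (a VM here).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = f"{SUBSCRIPTION}/resourceGroups/NSIT-RG01"
VM = f"{RESOURCE_GROUP}/providers/Microsoft.Compute/virtualMachines/vm01"

# Abbreviated built-in role definitions (Actions / NotActions in Azure wildcard syntax).
# NotActions only subtract from the same role's Actions; they are not a deny.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Billing Reader": {
        "actions": ["Microsoft.Billing/*/read", "Microsoft.Consumption/*/read",
                    "Microsoft.Resources/subscriptions/read"],
        "notActions": [],
    },
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Owner": {"actions": ["*"], "notActions": []},
}


class Assignment(NamedTuple):
    principal: str
    role: str
    scope: str


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """A role assigned at a scope applies to that scope and everything beneath it.

    The trailing "/" keeps .../NSIT-RG01 from also matching .../NSIT-RG010.
    """
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")


def _matches(action: str, patterns: List[str]) -> bool:
    # Azure action names are case-insensitive; "*" matches across "/" just as in fnmatch.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name: str, action: str) -> bool:
    """Actions minus NotActions for a single role."""
    role = ROLES[role_name]
    return _matches(action, role["actions"]) and not _matches(action, role["notActions"])


def is_allowed(assignments: List[Assignment], principal: str, action: str, target_scope: str) -> bool:
    """Allowed if any assignment that covers the target scope grants the action."""
    return any(
        role_permits(a.role, action)
        for a in assignments
        if a.principal == principal and scope_covers(a.scope, target_scope)
    )


# The three assignments made in Scenarios A, B and C.
SCENARIO_ASSIGNMENTS = [
    Assignment("user1", "Billing Reader", SUBSCRIPTION),
    Assignment("user2", "Reader", SUBSCRIPTION),
    Assignment("user3", "Contributor", RESOURCE_GROUP),
]


def scenario_checks(assignments: List[Assignment] = SCENARIO_ASSIGNMENTS) -> Dict[str, bool]:
    """Evaluate the conclusions the post draws for each scenario."""
    return {
        "user1_reads_billing": is_allowed(assignments, "user1", "Microsoft.Billing/invoices/read", SUBSCRIPTION),
        "user1_reads_vm": is_allowed(assignments, "user1", "Microsoft.Compute/virtualMachines/read", VM),
        "user2_reads_billing": is_allowed(assignments, "user2", "Microsoft.Billing/invoices/read", SUBSCRIPTION),
        "user2_reads_vm": is_allowed(assignments, "user2", "Microsoft.Compute/virtualMachines/read", VM),
        "user2_writes_vm": is_allowed(assignments, "user2", "Microsoft.Compute/virtualMachines/write", VM),
        "user3_writes_vm": is_allowed(assignments, "user3", "Microsoft.Compute/virtualMachines/write", VM),
        "user3_reads_billing": is_allowed(assignments, "user3", "Microsoft.Billing/invoices/read", SUBSCRIPTION),
        "user3_assigns_roles": is_allowed(assignments, "user3", "Microsoft.Authorization/roleAssignments/write", RESOURCE_GROUP),
    }


if __name__ == "__main__":
    for name, ok in scenario_checks().items():
        print(f"{name}: {ok}")
    # Only an Owner on the resource group may hand out roles on it.
    promoted = SCENARIO_ASSIGNMENTS + [Assignment("user3", "Owner", RESOURCE_GROUP)]
    print("user3 as Owner assigns roles:",
          is_allowed(promoted, "user3", "Microsoft.Authorization/roleAssignments/write", RESOURCE_GROUP))
```

Two design points are worth noticing. First, `scope_covers` appends a "/" before the prefix test, so an assignment on NSIT-RG01 does not silently cover a sibling named NSIT-RG010; a naive `startswith` would. Second, `is_allowed` grants if any covering assignment permits the action, which is how Azure combines multiple role assignments: a NotAction in one role does not block the same action granted by another role, so giving User3 Owner on the resource group (the last lines of the script) re-enables role-assignment writes that Contributor excludes. In a real tenant the same three assignments would be created with `az role assignment create --assignee <user> --role "<role>" --scope <scope>` rather than through the portal clicks shown above.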

Related posts

See posts Azure Basic Chapter 1: Azure Active Directory and Azure Basic Chapter 2: Create custom Azure Active Directory.

See post Azure Basic Chapter 3: Azure Subscription.

4. End of Document
