
AB_MN
Copper Contributor
Feb 28, 2023

Azure Storage RBAC

Is there a built-in Azure role (or roles) that will accomplish the following:

- Create any Azure resource
- Apply permissions to any Azure resource
- Not have read access to resources unless explicitly granted


Specifically, I am referring to a file share in a storage account. I would like to have a security "role" be able to do all of the above, but don't want them to be able to access the data in a file share unless they are explicitly granted permissions. There is a file share that would contain confidential documents that the security "role" should not be able to access, and yes, I know that the "role" could easily just give themselves access to that share if they really wanted to.


Thanks for the help.

Tushar Kumar
Brass Contributor

The Azure role that meets these requirements is the "Contributor" role. The Contributor role has the permissions to create any Azure resource and apply permissions to any Azure resource. However, by default, the Contributor role also has read access to resources.

To meet the third requirement of not having read access to resources unless explicitly granted, you can customize the Contributor role by removing the "Reader" permission from it. This can be achieved by creating a custom role based on the Contributor role and removing the "Reader" permission. The custom role can then be assigned to users or groups who need to create and manage Azure resources without having read access to them.
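As an added example (not from the original thread or from Azure's own documentation), here is what such a custom role definition looks like when passed to `az role definition create --role-definition @storage-admin-no-data.json`. It assumes the file share is reached through identity-based (RBAC) data-plane access rather than the storage account keys or SAS tokens, which is why the two key operations are excluded: holding the account keys would grant data access outside RBAC. `<subscription-id>` is a placeholder for your own subscription.

```json
{
  "Name": "Storage Admin - No Data Access (example)",
  "IsCustom": true,
  "Description": "Create and manage Azure resources; no data-plane access to file shares; cannot obtain storage account keys.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

Because `DataActions` is empty, the role confers no read access to file contents; a holder only reaches the confidential share if someone separately assigns a data-plane role such as Storage File Data SMB Share Reader on that share, which is the "explicitly granted" step the question asks for.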
