Gallery sharing issues when sharing with entire tenant
Thank you Deleted; however, as I noted everything works as expected when I change the sharing from Tenant to Subscription (i.e., and then select any/all subscriptions). So this tells me that all of the other things you noted to look into are irrelevant. I do wish to get some clarification from you though. On point #2, you mentioned the following:
"2. Check subscription permissions: Verify that the user accounts within the affected subscriptions have the appropriate RBAC permissions to view and access the shared galleries. They should have at least the necessary read permissions on the shared galleries to see them when creating a VM."
Does the user in the consuming subscription have to have permissions defined on the shared gallery that is in the other subscription? The reason we are looking into this feature is to avoid having to set granular permissions on galleries. For example, currently every time an app team creates a new Service Principal, a request has to get entered to their help desk to add that SP to the gallery. Furthermore, when I tested this at the subscription level sharing it worked like that without having to set any additional permissions, so I'm thinking that sharing at the Tenant level should have the same effect. Moreover, there is one subscription that can see this shared gallery and all permissions are set the exact same way on every subscription.
Apologies for any confusion caused. Let's address your question regarding subscription permissions for shared galleries in Azure.
When you enable sharing at the subscription level, the permissions to access the shared gallery are automatically inherited by all the user accounts within that subscription. This means that users in the consuming subscription don't need to have separate permissions defined on the shared gallery itself. The shared gallery is accessible to all users within the subscription without requiring additional granular permissions.
In your scenario, where you tested sharing at the subscription level and it worked without setting any additional permissions, it aligns with the expected behavior. When sharing at the subscription level, the sharing permissions are automatically applied to all users within that subscription.
However, when sharing at the tenant level, the sharing permissions should also propagate to all subscriptions within the tenant without the need for additional granular permissions. This means that users in any subscription within the tenant should have access to the shared gallery without requiring specific permissions defined on the gallery itself.
If you are experiencing a specific issue where one subscription can see the shared gallery while others cannot, despite having the same permissions configured, it may indicate a potential problem or inconsistency. In such cases, it is recommended to reach out to Microsoft Support for further investigation and assistance. They can analyze the specific configurations and permissions in your environment to identify any potential causes or solutions.
It's important to ensure that the necessary sharing permissions are configured correctly at the tenant and subscription levels to allow seamless access to shared galleries across the entire tenant without the need for granular permission management on individual galleries.
If I have answered your question, please mark your post as Solved. If you like my response, please give it a like.