Home
Microsoft

Hello Folks,

 

During the preparation of the Ignite The Tour conference, @Neil Peterson  and I along with the whole Cloud Ops Advocate team, were looking at issues that IT/Ops professionals are facing when looking at hybrid environments and migrating workloads to the cloud.

 

One of these issues is more than a technological problem to solve.  It’s a business decision that can be supported by a set of tools available in azure.  I’m talking about Governance.  Governance refers to the ongoing process of managing, monitoring, and auditing the use of Azure resources to meet the goals and requirements of your organization.

 

Azure implements two primary governance tools, role based access control (RBAC), and resource policy, and it's up to each organization to design their governance model using them.

 

In this post we will cover RBAC.  More specifically, custom RBAC, because built in roles may not always cover every situation so you can customize the RBAC so they are tailored to your specific needs.  Here’s a quick video we recorded to cover that.  The details are below.

 

 

So, To create custom RBAC roles you need to create a JSON file with the specific and granular access you want to grant or deny.  Here is the JSON files Neil used in his demo.

 

 

{
        "Name": "Restart Virtual Machines",
        "IsCustom": true,
        "Description": "Restart Virtual Machines.",
        "Actions": [
           "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "NotActions": [
        ],
        "DataActions": [
        ],
        "NotDataActions": [
        ],
        "AssignableScopes": [
               "/subscriptions/d5b9d4b7-6fc1-46c5-bafe-38effaed19b2"
        ]
}

 

 

As you can see the file has 8 sections:

  • Name --> that one is pretty evident
  • IsCustom --> Boolean value telling the Azure Resouce manager if this is built in role or custom. When you create a custom role, it appears in the Azure portal with an orange resource icon.

roles-custom-role-icon.png

  • The next 4 sections dictate what rights that new custom role will inherit Action à what you’re allowed to do, NotActions --> what you’re not allowed to do. The next 2 are the same, but focused on data operation.
  • The last section, the AssignableScopes --> the subscription IDs that this role will cover. As mentioned in the documentation, to create a custom role you MUST have either Owner or User Access Administrator roles yourself in the subscriptions listed.

Once you have the file, you need to use either PowerShell or Azure-CLI to create the new role in Azure using the JSON file you created. The Azure-CLI command documentation can be found here.

 

 

az role definition create --role-definition vm-restart.json 

 

 

Once the role has been create you can use the following command to assign it to a group or user(s)

 

 

az role assignment create --role "Restart Virtual Machines" --assignee rebecca@nepeters.com

 

 

or assign it using the portal. As you can see bellow.  We now have a new role (1) and it is assigned to the Rebecca user as per our last command.

 

custom-rbac.jpg

 

Here you go.  It's pretty simple to create your own roles.  However,  there needs to be significant thoughts around the entire governance issue.

 

For now.  more information about RBAC for Azure resources and Custom roles for Azure resources can be found in our docs.

 

To view the list of operations, see the Azure Resource Manager resource provider operations.

 

I hope you found this helpful.  let us know in the comments what topics you want us to cover.

 

Cheers!

 

Pierre

 

4 Comments
Super Contributor

How does one check what this custom role allows the user to do?

Microsoft

@Oleg K If you look in the JSON file, you will notice the Actions NoActions section where you can set granular permissions or  explicitly deny action.

 

You can refer to this page https://aka.ms/AA5243q to see the list of the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure. Operation strings have the following format: {Company}.{ProviderName}/{resourceType}/{action}

 

I hope this helps

Super Contributor

What i meant is how can one at a glance (without having the JSON file) check what actual permissions are? In the last screenshot, can i click on the "Restart Virtual Machi..." link in the Role column and see what the actual permissions are set for this custom role?

Microsoft

Ah!  i get it.  yes you can.

In the Access Control (IAM) section you can click on Roles

rbac-1.jpg

 

select the role you want to check out.

rbac-2.jpg

 

click the Permissions option. and from there you can navigate the Resource Providers and 

see the permissions for each item. 

rbac-3.jpg

Please keep in mind that this part is still in preview...

 

I hope this helps