New and Improved Guidance: Grant Permission to Lab Resources
Published Mar 16 2023 10:02 PM 4,670 Views
Microsoft

We are in progress of making many improvements to the documentation for the Azure Lab Services Update that was released this past August 2022 .  One upcoming improvement, is that we're adding guidance on how to grant administrators and educators permission to lab resources.  Please see an early release of this new guidance further below - this guidance includes the following topics:

 

  • Resource group and lab plan structure
    • Permission to multiple resource groups
    • Permission to multiple lab plans
  • Roles for common lab activities
  • Administrator roles
    • Owner
    • Contributor
    • Lab Services Contributor
  • Educator roles
    • Lab Creator
    • Lab Contributor
    • Lab Assistant
    • Lab Services Reader
  • Moving role assignments from lab accounts to lab plans

 

We are interested to get your feedback on this content, including any points that may be unclear or where gaps may exist.  Please share any feedback that you have by adding a comment to this blog post.

 

Thanks!

Azure Lab Services Team

----------------------------------------------------------------------------------------------------------

Granting users permission to lab resources

To give administrators and educators access to Azure Lab Services, they need to be assigned one of the following roles using Azure’s role-based access control (RBAC) . 

  • Administrator roles
    • Owner
    • Contributor
    • Lab Services Contributor
  • Educator roles
    • Lab Creator
    • Lab Contributor
    • Lab Assistant
    • Lab Services Reader

As shown by the arrows in the graphic below, roles can be assigned to users on resource groups, lab plans, and labs:

  • Resource groups are logical containers for grouping together resources.  Role assignment at the resource group level grants permission to the resource group and all resources within the resource group, such as labs and lab plans.
  • Lab plans are used to apply common configuration settings when you create a lab. Role assignment at the lab plan level grants permission only to a specific lab plan.
  • Lab role assignment grants permission only to a specific lab.

nicolehaugen_1-1679021074311.png

IMPORTANT – Lab plans and labs are sibling resources to each other.  As a result, labs don’t inherit any roles/permissions that are assigned at the lab plan level.  However, roles/permissions assigned at the resource group level are inherited by both lab plans and labs.

 

Roles for common lab activities

The following table shows common lab activities and the role that needs to be assigned to an administrator or educator to perform each activity.  For more details on all the lab roles available and the permissions that each role grants, see the below sections about administrator roles and educator roles.

 

IMPORTANT – The Owner/Contributor roles can also be assigned at the subscription level.  An organization’s subscription is used to manage billing and security for all Azure resources and services.  Typically, only administrators are given subscription level access because this includes full access to all resources in the subscription.  Also, when assigned as an Owner, they have the ability to grant access to others.

 

Role Type Activity Role to Assign Resource Assigment Level
Administrator

Grant permission to create a resource group (which needs to exist before a lab plan or lab can be created).

 

Owner or Contributor Subscription*
Administrator

Grant permission to submit a Microsoft support ticket, including to request capacity

Owner, ContributorSupport Request Contributor

 

Subscription*
Administrator

Grant permission to:

Owner Resource Group
Administrator

Grant permission to:

However, not the ability to assign roles to other users.

 

Contributor Resource Group
Educator

Grant permission to create/manage their own labs:

  • Using all lab plans within a resource group.
  • Or, only for a specific lab plan.

 

Lab Creator Resource Group or Lab Plan
Educator

Grant permission to co-manage a lab, but not the ability to create labs.

 

Lab Contributor Lab
Educator

Grant permission to only start/stop/reset VMs for:

  • All labs within a resource group.
  • Or, only for a specific lab.
Lab Assistant Resource Group or Lab

* The specified roles must be assigned at the subscription level.

 

Administrator roles

To grant users permission to manage Azure Lab Services within your organization’s subscription, you should assign them the Owner, Contributor, or the Lab Services Contributor role.  These roles should be assigned at the resource group level.

 

IMPORTANT - Roles/permissions assigned at the resource group level are inherited by both lab plans and labs that are contained within the resource group.

nicolehaugen_0-1679023099130.png

 

The following table compares the administrator roles when they are assigned at the resource group level.

 

  Activity

Resource Group Level
  Owner Contributor Lab Services Contributor

Lab plan activities

View all lab plans within the resource group

Yes Yes Yes
Create, change or delete all lab plans within the resource group Yes Yes Yes

Assign roles to lab plans within the resource group

Yes No No
Lab activities

Create labs within the resource group*

Yes Yes Yes

View other users’ labs within the resource group

Yes Yes Yes

Change or delete other users’ labs within the resource group

Yes Yes No

Assign roles to other users’ labs within the resource group

Yes No No

* Users are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

 

Owner

You should assign the Owner role to give a user full control to create/manage lab plans and labs, and grant permissions to other users.  When a user is assigned the Owner role at the resource group level, they can do the following activities across all resources within the resource group:

  • Assign roles to administrators so they can manage lab-related resources.
  • Assign roles to educators so they can create and manage labs.
  • Create lab plans and labs.
  • View, delete, and change settings for all lab plans; this includes attaching/detaching the compute gallery and enabling/disabling marketplace and custom images on lab plans.
  • View, delete, and change settings for all labs.

IMPORTANT – Owner/Contributor permissions assigned at the resource group level also applies to non-lab related resources that may exist within a resource group.

 

Contributor

You should assign the Contributor role to give an user full control to create/manage lab plans and labs within a resource group.  The Contributor role is nearly the same as the Owner role, except that a Contributor:

  • Can’t assign roles to other administrators or educators.

 

Lab Services Contributor

The Lab Services Contributor is the most restrictive of the administrator roles.  You should assign the Lab Services Contributor role to enable the same activities as the Owner role; however, a Lab Services Contributor:

  • Can’t assign roles to other administrators or educators.
  • Can’t change or delete other users’ labs.

 

Educator roles

The following roles should be used to grant educators permission to create and manage labs:

  • Lab Creator
  • Lab Contributor
  • Lab Assistant
  • Lab Services Reader

IMPORTANT – The educator roles only grant permission to view lab plans.  Users assigned educator roles can’t create, change, delete, or assign roles to lab plans.  In addition, they can’t attach/detach a compute gallery or enable/disable images.

 

Lab Creator

You should assign the Lab Creator role to a user so that they can create labs and have full control over the labs that they create.  For example, they can change their labs’ settings, delete their labs, and even grant other users permission to their labs.  The Lab Creator role should be assigned at either the resource group or lab plan level.

 

nicolehaugen_0-1679026179864.png

 

The following table compares the Lab Creator role when it’s assigned at the resource group level versus the lab plan level.

Lab Activity

Resource Group Level

Lab Plan Level

Lab Creator

Lab Creator

Create labs within the resource group*

Yes

Yes

View other users’ labs within the resource group

Yes

No

Change or delete other users’ labs within the resource group

No

No

Assign roles to other users’ labs within the resource group

No

No

* Lab Creators are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

 

When the Lab Creator role is assigned at the resource group level, the user can:

  • View all labs within the resource group, including those created by other users.
  • Create new labs from all labs plans within the resource group.
  • Change and delete labs that they created; they can’t change or delete other users’ labs.

You can also assign the Lab Creator role at the lab plan .  With the Lab Creator role assigned on the lab plan, the user can:

  • Create new labs using only that specific lab plan.
  • View, change, or delete labs that they created; they can’t view, change, or delete other users’ labs.

 

Lab Contributor

You should assign the Lab Contributor role to give an user permission to help manage an existing lab.  The Lab Contributor role should be assigned at the lab level.

 

nicolehaugen_0-1679026682644.png

 

When the Lab Contributor role is assigned at the lab level, the user can manage the assigned lab.  Specifically, the user:

  • Can view, change all settings, or delete the assigned lab; they can’t view other users’ labs.
  • Can’t create new labs.

 

Lab Assistant

You should assign a user the Lab Assistant role if you only want them to be able to start/stop/reset lab VMs.  The Lab Assistant role should be assigned at the resource group or lab level.

 

nicolehaugen_1-1679026740816.png

 

When the Lab Assistant role is assigned at the resource group level, the user:

  • Can view all labs within the resource group and start/stop/reset student VMs for each lab; otherwise, they can’t delete or make any other changes to the labs.

 

When the Lab Assistant role is assigned at the lab level, the user:

  • Can view the assigned lab and start/stop/reset student VMs; otherwise, they can’t delete or make any other changes to the lab.
  • Can’t create new labs.

Lab Services Reader

The Lab Services Reader role enables user to view existing labs; they can’t make any changes.  The Lab Services Reader role should be assigned at the resource group or lab level.

 

nicolehaugen_0-1679026845865.png

 

When the Lab Services Reader role is assigned at the resource group level, the user can view all labs within the resource group.  Otherwise, when the Lab Services Reader role is assigned at the lab level, the user can only view that specific lab.

 

Moving role assignment from lab accounts to lab plans

If you are moving from lab accounts to lab plans, it’s important to understand differences between lab accounts and lab plans and how this impacts role assignments:

  • Lab accounts serve as a parent to labs; as a result, the roles assigned on a lab account are automatically inherited by its child labs.
  • Lab plans and labs are siblings to each other; this means that labs don’t inherit roles from lab plans.

For example, if you have users that are assigned the Owner or Contributor role at the lab account level, you should instead assign the Owner and Contributor roles at the resource group level for your lab plans.  Roles assigned on a lab plan’s resource group will automatically grant permission to all  labs within the resource group.

 

The table below shows recommendations to map roles from the earlier version of Azure Lab Services to roles in the August 2022 Update (Classic).

 

Role Type

Classic Version ---------------------------------->

August 2022 Update

 

Role

Assignment level

Role

Assignment level

Administrator

Owner

Lab account

Owner 

Resource group

Contributor

Lab account

Contributor 

Resource group

Educator

Lab Creator

Lab account

Lab Creator 

Lab plan

Owner*

Lab

Owner 

Resource group or lab

Contributor*

Lab

Lab Contributor 

Lab

* In the earlier version, the lab’s Contributor and Owner roles required that the Reader role also be assigned on the lab account.  In the August 2022 update, you do not need to assign the role at the lab plan or resource group level.

 

Resource group and lab plan structure

Your organization should invest time up front to plan the structure of your resource groups and lab plans.  This is especially important when users are assigned roles at the resource group level because they automatically will have permission to use all resources within the resource group.  To ensure that users are only granted permission to the appropriate resources, we recommend that you:

  • Create resource groups that only contain lab-related resources.
  • Organize lab plans and labs into separate resource groups according to the users that should have access.

For example, you may want to create separate resource groups for different departments, such as one for Math and another for Engineering, so that each department’s lab resources are isolated from one another.  Educators in the Engineering department can then be granted permission at the resource group level, which will only give them access to their department’s labs.

 

IMPORTANT – You should plan the structure of resource groups and labs plans up front because it’s not possible to move lab plans or labs to a different resource group once they are created.

 

Permission to multiple resource groups

Administrators and educators can be granted permission to more than one resource group.  For example, when an educator is assigned the Lab Contributor role on labs from different resource groups, the educator will be prompted to choose from the list of resource groups to view their labs.

 

nicolehaugen_2-1679021250451.png

Permission to multiple lab plans

Likewise, administrators and educators can be granted permission to more than one lab plan.  For example, when an educator is assigned the Lab Creator role on a resource group that contains more than one lab plan, the educator will be prompted to choose from the list of lab plans during lab creation.

 

nicolehaugen_3-1679021389721.png

 

Co-Authors
Version history
Last update:
‎Apr 10 2023 09:07 AM
Updated by: