We are in the process of making many improvements to the documentation for the latest update to Azure Lab Services. One upcoming improvement is that we're adding guidance on how to grant administrators and educators permission to lab resources. Please see an early release of this new guidance further below - this guidance includes the following topics:
We are interested to get your feedback on this content, including any points that may be unclear or where gaps may exist. Please share any feedback that you have by adding a comment to this blog post.
Thanks!
Azure Lab Services Team
----------------------------------------------------------------------------------------------------------
To give administrators and educators access to Azure Lab Services, they need to be assigned one of the following roles using Azure’s role-based access control (RBAC).
As shown by the arrows in the graphic below, roles can be assigned to users on resource groups, lab plans, and labs:
IMPORTANT – Lab plans and labs are sibling resources to each other. As a result, labs don’t inherit any roles/permissions that are assigned at the lab plan level. However, roles/permissions assigned at the resource group level are inherited by both lab plans and labs.
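The sibling rule above is easy to get wrong when planning assignments, so here is an added illustration (not Azure code or a Microsoft tool) that resolves which roles a principal effectively holds on a lab plan or lab. It walks the scope chain the way the post describes: resource-group assignments reach both lab plans and labs, but a lab plan is never an ancestor of a lab. The subscription GUID, resource group, lab plan and lab names, and the user principals are constructed sample values; modelling a lab creator's automatic rights on a lab they created as an Owner assignment on that lab is an assumption, since the post names the permissions but not the role.

```python
"""Resolve effective Azure Lab Services roles under the scope model described
in the post: resource group -> lab plan and resource group -> lab inherit,
lab plan -> lab does NOT (they are siblings).

Added illustration, not Azure code. Resource IDs follow the ARM format for the
Microsoft.LabServices provider; all names and GUIDs below are constructed.
"""
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # constructed
RG_ENG = f"{SUB}/resourceGroups/rg-engineering"
PLAN_ENG = f"{RG_ENG}/providers/Microsoft.LabServices/labPlans/plan-engineering"
LAB_CIRCUITS = f"{RG_ENG}/providers/Microsoft.LabServices/labs/lab-circuits"
LAB_SIGNALS = f"{RG_ENG}/providers/Microsoft.LabServices/labs/lab-signals"


@dataclass(frozen=True)
class Assignment:
    principal: str   # user or group, e.g. a UPN
    role: str        # built-in role name, e.g. "Lab Creator"
    scope: str       # ARM resource ID the role is assigned on


def scope_chain(resource_id: str) -> list[str]:
    """Scopes whose assignments apply to resource_id, innermost first.

    Lab plans and labs both sit directly under the resource group, so the
    chain for a lab is lab -> resource group -> subscription and never
    passes through a lab plan.
    """
    parts = resource_id.strip("/").split("/")
    chain = [resource_id]
    if "resourceGroups" in parts:
        rg_index = parts.index("resourceGroups")
        rg_id = "/" + "/".join(parts[: rg_index + 2])
        if rg_id != resource_id:
            chain.append(rg_id)
    sub_id = "/" + "/".join(parts[:2])   # /subscriptions/<id>
    if sub_id not in chain:
        chain.append(sub_id)
    return chain


def effective_roles(principal: str, resource_id: str,
                    assignments: list[Assignment]) -> set[str]:
    """Roles the principal holds on resource_id, directly or by inheritance."""
    applicable = set(scope_chain(resource_id))
    return {a.role for a in assignments
            if a.principal == principal and a.scope in applicable}


# Constructed sample assignments mirroring the recommendations in the post.
ASSIGNMENTS = [
    Assignment("admin@contoso.example", "Contributor", RG_ENG),
    Assignment("educator@contoso.example", "Lab Creator", PLAN_ENG),
    # The educator created lab-circuits; the post says creators get full rights
    # on the labs they create. Modelled here as Owner on that lab (assumption).
    Assignment("educator@contoso.example", "Owner", LAB_CIRCUITS),
    Assignment("ta@contoso.example", "Lab Assistant", LAB_SIGNALS),
]

if __name__ == "__main__":
    checks = [("admin@contoso.example", LAB_SIGNALS),     # inherited from RG
              ("educator@contoso.example", LAB_CIRCUITS), # direct on the lab
              ("educator@contoso.example", LAB_SIGNALS),  # plan role does not reach it
              ("ta@contoso.example", PLAN_ENG)]           # lab role does not reach the plan
    for who, where in checks:
        roles = sorted(effective_roles(who, where, ASSIGNMENTS)) or "no role"
        print(f"{who} on {where.rsplit('/', 1)[-1]}: {roles}")
```

The third check is the one to keep in mind: a Lab Creator on the lab plan has no standing on a colleague's lab in the same resource group, which is exactly what the sibling note says and why the post recommends resource-group scope when administrators need to reach every lab.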
The following table shows common lab activities and the role that needs to be assigned to an administrator or educator to perform each activity. For more details on all the lab roles available and the permissions that each role grants, see the below sections about administrator roles and educator roles.
IMPORTANT – The Owner/Contributor roles can also be assigned at the subscription level. An organization’s subscription is used to manage billing and security for all Azure resources and services. Typically, only administrators are given subscription level access because this includes full access to all resources in the subscription. Also, when assigned as an Owner, they have the ability to grant access to others.
Role Type | Activity | Role to Assign | Resource Assignment Level
Administrator | Grant permission to create a resource group (which needs to exist before a lab plan or lab can be created). | Owner or Contributor | Subscription*
Administrator | Grant permission to submit a Microsoft support ticket, including to request capacity. | Owner, Contributor, Support Request Contributor | Subscription*
Administrator | Grant permission to: | Owner | Resource Group
Administrator | Grant permission to: However, not the ability to assign roles to other users. | Contributor | Resource Group
Educator | Grant permission to create/manage their own labs: | Lab Creator | Resource Group or Lab Plan
Educator | Grant permission to co-manage a lab, but not the ability to create labs. | Lab Contributor | Lab
Educator | Grant permission to only start/stop/reset VMs for: | Lab Assistant | Resource Group or Lab
* The specified roles must be assigned at the subscription level.
To grant users permission to manage Azure Lab Services within your organization’s subscription, you should assign them the Owner, Contributor, or Lab Services Contributor role. These roles should be assigned at the resource group level.
IMPORTANT - Roles/permissions assigned at the resource group level are inherited by both lab plans and labs that are contained within the resource group.
The following table compares the administrator roles when they are assigned at the resource group level.
Activity | Owner (Resource Group Level) | Contributor (Resource Group Level) | Lab Services Contributor (Resource Group Level)
Lab plan activities | | |
View all lab plans within the resource group | Yes | Yes | Yes
Create, change or delete all lab plans within the resource group | Yes | Yes | Yes
Assign roles to lab plans within the resource group | Yes | No | No
Lab activities | | |
Create labs within the resource group* | Yes | Yes | Yes
View other users’ labs within the resource group | Yes | Yes | Yes
Change or delete other users’ labs within the resource group | Yes | Yes | No
Assign roles to other users’ labs within the resource group | Yes | No | No
* Users are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.
You should assign the Owner role to give a user full control to create/manage lab plans and labs, and grant permissions to other users. When a user is assigned the Owner role at the resource group level, they can do the following activities across all resources within the resource group:
IMPORTANT – Owner/Contributor permissions assigned at the resource group level also apply to non-lab related resources that may exist within the resource group.
You should assign the Contributor role to give a user full control to create/manage lab plans and labs within a resource group. The Contributor role is nearly the same as the Owner role, except that a Contributor:
The Lab Services Contributor is the most restrictive of the administrator roles. You should assign the Lab Services Contributor role to enable the same activities as the Owner role; however, a Lab Services Contributor:
The following roles should be used to grant educators permission to create and manage labs:
IMPORTANT – The educator roles only grant permission to view lab plans. Users assigned educator roles can’t create, change, delete, or assign roles to lab plans. In addition, they can’t attach/detach a compute gallery or enable/disable images.
You should assign the Lab Creator role to a user so that they can create labs and have full control over the labs that they create. For example, they can change their labs’ settings, delete their labs, and even grant other users permission to their labs. The Lab Creator role should be assigned at either the resource group or lab plan level.
The following table compares the Lab Creator role when it’s assigned at the resource group level versus the lab plan level.
Lab Activity | Lab Creator (Resource Group Level) | Lab Creator (Lab Plan Level)
Create labs within the resource group* | Yes | Yes
View other users’ labs within the resource group | Yes | No
Change or delete other users’ labs within the resource group | No | No
Assign roles to other users’ labs within the resource group | No | No
* Lab Creators are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.
When the Lab Creator role is assigned at the resource group level, the user can:
You can also assign the Lab Creator role at the lab plan level. With the Lab Creator role assigned on the lab plan, the user can:
You should assign the Lab Contributor role to give a user permission to help manage an existing lab. The Lab Contributor role should be assigned at the lab level.
When the Lab Contributor role is assigned at the lab level, the user can manage the assigned lab. Specifically, the user:
You should assign a user the Lab Assistant role if you only want them to be able to start/stop/reset lab VMs. The Lab Assistant role should be assigned at the resource group or lab level.
When the Lab Assistant role is assigned at the resource group level, the user:
When the Lab Assistant role is assigned at the lab level, the user:
The Lab Services Reader role enables a user to view existing labs; they can’t make any changes. The Lab Services Reader role should be assigned at the resource group or lab level.
When the Lab Services Reader role is assigned at the resource group level, the user can view all labs within the resource group. Otherwise, when the Lab Services Reader role is assigned at the lab level, the user can only view that specific lab.
If you are moving from lab accounts to lab plans, it’s important to understand differences between lab accounts and lab plans and how this impacts role assignments:
For example, if you have users that are assigned the Owner or Contributor role at the lab account level, you should instead assign the Owner and Contributor roles at the resource group level for your lab plans. Roles assigned on a lab plan’s resource group will automatically grant permission to all labs within the resource group.
The table below shows recommendations to map roles from Azure Lab Services lab accounts to lab plans.
Role Type | Lab accounts: Role | Lab accounts: Assignment level | Lab plans: Role | Lab plans: Assignment level
Administrator | Owner | Lab account | Owner | Resource group
Administrator | Contributor | Lab account | Contributor | Resource group
Educator | Lab Creator | Lab account | Lab Creator | Lab plan
Educator | Owner* | Lab | Owner | Resource group or lab
Educator | Contributor* | Lab | Lab Contributor | Lab
* In the earlier version, the lab’s Contributor and Owner roles required that the Reader role also be assigned on the lab account. When using lab plans, you do not need to assign the Reader role at the lab plan or resource group level.
Your organization should invest time up front to plan the structure of your resource groups and lab plans. This is especially important when users are assigned roles at the resource group level because they automatically will have permission to use all resources within the resource group. To ensure that users are only granted permission to the appropriate resources, we recommend that you:
For example, you may want to create separate resource groups for different departments, such as one for Math and another for Engineering, so that each department’s lab resources are isolated from one another. Educators in the Engineering department can then be granted permission at the resource group level, which will only give them access to their department’s labs.
IMPORTANT – You should plan the structure of resource groups and lab plans up front because it’s not possible to move lab plans or labs to a different resource group once they are created.
Administrators and educators can be granted permission to more than one resource group. For example, when an educator is assigned the Lab Contributor role on labs from different resource groups, the educator will be prompted to choose from the list of resource groups to view their labs.
Likewise, administrators and educators can be granted permission to more than one lab plan. For example, when an educator is assigned the Lab Creator role on a resource group that contains more than one lab plan, the educator will be prompted to choose from the list of lab plans during lab creation.
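As an added example of the planning step above (this is illustration code, not a Microsoft tool), the script below lays out one resource group per department, plans the role assignments the post recommends for administrators, educators and assistants, and checks each assignment's scope against the assignment levels given in the post's tables before generating the Azure CLI commands. The only real interface it relies on is `az role assignment create --assignee --role --scope`; nothing is executed, the commands are returned as strings for review. The subscription GUID, department names and group principals are constructed sample values.

```python
"""Plan Lab Services role assignments for a department-per-resource-group
layout, validating each role's scope against the levels recommended in the
post, and emit the az CLI commands that would create them (dry run only).

Added example, not Azure code. Names and GUIDs below are constructed.
"""
import shlex

LABSERVICES = "providers/Microsoft.LabServices"

# Assignment levels at which the post recommends each role (from its tables).
RECOMMENDED_LEVELS = {
    "Owner": {"subscription", "resourceGroup", "lab"},
    "Contributor": {"subscription", "resourceGroup"},
    "Support Request Contributor": {"subscription"},
    "Lab Services Contributor": {"resourceGroup"},
    "Lab Creator": {"resourceGroup", "labPlan"},
    "Lab Contributor": {"lab"},
    "Lab Assistant": {"resourceGroup", "lab"},
    "Lab Services Reader": {"resourceGroup", "lab"},
}


def scope_level(scope: str) -> str:
    """Classify an ARM scope as subscription, resourceGroup, labPlan or lab."""
    if f"/{LABSERVICES}/labPlans/" in scope:
        return "labPlan"
    if f"/{LABSERVICES}/labs/" in scope:
        return "lab"
    if "/resourceGroups/" in scope:
        return "resourceGroup"
    return "subscription"


def is_recommended(role: str, scope: str) -> bool:
    """True when the post recommends assigning this role at this scope's level."""
    return scope_level(scope) in RECOMMENDED_LEVELS.get(role, set())


def validate(role: str, scope: str) -> None:
    """Reject roles not covered by the post or planned at an unrecommended level."""
    if role not in RECOMMENDED_LEVELS:
        raise ValueError(f"{role!r} is not one of the Lab Services roles covered here")
    if not is_recommended(role, scope):
        raise ValueError(f"{role!r} should be assigned at {sorted(RECOMMENDED_LEVELS[role])}, "
                         f"not at the {scope_level(scope)} level")


def plan_department(subscription_id: str, department: str, plan_name: str,
                    admins: list[str], educators: list[str],
                    assistants: list[str]) -> list[str]:
    """Return the az commands for one department's resource group.

    Admins get Contributor on the resource group (inherited by the lab plan and
    every lab in it), educators get Lab Creator on the lab plan (so they can
    create labs but not see each other's), and assistants get Lab Assistant on
    the resource group (start/stop/reset VMs in every lab of the department).
    """
    rg = f"/subscriptions/{subscription_id}/resourceGroups/rg-{department.lower()}"
    lab_plan = f"{rg}/{LABSERVICES}/labPlans/{plan_name}"
    wanted = ([("Contributor", rg, a) for a in admins]
              + [("Lab Creator", lab_plan, e) for e in educators]
              + [("Lab Assistant", rg, t) for t in assistants])
    commands = []
    for role, scope, principal in wanted:
        validate(role, scope)   # fail before anything reaches the CLI
        commands.append("az role assignment create "
                        f"--assignee {shlex.quote(principal)} "
                        f"--role {shlex.quote(role)} --scope {shlex.quote(scope)}")
    return commands


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"   # constructed
    for cmd in plan_department(sub, "Engineering", "plan-engineering",
                               admins=["labadmins@contoso.example"],
                               educators=["eng-faculty@contoso.example"],
                               assistants=["eng-tas@contoso.example"]):
        print(cmd)
    # A Lab Contributor belongs on a lab, not on a lab plan: the check rejects it.
    bad_scope = f"/subscriptions/{sub}/resourceGroups/rg-math/{LABSERVICES}/labPlans/plan-math"
    try:
        validate("Lab Contributor", bad_scope)
    except ValueError as err:
        print("rejected:", err)
```

Running the generated commands with a group principal per department keeps membership changes in the directory rather than in RBAC, and because assignments sit on the resource group, the Math and Engineering labs stay isolated from each other exactly as the paragraph above describes.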