SOLVED

View secure score with only resourcegroup permissions


We provide resource groups for each project and bundle them together in a subscription. The project developers only have rights on their corresponding resource group, no rights on subscription level and/or resource groups in the same subscription which do not belong to their projects.

Now we have the problem that these developers can't see the secure score for their resource group. Only when we give them "security reader" permission on subscription level can they see the secure score, but they can also see all other resources/resource groups to which they don't need access.

So this is kind of a feature request to view the secure score for what someone has access to in a subscription, but not give them any permission on resources they don't need access to in the same subscription.

1 Reply
best response confirmed by fkortor (Microsoft)
Solution

Two things here.
ASC currently does not have an option to track/show SS at the resource group level, only for a subscription or management group. We hear this ask pretty often and it's in our backlog with no concrete ETA yet.
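If you want to give someone the ability to track SS, you may consider using one of the built-in ASC workbooks (https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks) or PowerBI report (https://github.com/Azure/Azure-Security-Center/tree/main/Secure%20Score/PowerBI-SecureScoreReport). In both cases you will only need to give away the Reader access for a workspace used to store the exported data.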
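
A check for the access model discussed in this thread, as an added example that is not part of the original posts: it reviews role assignments in the shape returned by `az role assignment list --all -o json` and reports any assignment for a project developer that reaches beyond their own resource group or the workspace holding the exported secure score data. The subscription ID, principal names, resource group names and workspace name are constructed placeholders.

```python
# Added example: flag role assignments that exceed a developer's intended scopes.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
WORKSPACE = (SUB + "/resourceGroups/rg-security/providers/"
             "Microsoft.OperationalInsights/workspaces/ws-securescore")  # assumed name

# Constructed sample using the principalName / roleDefinitionName / scope fields
# found in `az role assignment list --all -o json` output.
SAMPLE = [
    {"principalName": "dev-a@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-project-a"},
    {"principalName": "dev-a@example.com", "roleDefinitionName": "Reader",
     "scope": WORKSPACE},
    {"principalName": "dev-a@example.com", "roleDefinitionName": "Security Reader",
     "scope": SUB},
    {"principalName": "dev-a@example.com", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-project-ab"},
    {"principalName": "admin@example.com", "roleDefinitionName": "Owner",
     "scope": SUB},
]

# Intended scopes per developer: their project resource group plus the workspace.
ALLOWED = {"dev-a@example.com": [SUB + "/resourceGroups/rg-project-a", WORKSPACE]}


def within(scope, allowed):
    """True if scope equals allowed or is a child of it (IDs are case-insensitive)."""
    s, a = scope.lower().rstrip("/"), allowed.lower().rstrip("/")
    # Require a "/" boundary so rg-project-ab is not treated as inside rg-project-a.
    return s == a or s.startswith(a + "/")


def overbroad(assignments, allowed_by_principal):
    """Return (principal, role, scope) for assignments outside the intended scopes."""
    findings = []
    for a in assignments:
        allowed = allowed_by_principal.get(a["principalName"])
        if allowed is None:
            continue  # principal is not part of this review
        if not any(within(a["scope"], x) for x in allowed):
            findings.append((a["principalName"], a["roleDefinitionName"], a["scope"]))
    return findings


if __name__ == "__main__":
    for principal, role, scope in overbroad(SAMPLE, ALLOWED):
        print(f"{principal}: '{role}' at {scope} exceeds intended scope")
```
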