Dev / Test / Prod - Subscription per environment or Resource Group per environment?


Hi,

So looking back 2 years, the general idea was to create a subscription per environment to secure resources from the unintended.

However, with the new RBAC model - it now looks like (for small shops) some people are recommending one subscription with a resource group per environment because you can now lock these down via roles. E.g. some devs can't access or even see the "Production" resource group.

We are a small startup so we don't want large overheads, but we also don't want to go down some path that will box us in down the track.

Does anyone have any words of wisdom?

Cheers,
Sam

1 Reply

Hello Sam! With RBAC you can grant or revoke access for all of the members of your team.

So, for some resources, you can block create, delete, etc.

The permissions are:

Owner: Has full access to resources and can delegate access to other users.

Contributor: Has the same permissioning pattern as the Owner, but cannot delegate access to other users.

Reader: Only displays the features in a signature. (Cannot create, delete, move, resize, etc.)

So, YES! You can use RBAC to help you manage costs.

Big hug!
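
An added example, not part of the original posts: with one subscription and a resource group per environment, role assignments made at subscription scope are inherited by every resource group, so the check below lists who is effective on a Production resource group. The record fields follow the shape of `az role assignment list --all -o json` output; the subscription id, principal names and resource group names are constructed.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
# Constructed sample records (principalName, roleDefinitionName, scope).
ASSIGNMENTS = [
    {"principalName": "dev-team", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-dev"},
    {"principalName": "dev-team", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ci-pipeline", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "ops-team", "roleDefinitionName": "Owner", "scope": SUB + "/resourcegroups/RG-PROD"},
    {"principalName": "archive-bot", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-prod-archive"},
    {"principalName": "platform-admins", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
]
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
# Only the two write-capable roles named in the reply; other built-in or
# custom roles would need to be added for a real audit.
WRITE_ROLES = {"Owner", "Contributor"}

def applies_to(assignment_scope, target_scope):
    """True if an assignment at assignment_scope is effective at target_scope.
    Azure RBAC inherits downward and resource IDs are case-insensitive."""
    a, t = assignment_scope.rstrip("/").lower(), target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def audit(assignments, target_scope):
    """Split assignments into those effective at target_scope and management-group
    ones, which need the tenant hierarchy to resolve and are returned for review."""
    effective, review = [], []
    target = target_scope.rstrip("/").lower()
    for a in assignments:
        if a["scope"].lower().startswith(MG_PREFIX):
            review.append(a)
        elif applies_to(a["scope"], target_scope):
            inherited = a["scope"].rstrip("/").lower() != target
            effective.append((a["principalName"], a["roleDefinitionName"], inherited))
    return effective, review

def unexpected_writers(assignments, target_scope, allowed):
    """Principals holding a write role at target_scope that are not in `allowed`."""
    effective, _ = audit(assignments, target_scope)
    return sorted({p for p, role, _ in effective if role in WRITE_ROLES and p not in allowed})

if __name__ == "__main__":
    prod = SUB + "/resourceGroups/rg-prod"
    effective, review = audit(ASSIGNMENTS, prod)
    for principal, role, inherited in effective:
        print(f"{principal:12} {role:12} {'inherited from parent scope' if inherited else 'direct'}")
    print("unexpected writers:", unexpected_writers(ASSIGNMENTS, prod, {"ops-team"}))
    print("review manually:", [a["principalName"] for a in review])
```

In the sample, `dev-team` can still see Production through the subscription-level Reader assignment, and `ci-pipeline` can modify it, even though neither has an assignment on `rg-prod` itself.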