Governance 101: The Difference Between RBAC and Policies
Published Nov 21 2019 12:01 AM

Organizations that adopt governance can achieve effective and efficient use of IT by creating a common understanding between organizational projects and business goals. To achieve this, "guardrails" have to be set in place to ensure resource creation and utilization meet the standards an organization needs to abide by. Sometimes the aim is to follow a regulation, sometimes to control costs. In any case, Role Based Access Control (RBAC) and Policies play an important role in governance to ensure everyone and every resource stays within the required boundaries.


So what is the difference between Role Based Access Control (RBAC) and Policies?


Let's start with Role Based Access Control (RBAC). RBAC manages who has access to Azure resources, what areas they have access to, and what they can do with those resources. RBAC can be used to assign duties within a team and grant only the amount of access each user needs to perform their job, instead of giving everybody unrestricted permissions in an Azure subscription or resource.


Examples of Role Based Access Control (RBAC) include:


  • Allowing a user the ability to only manage virtual machines in a subscription and not the ability to manage virtual networks
  • Allowing a user the ability to manage all resources, such as virtual machines, websites, and subnets, within a specified resource group
  • Allowing an app to access all resources in a resource group

RBAC makes it possible to grant users the least amount of privilege they need to get their work done, without affecting other aspects of an instance or subscription, as set by the governance plan.


Policies, on the other hand, play a slightly different role in governance. Azure Policies focus on resource properties, both during deployment and for already existing resources. As an example, a policy can be issued to ensure users can only deploy DS series VMs within a specified resource, should the user have the permission to deploy the VMs. For existing resources, a policy could be implemented to add or append tags to resources that do not currently have tags, to make reporting on costs easier and provide a better way to assign resources to business cost centers.
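The two checks described above, as an added example that is not from the original post: a simplified Python model (not Azure's real evaluation engine or schema) in which RBAC answers whether a principal may perform an action at a scope, and a policy answers whether the resource's properties are acceptable. The role names, principals, scopes and the DS-series rule are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample data: a simplified model, not Azure's real role or policy schema.
ROLES = {
    "vm-operator": ["Microsoft.Compute/virtualMachines/*"],  # VMs only, no networking
    "rg-contributor": ["*"],                                 # everything in its scope
}
# (principal, role, scope): an assignment covers the scope and everything below it.
ASSIGNMENTS = [
    ("alice", "vm-operator", "/subscriptions/sub1"),
    ("bob", "rg-contributor", "/subscriptions/sub1/resourceGroups/rg-web"),
]
# (scope, resource type, property, allowed pattern): deny when the property does not match.
POLICIES = [
    ("/subscriptions/sub1/resourceGroups/rg-web",
     "Microsoft.Compute/virtualMachines", "sku", "Standard_DS*"),
]

def in_scope(scope, resource_id):
    """True when resource_id is the scope itself or a child of it."""
    return resource_id == scope or resource_id.startswith(scope + "/")

def rbac_allows(principal, action, resource_id):
    """RBAC question: may this principal perform this action here?"""
    return any(
        who == principal and in_scope(scope, resource_id)
        and any(fnmatchcase(action, pattern) for pattern in ROLES[role])
        for who, role, scope in ASSIGNMENTS
    )

def policy_allows(resource_id, resource_type, properties):
    """Policy question: are this resource's properties acceptable, whoever asks?"""
    return all(
        fnmatchcase(str(properties.get(prop, "")), allowed)
        for scope, rtype, prop, allowed in POLICIES
        if in_scope(scope, resource_id) and rtype == resource_type
    )

def evaluate(principal, action, resource_id, resource_type, properties):
    """Return the decision and which guardrail produced it."""
    if not rbac_allows(principal, action, resource_id):
        return "denied by RBAC"
    # Assumption of this model: policy is only checked on create/update (write) requests.
    if action.endswith("/write") and not policy_allows(resource_id, resource_type, properties):
        return "denied by policy"
    return "allowed"
```

A principal with full rights in the resource group is still stopped by the policy when the VM size is outside the allowed series, and a compliant VM size does not help a principal who lacks the role.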


Role Based Access Control (RBAC) vs Policies


Both Role Based Access Control (RBAC) and Policies in Azure play a vital role in a governance strategy. While different, they work hand-in-hand to ensure organizational business rules are followed by ensuring proper access and resource creation guidelines are met.

Last update: Nov 21 2019 02:38 AM