Yemisi Oyesainu

Azure RBAC - A Sure way to Control Access in Azure

This post covers how to control who can access Azure resources, and what level and type of access each user has. Controlling access is a core part of using cloud resources, for three reasons:
1) To manage usage of Azure resources
2) To ensure that a user can reach only the resources their duties require (least privilege)
3) To help manage operational expenditure

Azure Role-Based Access Control (RBAC) is an authorization system built on Azure Resource Manager that allows fine-grained management of permissions for Azure resources. To control access with RBAC, you assign roles to security principals. A role is a bundle of permissions matched to a job function within the organization, and granting access through roles (ideally assigned to groups rather than to individual users) is less error-prone than assigning permissions to each user one at a time.
A role assignment consists of three elements: a security principal, a role definition, and a scope.
The security principal is the user, group, service principal, or managed identity that requests access to Azure resources.
A role definition is a collection of permissions. An example is the built-in Virtual Machine Contributor role, which allows its holder to create and manage virtual machines.
The scope is the set of resources the assignment applies to: a management group, a subscription, a resource group, or a single resource. Assignments are inherited down this hierarchy, so narrowing the scope is how you limit a role. For example, the Website Contributor role can be limited to a single resource group.

Let's see how this looks on the Azure portal. First we will create a user to whom we will assign a role.

Step 1 - Create a User

Log in to the Azure portal and search for Azure Active Directory (now named Microsoft Entra ID).

It takes you to the Default Directory. Click on Users.

Then click on New user.

Complete the Basics.

I will use wumi for the User principal name, which will also be the display name.

Click on Review + create.

User wumi has now been created.

Image description

Step 2 - Create a Resource group and Assign Role
Go to Resource groups on the Azure portal and click on Create.

Complete the Basics and click on Review + create.

I will name the resource group MayWorkload2.

When validation passes, click on Create.

On the resource group MayWorkload2, click on Access control (IAM).

Click on Add and select Add role assignment from the dropdown menu.

Under Job function roles, search for Virtual Machine Contributor, which is the role we want to assign to user wumi, select it and click Next.

On the Members tab, click on Select members. The Description box is optional free text; I typed Virtual Machine Contributor in it, though a better use is to record why the access was granted, since the description is shown on the assignment afterwards.

A panel opens on the right-hand side of the page listing the users already created.

Select the user we want to assign the role to, that is wumi, and click on Select.

Then click on Review + assign.

Wumi has now been assigned the Virtual Machine Contributor role, as shown in the image above. This role lets the user create and manage virtual machines, but it gives no management access to the virtual network or storage account the machines are connected to, and it does not allow the holder to assign roles in Azure RBAC. Note that "manage" is broader than it sounds: the role includes running VM extensions and Run Command, so a holder can reset the local administrator password or execute commands inside the VM. What the role does not include is data-plane access, such as signing in to the VM with an Azure identity (the Virtual Machine User Login role) or reading blobs in the storage account.

Step 3 - View the Activity log

Now let us view the Activity log. Go to resource group MayWorkload2 and click on Activity log.

Two activities are shown in the Activity log: the role assignment (operation Create role assignment) and the update of the resource group. For each one the log shows the status, the time and date, the subscription, and the identity of the user who initiated it. This is the trail to check when you need to know who granted access to what, and when; role assignment writes and deletes are events worth alerting on.
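The Activity log is also where a security team watches for access changes. The Python below is an added example, not code from the original post or from Microsoft: it walks a list of records shaped like the entries `az monitor activity-log list` returns (trimmed to the fields used), keeps only completed role-assignment creations and removals, recovers the scope each one was made at, and rates subscription-wide grants higher than resource-group ones. The records in SAMPLE_LOG are constructed to mirror steps 2 to 4 of this post plus one extra grant; the subscription ID, GUIDs, callers and timestamps are invented.

```python
"""Flag role-assignment changes in Azure Activity Log records (added example, not
code from the original post).  SAMPLE_LOG is constructed to look like entries
from `az monitor activity-log list`, trimmed to the fields used here; the
subscription ID, GUIDs, callers and timestamps are invented."""
import re

ROLE_ASSIGNMENT_OPS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment created",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment removed",
}
# a role assignment's resourceId is the scope it was made at plus this suffix
_RA_SUFFIX = re.compile(r"/providers/Microsoft\.Authorization/roleAssignments/[^/]+$", re.IGNORECASE)

SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/MayWorkload2"
RA_RG = RG + "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001"
RA_SUB = SUB + "/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-0000-0000-0000-000000000002"


def _rec(ts, caller, op, status, rid):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": rid}


SAMPLE_LOG = [  # constructed; mirrors steps 2 to 4 of the post plus one unexpected subscription-wide grant
    _rec("2023-05-20T10:01:40Z", "yemisi@example.com", "Microsoft.Resources/subscriptions/resourceGroups/write", "Succeeded", RG),
    _rec("2023-05-20T10:02:11Z", "yemisi@example.com", "Microsoft.Authorization/roleAssignments/write", "Started", RA_RG),
    _rec("2023-05-20T10:02:12Z", "yemisi@example.com", "Microsoft.Authorization/roleAssignments/write", "Succeeded", RA_RG),
    _rec("2023-05-20T10:40:05Z", "yemisi@example.com", "Microsoft.Authorization/roleAssignments/delete", "Succeeded", RA_RG),
    _rec("2023-05-21T03:12:58Z", "svc-deploy@example.com", "Microsoft.Authorization/roleAssignments/write", "Succeeded", RA_SUB),
]


def scope_of(resource_id):
    """Recover the scope a role assignment was made at from its resourceId."""
    return _RA_SUFFIX.sub("", resource_id) or "/"


def scope_level(scope):
    s = scope.lower()
    if s == "/":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" not in s:
        return "subscription"
    return "resource" if "/providers/" in s.split("/resourcegroups/", 1)[1] else "resourceGroup"


def rbac_changes(entries):
    """One finding per completed role-assignment write or delete.  The log records
    both a 'Started' and a 'Succeeded' event for one operation, so only the
    latter is counted; broad scopes are rated high because every resource
    beneath them inherits the new access."""
    findings = []
    for e in entries:
        op = e["operationName"]["value"]
        if op not in ROLE_ASSIGNMENT_OPS or e["status"]["value"] != "Succeeded":
            continue
        scope = scope_of(e["resourceId"])
        level = scope_level(scope)
        findings.append({
            "time": e["eventTimestamp"], "caller": e["caller"], "what": ROLE_ASSIGNMENT_OPS[op],
            "scope": scope, "level": level,
            "severity": "high" if level in ("root", "managementGroup", "subscription") else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in rbac_changes(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['time']} {f['caller']} {f['what']} at {f['level']} scope {f['scope']}")
```

Running it prints three findings: wumi's grant and its later removal at resource-group scope (medium), and the subscription-wide grant by the deployment account (high). In practice you would feed the same logic from a Log Analytics workspace or an Event Grid subscription rather than polling the CLI, and add the role definition ID from the record's properties so Owner and User Access Administrator grants can be rated higher still.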

Step 4 - Removing a Role Assignment

This becomes necessary when the user the role was assigned to has completed the task, has changed roles, or has left the company.
Let's see how it is done.

Go to resource group MayWorkload2 and click on Access control (IAM).

On the Role assignments tab, tick the wumi assignment and click on Remove.

A confirmation dialog box pops up. Click on Yes.

Check the resource group again.

The role assignment has been removed!
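To tie the clicks in steps 2 and 4 back to the three elements of a role assignment described at the top of the post (security principal, role definition, scope), here is a small Python model of how Azure evaluates an assignment. It is an added example, not code from the original post or from Microsoft: the Virtual Machine Contributor definition is a constructed, abridged subset of the built-in role (and Contributor's NotActions are likewise abridged), and the subscription ID, resource IDs, users and the group are invented. It goes beyond the post's single user by also showing a group assignment inherited from subscription scope and a role whose NotActions stop it from handing out access.

```python
"""Model of how Azure RBAC evaluates a role assignment (added example, not code
from the original post).  The Virtual Machine Contributor definition is a
constructed, abridged subset of the built-in role, and the subscription ID,
resource IDs, users and group are made up to match the post's scenario."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/MayWorkload2"


@dataclass
class RoleDefinition:
    name: str
    actions: list                                     # control-plane operations
    not_actions: list = field(default_factory=list)   # subtracted from this role's own Actions only
    data_actions: list = field(default_factory=list)  # data-plane operations (blob reads, VM login, ...)

    def permits(self, operation, data_plane=False):
        # Azure compares operation strings case-insensitively, and '*' also spans '/'
        allow, deny = (self.data_actions, []) if data_plane else (self.actions, self.not_actions)
        op = operation.lower()
        return (any(fnmatchcase(op, a.lower()) for a in allow)
                and not any(fnmatchcase(op, d.lower()) for d in deny))


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str


def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its scope and everything beneath it
    (management group > subscription > resource group > resource)."""
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return a == "" or r == a or r.startswith(a + "/")


VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", actions=[
    # abridged: the real role lists more Actions, but like it this has no DataActions
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write", "Microsoft.Compute/disks/delete",
    "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Storage/storageAccounts/read", "Microsoft.Resources/subscriptions/resourceGroups/read",
])
READER = RoleDefinition("Reader", actions=["*/read"])
CONTRIBUTOR = RoleDefinition("Contributor", actions=["*"], not_actions=[  # abridged NotActions
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"])


class Authorizer:
    def __init__(self, group_members=None):
        self.assignments = []
        self.group_members = group_members or {}  # group -> set of member principals

    def assign(self, principal, role, scope):
        self.assignments.append(RoleAssignment(principal, role, scope))

    def remove(self, principal, role, scope):
        self.assignments.remove(RoleAssignment(principal, role, scope))

    def is_allowed(self, user, operation, resource_id, data_plane=False):
        """Additive model: one matching assignment, made to the user or to a group
        containing it, grants the operation.  Deny assignments are not modelled."""
        subjects = {user} | {g for g, m in self.group_members.items() if user in m}
        return any(a.principal in subjects and scope_covers(a.scope, resource_id)
                   and a.role.permits(operation, data_plane) for a in self.assignments)


def demo():
    """Replays the post: wumi gets Virtual Machine Contributor on MayWorkload2, then loses it."""
    auth = Authorizer(group_members={"sg-auditors": {"ayo"}})
    auth.assign("wumi", VM_CONTRIBUTOR, RG)  # step 2 of the post
    auth.assign("sg-auditors", READER, SUB)  # group assignment, inherited by every resource group
    vm = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
    vnet = RG + "/providers/Microsoft.Network/virtualNetworks/vnet1"
    blob = RG + "/providers/Microsoft.Storage/storageAccounts/st1/blobServices/default/containers/c/blobs/x"
    other_vm = SUB + "/resourceGroups/OtherWorkload/providers/Microsoft.Compute/virtualMachines/vm9"
    start = "Microsoft.Compute/virtualMachines/start/action"
    run = "Microsoft.Compute/virtualMachines/runCommand/action"
    results = {
        "wumi starts vm1": auth.is_allowed("wumi", start, vm),
        "wumi runs a command inside vm1": auth.is_allowed("wumi", run, vm),
        "wumi changes vnet1": auth.is_allowed("wumi", "Microsoft.Network/virtualNetworks/write", vnet),
        "wumi reads a blob (data plane)": auth.is_allowed(
            "wumi", "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", blob, True),
        "wumi starts a VM in another resource group": auth.is_allowed("wumi", start, other_vm),
        "ayo reads vm1 via the group's subscription-wide Reader": auth.is_allowed(
            "ayo", "Microsoft.Compute/virtualMachines/read", vm),
        "ayo starts vm1": auth.is_allowed("ayo", start, vm),
    }
    auth.remove("wumi", VM_CONTRIBUTOR, RG)  # step 4 of the post
    results["wumi starts vm1 after removal"] = auth.is_allowed("wumi", start, vm)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {check}")
```

Running it prints ALLOW or DENY for each check. Two points stand out: wumi can run a command inside vm1 with this role, because Microsoft.Compute/virtualMachines/* covers Run Command and extensions, so "cannot access the VM" should be read as "no data-plane rights", not "no code execution"; and the Contributor definition shows how NotActions keep a powerful role from writing role assignments, which is why Contributor cannot grant itself Owner. In the model the removal in step 4 takes effect instantly; in Azure a new or removed assignment can take a few minutes to propagate, and tokens already issued keep working until they expire.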

I trust you will find this useful. Please leave feedback.

Top comments (1)

Adisa Oluwaseyi

Awesome blog, well done