DEV Community

Yemisi Oyesainu


Azure RBAC - A Sure way to Control Access in Azure

Today's post covers how to control who accesses Azure resources, and the level and type of access a user has. This is a very important function when using cloud resources, for the following reasons:
1) To manage usage of Azure resources
2) To ensure that only the resources needed for a particular user's duties are accessed
3) It is a way to manage operational expenditure

Azure Role-Based Access Control (RBAC) is an access control system built into Azure Resource Manager that allows precise administration of permissions for Azure resources. To use RBAC to control access, roles have to be assigned to individual users. Roles are sets of permissions given to users based on their role within an organization. This approach to managing access is less prone to error than assigning permissions to users individually.
A role assignment consists of three main elements: security principal, role definition, and scope.
Security principal refers to a user, group, service principal, or managed identity that is requesting access to Azure resources.
Role definition is a collection of permissions that can be assigned to a user. An example is the Virtual Machine Contributor role, which allows a user to create and manage virtual machines.
Scope is the set of resources that the permission applies to. When a role is assigned, access can be restricted further by defining a scope. For example, a Web contributor can be limited to only one resource group.

Let's move on and see how this works in practice on the Azure portal. First, we will create a user to whom we will assign a role.

Step 1 - Create a User

Log in to the Azure portal and search for Azure Active Directory


It will take you to a Default Directory. Click on Users


Then click on New User


Complete the Basics


I will use wumi for the User Principal name, which will also be the display name


Click on Review and Create


User wumi has now been created

Step 2 - Create a Resource group and Assign Role
Go to Resource group on the Azure portal and click on Create


Complete the Basics and click on Review and Create

I will name the Resource group MayWorkload2


When Validation is passed, click on Create


On the Resource group MayWorkload2 click on Access Control (IAM)


Click on Add and select Add Role Assignment from the dropdown menu


Click on Add


Under Job function roles, search for Virtual Machine Contributor, which is the role we want to assign to User wumi, and click on it


Click on Select members and type in Virtual Machine Contributor in the Description box


On the top right-hand side of the next page displayed, you will find a list of users already created.


Select the user we want to assign the role to, that is, wumi


Click on Select


Then click on Review and Assign

Wumi has been assigned the Virtual Machine Contributor role, as indicated in the image above. This access only allows the user to manage virtual machines, but not to access them or the virtual network or storage account they are connected to.
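The assignment made in Step 2, modelled as an added example (not code from the original post or from Azure): it checks a request against the three elements of a role assignment and shows that a scope covers the resource group and everything beneath it, and nothing outside it. The action list is an abbreviated subset of the built-in role, the subscription ID is a placeholder, the resource names vm1, vnet1, vm2 and OtherGroup are hypothetical, and the model deliberately leaves out NotActions, data actions and deny assignments.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated, illustrative subset of the built-in role's actions (assumption:
# the real Virtual Machine Contributor definition lists many more).
ROLE_DEFINITIONS = {
    "Virtual Machine Contributor": [
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Storage/storageAccounts/read",
    ],
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # security principal (user, group, service principal, managed identity)
    role: str       # role definition name
    scope: str      # resource ID the assignment is made at

def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and to every resource beneath it."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")

def is_allowed(assignments, principal, action, resource_id) -> bool:
    """True if an assignment for this principal covers the resource and grants the action."""
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, resource_id):
            continue
        if any(fnmatchcase(action.lower(), p.lower()) for p in ROLE_DEFINITIONS[a.role]):
            return True
    return False  # no matching assignment: nothing is granted

# Constructed identifiers: placeholder subscription ID, hypothetical resource names.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/MayWorkload2"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet1"
OTHER_VM = SUB + "/resourceGroups/OtherGroup/providers/Microsoft.Compute/virtualMachines/vm2"

ASSIGNMENTS = [RoleAssignment("wumi", "Virtual Machine Contributor", RG)]

if __name__ == "__main__":
    for action, rid in [("Microsoft.Compute/virtualMachines/start/action", VM),
                        ("Microsoft.Network/virtualNetworks/write", VNET),
                        ("Microsoft.Compute/virtualMachines/start/action", OTHER_VM)]:
        print(is_allowed(ASSIGNMENTS, "wumi", action, rid), action, rid.split("/")[-1])
```

Passing an empty assignment list to is_allowed corresponds to the state after the removal in Step 4: every request is refused.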

Step 3 - View the Activity log

Now let us view the Activity log. Go to Resource group MayWorkload2 and click on Activity log

Here, two activities are shown in the Activity log: the role assignment and the resource group update. It also shows details about the activities, including status, time, date, subscription and the identity of the user that initiated the activities

Step 4 - Removing a Role Assignment

This may become necessary when the user to whom a role was assigned has completed the task for that role, has changed roles, or has left the service of the company.
Come on, let's go and see how this is done

Go to Resource group MayWorkload2 and click on Access Control (IAM)


Click on Remove


A confirmation dialog box will pop up


Click on Yes


Check the Resource group again

The role assignment has been removed!

I trust you find this useful. Please leave feedback.

Top comments (1)

Adisa Oluwaseyi

Awesome blog, well done