Azure Identity Premier Fast Start Optional Module
Azure Role-Based Access Control
What Is RBAC?
In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users.
Microsoft Azure RBAC
• It is the capability to control access to cloud resources between employees at the resource level, and which actions they can perform
• The subscription is no longer the access management boundary
• Access is granted to users and groups
• Supported on the Azure Preview Portal only
• To enforce RBAC, the user cannot be granted co-administrator of the subscription from the current management portal
Microsoft Confidential 4
Before RBAC
RBAC and Azure Active Directory
RBAC depends on Azure Active Directory to provide authentication and authorization.
[Diagram: Users, Groups and Service Principals in Azure Active Directory are authenticated and authorized against a Subscription that contains Resource Groups (RG) and Resources (R), i.e. Azure Resources in Resource Groups]
Basic Definitions
Role: Collection of actions that can be performed
Role Assignment: Process of assigning a role to a user on an Azure resource
Azure AD Security Principals:
• Users (organizational and external)
• Groups
• Service principals
Resource: User-managed entity, like a virtual machine, website, database, etc.
Resource Group: A lifecycle boundary group for the resources contained in it
Scope and Access Inheritance
[Diagram: the Subscription contains Resource Groups (RG, example: Cloud Service), which contain Resources (R, example: Virtual Machine); access granted at a scope is inherited by the scopes beneath it. RG: Resource Groups, R: Resources]
Basic Process for Adding Access
1. Create the user in Azure AD
2. Grant the user read access at the subscription level
3. Browse to the resource group and add a role to it
4. Add the user to the role
Built-in Roles
• Basic built-in roles (created with the first preview)
Owner: Can perform all management operations for a resource and its child resources, including access management
Contributor: Can perform all management operations for a resource, including creating and deleting resources. A Contributor cannot grant access to others
Reader: Has read-only access to a resource and its child resources. A Reader cannot read secrets
• In total, there are 21 roles
• For details on the built-in roles, see: http://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
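As an added worked example (not part of the slides), the following Python model shows how the basic process above, scope inheritance and the three basic built-in roles combine when Azure decides whether a user may perform an action at a scope. The role definitions are a simplified model of Azure's Actions/NotActions patterns rather than the exact current definitions, and the users, group, subscription id and assignments are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Simplified model of the three basic built-in roles (not the exact Azure definitions).
# NotActions are subtracted, which is how a Contributor is kept from granting access to others.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed directory: a group whose members inherit its role assignments.
GROUPS = {"vm-operators": {"alice@contoso.example"}}

# Constructed assignments (principal, role, scope); an assignment covers its scope and everything beneath.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
ASSIGNMENTS = [
    ("alice@contoso.example", "Reader", SUB),                         # step 2: read access at subscription level
    ("vm-operators", "Contributor", SUB + "/resourceGroups/rg-web"),  # steps 3-4: role on the RG, via a group
    ("bob@contoso.example", "Owner", SUB + "/resourceGroups/rg-data"),
]

def matches(action, pattern):
    """Azure operation names are case-insensitive; '*' may span '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())

def principals_for(user):
    """The user itself plus every group it belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def scope_covers(assigned_scope, target_scope):
    """Access assigned at a scope is inherited by every child scope, never by a sibling."""
    a, t = assigned_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")

def role_permits(role, action):
    """Permitted when some Actions pattern matches and no NotActions pattern does."""
    r = ROLES[role]
    return (any(matches(action, p) for p in r["actions"])
            and not any(matches(action, p) for p in r["not_actions"]))

def effective_roles(user, target_scope):
    """Roles reaching a target scope through direct or group assignments at any ancestor scope."""
    mine = principals_for(user)
    return sorted({role for p, role, s in ASSIGNMENTS
                   if p in mine and scope_covers(s, target_scope)})

def is_permitted(user, action, target_scope):
    """The access check: any effective role that permits the action is enough."""
    return any(role_permits(role, action) for role in effective_roles(user, target_scope))
```

The sibling check in scope_covers is what makes the resource group a real access boundary: a Contributor assignment on rg-web never reaches rg-data.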
Limiting External Users
Full Scenario