Hope you all are safe and doing good.
In our last article, we discussed an overview of Azure Role-Based Access Control (RBAC). In this article, we continue with RBAC and see how to configure it with a custom role using the Azure portal.
If you have missed our previous articles on Azure Identity and Access Management (IAM), please check them at the following links.
Azure Resource Provider :
All resources in our resource groups are created and managed by Resource Providers. Each resource provider knows how to manage and configure its own resource type. There are different approaches available for dealing with Azure Resource Providers: in addition to the out-of-the-box resource providers, we can also register our own custom Resource Provider. To know more about Resource Providers, please check our following articles.
In our last article, we discussed what a Role Definition (Role) is, what a Role Assignment is, and what RBAC is. In this article, without wasting time, let's first create a custom role for our RBAC.
Azure Role Definition :
Microsoft Azure provides many built-in roles, but if the built-in roles don't meet the specific requirements of our organization, we can create our own custom roles. We can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scope, just as we do with built-in roles.
As shown in the following figure, we can check all available roles at subscription level. To check the roles, select Subscription => Access Control (IAM) and select Roles.
From the above page we can click the +Add button to create a new Role. We can also download the definition of an existing custom Role if we want to modify it and later create a new one from the downloaded JSON file of the existing role definition. To get the definition file of a custom role, select the Role, click the 3 dots (…) => select Edit from the context menu, go to the JSON tab, and download the role definition.
To download a built-in role definition file, the first step is to clone the built-in role. As shown in the following figure, I have selected the Contributor role and then moved to the JSON tab.
As shown in the above figure, when we select the JSON tab, it shows the role definition of the "Contributor" role. We can click the Edit button if we want to edit the role definition, or download the definition file by clicking the Download button, as shown in the following figure.
Create Custom Role :
In the above section, we discussed that we can create a custom role if a built-in role doesn't meet the organization's requirements. To create a custom role, click the +Add button and select Add custom role, as shown in the following figure.
On the Create a custom role page, we can see there are three different options/ways to create a custom role. We need to choose one to proceed.
As shown in the following figure, the first way is Clone a Role. This allows us to use an existing role as the base template, add new permissions and scopes to it as per the requirement, and then deploy/create the new role.
The second option is Start From JSON. This option allows us to use a role definition JSON file to create a new custom role. Before creating the new role, we can modify the JSON file as per our requirement. In the above section we have seen how to get a role definition JSON file.
The last option is Start From Scratch. In this option, we start with an empty definition. Here, same as in the previous options, we first need to provide the Name and Description of the custom role as shown in the following figure, and select the Start from scratch option.
Click the Next button to move to the Permissions tab, as shown in the following figure.
On the Permissions tab, we specify the permissions for our custom role and select only those that are necessary. With the other two options (Clone a Role and Start from JSON), the Permissions tab may already list some permissions carried over from the old definition. But when we choose the Start from Scratch option, the Permissions tab is completely empty, so we need to plan and specify the permissions as per our requirement.
The first step is to choose the correct Resource Provider. In our example I have selected Microsoft.Compute, which provides the actions for working with Virtual Machines.
After choosing the Resource Provider, the next step is to choose the required Actions from the list of actions provided by that Resource Provider. As this is a restricted custom role, I have selected only the following actions to restrict the permission level, as shown in the following figure.
In the following figure, I am choosing another action from a different Resource Provider, Microsoft.Resources.
From this resource provider I have chosen only the Read action, so that the user can access the resource groups, as shown in the following figure.
After choosing all Actions from the different Resource Providers, the Permissions tab lists all of them, as shown in the following figure. Click the Next button to move to the next tab, Assignable Scopes.
On the Assignable Scopes tab, we select the scopes where our custom role will be available for assignment. A role must have at least one assignable scope. As I created this custom role from subscription level, the subscription is selected by default, but we can modify this by deleting it and adding other scopes.
As per the requirement, this custom role should be available only to a specific Resource Group, not to all resource groups. In that case, we need to remove the subscription-level scope and add the specific Resource Group as the scope, as shown in the following figure. I have added RBAC-RG as the scope of this role.
Then let's move to the last tab, JSON. It shows the whole configuration we did in JSON format: whatever we configured in the previous tabs is shown here as JSON. If we need any changes to the previous configuration, we can also modify the JSON directly, and we can download this custom role definition file for future use. Now, to proceed with the custom role, click the Review + Create button.
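The JSON shown on that tab (and accepted by the Start From JSON option above) has a fixed shape: a roleName, a description, a list of assignableScopes and a permissions list of actions/notActions. As an added example, not part of the original article or of any Azure tooling, the following Python builds such a definition and applies the two checks a reviewer of a "restricted" role would want: every scope is a single resource group rather than the whole subscription, and no action uses a wildcard. The subscription id, description and the exact actions chosen are assumptions, since the article shows them only in screenshots.

```python
"""Build and sanity-check an Azure custom role definition in the portal's JSON-tab format."""
import json
import re

# Constructed sample values (assumptions, not values from the article).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "RBAC-RG"

# An action is "*" or "<Provider>/<resourceType>[/...]/<operation>", e.g. Microsoft.Compute/virtualMachines/read
ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9.]+(/[A-Za-z0-9*]+)+)$")
# Management group, subscription or resource group scope (the three scopes custom roles support).
SCOPE_RE = re.compile(r"^(/providers/Microsoft\.Management/managementGroups/[^/]+"
                      r"|/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?)$")


def build_role_definition(role_name, description, actions, assignable_scopes):
    """Return the role definition dict the portal's JSON tab shows (usable with 'Start from JSON')."""
    if not assignable_scopes:
        raise ValueError("a custom role needs at least one assignable scope")
    for scope in assignable_scopes:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"unsupported scope format: {scope}")
    for action in actions:
        if not ACTION_RE.match(action):
            raise ValueError(f"malformed action string: {action}")
    return {"properties": {
        "roleName": role_name,
        "description": description,
        "assignableScopes": list(assignable_scopes),
        "permissions": [{"actions": list(actions), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    }}


def review_role(definition):
    """Return findings a reviewer of a restricted role would reject: wildcards and subscription-wide scopes."""
    props = definition["properties"]
    findings = []
    for perm in props["permissions"]:
        findings += [f"wildcard action grants more than intended: {a}" for a in perm["actions"] if "*" in a]
    findings += [f"scope is not a single resource group: {s}" for s in props["assignableScopes"]
                 if "/resourceGroups/" not in s]
    return findings


if __name__ == "__main__":
    rg_scope = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"
    role = build_role_definition("Manas KJ Restricted Role", "Read VMs and resource groups (assumed)",
                                 ["Microsoft.Compute/virtualMachines/read",
                                  "Microsoft.Resources/subscriptions/resourceGroups/read"], [rg_scope])
    print(json.dumps(role, indent=2))   # paste this into the Start From JSON option
    print(review_role(role) or "no findings")
```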
The following image shows all selected actions and scopes, and asks us to confirm before creating the custom Role.
Once we confirm, it creates our custom Role "Manas KJ Restricted Role", as shown in the following figure.
If we go into the newly created custom role and choose Permissions, we can see which Resource Providers and Actions are configured for this Role, as shown in the following figure.
The next step is to add a Role Assignment to configure our custom role. Select Role Assignments to see all existing role assignments.
To create a new Role Assignment, click the +Add button and select Add role assignment. This shows a screen where we need to provide the required information.
As discussed, to configure a new role assignment we need to provide the following information as per our requirement. For this lab, I have provided the following input.
- Role : Manas KJ Restricted Role
- Assign Access To : User, Group or Service principal
- Selected Group or User : MSTechs , Rasmi Moharana
Click the Save button to finish configuring the new Role assignment. In the following figure, we can see that the new role assignment was added successfully and is assigned to our specified users and group.
If we remember, we configured the 'RBAC-RG' resource group as the scope of the custom role. So if we look at the role assignments for that resource group (RBAC-RG) in the Azure portal, we find that our new role assignment is configured for the resource group.
With the above information, I am concluding this article. I hope it is informative to you. I am still exploring Azure Identity and Access Management (IAM) in detail, especially with Azure Active Directory, so please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, and share your thoughts and experiences. Feel free to contact us to discuss more.
If you have any suggestion, feedback or doubt, you are most welcome. Stay tuned on Knowledge-Junction; we will come up with more such articles.
Thanks for reading 🙂 .