Learn about role-based access control and how it can be used in Azure to manage your users and resources.
- [Instructor] Role-Based Access Control allows us to control what our users are doing within Azure. The benefit of this is that we control access and we can provide just enough administration for our users. This means we can provide the permissions that they need to do their job and only their job. RBAC leverages Azure Active Directory, therefore the user can only manipulate resources associated with that Azure Active Directory. We can apply RBAC to the subscription or the resource group, and we can even apply it to a single resource; remember that the permissions are inherited from the parent.
Therefore, if you apply an RBAC rule to the resource group, that RBAC rule will be applied to all the resources within that resource group. There are three built-in roles in Azure, and these include the owner, which has full access over the resource and can delegate access to others. There's the contributor, who can create and manage resources but cannot delegate access to others, and finally the reader, and this role can only view existing resources.
This is not a complete list. In addition to the built-in roles, there are already several prepopulated roles and you can also create custom roles for your users. Let's go ahead and actually take a look at the roles in Azure. As you can see, I have already logged into Azure and for this demonstration, I'm going to apply RBAC rules to our resource group SimpleVM. As I do not have the SimpleVM resource group readily accessible to me, I'm going to have to scroll up and click on Resource Groups.
And then I'm going to click on SimpleVM and we're going to open the Access control blade. You'll notice that I do have some users here already, and we can see that the MyCompanyApp has a reader role, the Subscription Admins are the owners, and the test app has a reader role. If I click on Roles, we can see all the roles that can be assigned at this resource group level. There's our owner, contributor, and reader, and then you'll notice that we have a whole list, and these are the built-in roles.
If I click on Reader, I can see the two users (these are actually web applications) that are associated with that reader role. If I wanted to add a contributor, I can go ahead and click Add. I'm going to go ahead and add Lucy. By selecting Lucy, she becomes a contributor to this resource group, and that is all the permissions that Lucy has, which means that she can create and manage resources but cannot delegate access to others. I could also invite external users if I wanted to do so.
For our demonstration, I'm just going to close the blade, but just know that you can invite external users. I'm going to click Select, and we can now see that Lucy is part of the contributors group within the resource group of SimpleVM and only that resource group. We can also do the same thing via PowerShell. To do so, I'm going to go ahead and launch PowerShell ISE: I'm clicking the Windows key, typing ISE, and I am going to run as administrator, therefore I'll right-click and choose Run as administrator.
If you happen to receive a dialog box asking "Are you really sure you want to run as administrator?", go ahead and click Yes. Accept the warning. And the first thing I need to do is to log into my Azure account using the command Login-AzureRmAccount. I'm going to provide my credentials. As you can see, I have logged in, but my subscription name is Bennett Demo, which will not work for this demonstration. So I need to switch over to my pay-as-you-go subscription.
You may or may not need to do this, but if you do, you're going to use the command Select-AzureRmSubscription and then you'll either provide the subscription name or the SubscriptionId. I'm simply going to paste my SubscriptionId and then run the command. You'll notice the subscription is now the pay-as-you-go service. Perfect, we can continue on. Next, let's go ahead and list all the roles that are available to us. To do so, we are going to use Get-AzureRmRoleDefinition, and then I'm going to pipe this into a format that makes it a little bit easier for us to read using FT Name and Description.
I'm going to go ahead and run this command, and you'll notice here that we have the whole list of all the roles that we've already seen. I'm going to scroll down to give us a little bit more real estate. Let's go ahead and list the current role assignments within that resource group of SimpleVM. To do so, you'll use the command Get-AzureRmRoleAssignment. I'm going to go ahead and provide the resource group name, which is called SimpleVM, and then I'll use the pipe in order to make it a little bit easier to see the information.
As we can see, for the resource group SimpleVM we have the two users, the MyCompanyApp and the test app, and again they're not actually users; those are applications that we registered. We can also see that Lucy is in our list. You will notice, though, that I am missing the role definition, so I can't tell what roles these users have been assigned to, and that's because I actually have a typo. If I look at RoleDefinition, I forgot to add in Name. Now let's rerun this.
There we go, that's a little bit better. Now we can see that MyCompanyApp and test are both part of the reader role and Lucy is the contributor. Let's go ahead and assign a new user to the contributor role. To do so, we'll use the command New-AzureRmRoleAssignment. I am going to provide a sign-in name, I'm going to define the role using RoleDefinitionName, which will be Contributor, and finally I will provide the resource group name, which is SimpleVM.
I'm going to go ahead and run that command. We can now see that Watson has been added as a contributor. If I rerun our Get-AzureRmRoleAssignment, we'll see this in a little bit more readable list, and we can see Watson here is now a contributor. Using Role-Based Access Control allows you to control what your users can do either within the subscription, the resource group, or again, right down to that resource if you wanted to do so. And it's very easy, either through the portal or using PowerShell, to assign your users to specific roles so they can do their jobs.
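The PowerShell steps walked through in the video, collected into one script as an added example that is not part of the course transcript. It assumes the AzureRM module whose cmdlets the instructor uses, and the sign-in name and subscription ID are placeholders to replace; the pre-check for an existing assignment and the final verification of the user's assignments are additions, not steps shown in the video.

```powershell
# Added example (not from the course): assign Contributor on the SimpleVM
# resource group and verify the result, using the AzureRM cmdlets shown.
$resourceGroup = 'SimpleVM'
$signInName    = 'user@contoso.example'      # placeholder: user to assign
$subscription  = '<your-subscription-id>'    # placeholder: from Get-AzureRmSubscription

# 1. Sign in and pin the subscription that holds the resource group, so the
#    assignment is not created in the wrong subscription.
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscription

# 2. List the built-in and custom roles that can be assigned.
Get-AzureRmRoleDefinition | Format-Table Name, Description -AutoSize

# 3. Review what is already assigned at the resource group scope. Assignments
#    inherited from the subscription are listed too; check the Scope column.
Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroup |
    Format-Table DisplayName, SignInName, RoleDefinitionName, Scope -AutoSize

# 4. Assign Contributor at the resource group scope only (least privilege:
#    Contributor can create and manage resources but cannot grant access).
#    Skip the assignment if the user already holds it, to avoid a duplicate.
$existing = Get-AzureRmRoleAssignment -ResourceGroupName $resourceGroup `
                -SignInName $signInName |
            Where-Object { $_.RoleDefinitionName -eq 'Contributor' }
if (-not $existing) {
    New-AzureRmRoleAssignment -SignInName $signInName `
        -RoleDefinitionName 'Contributor' `
        -ResourceGroupName $resourceGroup
}

# 5. Verify: the user should hold Contributor on SimpleVM and nothing broader
#    (no Owner, no subscription-level scope) unless that was intended.
Get-AzureRmRoleAssignment -SignInName $signInName |
    Format-Table RoleDefinitionName, Scope -AutoSize
```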