I need to create two users in same subscription.Let users be A and B.the resource creating by user A should not be visible to user B and vice versa.It would be great if some one help me on this.
Assign RBAC to the user in the resource group Level, the user not able to access the resource until the user has permission to that resource group.
for more details please refer to this document
it would depend on the type of resources being created. it works in a hierarchy fashion, so if a user had access to read and write resources under the subscription, then they could see it all the resources under that. but you could for example create a resource group and only give users access to that, so they won't see other resource groups that they don't have access to.
Other than that, you could create more subscriptions, then use management groups for a level of management above that.
there may be other options, like creating custom roles that only allow very specific creation and not reading resources and such, which may or may not work. but that would need to be tested.
Related
I have one AD associated with one subscription and I need to create two users and need to isolate the resources created by them. Is this really possible? since I am new to Azure I am not much aware of this. It would be great if someone render their hand.
I need to create two users and need to isolate the resources created by them. Is this really possible?
Yes. To isolate them from a management and administration point-of-view, create two resource groups, and add each user to the appropriate role on one resource group.
I want a group of people to be able to completely manage a subscription, including managing access to resources within it, except for managing the subscription itself. So (for example) when a new resource group with a storage account is added to the subscription, I want them to be automatically (by inheritance) have all rights to the storage account, including the right to give people roles on that storage account. I just don't want them to be able to give other people roles on the subscription itself, so no adding administrators to the subscription etc.
Is a role (or combination of roles) built-in that I can use for that? Will I have to look into creating a custom role, or is what I'm looking for not possible?
well, I might be wrong, but I dont see how this could be possible:
You want a user to inherit rights from subscription level (only way to get rights to a newly created resource group)
you want rights to assign permissions
you want to block rights to assign permissions on subscription level
so, essentially you are asking for 2 things that conflict. this would not be possible even when using Azure Blueprints, because you cannot block inheritance yet. so you cannot block rights on a specific level, you can only block rights on that level and all "downward" levels
I want to create one single database server for all the resource groups I have created. Earlier, I have used one database server for each resource group but now I wish to have only one server for all the resource groups.
I must say, I believe your former setup more closely follows best practices. Having one server for each resource group allows you to scale each one independent of each other and monitor/configure independently. But to answer your question, every resource in Azure must belong to a resource group. You can create a common resource group and create the SQL db/server under that. Other resources in other groups will still be able to access it.
A group of friends and I are working on an private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user(s), preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can for example setup Billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail,outlook,live.com etc) but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.
I hired a contractor to work on a web service that uses DocumentDB to store our data. I need the contract to be able to login to Azure and access DocumentDB, but I do not want him playing with major things like users and my subscription. I also do not want him scaling anything up or down.
How do I add him as a user and let him access DocumentDB?
If he needs to manage the docdb resource in the Azure portal, you can give him reader or contributor rights on the invididual resource or on the resource group that contains the documentdb resource. By making him contributor (in case he needs to change things), you ensure that he cannot change any user permissions. Readers obviously cannot change anything.
If you require more complex permissions, you could consider using another built in role or even creating a custom role.
In case he just needs to write an application that accesses the DocDB contents, all you have to give him is a connection string and no portal access at all.