We are in the process of implmenting Sentinel with several data sources, what is the best way to do the RBAC?
You would just create the dashboard from Azure Sentinel and assign RBAC roles to it the same way you would with any other Resource in Azure.
The quickstart guide covers it:
To create a new dashboard from scratch, select Dashboards and then +New dashboard.
Select the subscription the dashboard is created in and give it a descriptive name. Each dashboard is an Azure resource like any other, and you can assign it roles (RBAC) to define and limit who can access.
To enable it to show up in your dashboards to pin visualizations to, you have to share it. Click Share and then Manage users.
Use the Check access and Role assignments as you would for any other Azure resource. For more information, see Share Azure dashboards by using RBAC.
Let me know if this helps.
There are two parts to this. The first is using RBAC to secure your Azure Sentinel. This document has more information on that:
https://learn.microsoft.com/en-us/azure/sentinel/roles
The second part is to secure the logs within your Log Analytics workspace. This will control what information those users that have access to your Azure Sentinel can see. So if you want only certain Security Analysts to see your O365 logs you can control it through table level RBAC in the logs.
https://techcommunity.microsoft.com/t5/Azure-Sentinel/Table-Level-RBAC-In-Azure-Sentinel/ba-p/965043
Related
I have a requirement to customize the contributor role at Azure Subscription level, such that, people added to that customized contributor role can NOT view or read the data from the storage account (under that subscription).
This is how i'm doing this:
Step1
Step2
Step3 ( Actions shows * )
This MSFT link does NOT show me the JSON details that can be removed or added so that the read access to the storage account can be blocked.
Hence, I'm trying below ways to customize this (two assignable scopes to cover subscription as well as block viewing the storage data):
Note, The idea is to People need a contributor role to manage the subscription. However, they MUST NOT view the data from the storage under this particular subscription.
I think this is not the right approach. Are there any other ways to achieve this? Thanks.
If you want to create a custom role, then you should have a look at the resource provider operations. From there, you can see all the available actions per resource provider.
You would probably be interested in the DataActions such as Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read and others depending on what you want to filter out.
If you want to block particularly Azure Storage under Subscription Scope Level.
Kindly Exclude Azure Storage under Add Permission Section in order to block Azure Storage only while creating RBAC Role
I would like to give our team members the necessary permissions to use the Query Performance Insight feature for an Azure SQL database, including the possibility to see the query text of long-running queries.
They already have "Reader" and "Monitoring Contributor" roles, so they can access the Query Performance Insight feature in the Azure Portal and see the IDs of long-running queries. However, when they click on a long-running query, they cannot see the query text. An error is shown indicating that "The connection timed out while running the query".
If I assigned them the "SQL DB Contributor" role, they would be able to use that feature, but they could then also change database settings such as the pricing tier, which I do not want.
Is there a role assignment that does what I need?
I think you will need to create an Azure Custom Role, as described in https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles .
You can start with Reader, and then include permissions you want, or start with SQL DB Contributor, and remove permissions you don't want. This will require experimentation.
From your subscription, create a new Custom Role:
Then from that role, you will add or exclude permissions:
Permissions that would be interesting to me would be:
List Query Store texts - for adding to a Reader
and Update Database - for excluding from a DB Contributor
Once that's done, you would go to the Access Control blade for the server that contains your database, and then add your users with that new custom role. Test, tweak, repeat until you have the security profile you want. Which role you use as your basis depends upon how close to a least-privilege security model you wish to adopt.
Edit: One possible way to figure out the permission to assign would be:
Scale the database up
Scale it back down
Go to the resource group, select your database, and Export Template
Inspect the JSON, which will be the ARM that was applied during the operation (you might need to look at multiple deployments to figure this out)
Once you find the operation, the provider in the JSON should give you a clue as to what to exclude from any roles you create.
Adding to #WaitingForGuacamole's answer: We ended up creating a custom role definition containing Microsoft.Sql/servers/databases/queryStore/write and Microsoft.Sql/servers/databases/topQueries/queryText/action. Assigning this custom role definition to team members who already had the Reader role on the Azure SQL Server then allowed them to view the query texts in Query Performance Insight.
The actual two permissions were provided to us by a very helpful Azure support engineer. YMMV, it might also work with just Microsoft.Sql/servers/databases/topQueries/queryText/action (in addition to the read permissions), as indicated by an Azure Docs Github issue. However, the support engineer was positive we'd also need the Microsoft.Sql/servers/databases/queryStore/write one and we didn't follow up by researching why.
A group of friends and I are working on an private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user(s), preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can for example setup Billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail,outlook,live.com etc) but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.
I hired a contractor to work on a web service that uses DocumentDB to store our data. I need the contract to be able to login to Azure and access DocumentDB, but I do not want him playing with major things like users and my subscription. I also do not want him scaling anything up or down.
How do I add him as a user and let him access DocumentDB?
If he needs to manage the docdb resource in the Azure portal, you can give him reader or contributor rights on the invididual resource or on the resource group that contains the documentdb resource. By making him contributor (in case he needs to change things), you ensure that he cannot change any user permissions. Readers obviously cannot change anything.
If you require more complex permissions, you could consider using another built in role or even creating a custom role.
In case he just needs to write an application that accesses the DocDB contents, all you have to give him is a connection string and no portal access at all.
In my company we have one Azure subscription and there are two or three users which are added on the same subscription and have right to create any resource on Azure.
Now since three users are working on same subscription and they are independently creating resources, I want to keep track or see which user created what resource on the same subscription.
Please let me know is there any way to see this tracking/activity details corresponding to the user.
Currently all users have administrator role/permission.
You are looking for the Activity Log:
The Azure Activity Log is a log that provides insight into the
operations that were performed on resources in your subscription
The Activity Logs provides customers a Portal and REST API experience to see who performed what management operations (PUT/DELET/POST) through Azure Resource Manager (ARM) for the past 90 days.
For anything older than 90 days, you have the option to archive the data to storage account or stream the data to Event Hub if you would like to ingest this data into your own system.
The Activity Log data is also available through the Operations Management Suite.
http://www.deployazure.com/management/operations-management-suite/azure-activity-log-analytics-alerts-with-operations-management-suite/