I have multiple resource groups in azure but only want to restrict users to 1. Don't want to have to manually assign user to all resource but one so wondering if it can be done the opposite way?
yes, you need to remove users permissions on the subscription level and grant them permissions on the resource group level.
Reading:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview
Related
I am trying to give permissions to manage locks on resource groups. Atm I gave permission to write locks with following permissions.
"Microsoft.Authorization/",
"Microsoft.Authorization/locks/"
But the person is only able to manage locks on resources, not on resource groups.
Is there an easy way to find out which permission is needed to perform a certain action?
You can assign User Access Administrator to that specific User in the Subscription Scope . You can go to Subscription >> IAM >> Add role Assignment and select User Access Administration and then in members select the user you want to give permissions.
OR
If you want to give only access to locks then you can create a Custom Role following the below steps :
Go to Subscription>> IAM>> Add>> Add a Custom
Role.
Give Custom Role Name and select Start from Scratch.
In Permissions Tab , Click Add Permissions and search for
Microsoft.Autorization and select it and then again search for
Microsoft.Autorization/Locks and select the three permissions as
shown below and click on Add:
In all other tabs let it be default and in last tab i.e.
review+create , click on create. Once its created Go to
Subscriptions >> IAM >> Add >> Add role assignment and search the newly created role and assign it to the user you want .
Note : If you are assigning the permissions on Resource Group Level then you will be only able to manage the locks of the resources present inside the resource group , but if you assign the same permissions on Subscription Level then you can manage locks on resource groups as well as resources.
I need to restrict the users from adding to the groups manually in Azure, any help on this issue?
Thanks #Rahul Shukla for your suggestion .
Restrict Users from adding to groups
Give the user with reader or contributor permission to the user .
if you add that user the reader permission they will then be able to read any resource in the subscription, but not modify anything.
For more details refer this document: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
2)Prevent admin to add the users to group
Create review process in places where if any user gets added in the group admin will get notification for the same and based on admin approval only it will gets added.
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed on a regular basis to make sure only the right people have continued access
For more details refer this document: https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
I want to invite guest user in Azure with permissions that he could do whatever he wants in subscription scope with owner role, but he couldn't view other resource groups that he didn't make or just be able to read them.
currently that's not possible. Deny assigments are limited to a couple of resource types.
I am writing to ask your assistance regarding an important Azure topic.
Scenario 1:
I have 30 different resources in Azure in different resource groups in a subscription. There is a tag (owner) on all resources. If the value of owner tag is a username the only person who will be able to modify the owner tag is the user whose username is equal the owner tag's value. Of course if user1 modified the owner tag's value to another existing username (user2) user1 wouldn't be able to modify the owner tag's value. In this case the only person who could modify the owner tag's value is user2. Is it possible to restrict tag value modification at any Azure resources?
Scenario 2:
I have 30 different resources in Azure in different resource groups in a subscription. I create a custom role (ops-role) which has similar privileges in Azure than a Contributor except this role doesn't have privilege to modify the tags and tags' value. Then I create a another custom role (tagger-role) which has only (or almost only) tag modification privileges. Is it possible to create these roles in Azure?
I need a solution for the 1st or the 2nd scenario. I would like to restrict the tags modification on the Azure resources.
no, this is not possible, you have to create your own api on top of azure
if my memory servers me well, there is no separate role for tags, anyone with write permission over the resource can tag so this is essentially not achievable, you need a custom api on top of azure to do that
How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user for Azure, they have no permissions at all against any subscriptions, logging into portal will present an empty view with no resources.
If you add that user the reader permission they will then be able to read any resource in the subscription, but not modify anything. As would be expected. With reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every contributer and reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any contributer or reader role can see all resource groups.
There is no built in role that has explicitly defined resourceGroups/write or resourceGroups/* permission.
The only groups with that permission implicitly applied are contributer and owner, which have "*" applied.
This means that only contributers and owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroup/write
So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription out of which
the user should be able to access only 3 resource groups where the
user can do their operations.
The above is possible with the following steps
Add the user to the subscription. Dont assign any role at subscription level for this user.
Add the User as contributor to the selected three resource groups (in Access Control (IAM)) property thru role assignment.
The above two configuration will enable the user to only view and operate on the explicit three resource groups, other resource group will not appear in Azure portal.
Best practice would be to add the user to security Group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to Contributor role. Repeat for each resource group.