How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user in Azure, they have no permissions at all against any subscription; logging into the portal will present an empty view with no resources.
If you give that user the Reader permission, they will then be able to read any resource in the subscription but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions on a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.
There is no built-in role that has an explicitly defined resourceGroups/write or resourceGroups/* permission.
The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.
This means that only Contributors and Owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroup/write.
So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
The above is possible with the following steps:
Add the user to the subscription. Don't assign any role at the subscription level for this user.
Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) blade) through a role assignment.
The above two configurations will enable the user to only view and operate on the explicit three resource groups; other resource groups will not appear in the Azure portal.
Best practice would be to add the user to a security group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to Contributor role. Repeat for each resource group.
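To see why the answers above work, here is an added example (not code from this page or from Azure) that models the two rules Azure RBAC applies, scope inheritance by path prefix and wildcard matching of actions against a role's Actions/NotActions, and runs the question's scenario through it. The subscription id, the ten resource-group names and the abbreviated built-in role definitions are constructed for the example; the action names are the real ones the first answer quotes.

```python
"""Toy evaluator for Azure RBAC scope inheritance and action wildcards.

Constructed for this example (not the page's or Azure's code): the
subscription id, resource groups rg-01..rg-10, and abbreviated copies of
the Reader/Contributor/Owner definitions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"   # constructed id
RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple            # Azure "Actions" patterns; "*" spans "/" segments
    not_actions: tuple = ()   # Azure "NotActions" patterns, subtracted from Actions


# Shapes of the built-in roles. Contributor's NotActions list is abbreviated
# to the Microsoft.Authorization entries that matter here.
READER = Role("Reader", ("*/read",))
CONTRIBUTOR = Role("Contributor", ("*",), (
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
))
OWNER = Role("Owner", ("*",))


@dataclass(frozen=True)
class Assignment:
    role: Role
    scope: str   # "/subscriptions/<id>" or "/subscriptions/<id>/resourceGroups/<rg>"


def rg_scope(name: str) -> str:
    return f"{SUB}/resourceGroups/{name}"


def _matches(pattern: str, action: str) -> bool:
    # Azure action matching is case-insensitive and "*" matches across segments.
    return fnmatchcase(action.lower(), pattern.lower())


def _covers(assignment_scope: str, target_scope: str) -> bool:
    # An assignment applies at its own scope and every child scope (segment-wise prefix).
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_grants(role: Role, action: str) -> bool:
    allowed = any(_matches(p, action) for p in role.actions)
    denied = any(_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def is_permitted(assignments, action: str, scope: str) -> bool:
    # Effective permission is the union over every assignment whose scope covers the target.
    return any(_covers(a.scope, scope) and role_grants(a.role, action) for a in assignments)


def visible_resource_groups(assignments, resource_groups):
    # The portal lists a resource group only if the caller holds resourceGroups/read on it.
    return [rg for rg in resource_groups if is_permitted(assignments, RG_READ, rg_scope(rg))]


def can_create_resource_group(assignments, name: str) -> bool:
    # A not-yet-existing group has no assignments of its own, so the write
    # must be inherited from the subscription (or higher).
    return is_permitted(assignments, RG_WRITE, rg_scope(name))


ALL_RGS = [f"rg-{i:02d}" for i in range(1, 11)]
ALLOWED = ["rg-01", "rg-02", "rg-03"]

SCENARIOS = {
    "contributor-on-3-rgs": [Assignment(CONTRIBUTOR, rg_scope(rg)) for rg in ALLOWED],
    "reader-on-subscription": [Assignment(READER, SUB)],
    "reader-on-sub-plus-contributor-on-3":
        [Assignment(READER, SUB)] + [Assignment(CONTRIBUTOR, rg_scope(rg)) for rg in ALLOWED],
    "owner-on-subscription": [Assignment(OWNER, SUB)],
}


def summarize(scenario: str) -> dict:
    a = SCENARIOS[scenario]
    vm = rg_scope("rg-01") + "/providers/Microsoft.Compute/virtualMachines/vm1"
    return {
        "visible": visible_resource_groups(a, ALL_RGS),
        "can_create_rg": can_create_resource_group(a, "rg-new"),
        "can_write_in_rg01": is_permitted(a, "Microsoft.Compute/virtualMachines/write", vm),
        "can_assign_roles_in_rg01": is_permitted(a, ROLE_ASSIGN, rg_scope("rg-01")),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, summarize(name))
```

The "contributor-on-3-rgs" scenario is the accepted recipe: the user sees exactly three groups, can create resources inside them, cannot create a new resource group (nothing at subscription scope grants the write), and cannot grant roles (Contributor's NotActions strip Microsoft.Authorization/*/Write). Adding Reader at the subscription makes all ten groups visible again, which is the caveat the first answer makes.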
Related
We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
I can see that whatever resource I create, I still inherit the Contributor role only. But ideally, I should get the Owner role for the resources I create!!
What am I missing here? Can you please route me to the relevant document, if any? I don't see clear information on this.
Let's say, by default, all users are given a very restrictive role -> the 'Reader' role for all resources.
Now, can a user have all sorts of roles on the resources created by him? Does this work in Azure?
We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
You will get the Contributor role. Because you did not explicitly assign any role on the resource you created, you inherit the role from the parent.
But ideally, I should get the Owner role for the resources I create!! What am I missing here?
In order to get the Owner role on the resource you created, someone with the Owner or User Access Administrator role needs to grant you that role on the resource you created. You cannot grant yourself a higher role.
Let's say, by default, all users are given a very restrictive role -> the 'Reader' role for all resources. Now, can a user have all sorts of roles on the resources created by him? Does this work in Azure?
Explicit role assignment needs to be performed at the resource level.
I am trying to give permissions to manage locks on resource groups. At the moment I gave permission to write locks with the following permissions.
"Microsoft.Authorization/",
"Microsoft.Authorization/locks/"
But the person is only able to manage locks on resources, not on resource groups.
Is there an easy way to find out which permission is needed to perform a certain action?
You can assign User Access Administrator to that specific user at the subscription scope. Go to Subscription >> IAM >> Add role assignment, select User Access Administrator, and then under Members select the user you want to give permissions to.
OR
If you want to give access only to locks, you can create a custom role following the steps below:
Go to Subscription >> IAM >> Add >> Add a custom role.
Give the custom role a name and select Start from scratch.
In the Permissions tab, click Add permissions, search for Microsoft.Authorization and select it, then search again for Microsoft.Authorization/locks and select the three permissions as shown below, then click Add.
Leave all other tabs at their defaults and, in the last tab (Review + create), click Create. Once it is created, go to Subscriptions >> IAM >> Add >> Add role assignment, search for the newly created role and assign it to the user you want.
Note: If you assign the permissions at the resource group level, you will only be able to manage the locks of the resources present inside the resource group, but if you assign the same permissions at the subscription level, you can manage locks on resource groups as well as resources.
Looking for a way to create an Azure Policy which denies based on a policy rule, but does not deny if you are an Owner on the policy assignment scope, or if the assignment scope is a specific AAD group (ideally a name wildcard match).
Azure Policy Info:
The working Policy is denying role assignments if the role definition id is not within the parameter values
The Desire:
A specific role definition id is denied on a role assignment attempt if it does not match the whitelist; however, role assignment attempts are NOT denied if you are an Owner on the scope or, if that is not possible, if the assignment scope is an AAD group whose name matches a wildcard or regex.
The issue:
We have successfully denied all role assignments, if the role definition was not allowed in the Azure policy
We, the admins, are in turn now being blocked by the policy when attempting to assign custom roles that are not on the allowed role definitions list.
These custom roles not on the allowed list are being assigned to AAD groups.
Not sure if we can create some kind of exclusion if you are an Owner, or maybe for the AAD group naming convention (customer-group-*).
Summary:
We need this Azure Policy to deny customers the ability to assign any RBAC role that does not match a role definition id on the allowed list, but we as the admins, who will have the 'Owner' or 'Contributor' role, need to still be able to assign roles not on the allowed list.
I have not been able to work out a solution via either Azure Policy or RBAC to achieve this.
Azure Policy is not "user-aware", so you cannot exclude based on Roles.
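As an added example (not the asker's policy and not Azure code), the following evaluates a deny-role-assignment rule of the kind the question describes against constructed role-assignment PUT bodies. It makes the answer concrete: the only things the rule can test are the resource type and the aliased properties of the request, and the caller's identity is not among them, so "unless I am an Owner" cannot be expressed in the rule. The subscription id, the custom-role GUID and the principal id are made up; the Reader and Contributor GUIDs are the well-known built-in role definition ids.

```python
"""Minimal evaluator for an Azure Policy rule of the deny-role-assignment kind.

Constructed for this example (not the page's policy or Azure's engine): the
subscription id, the custom-role GUID, the principal id and the request
bodies. Reader/Contributor GUIDs are the well-known built-in role ids.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed
ROLE_DEFS = f"{SUB}/providers/Microsoft.Authorization/roleDefinitions"
READER_ID = f"{ROLE_DEFS}/acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR_ID = f"{ROLE_DEFS}/b24988ac-6180-42a0-ab88-20f7382dd24c"
CUSTOM_ID = f"{ROLE_DEFS}/11111111-1111-1111-1111-111111111111"  # constructed custom role
CUSTOMER_GROUP = "22222222-2222-2222-2222-222222222222"  # constructed object id of an AAD group

# The rule the question describes: deny any role assignment whose role
# definition id is not in the allowed list supplied as a parameter.
POLICY = {
    "parameters": {"allowedRoleDefinitionIds": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Authorization/roleAssignments"},
            {"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
             "notIn": "[parameters('allowedRoleDefinitionIds')]"},
        ]},
        "then": {"effect": "deny"},
    },
}
# Parameter values set on the policy assignment.
ASSIGNMENT_PARAMS = {"allowedRoleDefinitionIds": [READER_ID, CONTRIBUTOR_ID]}

# Aliases resolve policy field names to paths in the request body. Everything
# a rule can test is here: there is no field for the caller, and principalId
# is the assignee's object id, not a group display name to wildcard-match.
ALIASES = {
    "type": ("type",),
    "Microsoft.Authorization/roleAssignments/roleDefinitionId": ("properties", "roleDefinitionId"),
    "Microsoft.Authorization/roleAssignments/principalId": ("properties", "principalId"),
}


def role_assignment_request(role_definition_id: str, principal_id: str, scope: str) -> dict:
    """Body of the PUT that creates a role assignment (constructed shape)."""
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"roleDefinitionId": role_definition_id,
                       "principalId": principal_id, "scope": scope},
    }


def _param(value, params):
    # Resolve "[parameters('name')]" template expressions; pass literals through.
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def _field(request: dict, name: str):
    node = request
    for key in ALIASES[name]:
        node = node[key]
    return node


def _condition(cond: dict, request: dict, params: dict) -> bool:
    # Azure Policy string comparisons are case-insensitive.
    value = str(_field(request, cond["field"])).lower()
    if "equals" in cond:
        return value == str(_param(cond["equals"], params)).lower()
    if "in" in cond:
        return value in {str(v).lower() for v in _param(cond["in"], params)}
    if "notIn" in cond:
        return value not in {str(v).lower() for v in _param(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def _evaluate(node: dict, request: dict, params: dict) -> bool:
    if "allOf" in node:
        return all(_evaluate(n, request, params) for n in node["allOf"])
    if "anyOf" in node:
        return any(_evaluate(n, request, params) for n in node["anyOf"])
    if "not" in node:
        return not _evaluate(node["not"], request, params)
    return _condition(node, request, params)


def effect(policy: dict, params: dict, request: dict) -> str:
    """'deny' when the rule's condition matches the request, otherwise 'allow'.

    Note the signature: the request body is the whole input. Whether the
    caller is an Owner never enters the evaluation.
    """
    rule = policy["policyRule"]
    return rule["then"]["effect"] if _evaluate(rule["if"], request, params) else "allow"


if __name__ == "__main__":
    print(effect(POLICY, ASSIGNMENT_PARAMS, role_assignment_request(READER_ID, CUSTOMER_GROUP, SUB)))
    # The admin's custom role is denied too; nothing in the request says who sent it.
    print(effect(POLICY, ASSIGNMENT_PARAMS, role_assignment_request(CUSTOM_ID, CUSTOMER_GROUP, SUB)))
```

What can be varied is scope and parameters, not principal: the same rule evaluated at a different policy assignment scope, with a different allowed list, or with that scope excluded from the assignment, is the lever available, and none of those levers is "who is calling".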
I want to invite a guest user into Azure with permissions such that he could do whatever he wants at the subscription scope with the Owner role, but he couldn't view the other resource groups that he didn't create, or could only read them.
Currently that's not possible. Deny assignments are limited to a couple of resource types.
I have multiple resource groups in azure but only want to restrict users to 1. Don't want to have to manually assign user to all resource but one so wondering if it can be done the opposite way?
Yes, you need to remove the user's permissions at the subscription level and grant them permissions at the resource group level.
Reading:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview