azure:az-500:alt:role_based_access_control

azure:az-500:alt:role_based_access_control [2022/08/05 13:05] – [Azure AD roles vs. Azure Resource Manager (ARM) roles] mmuze
azure:az-500:alt:role_based_access_control [2023/02/06 22:44] (current) – [Role Based Access Control/RBAC] mmuze
Line 2: Line 2:
 > RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. > RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
  
-  * RBAC roles can be assigned at the level of subscription, resource group or resource. Roles at higher levels are inherited by lower levels.+  * A **//security principal//** is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals. 
 +  * **//role scope://** RBAC roles can be assigned at the level of management group, subscription, resource group or resource. Roles at higher levels are inherited by lower levels.
   * Roles (role definitions) are comprised of scopes and permissions that apply to the scopes.   * Roles (role definitions) are comprised of scopes and permissions that apply to the scopes.
       * The [[https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview|scopes]] are specified as paths.       * The [[https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview|scopes]] are specified as paths.
 +      * Roles give some identity (user, group, service principle, managed identity) permission to perform some set of actions against some service providers for some defined scope (management group, subscription, resource group).
 +      * Unlike AAD roles ARM roles can be assigned to synced groups in addition to cloud groups and users.
 +  * **Custom Roles** require a P1 or P2 license
 +  * In RBAC role definitions there are //actions// and //data actions//, with the former being actions on the //control plane// and the later on the //data plane//. For example, a permission that allows a storage account to be read (as in listing blob containers) is a control plane action, whereas reading the actual blobs is a data plane action.
 +
  
 ===== Azure AD roles vs. Azure Resource Manager (ARM) roles ===== ===== Azure AD roles vs. Azure Resource Manager (ARM) roles =====
   * AAD Roles vs. ARM/Azure Roles   * AAD Roles vs. ARM/Azure Roles
 +  * AzureAD Roles vs. AzureRM Roles
 +  * Azure directory roles vs. Azure resource roles
   * [[https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647]]   * [[https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647]]
  
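Review bot: the added bullet `* **Custom Roles** require a P1 or P2 license` sits in the RBAC (ARM roles) section but does not say which kind of custom role it means; since this page separates AAD roles from ARM roles, it should name the kind, because the Azure AD Premium P1/P2 requirement applies to Azure AD (directory) custom roles, while Azure RBAC custom roles need no premium license. Smaller points in the same hunk: the scope list in `for some defined scope (management group, subscription, resource group)` omits resource, which the new role-scope bullet includes; `service principle` should be `service principal`; and `the later on the //data plane//` should be `the latter`.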
Line 14: Line 22:
   * [[https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]   * [[https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin]]
   * RBAC is generally thought of as being used to apply to the control plane, but it can also be used to apply to data plane operations.   * RBAC is generally thought of as being used to apply to the control plane, but it can also be used to apply to data plane operations.
-  * AAD roles cannot be assigned to regular user groups, but ARM roles can be assigned to regular groups.+  * AAD roles cannot be assigned to regular user groups (by default), but ARM roles can be assigned to regular groups. There is an option that can be enabled for groups to allow AAD roles to be assigned to them. 
 + 
 + 
 +  * Azure AD roles control access to Azure AD resources such as users, groups, and applications using the Microsoft Graph API 
 +  * Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management 
 +  * [[https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-overview]]
  
  
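Review bot: `There is an option that can be enabled for groups to allow AAD roles to be assigned to them` should say that the option is chosen when the group is created (a role-assignable group) rather than switched on for an existing group; as written it reads as a toggle on any group. Once that sentence is precise the `(by default)` qualifier can go, and the two stray blank lines before the Azure AD roles / Azure roles bullets should be removed.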
Line 57: Line 70:
 | Reader | Lets you view everything, but not make any changes | | Reader | Lets you view everything, but not make any changes |
 | User Access Administrator | Lets you manage user access to Azure resources. | | User Access Administrator | Lets you manage user access to Azure resources. |
 +
 +====== Access Policies ======
 +  * In addition to RBAC roles some resources have an additional layer of access control in form of //access policies//.
 +  * Roles operate at the //management plane// and access policies operate at the //data plane//.
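Review bot: `Roles operate at the //management plane// and access policies operate at the //data plane//` contradicts the earlier bullets that role definitions contain //data actions// and that RBAC "can also be used to apply to data plane operations"; qualify it, e.g. `Role actions operate at the management plane; data actions and access policies operate at the data plane`. Also `in form of` should be `in the form of`, and the heading `====== Access Policies ======` is one level above the page's other section heading (`===== ... =====`), so it should use five `=` as well.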
  • azure/az-500/alt/role_based_access_control.1659704706.txt.gz
  • Last modified: 2022/08/05 13:05
  • by mmuze