azure:az-500:alt:role_based_access_control

Differences

azure:az-500:alt:role_based_access_control [2022/10/07 22:39] – [Azure AD roles vs. Azure Resource Manager (ARM) roles] mmuze
azure:az-500:alt:role_based_access_control [2023/02/06 22:44] (current) – [Role Based Access Control/RBAC] mmuze
Line 2: Line 2:
 > RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. > RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
  
-  * RBAC roles can be assigned at the level of management group, subscription, resource group or resource. Roles at higher levels are inherited by lower levels.+  * A **//security principal//** is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals. 
 +  * **//role scope://** RBAC roles can be assigned at the level of management group, subscription, resource group or resource. Roles at higher levels are inherited by lower levels.
   * Roles (role definitions) are comprised of scopes and permissions that apply to the scopes.   * Roles (role definitions) are comprised of scopes and permissions that apply to the scopes.
       * The [[https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview|scopes]] are specified as paths.       * The [[https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview|scopes]] are specified as paths.
       * Roles give some identity (user, group, service principle, managed identity) permission to perform some set of actions against some service providers for some defined scope (management group, subscription, resource group).       * Roles give some identity (user, group, service principle, managed identity) permission to perform some set of actions against some service providers for some defined scope (management group, subscription, resource group).
 +      * Unlike AAD roles ARM roles can be assigned to synced groups in addition to cloud groups and users.
 +  * **Custom Roles** require a P1 or P2 license
 +  * In RBAC role definitions there are //actions// and //data actions//, with the former being actions on the //control plane// and the later on the //data plane//. For example, a permission that allows a storage account to be read (as in listing blob containers) is a control plane action, whereas reading the actual blobs is a data plane action.
 +
  
 ===== Azure AD roles vs. Azure Resource Manager (ARM) roles ===== ===== Azure AD roles vs. Azure Resource Manager (ARM) roles =====
   * AAD Roles vs. ARM/Azure Roles   * AAD Roles vs. ARM/Azure Roles
 +  * AzureAD Roles vs. AzureRM Roles
 +  * Azure directory roles vs. Azure resource roles
   * [[https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647]]   * [[https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647]]
  
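Review bot: the new "security principal" bullet at the top of this hunk spells the term correctly, but the unchanged sub-bullet below it still reads "service principle"; fix the spelling there as well so the two lists agree. In the added "Custom Roles" bullet, the P1/P2 licence requirement applies to custom Azure AD (directory) roles, not to Azure RBAC custom roles, which need no Premium licence; since this section is about ARM/RBAC roles, state which kind of custom role is meant or move the bullet to the AAD side of the comparison below. In the "actions and data actions" bullet, "the later" should be "the latter", and readers of role definitions would be helped by naming the properties as they appear in a role definition JSON (`Actions`, `NotActions`, `DataActions`, `NotDataActions`). The "Unlike AAD roles ARM roles" bullet needs a comma after "AAD roles".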
Line 63: Line 70:
 | Reader | Lets you view everything, but not make any changes | | Reader | Lets you view everything, but not make any changes |
 | User Access Administrator | Lets you manage user access to Azure resources. | | User Access Administrator | Lets you manage user access to Azure resources. |
 +
 +====== Access Policies ======
 +  * In addition to RBAC roles some resources have an additional layer of access control in form of //access policies//.
 +  * Roles operate at the //management plane// and access policies operate at the //data plane//.
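Review bot: the new "Access Policies" heading uses six equals signs (`====== Access Policies ======`, a level-1 heading in this wiki) while the neighbouring sections such as "Azure AD roles vs. Azure Resource Manager (ARM) roles" use five (`=====`), so it will render as a new top-level section rather than a sibling; use `=====` here. The second bullet says roles operate at the "management plane", but the earlier hunk introduces the same distinction as "control plane" vs "data plane"; pick one term for both places so the page is consistent. Also "in form of" should be "in the form of", and naming the resource type the bullet has in mind (Key Vault access policies are the common case) would make it concrete.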
  • Last modified: 2022/10/07 22:39
  • by mmuze