Differences

This shows you the differences between two versions of the page.

--- azure:az-500:alt:role_based_access_control [2023/01/31 22:37] – mmuze
+++ azure:az-500:alt:role_based_access_control [2023/02/06 22:44] (current) – [Role Based Access Control/RBAC] mmuze
@@ Line 7: / Line 7: @@
       * The [[https://docs.microsoft.com/en-us/azure/role-based-access-control/scope-overview|scopes]] are specified as paths.
       * Roles give some identity (user, group, service principle, managed identity) permission to perform some set of actions against some service providers for some defined scope (management group, subscription, resource group).
+      * Unlike AAD roles ARM roles can be assigned to synced groups in addition to cloud groups and users.
   * **Custom Roles** require a P1 or P2 license
+  * In RBAC role definitions there are //actions// and //data actions//, with the former being actions on the //control plane// and the later on the //data plane//. For example, a permission that allows a storage account to be read (as in listing blob containers) is a control plane action, whereas reading the actual blobs is a data plane action.
 ===== Azure AD roles vs. Azure Resource Manager (ARM) roles =====
   * AAD Roles vs. ARM/Azure Roles
-  * AzureAD roles vs. AzureRM Roles
+  * AzureAD Roles vs. AzureRM Roles
   * Azure directory roles vs. Azure resource roles
   * [[https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-roles-and-azure-ad-roles/ba-p/2363647]]
@@ Line 67: / Line 70: @@
 | Reader | Lets you view everything, but not make any changes |
 | User Access Administrator | Lets you manage user access to Azure resources. |
+====== Access Policies ======
+  * In addition to RBAC roles some resources have an additional layer of access control in form of //access policies//.
+  * Roles operate at the //management plane// and access policies operate at the //data plane//.