A. Overview:

  • RBAC lets you determine what operations specific users can do on specific resources, and control what areas of a resource each user can access.
  • Azure RBAC is an authorization system built on Azure Resource Manager; it provides fine-grained access management of resources in Azure.
  • The system subtracts NotActions permissions from Actions permissions to determine the effective permissions for a role.

1. Role definitions:

  • Different from Microsoft Entra roles (Entra roles govern the directory; Azure roles govern Azure resources)
  • Actions format:
    • {Company}.{ProviderName}/{resourceType}/{action}
    • {action} can be:
      • *
      • read
      • write
      • action
      • delete
  • Actions:
    • The Actions permission specifies the control plane actions that the role allows to be performed. It is a collection of strings that identify securable actions of Azure resource providers. Here are some examples of control plane actions that can be used in Actions.
    • */read: read actions for all resources
    • Microsoft.Compute/*: all action types on the Microsoft.Compute provider
    • Microsoft.Network/*/read: read actions on every resource type of the Microsoft.Network provider
    • Microsoft.Compute/virtualMachines/*: all actions on virtual machines
    • microsoft.web/sites/restart/Action: the restart action on web apps (action names are case-insensitive)
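The two rules above (wildcard matching of action strings, and NotActions subtracted from Actions to give a role's effective permissions) worked through in code. This is an added example, not Azure's own evaluation engine; the "VM Operator" role and the operation list are constructed for illustration.

```python
import re


def action_matches(pattern: str, operation: str) -> bool:
    """True if an Azure action string (with optional '*' wildcards) covers an operation.

    Azure semantics: '*' matches any run of characters, including '/', so
    'Microsoft.Network/*/read' covers 'Microsoft.Network/virtualNetworks/subnets/read'.
    Comparison is case-insensitive ('microsoft.web/sites/restart/Action').
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def effective_permissions(actions, not_actions, operations):
    """Operations one role definition permits: matched by Actions minus matched by NotActions."""
    return {
        op for op in operations
        if any(action_matches(p, op) for p in actions)
        and not any(action_matches(p, op) for p in not_actions)
    }


def effective_for_principal(role_definitions, operations):
    """Union over every role assigned to a principal. NotActions is a subtraction inside
    one role, not a deny: an operation excluded by one role is still allowed if another
    assigned role grants it."""
    allowed = set()
    for actions, not_actions in role_definitions:
        allowed |= effective_permissions(actions, not_actions, operations)
    return allowed


# Constructed sample custom role (hypothetical "VM Operator"): manage VMs but not delete
# them or touch their extensions; read everything.
VM_OPERATOR = (
    ["Microsoft.Compute/virtualMachines/*", "*/read"],
    ["Microsoft.Compute/virtualMachines/delete", "Microsoft.Compute/virtualMachines/extensions/*"],
)

# Constructed sample control plane operations to evaluate against the role.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/write",
    "microsoft.web/sites/restart/Action",
]

if __name__ == "__main__":
    allowed = effective_permissions(*VM_OPERATOR, SAMPLE_OPERATIONS)
    for op in SAMPLE_OPERATIONS:
        print(f"{op}: {'allowed' if op in allowed else 'not allowed'}")
```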

2. Role Assignment:

  • An assignment attaches a role definition to an Azure security principal at a particular scope.
    • Users can grant the access described in a role definition by creating (attaching) an assignment for the role.
  • Assign the User Access Administrator role to an admin group scoped to a management group
  • Assign the Contributor role to a user scoped to a subscription

3. Scope:

  • The boundary for the requested level of access, or “how much” access is granted.
  • Management group, subscription, resource group, resource (listed from broadest to narrowest)

4.