- Delegated resource administration
- Roles organize related resource permissions together
- Depends on resource type
- E.g. different for VM and storage.
- Depends on resource type
- Scope
- Roles are applied to a scope.
- They're inherited in following order:
- Management groups
- Subscription
- Resource groups
- Individual resources
- Role can be assigned to:
- Users
- Groups
- Service principal
- Application
- System Assigned Managed Identity: App Service, Function App, Virtual Machine, Virtual Machine Scale Set
- User Assigned Managed Identity
- 60+
- Common roles:
- Owner: Manage resources and resource access
- Contributor: Manage resources but not resource access.
- Reader: Read-only access
- Storage Blob Data Reader: Specific to storage accounts
- SQL DB Contributor: Manage, but not access, SQL databases
- VM Contributor: Manage, but not access, virtual machines.
-
❗ Built using only PowerShell / CLI or REST API.
New-AzureRmRoleDefinitation -Role $customRole
-
Shows in same drop-down lists with built-in roles
-
JSON file looks like this:
{ "Name": "Network Resource Viewer", "IsCustom": true, "Description": "Allows reading Azure network resources.", "Actions": [ "Microsoft.Network/*/read" ], "NotActions": [ ], "AssignableScopes": [ "/subscriptions/048.." ] }
- The account that is used to sign up for Azure is automatically set as both the Account Administrator and Service Administrator.
- Roles are properties that can be changed in Subcription blade
- 💡 Azure recommends using RBAC roles
- Account Administrator (1 per Azure account)
- Conceptually, the billing owner of the subscription.
- The Account Administrator has no access to the Azure portal.
- Service Administrator (1 per Azure subscription)
- By default, for a new subscription, the Account Administrator is also the Service Administrator.
- The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.
- The Service Administrator has full access to the Azure portal.
- Co-Administrator (200 per subscription)
- The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.