Overview of RBAC
Access Control (IAM)
This is where we can set access for resources. You will find this option at the “resource group” level and the resource level.
Checking Access
- Go to the resource you want to check -> Access Control
- Click on Check Access
Assigning Access
- Go to the resource you want to grant access to -> Access Control
- Go to Role Assignments -> Add Role Assignment
- You get a large number of built-in roles to select from. The main ones are:
  – Owner (keys to the castle, can do everything. Same as Contributor plus can grant access to others)
  – Contributor (create/edit/delete resources, just can't set permissions)
  – Reader (can see resources but can't edit them)
- Select the user/group to grant access to
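The same check-and-assign steps done with the Az PowerShell module instead of the portal, as an added example that is not part of the original notes. The resource group name and user sign-in name are constructed placeholders; the cmdlets (Get-AzRoleAssignment, New-AzRoleAssignment, Remove-AzRoleAssignment) are the standard Az.Resources ones and assume you have already run Connect-AzAccount.

```powershell
# Constructed values: replace with your own resource group and user
$rg    = "rg-example"
$user  = "alice@contoso.example"

# Scope the work to a single resource group: grant at the narrowest scope that does the job
$scope = (Get-AzResourceGroup -Name $rg).ResourceId

# Check access (1): every assignment that applies at this scope.
# Assignments made higher up (subscription, management group) are included,
# which is how you spot inherited permissions.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Check access (2): what one principal holds here, including roles it gets via group membership
Get-AzRoleAssignment -SignInName $user -Scope $scope -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope, ObjectType

# Assign access: Reader unless the person actually needs to change things
New-AzRoleAssignment -SignInName $user -RoleDefinitionName "Reader" -Scope $scope

# Remove the assignment again when it is no longer needed
Remove-AzRoleAssignment -SignInName $user -RoleDefinitionName "Reader" -Scope $scope
```

Listing with -Scope before assigning is the PowerShell equivalent of the portal's Check Access button: it shows whether the user already has the permission through an inherited assignment or a group, in which case a new direct assignment only adds clutter.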
Deny Access
If an account is getting inherited permissions to a resource, but you don't want it to access that resource, you use "Deny assignments". These work in a similar way to Role Assignments.
Creating Custom RBAC Roles
Using PowerShell
https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell
The recommended way to do this is to:
- Take an existing role
- Export it to a JSON format (Get-AzRoleDefinition)
- Then modify it
- Create a new role from this JSON file (New-AzRoleDefinition)
EG:
# Export the built-in Reader role to a JSON file (edit the file before the next step)
Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json
# Create the custom role from the edited JSON file
New-AzRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"
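The full export, modify, create cycle carried through in PowerShell, as an added example that is not part of the original notes. It follows the four steps above and shows the fields that have to change in the exported JSON before New-AzRoleDefinition will accept it as a new custom role (a cleared Id, IsCustom set to true, a new Name, and an explicit AssignableScopes). The subscription ID, output path, role name and the added Microsoft.Support/* action are assumptions for illustration.

```powershell
# Assumed values: replace the subscription ID with your own
$subId  = "<your-subscription-id>"
$outDir = "C:\CustomRoles"
$file   = Join-Path $outDir "ReaderSupportRole.json"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1 + 2: take the built-in Reader role and export it as JSON
Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json -Depth 10 | Out-File $file

# Step 3: modify the exported definition so it becomes a new custom role
$role = Get-Content $file -Raw | ConvertFrom-Json
$role.Name        = "Reader Support Tickets"   # assumed name for the new role
$role.Id          = $null                       # null Id = create a new role, don't overwrite Reader
$role.IsCustom    = $true
$role.Description = "Can view everything and open support tickets."

# Keep Reader's */read and add only the extra permission that is needed
$role.Actions        = @("*/read", "Microsoft.Support/*")
$role.NotActions     = @()
$role.DataActions    = @()
$role.NotDataActions = @()

# Least privilege: restrict where this role can be assigned to one subscription
$role.AssignableScopes = @("/subscriptions/$subId")

$role | ConvertTo-Json -Depth 10 | Set-Content $file

# Step 4: create the custom role from the edited JSON file
New-AzRoleDefinition -InputFile $file

# Verify the result and review the action list before assigning the role to anyone
Get-AzRoleDefinition -Name "Reader Support Tickets" |
    Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes
```

If Id is left at the exported value, New-AzRoleDefinition refuses the file because that GUID already belongs to the built-in Reader role; clearing it and setting IsCustom to true is what turns the copy into a genuinely new definition. Keeping AssignableScopes narrow also limits where a later mistake in the action list can do damage.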