Definition of RBAC
In a large organization with many resources grouped into resource groups, RBAC is what grants the right permissions to the right person. Azure RBAC provides fine-grained access management in Azure: for example, one user can be allowed to manage VMs in a subscription while another manages SQL databases within the same subscription.
Every Azure subscription is associated with an Azure AD tenant, and every Azure subscription contains multiple resources or resource groups. Resource groups are logical containers of resources.
Role-based access control provides the ability to grant exactly the access required to people with differing job descriptions.
For example, let’s say Resource Group 1 contains two kinds of resources, a SQL DB and several VMs. At the resource group level, User 1 is given the SQL DB Contributor role while User 2 is given the Virtual Machine Contributor role.
Resource Group | User | Role |
Resource Group 1 | User 1 | SQL DB Contributor (built-in role): Can manage SQL servers and databases, but not their security-related policies |
Resource Group 1 | User 2 | Virtual Machine Contributor (built-in role): Can manage virtual machines, but not the virtual network or storage account to which they are connected |
Note: Azure RBAC cannot authorize data-level operations on Azure resources. For example, a user who holds the SQL DB Contributor role can manage the SQL DB itself, but the role gives no permissions to manage individual tables within that database.
Built in Roles
Azure RBAC has three basic roles that apply to all resource types.
- Owner: A person with ‘Owner’ access has full access to all resources, including the right to delegate access to others.
- Contributor: A person with ‘Contributor’ access can create and manage all types of Azure resources but can’t grant access to others.
- Reader: A person with ‘Reader’ access can view existing Azure resources.
The remaining built-in roles listed below allow management of specific Azure resources.
Role name | Description |
API Management Service Contributor | Can manage API Management service and the APIs |
API Management Service Operator Role | Can manage API Management service, but not the APIs themselves |
API Management Service Reader Role | Read-only access to API Management service and APIs |
Application Insights Component Contributor | Can manage Application Insights components |
Automation Operator | Able to start, stop, suspend, and resume jobs |
Backup Contributor | Can manage backup in Recovery Services vault |
Backup Operator | Can manage backup except removing backup, in Recovery Services vault |
Backup Reader | Can view all backup management services |
Billing Reader | Can view all billing information |
BizTalk Contributor | Can manage BizTalk services |
ClearDB MySQL DB Contributor | Can manage ClearDB MySQL databases |
Contributor | Can manage everything except access. |
Data Factory Contributor | Can create and manage data factories, and child resources within them. |
DevTest Labs User | Can view everything and connect, start, restart, and shutdown virtual machines |
DNS Zone Contributor | Can manage DNS zones and records |
Azure Cosmos DB Account Contributor | Can manage Azure Cosmos DB accounts |
Intelligent Systems Account Contributor | Can manage Intelligent Systems accounts |
Logic App Contributor | Can manage all aspects of a Logic App, but not create a new one. |
Logic App Operator | Can start and stop workflows defined within a Logic App. |
Monitoring Reader | Can read all monitoring data |
Monitoring Contributor | Can read monitoring data and edit monitoring settings |
Network Contributor | Can manage all network resources |
New Relic APM Account Contributor | Can manage New Relic Application Performance Management accounts and applications |
Owner | Can manage everything, including access |
Reader | Can view everything, but can’t make changes |
Redis Cache Contributor | Can manage Redis caches |
Scheduler Job Collections Contributor | Can manage scheduler job collections |
Search Service Contributor | Can manage search services |
Security Manager | Can manage security components, security policies, and virtual machines |
Site Recovery Contributor | Can manage Site Recovery in Recovery Services vault |
Site Recovery Operator | Can manage failover and failback operations of Site Recovery in Recovery Services vault |
Site Recovery Reader | Can view all Site Recovery management operations |
SQL DB Contributor | Can manage SQL databases, but not their security-related policies |
SQL Security Manager | Can manage the security-related policies of SQL servers and databases |
SQL Server Contributor | Can manage SQL servers and databases, but not their security-related policies |
Classic Storage Account Contributor | Can manage classic storage accounts |
Storage Account Contributor | Can manage storage accounts |
Support Request Contributor | Can create and manage support requests |
User Access Administrator | Can manage user access to Azure resources |
Classic Virtual Machine Contributor | Can manage classic virtual machines, but not the virtual network or storage account to which they are connected |
Virtual Machine Contributor | Can manage virtual machines, but not the virtual network or storage account to which they are connected |
Classic Network Contributor | Can manage classic virtual networks and reserved IPs |
Web Plan Contributor | Can manage web plans |
Website Contributor | Can manage websites, but not the web plans to which they are connected |
Assigning an RBAC role to a user
In this example, I have created a Windows Server 2016 machine and assigned a role to a user within the company.
Step 1: Click on the Access control blade of the respective resource or resource group
Step 2: Click on Add in the top right section of the blade
Step 3: Choose one of the built-in roles
Step 4: Assign the role to one of the following:
- Azure AD user, Group, Application
- Virtual Machine
Step 5: Review the roles assigned to users in your IAM blade, as shown below.
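To make the scope and Actions/NotActions mechanics behind the table and the assignment steps concrete, here is an added Python model of how an RBAC decision is made; it is not code from this page or from Azure. The role definitions are simplified and constructed for the example (the NotActions entries are illustrative of the kind the real built-in roles carry), and the subscription id, resource ids and principal names are made up.

```python
import re

# Constructed, simplified role definitions in the Actions/NotActions shape of
# Azure role definitions; real built-in roles carry many more entries.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*"], "NotActions": []},
    "SQL DB Contributor": {
        "Actions": ["Microsoft.Sql/servers/databases/*"],
        "NotActions": ["Microsoft.Sql/servers/databases/auditingSettings/*",
                       "Microsoft.Sql/servers/databases/securityAlertPolicies/*"]},
}

def matches(pattern, action):
    # '*' matches any run of characters; action names compare case-insensitively.
    rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(rx, action, re.IGNORECASE) is not None

def in_scope(assignment_scope, resource_id):
    # An assignment made at a scope covers that scope and everything beneath it.
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def is_allowed(assignments, principal, action, resource_id):
    """assignments: list of (principal, role name, scope).
    Allowed if some assignment for the principal covers the resource and its
    role lists a matching Actions entry that no NotActions entry subtracts."""
    for who, role_name, scope in assignments:
        if who != principal or not in_scope(scope, resource_id):
            continue
        role = ROLES[role_name]
        granted = any(matches(p, action) for p in role["Actions"])
        denied = any(matches(p, action) for p in role["NotActions"])
        if granted and not denied:
            return True
    return False

# Constructed sample reproducing the page's scenario: assignments at resource-group scope.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB + "/resourceGroups/rg1"
ASSIGNMENTS = [("user1", "SQL DB Contributor", RG1),
               ("user2", "Virtual Machine Contributor", RG1),
               ("ops", "Contributor", SUB)]
```

Run `is_allowed` with different actions and resource ids to see that a resource-group assignment reaches resources inside that group only, and that Contributor's NotActions are what stop it from delegating access.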
Custom Roles in RBAC
Apart from the built-in roles, Azure lets users create new roles when the available ones do not serve the purpose.
Custom roles can be created using one of the following methods:
Additional Resources