Azure RBAC:- Creating a custom role

What is RBAC in Azure? Role Based Access Control. Whenever you can see a resource within the Azure Portal, it is because you hold an RBAC role that allows you to view that resource, or even edit it.

Three basic types of RBAC roles:

  • Owner: Full access to all resources including the ability to delegate access to other users
  • Contributor: Same privileges as Owner, except this role does not have the ability to delegate access to other users
  • Reader: Can view existing Azure Resources

These are the three basic types of RBAC roles; it is not recommended to stop at just the three above. Microsoft recommend the following as best practice:

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it’s a best practice to grant users the least privilege to get their work done. 

docs.microsoft.com

Azure does offer quite a number of built-in roles.

From time to time, these built-in roles may not suffice, or may allow more access than the actual user requires; this is where creating a custom RBAC role is recommended.

Let's look at the Application Insights Component Contributor role and review the access it currently allows:

Now we want to create a similar role, but without allowing the user the ability to create and manage support tickets.

Below is the PowerShell for this role creation, and also the ARM template JSON snippet.

PowerShell:

# Build the role definition object in memory, then submit it with the AzureRM module.
$role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()
$role.Name = 'Application Insights Component Contributor role no support tickets'
$role.Description = 'Application Insights Component Contributor role no support tickets.'
$role.IsCustom = $true
# Same actions as the built-in role, minus Microsoft.Support/* (support ticket management).
# Note: the original snippet had a stray tab inside the 'Microsoft.Insights/components/*' string.
$perms = 'Microsoft.Authorization/*/read','Microsoft.Insights/alertRules/*','Microsoft.Insights/components/*'
$perms += 'Microsoft.Insights/webtests/*','Microsoft.ResourceHealth/availabilityStatuses/read'
$perms += 'Microsoft.Resources/deployments/*','Microsoft.Resources/subscriptions/resourceGroups/read'
$role.Actions = $perms
# Replace the placeholder with the subscription the role may be assigned in.
$subs = '/subscriptions/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX'
$role.AssignableScopes = $subs
New-AzureRmRoleDefinition -Role $role

JSON

{
  "Name": "Application Insights Component Contributor role no support tickets",
  "Id": null,
  "IsCustom": true,
  "Description": "Application Insights Component Contributor role no support tickets",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/components/*",
    "Microsoft.Insights/webtests/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"
  ]
}
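Before deploying a custom role, it is worth checking that its Actions really do grant what you intend and nothing more. The following is an added example (not part of the original post) that applies Azure's action-string matching rules to the role definition above: '*' matches any run of characters, matching is case-insensitive, and an operation is permitted by a role when it matches an entry in Actions and no entry in NotActions. The operation names used for the checks are standard Azure resource-provider operations; the XXXX subscription id is the post's own placeholder.

```python
import json
import re

# The role definition from the post above, embedded here as the input to check.
CUSTOM_ROLE_JSON = """{
  "Name": "Application Insights Component Contributor role no support tickets",
  "IsCustom": true,
  "Actions": ["Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
              "Microsoft.Insights/components/*", "Microsoft.Insights/webtests/*",
              "Microsoft.ResourceHealth/availabilityStatuses/read",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Resources/subscriptions/resourceGroups/read"],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX"]
}"""

def action_matches(pattern: str, operation: str) -> bool:
    """'*' in an RBAC action string matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def operation_allowed(role: dict, operation: str) -> bool:
    """Effective permission from one role: granted by Actions unless removed by NotActions.
    (A principal's real access is the union over all of its role assignments in scope.)"""
    granted = any(action_matches(a, operation) for a in role.get("Actions", []))
    excluded = any(action_matches(a, operation) for a in role.get("NotActions", []))
    return granted and not excluded

def check_role(role_json: str, must_allow, must_deny) -> list:
    """Return the list of violated expectations; an empty list means the role behaves as intended."""
    role = json.loads(role_json)
    problems = [f"should be allowed: {op}" for op in must_allow if not operation_allowed(role, op)]
    problems += [f"should be denied: {op}" for op in must_deny if operation_allowed(role, op)]
    return problems

if __name__ == "__main__":
    # Operations the custom role must keep, and the ones it must not grant.
    print(check_role(
        CUSTOM_ROLE_JSON,
        must_allow=["Microsoft.Insights/components/write",
                    "Microsoft.Authorization/roleAssignments/read"],
        must_deny=["Microsoft.Support/supportTickets/write",
                   "Microsoft.Authorization/roleAssignments/write"],
    ))
```

An empty list from check_role means the role drops support ticket management while keeping the Application Insights permissions; the same evaluator also shows that an equivalent role could be written with a broader Actions entry and "Microsoft.Support/*" in NotActions.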

Hopefully this blog has given you an insight into creating a custom RBAC role.
