Azure RBAC/ABAC

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a key part of Azure Identity and Access Management. It assigns roles to security principals at a chosen level of the cloud hierarchy (management group, subscription, resource group, or individual resource), and the role determines what the principal may do at that level and below. Assigning a role at a higher level means fewer assignments to manage at scale, but every child scope inherits it, so the usual practice is to assign at the narrowest scope that still covers what the principal actually needs. Which principals get which roles is decided by three elements:

  1. Scope
  2. Role Definition
  3. Security Principal

Scope

The scope decides where in the cloud governance hierarchy (management groups, subscriptions, resource groups, and resources) a role assignment applies. Role assignments are inherited by child scopes: a user assigned a role on a subscription keeps that role, and therefore its permissions, on every resource group and resource inside that subscription. The reverse does not hold, so an assignment on one resource group grants nothing on sibling resource groups or on the parent subscription.

Role Definition

The role definition lists the operations a principal is allowed to perform: control-plane actions such as reading, writing, or deleting a resource, and, for some roles, data-plane actions such as reading the contents of a blob. Azure provides over 120 built-in roles and allows more granular permission sets through custom roles.

Security Principal

The security principal determines who receives the role's permissions. It can be one of:

  1. User: a member of the cloud environment (a member or guest account in the Azure AD tenant).
  2. Group: a set of users or other principals managed together, typically by team or job function. Assigning roles to groups rather than to individual users keeps the number of assignments manageable and means membership changes do not require new assignments.
  3. Service Principal: the identity of an application or automation account in the Azure AD tenant; the roles assigned to it define what that application may do, and it authenticates with its own credential (secret or certificate).
  4. Managed Identity: an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications use managed identities to obtain Azure AD tokens without storing or rotating any credentials themselves.

Example: Implementing RBAC
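The following Az PowerShell script is an added example and is not code from the original post. It walks through the three elements above in order: resolve the security principal (a group), pick the scope (a resource group), inspect the role definition, make the assignment idempotently, and then confirm that a child resource inherits it. It assumes the Az.Accounts and Az.Resources modules are installed and you are already signed in with Connect-AzAccount; the group, resource group and VM names are placeholders.

```powershell
# Added example (not from the original post): assign a built-in role to a group at
# resource-group scope and confirm the assignment is inherited by a child resource.
# Assumptions: Az.Accounts/Az.Resources installed, already signed in (Connect-AzAccount);
# the names below are hypothetical placeholders.

$GroupName = 'app-readers'     # hypothetical security group
$RgName    = 'rg-app-prod'     # hypothetical resource group (the scope)
$VmName    = 'vm-app-01'       # hypothetical VM inside that resource group
$RoleName  = 'Reader'          # built-in role: control-plane read only, no data actions

# 1. Security principal: resolve the group, creating it if it does not exist yet.
#    Assign to groups rather than users so membership changes need no new assignments.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName
}

# 2. Scope: the ARM resource ID of the resource group. Everything beneath it inherits.
$scope = (Get-AzResourceGroup -Name $RgName).ResourceId

# 3. Role definition: look at what the role actually grants before handing it out.
$role = Get-AzRoleDefinition -Name $RoleName
'{0}: {1} Actions, {2} DataActions' -f $role.Name, $role.Actions.Count, $role.DataActions.Count
$role.Actions   # e.g. '*/read' for Reader

# Idempotent assignment: Get-AzRoleAssignment -Scope also returns assignments inherited
# from parent scopes, so filter on the exact scope before deciding to create one.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $RoleName -Scope $scope `
        -Description "Read-only access for $GroupName over $RgName"
}

# Inheritance check: query at the child VM's scope. The assignment made on the resource
# group is listed here as well, with Scope still pointing at the parent resource group.
$vmId = (Get-AzResource -ResourceGroupName $RgName -Name $VmName `
            -ResourceType 'Microsoft.Compute/virtualMachines').ResourceId
Get-AzRoleAssignment -ObjectId $group.Id -Scope $vmId |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The last query is the practical test of the inheritance rule from the Scope section: the VM has no assignment of its own, yet the group shows up with the Reader role because the assignment sits one level up. Running the same query against a sibling resource group would return nothing for this group.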

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) builds on RBAC rather than replacing it: a role assignment can carry a condition that is evaluated at request time against attributes of the resource being accessed (for example, a blob's container name or its index tags) or of the request itself. Access is granted only if the role permits the action and the condition is satisfied. This allows for:

  1. Fine-grained access control
    1. Adds another layer of filtering on top of the role, using the attributes
  2. Possible reduction of role assignments
    1. Azure limits the number of role assignments per subscription (2,000 at the time of writing; the limit has since been raised to 4,000), so one conditional assignment at a broad scope can replace many narrowly scoped assignments
  3. Further specification of resource value
    1. An attribute can further describe the purpose of a certain resource, and that description then drives who can access it

At the time of writing, conditions can only be attached to role assignments for Azure Blob Storage (in the portal under Access control (IAM) > Role assignments, or with the CLI and PowerShell) and only for the following data-plane roles; conditions are evaluated on data actions such as reading or listing blobs, which is why the control-plane storage roles are not in the list:

  1. Storage Blob Data Owner
  2. Storage Blob Data Contributor
  3. Storage Blob Data Reader

Example: Implementing ABAC
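The following Az PowerShell script is an added example and is not code from the original post. It assigns Storage Blob Data Reader to a group at storage-account scope, which by itself would let the group read every container, and then narrows it with a condition so only one container is readable. The same assumptions as before apply (Az.Resources installed, signed in); the group, resource group, storage account and container names are placeholders.

```powershell
# Added example (not from the original post): a Storage Blob Data Reader assignment
# restricted by an ABAC condition to a single container.
# Assumptions: Az.Resources installed, already signed in; names below are hypothetical.

$GroupName   = 'report-readers'   # hypothetical security group
$RgName      = 'rg-data-prod'     # hypothetical resource group
$AccountName = 'stdataprod001'    # hypothetical storage account (the scope)
$Container   = 'reports'          # the only container the group may read

$group = Get-AzADGroup -DisplayName $GroupName
$scope = (Get-AzResource -ResourceGroupName $RgName -Name $AccountName `
            -ResourceType 'Microsoft.Storage/storageAccounts').ResourceId

# Condition grammar (version 2.0). Read it as: "if the request is not a blob read,
# leave the role's behaviour unchanged; if it is a blob read, allow it only when the
# container name matches". The first branch matters: the condition is evaluated for
# every DataAction the role grants, so a condition that only named the container would
# silently deny any other action in the role.
$condition = @"
(
  (
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  )
  OR
  (
    @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '$Container'
  )
)
"@

New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage Blob Data Reader' `
    -Scope $scope `
    -Condition $condition `
    -ConditionVersion '2.0' `
    -Description "Blob read access limited to the '$Container' container"

# Verify the condition was stored with the assignment. Reviewing this output is how you
# confirm that a broad-scope assignment is actually narrowed and not a plain reader role.
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope, ConditionVersion, Condition
```

With this in place a member of the group can read blobs under `reports` but a read of a blob in any other container in the account is refused with a 403, even though the role itself is assigned at account scope. To key the condition on blob index tags instead of the container name, the attribute `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:<tagname>]` is used in the same position; the surrounding structure stays identical.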

Categories: Cloud
