AZ-900 Episode 28 | Azure Role-based Access Control (RBAC)

Reddit Comments

I started studying for my AZ-900 using your videos before I realized you were not finished creating them all. I went on to study with other resources after finishing the videos you had posted, and passed my exam. I just wanted to come on here and say thanks for the work you are doing, as I found your videos helpful and I'm sure others will as well. Thanks!

u/Cybertron2600, 2 points, Nov 09 2020

Azure Role-based Access Control (RBAC) is a key topic when it comes to access management in Azure. In this episode, we dive into what RBAC is and how it works.

📺 Video: https://youtu.be/4v7ffXxOnwU

🌐 Site: https://marczak.io/az-900/#ep28

🧠 Practice Test https://marczak.io/az-900/episode-28/practice-test

u/AdamMarczakIO, 1 point, Nov 06 2020
Captions
Hey everyone, it's Adam. In today's episode I want to talk about how Azure manages access to your resources with something called role-based access control. Stay tuned.

Today we will be talking about managing access to Azure resources with something called role-based access control. In previous episodes we talked about how Azure Active Directory is a centralized service for identity and access management, and that access management for Azure resources is done with the role-based access control feature.

To better understand how this works, let's start with what roles are. In Azure you have multiple resources, like disks, virtual machines, SQL databases, web applications and many more, and for all of those services you can perform certain actions: you can create a disk, update that disk, maybe attach it to a virtual machine, start or stop this virtual machine, scale up your database, or just deploy a web application. All those things that you can do in Azure with those services are so-called actions. An action, as the name suggests, defines what can be done with a certain type of service. Potentially you could assign each specific action to users and applications to allow them to manage Azure resources, but it would be very time consuming, because there are literally hundreds or even thousands of actions that can be performed in Azure. As such, it is easier to create bundles of those actions, so you can combine the actions that you are interested in, like update disk, start and stop virtual machine and attach disk, and create a role called "virtual machine operator". You can create as many roles as you want for your organization, so you can fine-grain your permissions for your applications and for your users however you need. All of those are of course roles, and Azure comes with a lot of built-in roles, allowing you to manage access to your resources and cover the most common scenarios very easily. So a role in Azure, a so-called role definition, is simply a collection of actions that can be assigned to a user or application identity, and it will define which actions can be performed by that specific identity. A role definition answers the question: what can be done, which actions can you perform on Azure resources?

Which brings us to the second topic. We already said the role needs to be assigned to an identity. In this case identities are so-called security principal objects within Azure Active Directory that represent users or applications. So those could be users or groups of users. You can also assign roles to service principals, so application accounts in Azure, or application accounts that are tied to a specific service, called managed identities. All those are called security principals, and they can be assigned a role. So let's say we have a user called Adam. We can assign roles to Adam; let's say we assign him a virtual machine operator and a database operator role, so that Adam can perform support and operation tasks effectively. You can combine as many roles as you need to fit your needs. It is a common practice in Azure to give multiple roles to users and groups, so that you can fine-grain permissions and only grant the least privilege required to perform certain actions for specific users. You can also assign to Tom, let's say, a web developer role if he is developing web applications, or assign a role to a group. In this case a DB operator role will be assigned to the Support L1 group, so that means both Jess and Pete, who are part of this group, would get that role assigned as well. It is quite important to understand that assigning a role to a group will affect all of the users within that group. Those are exactly the security principals that we've been talking about: a security principal is an Azure object, an identity that can be assigned a role, and those objects can be users, groups or applications. In this case the security principal assignment answers the question: who can do it? So a role answers the question what can be done, and the security principal assignment defines who can do it.

Additionally, a role needs to be assigned to a scope: where exactly those actions can be taken. Azure is organized in a hierarchy, and the top-level object in Azure is called a management group, which allows you to group multiple subscriptions or multiple management groups. A subscription is the top-level billing object, so most of us will have a subscription as our top-level resource in Azure when we purchase our Azure subscriptions. Under each subscription you will have multiple resource groups, and of course, since resource groups are a logical container for resources, under them you will have your own resources. When you assign a role to a scope you can assign it at any level. If you assign it at the top level, on a management group level, that role will be inherited by all the child resources; so if you assign a role on a management group level, that role will be propagated across all of the subscriptions, all of the resource groups and all of the resources within this management group. If you decide to assign it on a subscription level, of course it will affect only resource groups and resources within that subscription, and if you assign it on a resource group level the same thing applies. So you can assign it on any level that you want, even down to a resource level: if you want, you can give me access to your specific virtual machine or specific database only. All of those are called scopes. A scope is simply one or more resources that the access is applied to, so the scope assignment answers the question: where can it be done?

So let's follow this with an example. What can be done? If you assign an Owner role, that means everything can be done; all the actions within Azure can be taken. By whom can it be done? In this case, if you assign it to a user, that means Adam can do everything. So the last question is where it can be done. Let's say you assign it to a virtual machine resource called dev-vm. In this case you can read it from top to bottom: every action, everything, can be performed by Adam on the dev-vm virtual machine. Those three things are combined into something called a role assignment. So a role assignment is simply a combination of a role definition, a security principal and the scope.

Inside of the Azure portal I'm logged in with my administrative account, my full Owner account of this entire subscription, but I'm also logged in, in another browser window, with Tom Dow's account. Tom currently doesn't have any privileges, so if I go to resource groups I see I don't have any resource groups or any resources that I have access to. So let's play around with roles; let's see what roles Tom can be assigned and how to manage roles for Tom in the Azure portal. We go back to the browser window where I'm logged in with my administrative account, and I can open the resource groups panel to find all the resource groups that I have access to. Let's say we want to give access to one of those resource groups, let's say az900-vm, to Tom. Just open this resource group and on the left-hand side navigate to the panel called Access control (IAM). In this panel you can manage the access to your Azure resources and resource groups; this panel exists on every single resource in Azure. In here there are multiple tabs that you can use. For example, the Check access tab allows you to check what the currently assigned permissions are for a specific user, group or service principal. In this case, if I search for Adam and select my own account, I see that currently I have Owner assigned on a subscription level and on a management group level, and I'm also assigned Storage Blob Data Owner, also on a subscription level. So I have multiple roles that are inherited from the subscription and management group level for my account. If I close this panel and type "Tom", I find out that Tom currently doesn't have any role assigned, and we could see that in our second browser window.

If I want to assign a role, I can select the button here called Add and select Role assignment. As we said, a role assignment is a combination of three things, so we need to select a role: what can be done. As you see, there are plenty of available roles in Azure, and they solve the most common challenges around access management in Azure. If I want to give a Reader role to Tom, so Tom should only be able to read and see Azure resources but not change them, I can select the Reader role. Next I need to select to whom we assign this: do we assign it to a user, a group, a service principal or maybe some managed identity? Next we need to select the object, so who can perform this; in this case I will type "Tom", select Tom's account and hit Save. Notice that we didn't pick a scope, because the scope in this case was automatically picked: we are now on the resource group level. We can review all of the assignments that are done for this specific resource group in another tab called Role assignments. In this tab we can review all the roles and role assignments that have been done for the specific resource group, and we now see Tom added as a Reader. If you scroll up, the next tab is called Roles. This panel allows you to review what the built-in and custom roles in Azure are, which users, groups and service principals are assigned to those roles, but also what the actions are that are bundled under each specific role. That's a topic for another day.

Let me navigate back to my resource group, where I will navigate even further down to the level of a virtual machine. In the virtual machine I will go to Access control again and show you that Tom currently has a Reader role assigned, but we can also add another role assignment to Tom on this specific virtual machine, let's say the Virtual Machine Contributor role. With this role Tom should be able to manage everything related to this virtual machine, not just read it. So let's type "Tom", select Tom's account and hit Save. In this case the scope only applies to this specific virtual machine, because this is the place where we accessed this Access control panel. Now if we navigate to Tom's account we will need to wait a couple of minutes for Tom's permissions to be updated, but after that he should be able to perform all of the actions based on the roles that we just assigned to him. Once the few minutes have passed you can refresh the page. When you see your resource group you can navigate to it, and let's confirm that Tom has only Reader access by trying to delete one of the resources. Let's say we go to this public IP and try to delete it. We should get an error, because we currently don't have any permissions on this specific virtual machine IP that allow us to delete it. If we navigate back to the resource group, we also remember that for this specific virtual machine we're assigned Virtual Machine Contributor, a more privileged role in Azure. Since this virtual machine is currently running, I can select Stop to stop this virtual machine, and as a Virtual Machine Contributor I should be allowed to do that. As you see, the virtual machine has been stopped, so our role has been assigned properly.

So let's summarize. Role-based access control in Azure is an authorization system built on top of Azure Resource Manager which allows you to manage the access to your Azure resources with very high granularity. Additionally, a role assignment is a combination of three things: a role definition, which is a list of permissions, actions that you can take; a security principal, a user, group or application; and the scope, where we assign those permissions to. In this case it can be a resource, a resource group, a subscription or a management group. It is also important to know that scopes are hierarchical, so if you assign a role on a management group level it will affect all the subscriptions, resource groups and resources. Last but not least, built-in and custom roles are supported. Microsoft provides you with a very long list of already available roles in Azure; you can use those to manage the access for your Azure resources, but if you will be doing a lot of operations, a lot of automation, you might find that those built-in roles might not suit your needs, might not cover all of the corner cases. In this case Azure allows you to create custom roles, so define your own collections of actions and then assign those as a regular role in Azure, and it works anywhere across Azure the same way. So you can use either built-in or custom roles.

All the materials for this episode can be found under episode 28 on my website, and this is it for this episode. If you want to move to the next one, use the playlist or hit the icon on the side. Our next topic is Azure resource locks and how they help us protect our Azure resources when it comes to operations. If you like my work, support the channel by subscribing, liking and commenting, and see you in the next one.
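The portal walk-through in the captions (Reader on the az900-vm resource group, then Virtual Machine Contributor on a single VM, a group assignment for Support L1, and an Owner assignment inherited from a management group) as a small Python model. This is an added example for this page, not code from the video and not Microsoft's implementation: it reproduces how a role assignment (role definition + security principal + scope) is evaluated, including scope inheritance, group membership and NotActions. The built-in role definitions are abbreviated, and the DB Operator custom role's action list, the subscription ID, the scope paths and the user and group names are all constructed for the demo.

```python
# Toy model of Azure RBAC role assignment evaluation (added example, not the
# video's or Microsoft's code; roles abbreviated, scopes and names constructed).
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    """A named bundle of actions in Azure's wildcard syntax, e.g. '*/read'."""
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()

    def permits(self, action: str) -> bool:
        # Case-insensitive match; '*' spans any characters, '/' included. NotActions
        # only subtract from this role's own grant; they do not deny other roles.
        act = action.lower()
        granted = any(fnmatchcase(act, p.lower()) for p in self.actions)
        removed = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return granted and not removed


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # who: user, group or service principal
    role: RoleDefinition  # what: the role definition
    scope: str            # where: management group, subscription, RG or resource ID


class Tenant:
    def __init__(self) -> None:
        self.parent: dict[str, str | None] = {}  # scope -> parent scope (None = root)
        self.group_members: dict[str, set[str]] = {}
        self.assignments: list[RoleAssignment] = []

    def scope_chain(self, scope: str) -> set[str]:
        # The scope and all its ancestors: an assignment at any of them is inherited.
        chain, cur = set(), scope
        while cur is not None:
            chain.add(cur)
            cur = self.parent[cur]
        return chain

    def principals_for(self, user: str) -> set[str]:
        # The user plus its groups: a role assigned to a group covers every member.
        return {user} | {g for g, m in self.group_members.items() if user in m}

    def effective_roles(self, user: str, scope: str) -> list[tuple[str, str]]:
        # What the portal's Check access tab shows: (role, scope it was assigned at).
        who, where = self.principals_for(user), self.scope_chain(scope)
        return [(a.role.name, a.scope) for a in self.assignments
                if a.principal in who and a.scope in where]

    def is_allowed(self, user: str, action: str, scope: str) -> bool:
        # Azure RBAC is additive: a single matching assignment is enough.
        who, where = self.principals_for(user), self.scope_chain(scope)
        return any(a.principal in who and a.scope in where and a.role.permits(action)
                   for a in self.assignments)


# Built-in roles, abbreviated (the real definitions list more actions).
OWNER = RoleDefinition("Owner", ("*",))
READER = RoleDefinition("Reader", ("*/read",))
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", (
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/join/action"))
# A custom role of the kind the episode describes; its action list is constructed.
DB_OPERATOR = RoleDefinition("DB Operator",
    ("Microsoft.Sql/servers/read", "Microsoft.Sql/servers/databases/*"),
    not_actions=("Microsoft.Sql/servers/databases/delete",))

MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/az900-vm"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/dev-vm"
PIP = RG + "/providers/Microsoft.Network/publicIPAddresses/dev-vm-ip"
DB = RG + "/providers/Microsoft.Sql/servers/srv1/databases/app"


def build_demo_tenant() -> Tenant:
    t = Tenant()
    t.parent.update({MG: None, SUB: MG, RG: SUB, VM: RG, PIP: RG, DB: RG})
    t.group_members["Support L1"] = {"jess", "pete"}
    t.assignments += [
        RoleAssignment("adam", OWNER, MG),               # inherited by everything below
        RoleAssignment("tom", READER, RG),               # the portal demo: Reader on the RG
        RoleAssignment("tom", VM_CONTRIBUTOR, VM),       # then VM Contributor on one VM only
        RoleAssignment("Support L1", DB_OPERATOR, SUB),  # group assignment: Jess and Pete
    ]
    return t


if __name__ == "__main__":
    t = build_demo_tenant()
    print(t.is_allowed("tom", "Microsoft.Network/publicIPAddresses/delete", PIP))    # False
    print(t.is_allowed("tom", "Microsoft.Compute/virtualMachines/deallocate/action", VM))  # True
```

The two checks at the bottom are the operations behind the Delete and Stop buttons used in the video (portal Stop deallocates the VM). The delete fails for the same reason it did on screen: Reader grants only `*/read`, and the Virtual Machine Contributor assignment is scoped to the VM itself, not to the public IP that sits beside it in the resource group. Two things the model leaves out are worth knowing: real role definitions also carry DataActions (which is why Adam's Storage Blob Data Owner is a separate role from Owner), and Azure additionally supports deny assignments, which this additive model does not represent. The same assignments in Azure CLI are `az role assignment create --assignee <user> --role Reader --resource-group az900-vm` and `az role assignment create --assignee <user> --role "Virtual Machine Contributor" --scope <VM resource ID>`; `az role assignment list --assignee <user> --all` is the command-line counterpart of the Check access tab.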
Info
Channel: Adam Marczak - Azure for Everyone
Views: 49,268
Rating: 4.9838581 out of 5
Keywords: Azure Fundamentals, Full Course, az 900, azure, RBAC, roles, role based access control, access control
Id: 4v7ffXxOnwU
Length: 13min 41sec (821 seconds)
Published: Fri Nov 06 2020