Create and Assign Custom Roles to Users using Azure Role-Based Access Control

Overview

In this article, we will see how to create and assign custom roles to users and the importance of role-based access control in Azure. Also, we will get to know when to use RBAC and how to implement RBAC in any organization. We will use JSON files to create a custom role in Azure.

What is RBAC?

BAC stands for Role-Based access control. We can assign or provide exact roles and permission to any external user or employees using this. We can use the in-built Azure role to provide RBAC or create custom roles using JSON policies. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) help organizations to manage and assign roles and permission to the user. In a nutshell, RBAC is an authorization system on Azure that helps provide users with fine-grained access to complete their job.

Why We Need RBAC?

The diagram shows how Azure AD admin and RBAC roles are highly related.

In any organization, we have many roles to complete any job, and to complete the job, employees need access and exact permissions. To provide exact permission to external users or employees within the organization, we need a strong authorization system to give the users fine-grained access.

Azure came with RBAC, which will help organizations to assign exact roles to users, groups, and applications at a certain scope. The scope can be a subscription, a resource group, or a single resource. Role assignment at the parent scope will be applied to the child scope within that parent scope.

How to use RBAC in any Organization?

Azure provides many in-built roles which can be used to assign exact roles required to complete any task. For instance, we can assign a Virtual machine contributor if anyone wants access to manage a virtual machine in the Azure portal. The same goes for other resources present in the Azure portal. Otherwise, we can create a custom role using JSON policy, or Azure create a custom role feature on the Azure portal.

We can assign roles to groups, users, and applications. If we want to provide the same access to multiple users, we can create a group of that users and assign the role to the group. Similarly, we can use a management group as a scope for multiple subscriptions and assign the role to the management group.

In-built roles in Azure

Azure provides many in-built roles which can be used to provide direct access to users without any difficulty in creating any roles.

Some of the popular roles in Azure are:

Owner: This role provides owner access to the user, and users have full access to manage resources and assign roles to users.

Contributor: This role will grant access to manage resources but not give permission to assign roles to users.

Reader: This role will give access to view all resources but cannot create or update resources.

User Access Administrator: This role will let you manage user access to Azure resources.

Assign roles through JSON

Azure provides a feature to create a custom role using json policy. Json policy contains many fields where we define Actions and DataActions.

Actions – NotActions = Effective management permissions

DataActions – NotDataActions = Effective data permissions

Assignable Scope – /Subscription/management Group/resource Group

Here this JSON policy has contributor access to the scope:

Conclusion

This article taught us about Azure RBAC and when to use RBAC. Role-Based Access Control (RBAC) allows us to assign the exact permission required to perform any certain task. Azure has many in-built roles which will give required access. If we want custom roles, Azure also allows us to create your role and assign it to desired users. RBAC provides roles for each resource so that no extra permission is granted to users who do not need it. We cannot assign roles to subscriptions; we can only give roles to users, groups, resource groups, and resources. Parents scope role will be inherited to the child’s scope also.

About CloudThat