Voiced by Amazon Polly |
Overview
In this article, we will see how to create and assign custom roles to users and the importance of role-based access control in Azure. Also, we will get to know when to use RBAC and how to implement RBAC in any organization. We will use JSON files to create a custom role in Azure.
Freedom Month Sale — Upgrade Your Skills, Save Big!
- Up to 80% OFF AWS Courses
- Up to 30% OFF Microsoft Certs
What is RBAC?
BAC stands for Role-Based access control. We can assign or provide exact roles and permission to any external user or employees using this. We can use the in-built Azure role to provide RBAC or create custom roles using JSON policies. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) help organizations to manage and assign roles and permission to the user. In a nutshell, RBAC is an authorization system on Azure that helps provide users with fine-grained access to complete their job.
Why We Need RBAC?
The diagram shows how Azure AD admin and RBAC roles are highly related.
In any organization, we have many roles to complete any job, and to complete the job, employees need access and exact permissions. To provide exact permission to external users or employees within the organization, we need a strong authorization system to give the users fine-grained access.
Azure came with RBAC, which will help organizations to assign exact roles to users, groups, and applications at a certain scope. The scope can be a subscription, a resource group, or a single resource. Role assignment at the parent scope will be applied to the child scope within that parent scope.
How to use RBAC in any Organization?
Azure provides many in-built roles which can be used to assign exact roles required to complete any task. For instance, we can assign a Virtual machine contributor if anyone wants access to manage a virtual machine in the Azure portal. The same goes for other resources present in the Azure portal. Otherwise, we can create a custom role using JSON policy, or Azure create a custom role feature on the Azure portal.
We can assign roles to groups, users, and applications. If we want to provide the same access to multiple users, we can create a group of that users and assign the role to the group. Similarly, we can use a management group as a scope for multiple subscriptions and assign the role to the management group.
In-built roles in Azure
Azure provides many in-built roles which can be used to provide direct access to users without any difficulty in creating any roles.
Some of the popular roles in Azure are:
Owner: This role provides owner access to the user, and users have full access to manage resources and assign roles to users.
Contributor: This role will grant access to manage resources but not give permission to assign roles to users.
Reader: This role will give access to view all resources but cannot create or update resources.
User Access Administrator: This role will let you manage user access to Azure resources.
Assign roles through JSON
Azure provides a feature to create a custom role using json policy. Json policy contains many fields where we define Actions and DataActions.
Actions – NotActions = Effective management permissions
DataActions – NotDataActions = Effective data permissions
Assignable Scope – /Subscription/management Group/resource Group
Here this JSON policy has contributor access to the scope:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
{ "properties": { "roleName": "RoleCustom", "description": "", "assignableScopes": [ "/subscriptions/{subscription_id}" ], "permissions": [ { "actions": [], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } |
Conclusion
This article taught us about Azure RBAC and when to use RBAC. Role-Based Access Control (RBAC) allows us to assign the exact permission required to perform any certain task. Azure has many in-built roles which will give required access. If we want custom roles, Azure also allows us to create your role and assign it to desired users. RBAC provides roles for each resource so that no extra permission is granted to users who do not need it. We cannot assign roles to subscriptions; we can only give roles to users, groups, resource groups, and resources. Parents scope role will be inherited to the child’s scope also.
Freedom Month Sale — Discounts That Set You Free!
- Up to 80% OFF AWS Courses
- Up to 30% OFF Microsoft Certs
About CloudThat
CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.
FAQs
1. Can we assign roles to a subscription?
ANS: – No, we can create a role in the subscription scope.
2. Can we add more than one role to a user?
ANS: – Yes, we can add multiple roles to users.

WRITTEN BY Kishan Singh
Kishan Singh works as Research Associate (Infra, Migration, and Security) at CloudThat. He is Azure Administrator and Azure Developer certified. He is highly organized and an excellent communicator with good experience in Cyber Security and Cloud technologies. He works with a positive attitude and has a good problem-solving approach.
Comments