Overview
In this article, we will see how to create custom roles and assign them to users, and why role-based access control matters in Azure. We will also learn when to use RBAC and how to implement it in any organization. We will use JSON files to create a custom role in Azure.
What is RBAC?
RBAC stands for Role-Based Access Control. With it we can grant external users or employees exactly the roles and permissions they need. We can use Azure's built-in roles, or create custom roles from JSON definitions. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) together help organizations manage and assign roles and permissions to users. In a nutshell, RBAC is the authorization system on Azure that gives users the fine-grained access they need to complete their job.
Why Do We Need RBAC?
The diagram shows how Azure AD administrator roles and Azure RBAC roles are closely related.
In any organization there are many roles involved in completing a job, and to complete it, employees need access with exactly the right permissions. To grant exact permissions to external users or employees within the organization, we need a strong authorization system that gives users fine-grained access.
Azure provides RBAC for this purpose. It lets organizations assign exact roles to users, groups, and applications at a certain scope. The scope can be a management group, a subscription, a resource group, or a single resource. A role assigned at a parent scope is inherited by every child scope within it.
How to use RBAC in any Organization?
Azure provides many built-in roles that can be used to assign exactly the role required to complete a task. For instance, we can assign Virtual Machine Contributor to anyone who needs to manage a virtual machine in the Azure portal, and the same goes for other resource types. Otherwise, we can create a custom role using a JSON policy, or with the "create a custom role" feature in the Azure portal.
We can assign roles to groups, users, and applications. If we want to give the same access to multiple users, we can create a group of those users and assign the role to the group. Similarly, we can use a management group as the scope for multiple subscriptions and assign the role at the management group.
In-built roles in Azure
Azure provides many built-in roles which grant users direct access without having to create any roles.
Some of the popular roles in Azure are:
- Owner: This role grants full access to manage resources and to assign roles to users.
- Contributor: This role grants access to manage resources but not permission to assign roles to users.
- Reader: This role grants access to view all resources but not to create or update them.
- User Access Administrator: This role lets you manage user access to Azure resources.
Assign roles through JSON
Azure provides a feature to create a custom role using a JSON policy. The JSON policy contains several fields, among them Actions and DataActions:
- Actions – NotActions = effective management (control-plane) permissions
- DataActions – NotDataActions = effective data (data-plane) permissions
- AssignableScopes – the management group, subscription, or resource group at which the role can be assigned
Here is the JSON policy for a custom role scoped to a single subscription. As written, its permission arrays are empty; the actions a contributor needs go into `actions`, and any operations to withhold (for example role assignment) go into `notActions`:

```json
{
  "properties": {
    "roleName": "RoleCustom",
    "description": "",
    "assignableScopes": [
      "/subscriptions/{subscription_id}"
    ],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
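The following is an added example, not code from the original article or from CloudThat. It fills the template above with Contributor-like management permissions (the sample definition, the `{subscription_id}` placeholder, and the `rg-demo` resource group are constructed for this example), then evaluates it offline: the effective permission formulas Actions – NotActions and DataActions – NotDataActions using Azure's `*` wildcard, the parent-to-child scope inheritance described earlier, and a few checks a reviewer would run before loading the definition.

```python
"""Offline evaluator for an Azure custom role definition.

Added example, not code from the original article. It parses a role definition of
the shape shown in the article, computes the effective permissions as
Actions - NotActions and DataActions - NotDataActions using Azure's '*' wildcard,
and checks whether an assignment scope lies at or below one of the role's
assignableScopes (a role assigned at a parent scope is inherited by its children).
ROLE_JSON is constructed for this example: the article's template with
Contributor-like management permissions filled in; {subscription_id} is a placeholder.
"""
import fnmatch
import json

ROLE_JSON = """
{
  "properties": {
    "roleName": "RoleCustom",
    "description": "Manage resources at the subscription scope, but not role assignments",
    "assignableScopes": [ "/subscriptions/{subscription_id}" ],
    "permissions": [
      {
        "actions": [ "*" ],
        "notActions": [
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/elevateAccess/Action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
"""


def load_role(text: str) -> dict:
    """Parse the role definition JSON into a dict."""
    return json.loads(text)


def _matches(operation: str, patterns: list) -> bool:
    """True if the operation matches any pattern. Azure operation names are
    case-insensitive and '*' matches any run of characters, including '/'."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def allows_action(role: dict, operation: str) -> bool:
    """Effective management permission: listed in Actions and not in NotActions."""
    return any(
        _matches(operation, p.get("actions", [])) and not _matches(operation, p.get("notActions", []))
        for p in role["properties"]["permissions"]
    )


def allows_data_action(role: dict, operation: str) -> bool:
    """Effective data permission: listed in DataActions and not in NotDataActions.
    Kept separate from allows_action because '*' in actions never grants data-plane access."""
    return any(
        _matches(operation, p.get("dataActions", [])) and not _matches(operation, p.get("notDataActions", []))
        for p in role["properties"]["permissions"]
    )


def is_in_assignable_scope(role: dict, scope: str) -> bool:
    """True if the assignment scope equals one of assignableScopes or sits beneath it,
    e.g. a resource group inside an assignable subscription."""
    target = scope.lower().rstrip("/") + "/"
    for allowed in role["properties"]["assignableScopes"]:
        root = allowed.lower().rstrip("/") + "/"
        if target.startswith(root):
            return True
    return False


def lint_role(role: dict) -> list:
    """Problems a reviewer would raise before loading the definition into Azure."""
    props = role["properties"]
    problems = []
    if not props.get("roleName"):
        problems.append("roleName is empty")
    if not props.get("assignableScopes"):
        problems.append("assignableScopes is empty, so the role could never be assigned")
    for p in props.get("permissions", []):
        if not p.get("actions") and not p.get("dataActions"):
            problems.append("permissions block grants nothing: actions and dataActions are both empty")
        if "*" in p.get("actions", []) and not any(
            n.lower().startswith("microsoft.authorization/") for n in p.get("notActions", [])
        ):
            problems.append("actions '*' without Microsoft.Authorization exclusions lets assignees grant roles")
    return problems


if __name__ == "__main__":
    role = load_role(ROLE_JSON)
    print("lint:", lint_role(role) or "ok")
    for op in ("Microsoft.Compute/virtualMachines/write", "Microsoft.Authorization/roleAssignments/write"):
        print(f"{op}: {'allowed' if allows_action(role, op) else 'denied'}")
    print("rg scope assignable:", is_in_assignable_scope(role, "/subscriptions/{subscription_id}/resourceGroups/rg-demo"))
```

Once `lint_role` reports nothing, the same file can be loaded into Azure with the Azure CLI's `az role definition create --role-definition role.json`, and assigned with `az role assignment create` at any scope that `is_in_assignable_scope` accepts. The `*` wildcard is the usual source of over-grants in custom roles, which is why the lint insists that a role with `"*"` in `actions` also excludes `Microsoft.Authorization` writes, the way the built-in Contributor role does.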
Conclusion
This article covered what Azure RBAC is and when to use it. Role-Based Access Control (RBAC) lets us assign exactly the permission required to perform a given task. Azure has many built-in roles that grant the required access, and if those do not fit, Azure also lets us create our own role and assign it to the desired users. RBAC provides roles per resource so that no extra permission is granted to users who do not need it. Roles are not assigned to a subscription itself; they are assigned to users, groups, and applications, with the subscription, resource group, or resource acting as the scope. A role assigned at a parent scope is also inherited by its child scopes.
FAQs
1. Can we assign roles to a subscription?
ANS: No, but we can create a role at the subscription scope.
2. Can we add more than one role to a user?
ANS: Yes, we can assign multiple roles to a user.

WRITTEN BY Kishan Singh
Kishan Singh works as Research Associate (Infra, Migration, and Security) at CloudThat. He is Azure Administrator and Azure Developer certified. He is highly organized and an excellent communicator with good experience in Cyber Security and Cloud technologies. He works with a positive attitude and has a good problem-solving approach.