Guestblog: Create a custom RBAC role in Azure

Hi there,

The Azureman is back, and today with a guest post from another Azureman, Dennis van Doorn. Dennis is a colleague from inovativ, who is currently getting acquainted with the Azure platform. Recently he decided to dive into the new Role Based Access Control features in Azure, and I’m thankful that I have the privilege to share this blog from Dennis. You can find his own website through this link.

With this short introduction, enjoy Dennis’ blog!

 

In Azure it is very easy to delegate rights to internal or external users. Some times the standard RBAC Role Defininitions are not sufficient to delegate at the right level of access. And that’s where custom RBAC roles come in. In this post we will go trough the process of creating a custom RBAC role in Azure.

You will need the Azure PowerShell module for this. In case you have not installed this yet, you can download it from here.

In case you are not yet familiair with Azure RBAC Role Definitions, it is good to first explore the existing role definitions and operations a bit in PowerShell.

#Login with your Azure Account and select the subscription you want to use.

Login-AzureRmAccount
Get-AzureRmSubscription
Select-AzureRmSubscription -SubscriptionName “Developer Program Benefit”

First we will get the standard role definitions.

#List all standard role definitions
Get-AzureRmRoleDefinition | FT Name , Description – Autosize

Dennis01

As you can see there are already many Role Definitions. Before creating your own custom roles you should examine if you can use a standard role for what you want to achieve.  In some cases it can be handy to use a standard role as a base for your custom role.

Now let’s zoom in a bit on the actions for a specific role. In this case we look at the “Virtual Machine Contributor” role.

# Get all actions for a specific role definition
# In this example “Virtual Machine Contributor”
$VMContribRole = Get-AzureRmRoleDefinition “Virtual Machine Contributor”
$VMContribRole.Actions

Dennis02

As you can see a role defines several actions a user can do when the “Virtual Machine Contributor” role is assigned to the user. On the first line you will see an action that is included in almost all standard roles: “Microsoft/Authorization/*/Read”. We will include this one in our custom role as well.

To get a full list of all the resources and the actions that can be assigned to a user, use the PowerShell line below:

Get-AzureRmProviderOperation *

With this extensive list of actions it is possible to create your own custom Role Definitions.

Example

In the following example we need to delegate the administration of The Notification Hub to a external user. We will create a custom role to be able to give the external user access to the Notification Hub. The Notification Hub is created in a Resource Group named “RGNotificationHub”.

From the full operation action listing it is clear we need something to do with “Microsoft.Notificationhubs” and “Microsoft.Resources/Subscriptions/ResourceGroups” in our custom role. We will scope the custom role to the Resource Group name “RGNotificationHub” so we can only assign the custom role to users for this resource group.

We are going to create a JSON file to create our own Custom Role Definition. Put in your own subscription ID and resource group name if applicable. If you want the custom role to be available throughout the subscription you can leave out the resource group part.

{
“Name”: “Notification Hub Administrators”,
“Description”: “Can manage Notification Hubs”,
“Actions”: [
“Microsoft.Authorization/*/read”,
“Microsoft.Notificationhubs/*”,
“Microsoft.Resources/Subscriptions/ResourceGroups/read”,
“Microsoft.Resources/Subscriptions/ResourceGroups/resources/read”
],
“AssignableScopes”: [“/subscriptions/12345678-1234-1234-1234-123456789012/ResourceGroups/RGNotificationHub”]
}

From powershell we will now create a new Custom Role with use of the created JSON file:

New-AzureRmRoleDefinition -InputFile “C:\Temp\NotificationHubAdmin.json”

Dennis03

Now we can assign the custom role to a user or group on a certain scope. This can be on Subscription Level for instance, but also on Resource Group Level. The test user used in the example is a standard user account and does not have any rights to Azure Subscriptions and Resources. We will assign the custom role to the scope, in this case the ResourceGroup RGNotificationHub.

Dennis04

When we sign in with the test user, we only have access to the Resource Group RGNotificationHub and the NotificationHub resources in it. We have now successfully delegated the administrator of the Notification Hub.

Dennis05

For other custom roles, the procedure is basically the same. Just let your imagination go wild.

Thanks Dennis, for this great explanation!

Want to know more, or did any questions come up when you were reading this? Do you have some feedback for me or Dennis? Leave a comment or drop me an email.

Until the next time, keep it cloudy!

Bert Wolters
http://www.twitter.com/BertWolters

Leave A Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.