How to create custom RBAC/ABAC role in Azure?

The requirement is to create an access package with a few roles so that users can perform the activities below:

  • Read & write access to data stored in a given blob container ('abc' blob container).
  • A role to access Azure Data Factory to build a pipeline, process the data and load it to a staging area (a Blob container or SQL Server).
  • A role with DDL & DML and execute permissions to access the data/database in the SQL Server environment.

I was referring to Azure RBAC and built-in roles but was unable to get a clear idea considering the above points.

My question is, are there any built-in roles for this, OR do I need to create a custom role? And how do I create a custom role (for the above requirements) considering baseline security?

Is there any way to get a list of additional actions that I can refer to when writing custom JSON?

My question is, are RBAC roles possible for SQL Server in a VM? If yes, how?

Additionally, if I have both a PaaS instance of SQL Server and a VM instance of SQL Server (that is, SQL Server in a VM), how will the RBAC roles be managed for both?

Solution 1:[1]

According to your requirements, please go through the workarounds below to see if they are helpful:

Read & write access to data stored in a given blob container ('abc' blob container).

You can make use of a built-in role like Storage Blob Data Contributor, which allows operations such as reading, writing and deleting Azure Storage containers and blobs. If you want to know more detail, go through this reference.

A role to access Azure Data Factory to build a pipeline, process the data and load it to a staging area (a Blob container or SQL Server).

You can make use of a built-in role like Data Factory Contributor, which allows you to create and manage data factories as well as the child resources within them. Those child resources include pipelines, datasets, linked services and so on. With this role, you can build a pipeline, process the data and load it. If you want to know more detail, go through this reference.

A role with DDL & DML and execute permissions to access the data/database in the SQL Server environment.

You can make use of a built-in role like SQL Server Contributor, which allows you to manage SQL Servers and databases. If you want to know more detail, go through this reference.

If you want to create a custom role for all of these, make sure you have the Owner or User Access Administrator role on the subscription. You can create a custom role in 3 ways:

  • Clone a role – You can start from an existing role and modify its permissions by adding and deleting them according to your need.
  • Start from scratch – Here, you must add all the permissions you need manually by picking them from their resource providers and excluding the permissions you don't need.
  • Start from JSON – Here, you can just upload a JSON file that you create separately, including all needed permissions in the Actions variable and excluded permissions in the NotActions variable. If the permissions are related to data, add them to DataActions and NotDataActions as needed. In AssignableScopes, include the scope where the role should be available, i.e. the subscription or resource group as per need.

Considering baseline security, it is always suggested to give read permissions only. But as you need write permission for the blob container and for building the pipeline, you can add only those (read/write) in the Actions section and put the remaining ones (delete) in the NotActions section.

If you want to add additional actions, simply include those permissions in the Actions section of the JSON file and make sure to give read permissions on resource groups.

A sample custom role JSON file for your reference:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Combining all 3 requirements",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/***************************",
  "name": "**********************",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*"
      ],
      "notActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Custom Role Contributor",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reference:

Azure custom roles - Azure RBAC | Microsoft Docs
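As an added example that is not part of the answer above, a Python check of what a role definition like the sample JSON actually grants, using the documented Azure RBAC rule that effective permissions are Actions minus NotActions (NotActions subtracts from a wildcard; it is not a deny). It runs on a constructed subset of the sample role; the wildcard matching in matches() is an assumed simplification, and SENSITIVE is a constructed review list of deletes a least-privilege reviewer would expect to be excluded.

```python
import json
import re

# Constructed subset of the answer's sample role definition (only entries the checks use).
ROLE_JSON = """{
  "permissions": [{
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.DataFactory/factories/*",
      "Microsoft.Sql/servers/*"
    ],
    "notActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
      "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
    ],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "notDataActions": []
  }]
}"""
ROLE = json.loads(ROLE_JSON)


def matches(pattern: str, operation: str) -> bool:
    # Assumed wildcard semantics: '*' matches any run of characters, '/' included.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation) is not None


def is_allowed(role: dict, operation: str, data: bool = False) -> bool:
    # Granted when the operation matches Actions/DataActions and is not subtracted by NotActions/NotDataActions.
    allow_key, deny_key = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    for perm in role["permissions"]:
        allowed = any(matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def wildcard_leaks(role: dict, sensitive_ops: list) -> list:
    # Sensitive operations the role still grants, typically via a trailing '*' with no matching NotAction.
    return [op for op in sensitive_ops if is_allowed(role, op)]


# Constructed review list: management-plane deletes the role was meant to exclude.
SENSITIVE = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.Sql/servers/databases/delete",
    "Microsoft.DataFactory/factories/delete",
]
```

Running wildcard_leaks(ROLE, SENSITIVE) shows that the SQL Server and Data Factory deletes remain granted by the trailing wildcards, so the intent of "delete in NotActions" only holds where a NotAction entry is actually listed.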

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: SrideviMachavarapu-MT