Azure provides much flexible role-based access control for Azure resources through which you can efficiently manage users access to azure resources, can allow the level of permission, and can identify their access to various resources. This access control is called as Azure role-based access control i.e., Azure RBAC.
To know more details, on the concept of Azure RBAC, You can check my previous article: https://rijsat.com/2021/03/28/what-is-azure-role-based-access-control-rbac/
In this article, I will show how to manage role-based access control form Azure Portal. I will demonstrate step by step Azure RBAC with Azure app service, however, the process for any other resources, groups, and subscriptions is same.
The first Step is to login in Azure portal. If you do not have any subscriptions, then you can create a trail one.
After login to the azure portal, we will see screen something like as shown below with our recent resources.
We can choose any one the resource where we can manage the access/permissions. In my case, I am selecting one of my app service, however the process is same for every resources/service, resource groups, or subscriptions.
After that, we will select Access Control as shown:
Let me explain some the options in this page.
Add: On clicking this, we will get option for role assignment or co-administrator.
Download role assignments: We can download the exiting role assignments in a csv or json file.
Check access: We can check the access details of any user, group, or service principal. Additionally, we can view current user access.
Role Assignments: This option will give the list of users, groups and service principals with their role and scopes who are having access to this app service as given.
I have highlighted the necessary areas in this role assignments list view. We can all the users with their role and scope. Additionally, we can use filters of different types.
Roles and Roles (Preview): Roles option gives list of all the roles available, both built-in and custom created. Roles (preview) gives role with descriptions. We can add custom roles and can remove any roles from this screen.
Deny Assignments: This option will show you list of deny access. Deny assignments block users from performing specific actions even if a role assignment grants them access. At this time, the only way you can add your own deny assignments is by using Azure Blueprints.
Classic Administrators: List of administrators. Also, we will have option to remove the administrator based on permissions.
Grant Access or Add Role Assignments
In this section, I will show how to provide access to resource by assigning role to user(s) or group(s). We can do role assignments from the two options as shown:
As shown in above image with highlighted red, we can do role assignments to users with two options.
First, Click on Add role assignment then we will get options as depicted.
We will get three options to choose: Role, Assign access to (type of users/security principal) and Select (users).
Role: we use this option to select the role which we are going to assign. Here are the list roles available to azure app service:
There are several roles available for this app service like owner, contributor, reader, log analytics related, managed application related, monitoring related, user access administrator, website contributor etc.
Note: Role list can be different based on the resources like azure app service, azure SQL service, azure VM, resource group, subscriptions etc. will have different roles types.
However, there are some common roles like owner, contributor, reader etc. to every azure resources.
Assign access to: This option means to assign access to users, group, or security principal. Additionally, we can give access to system assigned managed identity like another app service, container instance, azure resources like data factory, function app, logic app, signalR Service, VMs likewise.
We can give access to system managed identity of other subscriptions as well as shown:
After selecting role and then access to like azure app, or any other system managed identity then we will get option to select subscription and resource form that subscription as portrayed:
Similarly, if we select user, group, or service principal then we will get option select users or groups as shown below:
Note: we can search and add single or multiple users from our organization or guest users.
Finally, we can grant access to users by selecting a role, assign access to, users and save it as depicted.
This is how, we can assign or grant access to azure resources that is called as Azure RBAC role-based access control.
In this article, I have demonstrated how to grant access to azure resources in details which is also called as Azure RBAC role-based access control. I have exemplified step by step using Azure App service with complete Azure RBAC and available additional options. However, the processes are same for another azure resources, resource groups, and subscriptions. Then again, role list/options might be different based on type of resources.