Scope (Where) – Compliance and Cloud Governance

Scope is not an unfamiliar word for us. You saw this term when we discussed management groups and policies. In RBAC, scope is used to define where exactly the security principal should have the permissions described in the definition.

Allowed scopes include management groups, subscriptions, resource groups, and resources. Unlike policies, you can have resource-level permissions. The access given to a higher scope is inherited by all child scopes.

FIGURE 2.16 Viewing the definition of a role using PowerShell

FIGURE 2.17 Viewing the definition of a role using the Azure CLI

Assignment

Combining the security principal (who), role definition (what), and scope (where) forms the assignment. In other words, the action of attaching a role definition to a security principal at a specific scope is called role assignment.

As an administrator, you will be creating the assignments to grant users access to particular scopes. The action mentioned in the role definition can be performed by these users as long as they have access to the scope.

Figure 2.18 illustrates how the security principal, role definition, and scope are combined to create a role assignment.

FIGURE 2.18 Role assignment process

Now that you are familiar with the concepts, let’s learn the fundamental roles for RBAC.

Azure RBAC Roles

In this section, we will discuss the fundamental roles that every administrator should know. Additionally, we will cover the key differences between Azure AD roles, Azure RBAC roles, and custom roles.

Fundamental RBAC Roles

Azure provides 100+ built-in roles meant for providing granular access to each service; however, memorizing all these roles is not possible. The fundamental roles are useful in scenarios where you want to give full access or read-only access to a specific scope. If neither the fundamental roles nor the other built-in roles meet your requirements, you will go with custom roles. There are four Azure fundamental roles that you should be aware of.

Owner  Has full access to the scope to which it is assigned and can delegate access to other users. For example, an Owner can assign the Owner role, or any other role, to another user.

Contributor  Has the same level of resource permissions as Owner; however, Contributor cannot delegate access to others.

Reader  Grants read-only access to the assigned scope.

User Access Administrator  Can delegate access to other users; however, this role cannot manage any resources.
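The scope inheritance described above and the four fundamental roles can be put together in a small model. The following is an added example and not code from the book: it represents an assignment as (security principal, role definition, scope), walks up the scope hierarchy from a resource to its resource group, subscription, and management groups, and evaluates a role's Actions and NotActions the way the built-in definitions express them. The role definitions are abbreviated copies of the built-in ones (compare with Get-AzRoleDefinition or az role definition list), deny assignments and DataActions are left out, and the management-group tree is supplied as a constructed map because a subscription's management group is not encoded in its resource ID. All principal names, subscription IDs, and resource names are constructed.

```python
"""Toy model of Azure RBAC evaluation: assignment = who + what + where,
with permissions inherited down the scope hierarchy (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated role definitions (assumption: the real ones carry more entries).
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor is Owner minus the ability to delegate access.
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
}

# Constructed management-group hierarchy (not derivable from resource IDs).
MG_ROOT = "/providers/Microsoft.Management/managementGroups/contoso-root"
MG_PROD = "/providers/Microsoft.Management/managementGroups/contoso-prod"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
MG_OF_SUBSCRIPTION = {SUB: MG_PROD}
MG_PARENT = {MG_PROD: MG_ROOT}


@dataclass(frozen=True)
class Assignment:
    """Who (security principal) + what (role definition) + where (scope)."""
    principal: str
    role: str
    scope: str


def parent_scope(scope: str):
    """Return the next scope up the hierarchy, or None at the root."""
    if scope.startswith("/subscriptions/"):
        parts = scope.split("/")
        if len(parts) > 5:      # a resource: parent is its resource group
            return "/".join(parts[:5])
        if len(parts) == 5:     # a resource group: parent is the subscription
            return "/".join(parts[:3])
        return MG_OF_SUBSCRIPTION.get(scope)
    return MG_PARENT.get(scope)


def scope_chain(scope: str):
    """The scope itself followed by every ancestor up to the root, lowercased."""
    chain = []
    while scope is not None:
        chain.append(scope.lower())
        scope = parent_scope(scope)
    return chain


def role_permits(role: str, action: str) -> bool:
    """Actions grant and NotActions subtract; '*' spans '/' as in Azure."""
    a, defn = action.lower(), ROLES[role]
    granted = any(fnmatchcase(a, p.lower()) for p in defn["Actions"])
    excluded = any(fnmatchcase(a, p.lower()) for p in defn["NotActions"])
    return granted and not excluded


def is_allowed(principal: str, action: str, scope: str, assignments) -> bool:
    """True if an assignment for the principal at this scope or at any
    ancestor scope carries a role whose effective actions cover the action."""
    chain = scope_chain(scope)
    return any(a.principal == principal and a.scope.lower() in chain
               and role_permits(a.role, action) for a in assignments)


# Constructed scopes and one assignment per fundamental role.
RG1 = f"{SUB}/resourceGroups/rg-app"
RG2 = f"{SUB}/resourceGroups/rg-shared"
VM = f"{RG1}/providers/Microsoft.Compute/virtualMachines/vm-web01"
SA = f"{RG2}/providers/Microsoft.Storage/storageAccounts/stshared01"
ASSIGNMENTS = [
    Assignment("alice", "Owner", SUB),
    Assignment("bob", "Contributor", SUB),
    Assignment("carol", "Reader", RG1),
    Assignment("dave", "User Access Administrator", MG_ROOT),
]

if __name__ == "__main__":
    for who, action, where in [
        ("alice", "Microsoft.Authorization/roleAssignments/write", RG1),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM),
        ("bob", "Microsoft.Authorization/roleAssignments/write", RG1),
        ("carol", "Microsoft.Compute/virtualMachines/read", VM),
        ("carol", "Microsoft.Storage/storageAccounts/read", SA),
        ("dave", "Microsoft.Authorization/roleAssignments/write", SA),
        ("dave", "Microsoft.Compute/virtualMachines/delete", VM),
    ]:
        print(f"{who:6} {action:48} {is_allowed(who, action, where, ASSIGNMENTS)}")
```

Running it shows the four behaviours the list describes: Owner at the subscription can write role assignments in a child resource group, Contributor at the same scope can manage a virtual machine but is blocked from role assignments by its NotActions, Reader at one resource group sees nothing in a sibling resource group, and User Access Administrator at the root management group can delegate access on a resource several levels down without being able to delete it.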

A common question is how Azure AD roles differ from Azure RBAC roles and where exactly the classic roles fit. Let’s understand the differences between these concepts.
