
Azure Resource Group Access

How to restrict a user from accessing specific resource groups?

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

When you create a new user for Azure, they have no permissions at all against any subscriptions; logging into the portal will present an empty view with no resources.

If you give that user the reader permission, they will then be able to read any resource in the subscription, but not modify anything. As would be expected. With reader permission on the subscription, they cannot create anything, resource groups or otherwise.

If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.

Under the surface, every contributor and reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any contributor or reader role can see all resource groups.

There is no built in role that has explicitly defined resourceGroups/write or resourceGroups/* permission.

The only groups with that permission implicitly applied are contributor and owner, which have "*" applied.

This means that only contributors and owners can create resource groups in a subscription.

It would be possible to create a custom role that denied resourceGroup/write.

So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
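To check that a principal really is scoped the way this answer describes (assignments only on the chosen resource groups, nothing at subscription scope or above), here is an added audit routine that is not from the original thread. It works over a list of role assignments in the shape that `az role assignment list --all -o json` produces; the field names, the sample data and the subscription and principal IDs are all assumed or constructed.

```python
import re

# Constructed sample assignments (field names assumed from az CLI JSON output).
SAMPLE_ASSIGNMENTS = [
    {"principalId": "1111-aaaa", "principalName": "alice@example.com",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub/resourceGroups/rg-app1"},
    {"principalId": "1111-aaaa", "principalName": "alice@example.com",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub/resourceGroups/rg-app2"},
    {"principalId": "1111-aaaa", "principalName": "alice@example.com",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub/resourcegroups/rg-app3"},
    # bob has a subscription-level Reader grant: every resource group is visible to him.
    {"principalId": "2222-bbbb", "principalName": "bob@example.com",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/0000-sub"},
    {"principalId": "2222-bbbb", "principalName": "bob@example.com",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/0000-sub/resourceGroups/rg-app1"},
]

# Resource-group scope (case-insensitive; resource-level scopes below the RG also match).
RG_SCOPE = re.compile(r"^/subscriptions/([^/]+)/resourcegroups/([^/]+)", re.IGNORECASE)
# Bare subscription scope, with or without a trailing slash.
SUB_SCOPE = re.compile(r"^/subscriptions/([^/]+)/?$", re.IGNORECASE)
MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def audit_principal(assignments, principal_id, subscription_id):
    """Split one principal's assignments into the intended RG-scoped grants and any
    broad grant (subscription, management group or root) that exposes all RGs."""
    broad, groups = [], {}
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        scope, role = a["scope"], a["roleDefinitionName"]
        rg = RG_SCOPE.match(scope)
        sub = SUB_SCOPE.match(scope)
        if rg and rg.group(1).lower() == subscription_id.lower():
            groups.setdefault(rg.group(2).lower(), []).append(role)
        elif sub and sub.group(1).lower() == subscription_id.lower():
            broad.append((scope, role))
        elif scope == "/" or scope.lower().startswith(MG_PREFIX):
            # Inherited downward; assumed to cover this subscription.
            broad.append((scope, role))
    return {"broad_scope": broad, "resource_groups": groups, "restricted": not broad}
```

A principal is correctly restricted only when `restricted` is true; any entry in `broad_scope` should be removed and replaced by assignments on the individual resource groups.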

Add the user to the Contributor role in those resource groups.

Go to the resource group, then open Access Control (IAM), and add the user to Contributor role. Repeat for each resource group.

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

The above is possible with the following steps

  1. Add the user to the subscription. Don't assign any role at subscription level for this user.

  2. Add the user as contributor to the selected three resource groups (in the Access Control (IAM) property) through role assignment.

The above two configurations will enable the user to only view and operate on the explicit three resource groups; other resource groups will not appear in the Azure portal.

Best practice would be to add the user to a security group and assign the security group to the roles.
