2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Today I would like to share an article about applying Azure Policy. The role of Policy has been introduced before; readers who have not seen it can refer to the previous post:
Forcibly disable unmanaged-disk VMs using Azure Policy
https://blog.51cto.com/mxyit/2347943
The topic today is how to use Policy to restrict role assignment in Azure. Many people's first reaction to "role assignment" is RBAC, which is quite natural, because role assignment really does belong to RBAC. So what is the difference between RBAC and Policy? There are two main points.
RBAC focuses on what users can do at different scopes. For example, you may be added to the Contributor role of a resource group, and can then make changes to that resource group.
Policy focuses on resource properties, both during deployment and for existing resources. Policy controls attributes such as the type or location of a resource.
Many people's first reaction to limiting role assignment is also RBAC, but in fact it may be easier to implement this requirement with Policy.
Some customers have described the following situation. The distribution of permissions in the enterprise's Azure environment is very chaotic: people with privileges privately add Owner permissions for other accounts, those people in turn add Owner permissions for others, and permissions proliferate. The customer spent a lot of effort slowly recovering them. At the same time, to make management easier, the customer also wants to limit the granting of Owner permissions to users. One solution is Policy. Policy can allow users to assign only specific roles, for example only the Contributor or Reader roles, while assigning the Owner role is not allowed, so the possibility of permissions flooding can be eliminated technically.
Let's take a look at how to implement it. The core of a Policy is the JSON file that defines its rules.
Implementing our requirement is not complicated. The policy below means: if the Role ID is not in the roleDefinitionIds array, refuse to add the assignment. What is a Role ID? Each Role in Azure has its own unique ID, and it is easy to query. Here are two methods.
1: through PowerShell
Get-AzureRmRoleDefinition | ft Name,Id -AutoSize
2: find it directly in the web page
https://docs.microsoft.com/zh-cn/azure/role-based-access-control/built-in-roles#reader
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "not": {
          "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
          "in": "[parameters('roleDefinitionIds')]"
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
After we have the Role IDs, we first need to put the role IDs that are allowed to be assigned into an array. For example, if only Contributor and Reader are allowed, we add those two IDs to an array. The variable must be typed as a string array; with a plain [string] type, += would concatenate the two IDs into one string instead of building a two-element array.
[string[]] $ids = "acdd72a7-3385-48ef-bd42-f606fba81ae7"   # Reader
$ids += "b24988ac-6180-42a0-ab88-20f7382dd24c"            # Contributor
After that, we define the Policy definition. The JSON file containing the rule definition has been saved as restrict-roleassignment-owner2. In addition, because the role ID list is a variable parameter, we need to declare attributes such as the parameter's type in the parameters section.
You can see that this parameter is declared with type array, which matches our needs.
{
  "roleDefinitionIds": {
    "type": "array",
    "metadata": {
      "description": "The list of role definition Ids",
      "displayName": "Approved Role Definitions"
    }
  }
}
Once defined, you can start to assign the policy. In the scope, you choose which level to assign at: a subscription, a resource group, or a single resource. Here we assign the policy directly at the subscription level.
After the assignment, let's do a final test: the policy has taken effect! Trying to assign the Owner role under "Add role assignment" is rejected, with a prompt that the policy forbids it.
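The definition and assignment steps above as one end-to-end script, added here as an example and not code from the original post. It uses the same AzureRM cmdlets the article uses (the Az module equivalents have the same names with an Az prefix); the definition and assignment names, and resolving the Role IDs by display name instead of pasting GUIDs, are my own choices.

```powershell
# Added example: restrict role assignments to an approved list with Azure Policy.
# Assumes Login-AzureRmAccount has already been run and the caller may write policy at subscription scope.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Resolve the approved Role IDs by name so nothing is hard-coded; the result is a string array.
[string[]] $ids = @("Reader", "Contributor") |
    ForEach-Object { (Get-AzureRmRoleDefinition -Name $_).Id }

# Policy rule: deny any role assignment whose roleDefinitionId is not in the approved list.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      {
        "not": {
          "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
          "in": "[parameters('roleDefinitionIds')]"
        }
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

# Parameter declaration: the approved list is an array so it can differ per assignment.
$params = @'
{
  "roleDefinitionIds": {
    "type": "array",
    "metadata": {
      "description": "The list of role definition Ids",
      "displayName": "Approved Role Definitions"
    }
  }
}
'@

$definition = New-AzureRmPolicyDefinition -Name "restrict-roleassignment-owner2" `
    -DisplayName "Restrict role assignments to approved roles" `
    -Policy $rule -Parameter $params

# Assign at subscription scope, passing the approved IDs as the parameter value.
New-AzureRmPolicyAssignment -Name "restrict-roleassignment-owner2" `
    -Scope $scope -PolicyDefinition $definition `
    -PolicyParameterObject @{ roleDefinitionIds = $ids }
```

After this runs, an attempt to assign Owner at any scope under the subscription fails with the RequestDisallowedByPolicy error, while Reader and Contributor assignments still succeed.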
© 2024 shulou.com SLNews company. All rights reserved.