Documentation

Permissions

Azure uses the Role Based Access Control (RBAC) principle for almost all resources. The defined roles are either provided directly by Azure (so-called BuiltIn roles) or you can create your own roles (so-called Custom roles).

In connection with the Subscription provided by the IT services, the following two roles are important:

  • Unibe-Application-Owner (mg-unibe): This role is assigned directly to individuals or groups. It allows management of resources within a Subscription.

  • Unibe-Subscription-Owner (mg-unibe): This role is only assigned via activatable groups, meaning you must request this role. It allows management of the Subscription, including making settings and authorizing other people. This role is also intended for budget settings within a Subscription.

Inheritance

Every permission is inherited by default. This means that if you allow a certain operation on the Subscription, it also applies to all resources offered in this Subscription.

architecture-beta
    group azure[Azure]
    group mgz[Management Groups] in azure
    group subz[Subscriptions] in azure
    group rgz[Resource Groups] in azure
    group rz[Resources] in azure

    service mg(azure:management-groups) in mgz
    service sub(azure:subscriptions) in subz
    service rg(azure:resource-groups) in rgz
    service r1(azure:key-vaults) in rz
    service r2(azure:virtual-machine) in rz
    service r3(azure:virtual-networks) in rz

    mg{group}:B --> T:sub{group}
    sub{group}:B --> T:rg{group}
    rg{group}:B --> T:r3{group}

    r3:L -- R:r2
    r3:R -- L:r1

You can assign permissions in four places:

  1. In the Management Group (managed by IT services).
  2. In the Subscription.
  3. In the Resource Group.
  4. In the Resource (the respective Azure service).

Roles for Resources

While the Unibe-Subscription-Owner (mg-unibe) role grants full access to most resources, there are some resources in Azure that have a special role concept. These include:

  • Storage Account
  • KeyVault
  • Azure VM (login via EntraID)

These resources offer more specific roles to control access. As a result, someone with the Unibe-Subscription-Owner (mg-unibe) role has permission to manage such a resource in Azure, but not necessarily to use it.

Example

The Storage Blob Data Contributor role for a Storage Account controls write access to the Blob data. Someone without this role has no write access to the data, even if they have permission to assign roles.

These roles can be assigned via the Unibe-Subscription-Owner (mg-unibe) role. The principle of inheritance also applies here.

Example

If you grant a person write access via the Storage Blob Data Contributor role for the entire Subscription, that person will have access to all Storage Accounts within the Subscription.
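To make the two points above concrete (role assignments at a scope are inherited by everything below it, and a management role such as Unibe-Subscription-Owner does not by itself grant access to a resource's data), here is a small Python model of how Azure evaluates an assignment. It is an added example, not code from this documentation or from Azure: the subscription id, resource group and storage account names are constructed, the Unibe-Subscription-Owner custom role is approximated by the built-in Owner role (actions `*`), and only a few of the Storage Blob Data Contributor permissions are listed.

```python
"""Toy evaluator for Azure RBAC scope inheritance and the control/data-plane split.

Added example (not from the Unibe documentation). Role definitions are
simplified assumptions; scope strings follow the real Azure resource-ID layout.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Constructed scopes for the four assignment levels: management group,
# subscription, resource group, resource.
MG_UNIBE = "/providers/Microsoft.Management/managementGroups/mg-unibe"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # constructed id
RG = SUB + "/resourceGroups/rg-demo"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo001"
STORAGE_OTHER_RG = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother001"

# A management group is not a string prefix of a subscription id, so membership
# is modelled explicitly (assumption: SUB lives under mg-unibe).
SUBSCRIPTION_MG: Dict[str, str] = {SUB: MG_UNIBE}


@dataclass(frozen=True)
class Role:
    name: str
    actions: Tuple[str, ...]            # control plane: managing the resource in Azure
    data_actions: Tuple[str, ...] = ()  # data plane: using the resource's data


ROLES: Dict[str, Role] = {
    # Assumption: modelled like the built-in Owner role, which has no DataActions.
    "Unibe-Subscription-Owner": Role("Unibe-Subscription-Owner", actions=("*",)),
    "Storage Blob Data Contributor": Role(
        "Storage Blob Data Contributor",
        actions=("Microsoft.Storage/storageAccounts/blobServices/containers/read",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                 "Microsoft.Storage/storageAccounts/blobServices/containers/delete"),
        data_actions=("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"),
    ),
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_chain(resource_scope: str) -> List[str]:
    """Scopes whose assignments a resource inherits, broadest first.

    Walks subscription -> resource group -> (nested) resource, then prepends
    the management group the subscription belongs to.
    """
    segs = resource_scope.strip("/").split("/")
    if segs[0] != "subscriptions":
        raise ValueError("only subscription-rooted scopes are modelled")
    chain = ["/" + "/".join(segs[:2])]
    if len(segs) >= 4 and segs[2] == "resourceGroups":
        chain.append("/" + "/".join(segs[:4]))
        if len(segs) >= 8 and segs[4] == "providers":
            # every (type, name) pair after the provider namespace is a resource
            for end in range(8, len(segs) + 1, 2):
                chain.append("/" + "/".join(segs[:end]))
    mg = SUBSCRIPTION_MG.get(chain[0])
    return ([mg] if mg else []) + chain


def is_allowed(assignments: List[Assignment], principal: str, operation: str,
               resource_scope: str, data_plane: bool = False) -> bool:
    """True if an assignment at the resource or any ancestor scope grants operation."""
    inherited = set(scope_chain(resource_scope))
    for a in assignments:
        if a.principal != principal or a.scope not in inherited:
            continue
        role = ROLES[a.role]
        patterns = role.data_actions if data_plane else role.actions
        if any(fnmatch(operation, p) for p in patterns):
            return True
    return False


BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
ROLE_ASSIGN = "Microsoft.Authorization/roleAssignments/write"

# Constructed assignments: alice activated the owner role on the subscription,
# then granted bob Storage Blob Data Contributor for the whole subscription.
ASSIGNMENTS = [
    Assignment("alice", "Unibe-Subscription-Owner", SUB),
    Assignment("bob", "Storage Blob Data Contributor", SUB),
]


def demo() -> Dict[str, bool]:
    """Evaluate the cases described in the two examples above."""
    return {
        "alice_can_assign_roles": is_allowed(ASSIGNMENTS, "alice", ROLE_ASSIGN, STORAGE),
        "alice_can_write_blobs": is_allowed(ASSIGNMENTS, "alice", BLOB_WRITE, STORAGE, data_plane=True),
        "bob_can_write_blobs_in_every_account": all(
            is_allowed(ASSIGNMENTS, "bob", BLOB_WRITE, s, data_plane=True)
            for s in (STORAGE, STORAGE_OTHER_RG)),
        "bob_can_assign_roles": is_allowed(ASSIGNMENTS, "bob", ROLE_ASSIGN, STORAGE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The outcome mirrors the text: alice can assign roles on the storage account but cannot write blobs, because the owner-style role only carries control-plane actions; bob, holding Storage Blob Data Contributor at subscription scope, can write blobs in every storage account in the subscription but cannot assign roles. Narrowing bob's assignment to `RG` would confine the blob access to accounts in that resource group, which is the least-privilege choice when access to a single project is all that is needed.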

Guides

  • In this guide you can see how to activate a role.
  • In this guide you can see how to authorize new people for the Azure Subscription.

Next Steps

After you have assigned yourself the Owner rights for the Subscription, you can edit the default budget. See the article about the Budget.

Further Information