Documentation

Permissions

Azure is based on the Role Based Access Control (RBAC) principle for almost all resources. The defined roles are either provided directly by Azure (so-called BuiltIn roles) or were individually created (so-called Custom roles).

In connection with the Subscription provided by the IT services, the following two roles are important:

  • Unibe-Application-Owner (mg-unibe): This role is assigned directly to individuals or groups. It authorizes the management of resources within a Subscription.

  • Unibe-Subscription-Owner (mg-unibe): This role is assigned exclusively via activatable groups and must be requested. It authorizes the management of the Subscription, including the configuration of settings, the assignment of permissions to additional individuals, and the management of budget settings.

Inheritance

Every permission is inherited by default. This means that a permission granted at the Subscription level also applies to all resources contained in this Subscription.

architecture-beta
    group azure[Azure]
    group mgz[Management Groups] in azure
    group subz[Subscriptions] in azure
    group rgz[Resource Groups] in azure
    group rz[Resources] in azure

    service mg(azure:management-groups) in mgz
    service sub(azure:subscriptions) in subz
    service rg(azure:resource-groups) in rgz
    service r1(azure:key-vaults) in rz
    service r2(azure:virtual-machine) in rz
    service r3(azure:virtual-networks) in rz

    mg{group}:B --> T:sub{group}
    sub{group}:B --> T:rg{group}
    rg{group}:B --> T:r3{group}

    r3:L -- R:r2
    r3:R -- L:r1

Permissions can be assigned in four places:

  1. In the Management Group (managed by IT services)
  2. In the Subscription
  3. In the Resource Group
  4. In the Resource

Roles for Resources

While the role Unibe-Subscription-Owner (mg-unibe) grants full access to most resources, there are some resources in Azure that have a special role concept. These include:

  • Storage Account
  • KeyVault
  • Azure VM

These resources offer more specific roles for access control. Individuals with the role Unibe-Subscription-Owner (mg-unibe) therefore have permission to manage the resource in Azure, but not necessarily to use the resource. For a Storage Account, for example, separate roles are required for access to Blob, Queue, Table, and File data. For KeyVault, dedicated roles exist for access to Secrets, Keys, and Certificates. For Azure VMs with Entra ID login, specific roles are also required for access.

Example

The role Storage Blob Data Contributor for a Storage Account controls write access to the Blob data. Without this role, there is no write access to the data, even if permission to assign roles is present.

These roles can be assigned via the role Unibe-Subscription-Owner (mg-unibe). The principle of inheritance also applies here. If a person is granted write access via the role Storage Blob Data Contributor for the entire Subscription, that person will have access to all Storage Accounts within the Subscription.
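The inheritance rule (an assignment at the Management Group, Subscription or Resource Group scope is inherited by everything below it) and the split between managing a resource and using its data can be checked offline with a small model. The following Python is an added example, not part of this documentation or of any Azure SDK: it reproduces what `az role assignment list --assignee <principal> --scope <resource-id> --include-inherited` would report for constructed principals, IDs and resource names. The two Unibe role names and "Storage Blob Data Contributor" are from the page; the permissions attached to the Unibe role are an assumption (full control plane, no data actions, as the text describes), and Azure's NotActions and deny assignments are left out.

```python
"""Azure RBAC scope inheritance and the control-plane / data-plane split (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: frozenset = frozenset()       # control plane: manage the resource
    data_actions: frozenset = frozenset()  # data plane: use the resource's contents


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str  # management group, subscription, resource group or resource ID


ROLES = {
    # Assumption: modelled as full control-plane access with no dataActions,
    # i.e. "manage the resource, but not necessarily use it".
    "Unibe-Subscription-Owner (mg-unibe)": Role(
        "Unibe-Subscription-Owner (mg-unibe)", actions=frozenset({"*"})),
    # Subset of the real built-in role definition: the blob data actions.
    "Storage Blob Data Contributor": Role(
        "Storage Blob Data Contributor",
        actions=frozenset({"Microsoft.Storage/storageAccounts/blobServices/containers/read"}),
        data_actions=frozenset({
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        })),
}

# Constructed IDs. Resource IDs do not embed the management group, so that
# parent link is kept in a separate mapping.
MG_SCOPE = "/providers/Microsoft.Management/managementGroups/mg-unibe"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SUB_TO_MG = {SUB: MG_SCOPE}
RG_A = f"{SUB}/resourceGroups/rg-a"
RG_B = f"{SUB}/resourceGroups/rg-b"
SA_A = f"{RG_A}/providers/Microsoft.Storage/storageAccounts/unibesaa"
SA_B = f"{RG_B}/providers/Microsoft.Storage/storageAccounts/unibesab"

WRITE_BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"


def applies(scope: str, resource_id: str) -> bool:
    """True if an assignment made at `scope` is inherited by `resource_id`.

    Within a subscription the scope is a case-insensitive path prefix; the
    trailing "/" keeps rg-a from matching rg-ab. The management group is
    reached through SUB_TO_MG.
    """
    scope, rid = scope.lower(), resource_id.lower()
    if rid == scope or rid.startswith(scope + "/"):
        return True
    parts = rid.strip("/").split("/")
    if parts[0] == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        return SUB_TO_MG.get(sub, "").lower() == scope
    return False


def effective_roles(principal: str, resource_id: str, assignments) -> set:
    """Roles the principal holds on resource_id, directly or by inheritance."""
    return {a.role for a in assignments
            if a.principal == principal and applies(a.scope, resource_id)}


def is_allowed(principal, resource_id, action, assignments, data_plane=False) -> bool:
    """Check one action against the actions (or dataActions) of the effective roles."""
    for role_name in effective_roles(principal, resource_id, assignments):
        granted = ROLES[role_name].data_actions if data_plane else ROLES[role_name].actions
        if any(fnmatchcase(action.lower(), p.lower()) for p in granted):
            return True
    return False


ASSIGNMENTS = [
    Assignment("it-admins", "Unibe-Subscription-Owner (mg-unibe)", MG_SCOPE),  # inherited by all
    Assignment("alice", "Unibe-Subscription-Owner (mg-unibe)", SUB),           # manage, not use
    Assignment("bob", "Storage Blob Data Contributor", SUB),                   # every account in SUB
    Assignment("carol", "Storage Blob Data Contributor", RG_A),                # rg-a only
]


def demo() -> dict:
    return {
        "mg_assignment_inherited_by_sa_b": is_allowed("it-admins", SA_B, ASSIGN_ROLE, ASSIGNMENTS),
        "alice_can_assign_roles_on_sa_a": is_allowed("alice", SA_A, ASSIGN_ROLE, ASSIGNMENTS),
        "alice_can_write_blobs_sa_a": is_allowed("alice", SA_A, WRITE_BLOB, ASSIGNMENTS, True),
        "bob_can_write_blobs_sa_a": is_allowed("bob", SA_A, WRITE_BLOB, ASSIGNMENTS, True),
        "bob_can_write_blobs_sa_b": is_allowed("bob", SA_B, WRITE_BLOB, ASSIGNMENTS, True),
        "carol_can_write_blobs_sa_a": is_allowed("carol", SA_A, WRITE_BLOB, ASSIGNMENTS, True),
        "carol_can_write_blobs_sa_b": is_allowed("carol", SA_B, WRITE_BLOB, ASSIGNMENTS, True),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Alice holds the subscription-level owner role and can therefore assign roles on the Storage Account, yet has no blob write access, which is exactly the situation the Example above describes. Bob's data role at Subscription scope reaches both Storage Accounts; Carol's identical role, assigned one level lower at the Resource Group, reaches only the account inside rg-a. The same questions are answered for a real tenant by the `az role assignment list` command in the lead-in.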

Guides

  • This guide describes how a role can be activated.
  • This guide describes how new individuals can be authorized for the Azure Subscription.

Next Steps

After the Owner rights for the Subscription have been assigned, the standard budget can be edited. Further information can be found in the article about the Budget.

Further Information