Azure自定义角色:授权一组特定角色的角色分配 [英] Azure custom role: authorize role assignment for a specific set of roles
问题描述
我正在尝试在Azure中创建一个自定义角色,该角色将允许订阅所有者"执行除取消/重新命名自己的订阅或移入另一个管理组之外的所有工作.
我还希望他们能够向他们想要的人授予权限(特别是内置的贡献者"角色),但又不允许他们授予所有者"权限,否则我的自定义角色很容易被欺骗./p>
最后我得到了以下自定义角色定义,到目前为止,该定义很好并且可以正常工作,当然还有角色分配:
{名称":"MyCustomRole","IsCustom":是,"Description":为Azure订阅所有权限制而设计的角色",动作":["*"],"NotActions":["Microsoft.Management/managementGroups/subscriptions/write","Microsoft.Subscription/Cancel/action","Microsoft.Subscription/重命名/操作"],"DataActions":[],"NotDataActions":[],"AssignableScopes":["/providers/Microsoft.Management/managementGroups/root.mg"]}
在Azure文档中,我发现的用于角色分配的唯一操作是 Microsoft.Authorization/roleAssignments/write
.
是否有任何方法可以直接在自定义角色中将其限制为-例如贡献者角色分配?
从本质上讲,Azure策略可能会解决问题(甚至不确定),但是由于某些运营商/专家/其他人最终可能会成为所有者,因此我不希望策略引擎显示不符合规定"的资源.这会导致客户产生我想避免的误会.
您可能想尝试Azure策略,可以将其应用于IAM模型.您可以根据治理结构在订阅"或管理组"级别上分配策略.
以下策略定义将阻止所有尝试分配所有者"角色的请求,没有例外.内置所有者角色由"8e3af657-a8ff-443c-a75c-2fe8c4bcb635"表示,在所有Azure租户中均使用相同的GUID.
但是,其他RBAC角色的角色分配仍然可能.这应该可以满足您的用例.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
{"policyType":自定义","mode":全部","displayName":"DenyOwnerAssisgnment","policyRule":{如果": {所有的": [{"field":"Microsoft.Authorization/roleAssignments/roleDefinitionId",包含":"8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},{"field":"type","equals":"Microsoft.Authorization/roleAssignments"}]},然后": {效果":拒绝"}},"type":"Microsoft.Authorization/policyDefinitions"}
I am trying to create a custom role in Azure that would allow Subscriptions "owners" to do quite everything but cancelling/renaming their own subscriptions or moving into another management group.
I would also like them to be able to grant right access to who they want (especially built-in "Contributor" role) but without allowing them to grant "Owner" right, otherwise my custom role could be tricked easily.
I ended up with the following custom role definition which is so far nice and working, apart from the role assignment of course:
{
"Name": "MyCustomRole",
"IsCustom": true,
"Description": "Role designed for Azure subscriptions ownership limitations",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Management/managementGroups/subscriptions/write",
"Microsoft.Subscription/cancel/action",
"Microsoft.Subscription/rename/action"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/providers/Microsoft.Management/managementGroups/root.mg"
]
}
In the Azure documentation, the only operation I found for role assignment is Microsoft.Authorization/roleAssignments/write
.
Is there any way to restrict that - to Contributor role assignment for instance - directly in the custom role?
Azure Policy might technically do the trick (not even sure), but since some operational/experts/whatever guys might end up as Owner, I do not want the policy engine to display "non-compliant" resources. It would lead customers to misunderstandings that I would like to avoid.
You might want to try Azure Policy, which you can apply on top of your IAM model. You can assign a policy on the Subscription or Management Group level, based on your governance structure.
Policy definition below will block EVERY request trying to assign "Owner" role with no exception. Built-in Owner role is represented by "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", same GUID across all Azure tenants.
However Role assignments of other RBAC roles would still be possible. This should fullfill your use case.
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
{
"policyType": "Custom",
"mode": "All",
"displayName": "DenyOwnerAssisgnment",
"policyRule": {
"if": {
"allOf": [
{
"field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
"contains": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
},
{
"field": "type",
"equals": "Microsoft.Authorization/roleAssignments"
}
]
},
"then": {
"effect": "deny"
}
},
"type": "Microsoft.Authorization/policyDefinitions"
}
这篇关于Azure自定义角色:授权一组特定角色的角色分配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!