在特定用户中隐藏天蓝色表中的数据 [英] Hide data in an azure table from a specific audience

问题描述

我在Azure中有一个资源组，其中包含云服务和一个存储帐户.我想将对资源组的访问权授予开发人员，以便他们可以访问资源并进行更改.但是，存储帐户中有一个特定的表，其中包含敏感的用户详细信息.该表正在使用SAS令牌通过我们的客户端应用程序进行更新.

我希望从团队中选拔的几个人能够看到表格的完整内容.有什么办法天真地做到这一点吗?

解决方案

Azure存储访问由其帐户名+密钥控制.有权访问该密钥的任何人都可以访问存储帐户中的任何对象，无论是blob，队列还是(在您的情况下)表.

如果开发人员可以访问资源组，并且资源组包含存储帐户，则这些开发人员可以完全访问存储帐户内容.

如果您想阻止开发人员访问存储，则该存储帐户将需要驻留在另一个资源组中(开发人员没有权限访问该资源组).然后，您可以选择为开发人员提供存储帐户+密钥，或者为特定表提供SAS.

但是::如果开发人员已被授予Azure订阅本身的共同管理员权限，则无论资源组或SAS，他们都可以访问该订阅中100％的资源.

I have a resource group in Azure which contains cloud service and a storage account. I want to give access to the resource group to my developers so that they can access the resources and make changes. However, there is one particular table in the storage account which contains sensitive user details. The table is being updated through our client app using SAS tokens.

I want only few selected people from my team to be able to see the complete contents of the table. Is there any way in azure to do this?

解决方案

Azure Storage access is gated by its account name+key. Anyone with access to that key has access to any object(s) within a storage account, whether, blob, queue, or (in your case) table.

If developers have access to the resource group, and the resource group contains the storage account, then those developers have full access to the storage account contents.

If you wanted to prevent your developers from accessing storage, this storage account would need to reside within another resource group (which the developer does not have access to). And then you would have the choice to provide the developer(s) with the storage account+key, or with a SAS to a particular table.

However: If a developer has been granted co-admin permissions to the Azure subscription itself, then they have access to 100% of resources within the subscription, regardless of resource group or SAS.

这篇关于在特定用户中隐藏天蓝色表中的数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！