Azure策略将基于角色的访问控制(IAM)限制为Azure中资源组级别的用户 [英] Azure Policy to restrict role based access control(IAM) to users at Resource group level in Azure
问题描述
我们试图以天蓝色实施一项政策,以限制基于角色的分配.我们在下面的github策略中进行了引用,但是在测试过程中,我们观察到它没有对参数中定义的roledefinitionIds进行评估.
We were trying to implement a policy in azure to restrict role based assignment. We referenced below github policy, but during testing we observed it's not evaluating the roledefinitionIds defined in the parameter.
https://github.com/Azure/azure-policy/blob/master/samples/Authorization/allowed-role-definitions/azurepolicy.json
使用下面的roleIDs参数进行了测试-
Tested with below roleIDs parameter -
b24988ac-6180-42a0-ab88-20f7382dd24c(贡献者角色)
b24988ac-6180-42a0-ab88-20f7382dd24c (Contributor Role)
acdd72a7-3385-48ef-bd42-f606fba81ae7(读者角色)
acdd72a7-3385-48ef-bd42-f606fba81ae7 (Reader Role)
理想情况下,它应该将参数中定义的角色ID列入白名单,并拒绝其他角色ID的角色分配.但是由于某些原因,在评估期间,Azure策略服务没有考虑参数中定义的那些角色ID,而是限制了所有角色的基于角色的分配.在解决此问题时需要帮助.
Ideally, it should whitelist the role IDs defined in the parameter, and deny the role assignment for other role IDs. But for some reason, during evaluation Azure policy service is not taking into account those role IDs defined in the parameter and instead restricting role based assignment for all the roles. Need help in troubleshooting this.
推荐答案
我尝试使用此角色定义ID并为我工作:
I tried with this Role Definition ID and worked for me:
/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c
如果要从Azure Portal分配策略,并且要提供多个值,则需要在这些值之间使用(;)分号.
And if you are assigning the policy from Azure Portal and you want to provide multiple values, you need to put (;) semi-colon between the values.
这篇关于Azure策略将基于角色的访问控制(IAM)限制为Azure中资源组级别的用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
