Please explain me the DevTest Lab roles

Question

Hi,

I'm using DevTest Lab (DTL) mainly for web-app services. In my DevTest lab settings, I can only give the user a Reader or a Contributor role to access the environment.

            

The default is Reader, which doesn't allow the user to configure the app, for example, connecting their GitHub account or choosing the runtime stack, etc. In other words, they can't use the environment which they created with DevTest Lab.

        

The Contributor role, on the other hand, allows them to create any resource in the resource group. For example, they can start a VM that costs 8000€ per month.

This isn't very clear and makes me wonder if I have misunderstood the DevTest Lab concepts.

To provide a platform for my developers to deploy their applications with a Web App, should I create custom roles and grant users Write permissions on the corresponding resource group? What if I have 100 developers?

The Contributor role depicted in the first image seems peculiar. If the goal is to permit a user to create various resources within a resource group, one could simply create an empty resource group and assign the user a Contributor role. In such a case, the necessity of utilizing DevTest Lab becomes questionable.

What am I missing?

Regards,

Masih

Answer 1

@Masih Shekarak Thanks for posting your query on Microsoft Q&A.

Yes, one possible solution would be to create a custom role that grants users write permissions on the resource group where the DevTest Lab environment is located, but limits their ability to create other types of resources or modify existing ones. This could be achieved by creating a custom Azure role definition that includes only the permissions necessary for deploying and configuring web apps in the DevTest Lab environment, and then assigning that role to the appropriate users or groups. You can also use Azure role-based access control (Azure RBAC) to assign roles to users and set resource and access-level permissions

If you have a large number of developers, you could also consider using Azure Active Directory (AAD) groups to manage access to the DevTest Lab environment. This would allow you to assign permissions to the group rather than individual users, which can simplify management and reduce the risk of errors or omissions.

Regarding your concern about the peculiarities of the Contributor role in DevTest Lab, it's worth noting that this role provides full access to all resources within the resource group, not just those related to DevTest Lab. This means that if a user is assigned the Contributor role, they could potentially create or modify any resource within the resource group, including VMs, databases, storage accounts, and other services. This is why it's important to carefully consider the scope and permissions of any role that you assign to users in Azure.

In summary, creating a custom role or using AAD groups to manage access to DevTest Lab can help you provide your developers with the necessary permissions to use the environment while minimizing the risk of unintended consequences. It's important to carefully consider the scope and permissions of any role that you assign to users in Azure, and to regularly review and audit access to ensure that it remains appropriate for your needs.

If you have any questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

If this helps, please 'Accept answer' so that it can help others in the community looking for help on the same topic.