What Azure role assignments would i need to allow a dba permissions to manage Azure SQL resources including storage accounts?

Question

I am looking at assigning role assignments to a DBA to manage Azure SQL resources from the Azure Portal including managing a specific storage account.

Currently, the permissions are set as follows:

Contributor
Reader
SQL Security Manager
SQL Managed Instance Contributor

Note: Our Security department wants to remove the Contributor role assignment.

Can someone please advise me on what role assignments i would need to achieve the requirements above?

Answer 1

Hi @Anonymous ,

Thanks for reaching out and apologies for delay in response.

I understand you are looking to allow permissions to manage Azure SQL resources along with storage accounts.

Azure SQL is family of SQL Server database engine products in the cloud: Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure VM.

Different built-in roles have been provided to manage each:

SQL DB Contributor to manage SQL DB Databases
SQL Managed Instance Contributor to manage SQL managed instances
Virtual Machine Contributor to manage SQL Server on Azure VM
SQL Security Manager to manage the security-related policies of SQL servers and databases
Storage Account Contributor to manage all types of storage accounts.

You can add these roles to create Azure Custom roles to provide granular access control to resources in Azure. Each role has multiple actions where you can add or remove permissions based on the requirement to provide minimal access.

Contributor role is not recommended due to security concerns as contributor role allows to manage all the resources.

Hope this will help.

Thanks,
Shweta

---------------------------------------------

Please remember to "Accept Answer" if answer helped you.