Azure Role assignment

Question

Azure Role assignment

Esra Gümüskaya 1

Hi,
I am using Azure for my Projects and looking for a Role for my case below. Can you help me what kind of role should I assign?

Each user can create every components on Azure (VM, resource group, database etc..)
But only the users who owner/admin of a Resource Group is, can authorize other users.

In my case, I have defined all users as Co-Administrators in the subscription level. That's why these users can also see the other resource groups and authorize the users for these resource groups. But I don't want that. I want only the RG owner/admin to be able to do this.

What role should I give to the users, or what do you recommend for my case.
Best regards

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-26T07:52:25.397+00:00

Hello @Esra Gümüskaya

Just checking in to see if below answer provided helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
Mohammed Altamash Mohammed Suleman Khan 2,331 Reputation points

2022-09-26T09:41:19.473+00:00

Hi @Esra Gümüskaya

My recommendation is to create 2 group & defined the RBAC on base of groups

1st group - Reader access - where user can read all resources. - Add all users in this group.
2nd Group - Owner access -only admin are added.

Whenever you want to deployment something , the owner can deploy or owner can assign any user to deploy. Normal users will not be able to deploy until owner allow them access on that RG. Normal User will be able to read your RG.

Regards,
Mohammed Altamash

---------------- if you find this reply helpful , please accept the answer -----------------
Esra Gümüskaya 1 Reputation point

2022-09-27T11:44:21.69+00:00

Hi, Thank you for your answer.
What I actually need is :

Existing resource groups should get an owner. This Owner decides who is allowed to do something within the Resource Group.
And Users within the Subscription should be able to create any new resources, DBs or VMs,
but they should be able to see existing ones if they have been authorized by the Owner.

If an Owner does not allow, users should not see the contents of that resource group.
But in my case, everyone can see all RGs and their content as Users are co-Admin.

Thank you in advance
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-27T12:34:00.127+00:00
Hello @Esra Gümüskaya

I am sharing 2 responses to address your query:

Part 1
Existing resource groups should get an owner. This Owner decides who is allowed to do something within the Resource Group. And Users within the Subscription should be able to create any new resources, DBs or VMs, but they should be able to see existing ones if they have been authorized by the Owner.

Your requirements seem to be a bit contradictory. However best I can suggest is as below

Owner/Contributor role can be assigned at Subscription/Resource Group or Resource level.

Have one Owner on the subscription level who can view all the RGs and resources.

For all the users whom Owner have access to view all the resources within in Subscription - Assign those users with Reader role on Subscription level.

For some of the users whom Owner want them to be able to create resources within same subscription or specific resource group - Assign them Owner/Contributor Role.

To explain with an easy example this with an example, let's assume you have an Azure Subscription with 2RG and 2Users and Owner: RG1 and RG2 & User1 and User2. If Owner assigns Reader Role to both User1 and User2 on Subscription scope, then they would be able to view everything from RG1 as well as RG2. Now you identify that User1 should be able to create resources in RG2 you grant User2 Owner/Contributor access to User1 on RG2 Scope. This way user1 would be able to view everything in subscription however deploy new resources only in RG2.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-27T12:34:22.79+00:00
Part 2

If an Owner does not allow, users should not see the contents of that resource group. But in my case, everyone can see all RGs and their content as Users are co-Admin.

If you would need to limit access at RG level you would need to remove Co-Admin role.

Assign the Reader role on the RG level which Owner wants to provide access to.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-29T12:06:22.49+00:00

Hello @Esra Gümüskaya

Just wanted to check if the below answer helped. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-26T07:52:25.397+00:00

Hello @Esra Gümüskaya

Just checking in to see if below answer provided helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
Mohammed Altamash Mohammed Suleman Khan 2,331 Reputation points

2022-09-26T09:41:19.473+00:00

Hi @Esra Gümüskaya

My recommendation is to create 2 group & defined the RBAC on base of groups

1st group - Reader access - where user can read all resources. - Add all users in this group.
2nd Group - Owner access -only admin are added.

Whenever you want to deployment something , the owner can deploy or owner can assign any user to deploy. Normal users will not be able to deploy until owner allow them access on that RG. Normal User will be able to read your RG.

Regards,
Mohammed Altamash

---------------- if you find this reply helpful , please accept the answer -----------------
Esra Gümüskaya 1 Reputation point

2022-09-27T11:44:21.69+00:00

Hi, Thank you for your answer.
What I actually need is :

Existing resource groups should get an owner. This Owner decides who is allowed to do something within the Resource Group.
And Users within the Subscription should be able to create any new resources, DBs or VMs,
but they should be able to see existing ones if they have been authorized by the Owner.

If an Owner does not allow, users should not see the contents of that resource group.
But in my case, everyone can see all RGs and their content as Users are co-Admin.

Thank you in advance
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-27T12:34:00.127+00:00

Hello @Esra Gümüskaya

I am sharing 2 responses to address your query:

Part 1
Existing resource groups should get an owner. This Owner decides who is allowed to do something within the Resource Group. And Users within the Subscription should be able to create any new resources, DBs or VMs, but they should be able to see existing ones if they have been authorized by the Owner.

Your requirements seem to be a bit contradictory. However best I can suggest is as below

Owner/Contributor role can be assigned at Subscription/Resource Group or Resource level.

Have one Owner on the subscription level who can view all the RGs and resources.

For all the users whom Owner have access to view all the resources within in Subscription - Assign those users with Reader role on Subscription level.

For some of the users whom Owner want them to be able to create resources within same subscription or specific resource group - Assign them Owner/Contributor Role.

To explain with an easy example this with an example, let's assume you have an Azure Subscription with 2RG and 2Users and Owner: RG1 and RG2 & User1 and User2. If Owner assigns Reader Role to both User1 and User2 on Subscription scope, then they would be able to view everything from RG1 as well as RG2. Now you identify that User1 should be able to create resources in RG2 you grant User2 Owner/Contributor access to User1 on RG2 Scope. This way user1 would be able to view everything in subscription however deploy new resources only in RG2.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-27T12:34:22.79+00:00

Part 2

If an Owner does not allow, users should not see the contents of that resource group. But in my case, everyone can see all RGs and their content as Users are co-Admin.

If you would need to limit access at RG level you would need to remove Co-Admin role.

Assign the Reader role on the RG level which Owner wants to provide access to.
Harpreet Singh Matharoo 8,396 Reputation points Microsoft Employee Moderator

2022-09-29T12:06:22.49+00:00

Hello @Esra Gümüskaya

Just wanted to check if the below answer helped. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 1

Hello @Esra Gümüskaya

Thank you for reaching out. I would like to confirm following:

Account Administrator, Service Administrator, and Co-Administrator are the three classic subscription administrator roles in Azure. Classic subscription administrators have full access to the Azure subscription. They can manage resources using the Azure portal, Azure Resource Manager APIs, and the classic deployment model APIs.
For more information, please review following document: Classic subscription administrator roles

As per your requirement we would recommend you to assign RBAC Owner/Contributor Access to user on Resource Group or Child Resource scope. For steps to assign RBAC role to a user please review following documentation: Assign Azure roles using the Azure portal.

I hope this helps you achieve the results you are looking for.

----------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure Role assignment

1 answer

Your answer