What role is required to allow users to read/modify Firewall Rules from a SQL Server resource via Security > Networking?

Luke Singh 0 Reputation points
2024-02-13T10:08:17.9866667+00:00

Hi,

We are using Entra's Built-In roles in our organisation to control user RBAC. We have a requirement to allow users to self-serve the creation/deletion of Firewall Rules, specifically created on SQL Server resources, under the Security - Networking section. The way a firewall rule would be amended would be:

  1. Login to Azure.
  2. Browse to Resource Groups, select the desired Resource Group.
  3. Drill down into the SQL Server resource.
  4. Down the left-hand pane select "Networking" under the Security category.
  5. Create/Delete/Update Firewall Rules from this section.

What role would give a user the ability to perform creation/deletion/updating of Firewall Rules from this section? We'd only wish for the user to be able to have this ability and no other network related access.

Thanks in advance.

Luke

Azure SQL Database

1 answer

  1. Oury Ba-MSFT 20,931 Reputation points Microsoft Employee Moderator
    2024-02-13T17:36:51.1466667+00:00

    @Luke Singh

    Thank you for reaching out.

    My understanding is that you are looking for the right role to give to users the ability to perform creation/deletion/updating of Firewall Rules.

    To be able to create and manage IP firewall rules for the Azure SQL Server, you will need to either be:

    1. SQL Security Manager:
      • This role is designed to give access to security aspects of a SQL Server.
      • Users with this role can manage IP firewall rules for the Azure SQL Server.
      • They can create, delete, and update firewall rules directly from the Azure portal.
      • Importantly, this role provides the desired ability without granting other network-related access.
      • Assign this role to users who need to work with firewall rules for SQL Server resources.
    2. SQL Server Contributor:
      • This role provides more extensive permissions related to SQL Server management.
      • Users with this role can also manage firewall rules for SQL Server resources.
      • However, it includes additional permissions beyond just firewall rules.
      • If you want to limit access strictly to firewall rules, consider using the SQL Security Manager role instead.

    Make sure to assign these roles at the appropriate scope (management group, subscription, resource group, or resource level) based on your organization’s requirements.

    https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql

    Hope that helps.

    Regards,

    Oury
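
An added example, not part of the original answer and not Microsoft's own script: one way to apply the scope advice with the Azure CLI, assigning the SQL Security Manager role on a single SQL Server resource and then listing every role the user holds there. The environment variable names (`SUBSCRIPTION_ID`, `RESOURCE_GROUP`, `SQL_SERVER`, `ASSIGNEE`, `APPLY`) and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Subscription ID, resource group, server and user are
# placeholders supplied by the operator through environment variables.
ROLE="SQL Security Manager"   # role named in the answer above

# Build the ARM resource ID of one SQL logical server (resource-level scope).
# Malformed parts are rejected so a typo cannot silently change the scope.
sql_server_scope() {
  sub=$1; rg=$2; server=$3
  printf '%s' "$sub" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
  case "$rg" in ''|*/*) return 1 ;; esac
  printf '%s' "$server" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' || return 1
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s' \
    "$sub" "$rg" "$server"
}

# Assign the role to one user on that server only.
assign_role() {   # $1 = user UPN or object ID, $2 = scope
  az role assignment create --assignee "$1" --role "$ROLE" --scope "$2"
}

# List every role the user holds at that scope, including roles inherited from
# the resource group or subscription, to spot broader access granted elsewhere.
list_roles() {    # $1 = user UPN or object ID, $2 = scope
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# Runs only when APPLY=1, so sourcing the file changes nothing in Azure.
if [ "${APPLY:-0}" = "1" ]; then
  scope=$(sql_server_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$SQL_SERVER") || {
    echo "invalid scope input" >&2; exit 1; }
  assign_role "$ASSIGNEE" "$scope" && list_roles "$ASSIGNEE" "$scope"
fi
```

The `list_roles` output is the check to read afterwards: a broader role inherited from the resource group or subscription would override the intent of a narrow assignment on the server.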

