RBAC Role to grant user access to Storage Account/Containers

grajee 351 Reputation points
2021-06-09T02:09:49.93+00:00

All,

Access to a Storage Account (and Containers) for a user/AD Group is actually granted by a separate security admin team similar to adding a member to an AD Group.

Given that "Storage Blob Data Owner", "Storage Blob Data Contributor" and "Storage Blob Data Reader" allow a user to manipulate objects (read/upload/delete), what RBAC role is there for the Security Team to add users? The Security Admin Team should not be able to do anything else other than adding members/AD groups to roles.

Would the role "User Access Administrator" help?

Thanks,
grajee

Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.

1 answer

    PRADEEPCHEEKATLA-MSFT 88,716 Reputation points Microsoft Employee
    2021-06-09T04:34:40.827+00:00

    Hello @grajee ,

    Thanks for the question and using MS Q&A platform.

    Note: "Storage Blob Data Owner", "Storage Blob Data Contributor" and "Storage Blob Data Reader" don't allow a user to manipulate objects (read/upload/delete).

    Only Storage Blob Data Contributor allows users to grant (read/write/delete) permissions to Blob storage resources.


    Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:

    • Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
    • Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
    • Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
    • Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
    • Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
    • Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
    • Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
    • Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.

    For more details, refer to Use the Azure portal to assign an Azure role for access to blob and queue data.

    User Access Administrator - Lets you manage user access to Azure resources.


    Hope this helps. Do let us know if you have any further queries.

    ---------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
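The delegation discussed in this thread, as an added Az PowerShell example that is not part of the original question or answer: the security team group gets User Access Administrator at the storage account scope only, then uses that right to assign a data role. Subscription id, resource group, storage account and group names are placeholders; the custom role at the end is an assumed, hypothetical tightening of User Access Administrator, not something the answer describes.

```powershell
# Added example, not from the original post. Placeholders in <...> are assumed
# values; replace them before running. Requires the Az.Resources module.
$rgScope = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
$saScope = "$rgScope/providers/Microsoft.Storage/storageAccounts/<storage-account>"

# 1. Owner/global admin: delegate role-assignment management at the storage
#    account only. Assignments inherit downward, so granting this at the
#    subscription or resource group would cover far more than intended.
$secTeam = Get-AzADGroup -DisplayName "<security-admin-team-group>"
New-AzRoleAssignment -ObjectId $secTeam.Id `
    -RoleDefinitionName "User Access Administrator" `
    -Scope $saScope

# 2. Security team (signed in as itself): add an AD group to a data role.
#    This needs no data-plane access to the blobs themselves.
$readers = Get-AzADGroup -DisplayName "<blob-readers-group>"
New-AzRoleAssignment -ObjectId $readers.Id `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope $saScope

# 3. Review what is assigned at this storage account. Note that User Access
#    Administrator permits assigning ANY role here, including Owner, so audit
#    Microsoft.Authorization/roleAssignments/write events in the Activity Log.
Get-AzRoleAssignment -Scope $saScope |
    Select-Object DisplayName, RoleDefinitionName, Scope

# 4. Tighter alternative (hypothetical custom role): keep only the
#    role-assignment actions and drop the broader "*/read" and
#    Microsoft.Authorization/* rights that User Access Administrator carries.
$role = Get-AzRoleDefinition -Name "User Access Administrator"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Storage Account Role Assignment Administrator (example)"
$role.Description = "Add/remove role assignments on a storage account only."
$role.Actions.Clear()
foreach ($action in @(
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Storage/storageAccounts/read")) { $role.Actions.Add($action) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)   # role is then assigned at $saScope
New-AzRoleDefinition -Role $role
```

Even the custom role still holds roleAssignments/write, which on its own lets the holder assign any role at that scope; restricting which roles may be assigned needs an ABAC condition on the assignment, which is outside what this thread covers.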

