question

0 Votes
SenhorDolas-2197 asked SenhorDolas-2197 commented

Azure File Shares - block inheritance

Hi all,

One thing I don't quite get:

Consider my on-prem file server, where I have a structure of folders on which I granted permissions to many users and groups. I added all IT Dept users to the AD group and then assigned the "Storage File Data SMB Share Reader" RBAC permissions to the AD group.

Inside one of those folders I created a new folder called "Private", on which I block inheritance and only grant permissions to 3 x manager users (for example).

Will the users who are members of the "Storage File Data SMB Share Reader" RBAC permissions still be able to read inside the "Private" folder?

Am I missing something obvious here?

Hope this makes sense...

Thanks, M



azure-files

1 Answer

1 Vote
SumanthMarigowda-MSFT answered SenhorDolas-2197 commented

@SenhorDolas-2197 Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

Will the users members of "Storage File Data SMB Share Reader" RBAC permissions still able to read inside "Private" folder? YES, they can read the information.


This thread gives detailed information on how RBAC works.

Any role that is assigned to the subscription flows down and is inherited by all the resources that come under that subscription. Similarly, any role on a Resource Group is inherited by all the resources within that Resource Group. There is no way to block this inheritance, as this is by design, and RBAC roles will flow down from the top to the bottom level based on where the RBAC role is applied.

One thing that can be done is to use "Deny Assignments", where you can specify certain users not to perform certain tasks on a particular resource.
You can read more on Deny Assignments here.

Please let us know if you have any further queries. I’m happy to assist you further.


Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.




Hi @Sumarigo-MSFT

Sorry for the late reply!

Let me give you some background.

We have an on-prem file server which has shares; inside those, folder permissions are blocked to prevent users from seeing some folders.

What I am seeing is that Azure Files will not honour these permission blocks, as the Azure Files SMB permissions will give access to all folders regardless of the blocks.

Am I seeing this right?

Thanks for your help on this case.

M

0 Votes 0 ·
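
The scope inheritance and Deny Assignment behaviour described in the answer above, as an added Python model that is not part of the original thread and not Azure's own code. The subscription ID, resource names, principals and the "read" task label are constructed assumptions; only the role name comes from the page. It models RBAC assignments only and does not evaluate folder-level NTFS ACLs.

```python
# Added example (not from the thread): a simplified model of Azure RBAC scope
# inheritance. IDs, names and assignments are constructed sample data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-files"
SHARE = (RG + "/providers/Microsoft.Storage/storageAccounts/contosofiles"
         "/fileServices/default/fileshares/it-dept")
OTHER_RG = SUB + "/resourceGroups/rg-other"

READER = "Storage File Data SMB Share Reader"
ROLE_TASKS = {READER: {"read"}}  # task labels are an assumption, not Azure action strings

ROLE_ASSIGNMENTS = [  # the role is assigned once, at resource-group level
    {"principal": "IT-Dept", "role": READER, "scope": RG},
]
DENY_ASSIGNMENTS = [  # deny one user the "read" task on one share
    {"principal": "bob", "tasks": {"read"}, "scope": SHARE},
]

def scope_covers(assigned, target):
    """True when target is the assigned scope itself or lies beneath it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def reaching_assignments(principals, target):
    """List (role, assigned_scope, 'direct' | 'inherited') for a set of principals."""
    found = []
    for ra in ROLE_ASSIGNMENTS:
        if ra["principal"] in principals and scope_covers(ra["scope"], target):
            kind = "direct" if scope_covers(target, ra["scope"]) else "inherited"
            found.append((ra["role"], ra["scope"], kind))
    return found

def is_allowed(principals, task, target):
    """Deny assignments are checked first; otherwise any reaching role may grant."""
    for da in DENY_ASSIGNMENTS:
        if (da["principal"] in principals and task in da["tasks"]
                and scope_covers(da["scope"], target)):
            return False
    return any(task in ROLE_TASKS[role]
               for role, _, _ in reaching_assignments(principals, target))

if __name__ == "__main__":
    alice, bob = {"alice", "IT-Dept"}, {"bob", "IT-Dept"}
    print(reaching_assignments(alice, SHARE))
    print("alice read:", is_allowed(alice, "read", SHARE))
    print("bob read:", is_allowed(bob, "read", SHARE))
```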