need to implement admin access on linux sql vms excluding other vms in the subscription

arun kumar 71

Hi Team

I want to apply RBAC role on subscription level that should provide admin access only on linux sql vms under the subscription excluding other linux and windows vms on the same subscription.

For windows vms we can restrict access using gro

Please suggest a proper solution to acheive this requirement.

Thanks

Yuki Sun-MSFT 40,866 Reputation points

2022-06-07T07:50:40.187+00:00

Hi @arun kumar ,

The “office-teams-linux-itpro” tag is for general questions about Teams client on Linux. Since from the description you question is not related to Teams, I’ll remove the tag “office-teams-linux-itpro”. Thanks for your understanding.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-07T22:24:01.417+00:00
@arun kumar
Thank you for your post!

Is there a reason you want the RBAC role to be applied at the Subscription level?

Especially since you want to exclude other VMs (Linux/Windows) within the same subscription.

When it comes to Admin Access only on Linux SQL VMs, are you referring to Admin access during login? For example, logging into the VM as an Admin.

Or do you mean Admin access as in managing the resource(s) within the Portal/VM resource group?

Any additional information, screenshots, or documentation would be greatly appreciated.
Thank you for your time and patience throughout this issue!
arun kumar 71 Reputation points

2022-06-08T01:46:10.77+00:00
Hi @Yuki Sun-MSFT

we are managing RBAC roles on the subscription level. we had created custom role on the subscription and we are adding multiple required users to that group so that they will have particular access on the subscription level since having large number of resources and rg’s. some particular group of people are there they needs to work only on sql vms so they need admin access only on IAAS sql vms and not on other vms in the same subscription.

i need to provide admin access for those particular group of users only on sql vms for login to sql vms as admin and do their operations inside sql vms. and i want to restrict access to other vms in the same subscription.

since we are having huge number sql vms and deployed in multiple rg’s we can‘t able to create custom roles on rg level/resource level. 4. i need a way to restrict access to other windows and linux vms and want to provide admin access only on sql vms with custom role on subscription level.

Thanks

1 answer

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-09T22:31:32.103+00:00

@arun kumar
Thank you for follow up on this!

Since you're assigning RBAC roles at the Subscription level and have a few users that only need to work on SQL VMs and no other VMs within the same Subscription. You can look into leveraging the Azure deny assignments feature to block users/groups from performing specific Azure resource actions, even if a role assignment grants them access. Additionally, you can also leverage Azure custom roles to create a role that meets your needs when it comes to user access.

Additional Link:
Best practices for Azure RBAC

I've also added azure-sql-virtual-machines tag to this thread so their community can look into the specific admin access within a Linux SQL VM, since admin permissions within a VM aren't controlled via RBAC.
,

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please sign in to rate this answer.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-16T16:09:57.397+00:00

@arun kumar
Thank you for your time and patience on this!

Since you haven't received a response from the azure-sql-virtual-machines community, I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-07-01T23:44:13.757+00:00

@arun kumar
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sign in to comment