What roles are required to edit tags?

Question

Thursday, February 16, 2017 8:53 PM

What roles do you grant to someone if they need access to add, modify or delete tags on resources in Azure?

Tommy Skaue

All replies (7)

Friday, February 17, 2017 5:39 PM ✅Answered

Owner or Contributor on the resources where tags need to be managed.

Cheers Christophe - Kindly click Mark as Answer on the post that helps you - www.cloudcrusader.com


Friday, February 17, 2017 4:37 PM

Tags enable you to retrieve related resources that reside in different resource groups. This approach is helpful when you need to organize resources for billing or management.

Hence, you may check the below links to get further details about your query:

https://azure.microsoft.com/en-us/updates/organize-your-azure-resources-with-tags/

/en-us/azure/azure-resource-manager/resource-group-using-tags

/en-us/azure/azure-resource-manager/resource-manager-policy-tags

Sapna G


Friday, February 17, 2017 8:55 PM

Hi Christophe

That sounds reasonable, but I could not find any documentation stating this. Both "owner" and "contributor" are fairly broad permissions. Are you stating this out of experience, or did you find this stated somewhere "official"?

Tommy Skaue


Saturday, February 18, 2017 3:35 PM

Hi Tommy,

I agree, these are broad permissions and documentation is scarce.

Tags are part of every resource/resource group, and I don't see a way to create a custom role for this.

Cheers Christophe - Kindly click Mark as Answer on the post that helps you - www.cloudcrusader.com


Wednesday, February 22, 2017 5:43 PM | 1 vote

If you need to enforce tagging on resources within a resource group you can use ‘Resource Manager Policies’.
/en-us/azure/azure-resource-manager/resource-manager-policy 


Thursday, February 23, 2017 11:22 AM

Adding a bit more information:

- RBAC doesn’t support tag management
- Automatic propagation of RG tags to nested resources is not supported and not on the foreseeable roadmap either


Thursday, February 23, 2017 11:47 AM

That is interesting.

So basically, if you use tags for any operational processes, you run the risk of abusing what they are intended for? We use tags in cooperation with Automation in Azure. Tags are used for example for controlling downtime of VMs, and sometimes I want to allow someone to edit those tags, but I don't want them to have too much control over the VMs. The new DevTest Lab role is the one I prefer to use, but it does not allow for editing of Tags. I am contemplating looking at a custom role, but I don't want to waste time on a strategy that is soon standardized or reorganized by Microsoft.

Tommy Skaue