In this video, we're going to take a look at role-based access control. Let's take a look at the topics that we're going to cover. We're going to start out looking at the concepts behind role-based access control, and then we'll take a look at an actual role definition.

Let's start this out by whiteboarding out what role-based access control is. If you've ever worked in a role-based access control environment before, then this is going to be pretty standard. If you've never worked with role-based access control, it's really, well, still pretty standard and pretty simple.

All right, let's get started thinking about the major components that we have with role-based access control. And at the highest level, there's really two major components. I've got Azure Active Directory, we'll just say AAD, and I have Azure. And we'll refer to that right now as a subscription. I'm not sure why I wanted you to watch me write that whole thing out, but that's okay. Now, for the purpose of this, we're going to break that down into resource groups and resources. And for the sake of discussion, we'll say this is a virtual machine. Now, with virtual machines, we'll start on this side first, and we'll go over to the other side in a moment.
You have many permissions. For example, the permission to start and stop a virtual machine. There are many granular permissions for a virtual machine, as there are many granular permissions for all of the hundreds, if not thousands (I've never really counted), of different types of resources that are available within a subscription. Trying to manage those individual permissions would be pretty much untenable.

All right, let's put that aside for a moment and think about our Azure Active Directory. With an Azure Active Directory, we've got principals, and there's three types of principals. There are users. There are groups. And there are service principals, which are really background process identities. You also now have what's called managed identities, which correlate very strongly to that.

I have these principals. They need to access these various resources, but we don't want to go down to the granular permission level. And that is where roles, or role-based access control, comes into play. With role-based access control, you take a number of permissions and you, well, roll those up into a role.
And for example, in Azure, there are three high-level roles, and any role-based access control system I've ever worked with has some variation of these. And the three high-level roles are owner, contributor (I'm just going to say C-O-N-T so you don't have to watch me write the whole thing out), and reader.

The idea here is that you take an identity, you take a principal. Let's say I put users into a group, I take that group, and I assign that group a role at a particular level. So if I take the contributors group, and I give it the contributor role on a particular resource group (I should label that as R-G; that's a resource group), then everyone in that group will have the contributor rights not only on that resource group, but on every resource within it. And that is an important concept with role-based access control: it is hierarchical and it inherits down. So if I give you a right on the subscription, you have that right on every resource group and thus on every resource in that subscription. And that's really what it comes down to. It's just a way to simplify the management of permissions. Just like I have groups for my users, I have roles for my permissions.
And those three roles, owner, contributor, and reader, are by no means the only built-in roles. And you can also create your own custom roles. And all of these allow you to very carefully manage what rights your different users are going to have within Azure itself.

A couple of things real quick. In addition to roles within the subscription, there are also a whole different set of roles within Azure AD itself. For example, I could be a global administrator. That's going to give me all rights within Azure AD. Or maybe I could just be a security administrator or password administrator, where I can just update people's passwords, for example, reset them. So there's a number of roles both at the subscription level and also at the Azure AD tenant level. If you're going to take an exam, for example, you want to make sure that you are familiar with what those built-in roles are. And there's certainly a pattern within the subscription, at least, where you can see kind of the repetition of the same roles just at different levels of granularity.

All right. Let's take a look going forward here. Let's see if I can clear this off properly. There we go. Let's go ahead and take a look at some of these concepts.
First of all, you need to define roles. And when you define roles, you're going to define them at the subscription level. And you can define a role, the same role, across multiple subscriptions. And of course, when I say define role, these are for custom roles, not for the built-in roles. In order to define a role, you need to have a permission. One of the things I like about this in particular is that not only do we see what permission you need in order to define your own custom roles, but we see the definition of a permission. This is a very specific permission, and all permissions have this structure. I've got first a resource provider. In this case, it's the Microsoft.Authorization resource provider. Then I have the object. Now, the object in this case is a single entity. It might be hierarchical. For example, there are objects underneath the virtual machines. There are objects underneath of websites that you can then grant rights to. And then there's the actual specific right. In this case, write or read, I would grant Microsoft.Authorization.

The role definition itself has a number of attributes or elements. You've got a name. That's pretty obvious.
You have a description, also, hopefully fairly obvious. And then you have actions and not actions. Actions and not actions apply to the specific rights at the Azure resource level. That's going to be important for the next one. Now, the relationship between actions and not actions: not actions refines actions. I can have, let's say for example, a situation where maybe I grant you all rights for virtual machines, but I don't want you to be able to delete virtual machines. So I could grant you all rights in actions, but then add the delete right under not actions.

The data goes another level deeper. And you can see there's data actions and no data action, or not data actions. What that does is, for some resources, you can actually control the access to the data in the resource itself. For example, maybe you've got SQL Server and you want to grant certain rights within a database. And you might do that. Now, I will tell you, I never personally use these. You need to know them if you're going to take the exam, and it may be something you want to architect in.
But personally, I really like having that split between my security at the Azure level and then security within a particular resource, such as a database or virtual machine or even a storage account. So I'd like to differentiate those, but you do have the ability, in a limited way, to use data actions.

The last thing that we have is not, oh, excuse me, is assignable scopes. And what that defines is where a particular role can be assigned. For you, you're going to be able to assign roles, custom roles, at the subscription level and below.

Let's take a look at an actual definition. Oh, before we do, assigning the roles. Sorry, before I was getting ahead of myself. That's why it's good to have slides sometimes. Assignable roles. What do we have? First of all, the level at which you can assign a role. I can assign a role actually above the subscription level. This is going to apply to built-in roles. I can apply a role at the management group level. If you're not familiar with management groups, they allow you to organize subscriptions. If I have multiple subscriptions associated with the same Azure AD tenant, then I can combine those and manage those as management groups.
So if I wanted to apply a particular role to a particular group across a set of subscriptions, I could do that with management groups. Typically, though, you're looking at the subscription level. Or below that, you can apply to the resource group level or the resource. And just as with defining a role, if you're going to assign a role, you have to have the appropriate right. Notice that this is role assignments as opposed to role definitions.

All right, now I think we're okay to move on to a role definition. This is an example of a role definition. This is actually a JSON file that was exported from a built-in role definition. So some of the things that are in this role definition would not typically be in one, for example, that you created. We do have the name. That's going to be pretty common. In this case, the name is Website Contributor. Now, if you're creating your own custom role definition, when you create it, you would not specify the ID or whether or not it's custom. Those are going to be automatically generated. You can define the description, and you can also define the actions. And this is where the bulk of what you'll probably do is going to be found. And you'll notice that every action starts with a resource provider.
So here I've got Microsoft.Authorization. And then I've got a wildcard. I've got asterisk. So any objects underneath of that, and the right that I want to assign is read. Likewise, with Microsoft.Insights, I have the provider Microsoft.Insights, I have alert rules, and I want you to be able to do anything with alert rules. So I can use that wildcard either to represent kind of a group of objects within a provider, a group of resources within a provider, or a group of permissions.

Now, beyond this, we have the rest of the role definition. And you've got the not actions, and you'll notice data actions and the not data actions in this case are all blank. And that's going to be the case for most of your role definitions. You do want to be careful. This is assignable scopes. Now, that is an array, meaning you can assign to multiple scopes. However, if you have a custom role definition, you cannot assign it to the backslash. The backslash is the actual cloud, the Azure Cloud. So in this case, the Azure Public Cloud. As it turns out, Microsoft is not going to allow you to define your own custom roles that are going to apply to the entire Azure Public Cloud, or Government Cloud, or any other cloud.
So in that case, yours would be backslash subscriptions, backslash, your subscription ID, and then typically backslash, or if you go down to the resource group, or even a resource level, you can have that as your assignable scope. So that is RBAC as a role definition. Again, it's really, if you've used roles, frankly, if you've used permissions in anything, the concept of role-based access control is really pretty easy to pick up.
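The rules the video walks through (actions granted by wildcard patterns, not actions subtracting from them within the same definition, assignments inheriting down the scope hierarchy, and custom roles not being assignable at the root of the cloud) can be checked mechanically. The script below is an added example and is not code from the video or from Microsoft; the role definition JSON is constructed in the shape of an exported built-in role such as the Website Contributor discussed above, the subscription GUID and group names are placeholders, and scopes are written with forward slashes as they appear in exported role definitions.

```python
"""Evaluator for Azure RBAC role definitions and assignments (added example,
not from the video). It models: Actions minus NotActions, '*' wildcards,
scope inheritance, and the rule that custom roles cannot be assignable at "/"."""
import fnmatch
import json

# Constructed role definition in the shape of an exported role. The GUID is a
# placeholder and the NotActions entry illustrates the "all but delete" case.
ROLE_JSON = """{
  "Name": "Website Contributor (constructed example)",
  "IsCustom": true,
  "Description": "Manage web sites and their alert rules, but never delete a site.",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Web/sites/*"
  ],
  "NotActions": ["Microsoft.Web/sites/delete"],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/11111111-1111-1111-1111-111111111111"]
}"""


def load_role(text):
    """Parse a role definition document into a dict."""
    return json.loads(text)


def action_matches(pattern, action):
    """Action strings are case-insensitive; '*' may span several '/' segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """Actions grant; NotActions only subtract within this same role.
    A NotActions entry is not a deny: another assignment may still grant it."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def scope_covers(assigned_scope, resource_id):
    """A role assigned at a scope inherits down to everything beneath it."""
    parent = assigned_scope.lower().rstrip("/").split("/")
    child = resource_id.lower().rstrip("/").split("/")
    return child[: len(parent)] == parent


def validate_custom_role(role):
    """Return a list of problems with a custom role; empty means acceptable."""
    problems = []
    if not role.get("Name"):
        problems.append("missing Name")
    if not role.get("Actions") and not role.get("DataActions"):
        problems.append("role grants nothing")
    for scope in role.get("AssignableScopes", []):
        if scope == "/":
            problems.append("custom roles cannot be assignable at '/' (the whole cloud)")
        elif not scope.lower().startswith("/subscriptions/"):
            problems.append(f"scope must be a subscription or below: {scope}")
    return problems


def check_access(assignments, principal, groups, action, resource_id):
    """assignments: list of (principal_or_group_name, role_dict, scope).
    Access is granted if any assignment to the principal or one of its groups
    sits within the role's assignable scopes, covers the resource, and permits
    the action."""
    identities = {principal, *groups}
    for who, role, scope in assignments:
        if who not in identities:
            continue
        if not any(scope_covers(s, scope) for s in role.get("AssignableScopes", [])):
            continue  # assignment outside the role's assignable scopes is invalid
        if scope_covers(scope, resource_id) and role_permits(role, action):
            return True
    return False


if __name__ == "__main__":
    role = load_role(ROLE_JSON)
    sub = "/subscriptions/11111111-1111-1111-1111-111111111111"
    rg = sub + "/resourceGroups/web-rg"
    site = rg + "/providers/Microsoft.Web/sites/app1"
    assignments = [("contributors-group", role, rg)]  # constructed assignment
    print("problems:", validate_custom_role(role))
    print("write:", check_access(assignments, "alice", {"contributors-group"},
                                 "Microsoft.Web/sites/write", site))
    print("delete:", check_access(assignments, "alice", {"contributors-group"},
                                  "Microsoft.Web/sites/delete", site))
```

The evaluator deliberately treats a NotActions entry as a subtraction inside one definition rather than as a deny, which is the distinction the video draws: a principal holding a second role that grants delete would still be able to delete, so reviewing effective access means looking across all assignments, not at one role in isolation.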