WEBVTT

0:00:03.100000 --> 0:00:09.700000
In this video, we're going to take a look at policies and initiatives.

0:00:09.700000 --> 0:00:14.660000
And let's take a look at the topics that we're going to cover in the video.

0:00:14.660000 --> 0:00:19.120000
We're going to start out by defining what policies and initiatives are.

0:00:19.120000 --> 0:00:23.660000
Then we're going to take a look at an actual policy definition.

0:00:23.660000 --> 0:00:30.220000
And finally, we'll take a look at how policies interrelate with role-based

0:00:30.220000 --> 0:00:33.280000
access control. And there can be some confusion there because there's

0:00:33.280000 --> 0:00:39.200000
definitely some overlap conceptually between what role-based access control

0:00:39.200000 --> 0:00:41.480000
or RBAC does and what policies do.

0:00:41.480000 --> 0:00:44.260000
But we're going to focus on policies.

0:00:44.260000 --> 0:00:48.860000
So let's go ahead and let's get started with just that.

0:00:48.860000 --> 0:00:51.960000
So what are policies and initiatives?

0:00:51.960000 --> 0:00:54.680000
Well, let's start out by talking use cases.

0:00:54.680000 --> 0:00:57.380000
Policies, and we'll talk about initiatives that are just a combination

0:00:57.380000 --> 0:00:58.960000
of policies really.

0:00:58.960000 --> 0:01:04.960000
Policies are designed to control what happens with resources.

0:01:04.960000 --> 0:01:09.280000
And typically at the resource group level, although it can be applied

0:01:09.280000 --> 0:01:11.780000
at a higher level as well.

0:01:11.780000 --> 0:01:17.120000
So whereas RBAC controls what users can do, policy controls what you can

0:01:17.120000 --> 0:01:19.620000
do with specific resources.

0:01:19.620000 --> 0:01:22.640000
And there's four different ways that you can use policies.

0:01:22.640000 --> 0:01:27.400000
As you can see, first of all, I can deny certain activity.

0:01:27.400000 --> 0:01:32.340000
So if you want to create a virtual machine that is an H series high performance,

0:01:32.340000 --> 0:01:33.900000
I can deny that.

0:01:33.900000 --> 0:01:35.900000
I can also monitor.

0:01:35.900000 --> 0:01:40.420000
So maybe I don't want to deny, but I just want to see for that example,

0:01:40.420000 --> 0:01:43.240000
where H series virtual machines are being used because that's going to

0:01:43.240000 --> 0:01:45.160000
be a fair bit of money.

0:01:45.160000 --> 0:01:47.560000
I can also audit.

0:01:47.560000 --> 0:01:52.360000
And so that gives me an audit log similar to monitoring, but giving me

0:01:52.360000 --> 0:01:54.280000
a more lasting audit log.

0:01:54.280000 --> 0:01:59.040000
You can also actually correct in some cases.

0:01:59.040000 --> 0:02:04.960000
So maybe for example, you want to make sure that all of your storage accounts

0:02:04.960000 --> 0:02:08.300000
require HTTPS for communications.

0:02:08.300000 --> 0:02:10.660000
And so again, that's what we're doing with policies.

0:02:10.660000 --> 0:02:12.500000
The concept is fairly straightforward.

0:02:12.500000 --> 0:02:15.920000
I want to apply this to control my resources.

0:02:15.920000 --> 0:02:20.460000
Now, what are the components of a policy?

0:02:20.460000 --> 0:02:23.760000
And the components are relatively straightforward.

0:02:23.760000 --> 0:02:25.900000
First and foremost, you have a filter.

0:02:25.900000 --> 0:02:31.340000
The filter is going to define what a policy applies to, what resources

0:02:31.340000 --> 0:02:35.320000
are going to be governed by a particular policy.

0:02:35.320000 --> 0:02:38.020000
Then you have the action.

0:02:38.020000 --> 0:02:43.820000
If a resource is under a particular policy, and the policy is applied,

0:02:43.820000 --> 0:02:45.080000
what's going to happen?

0:02:45.080000 --> 0:02:49.080000
Again, it could be a deny, could be an audit, could be a correct, could

0:02:49.080000 --> 0:02:51.720000
be a monitor. What do you want to do?

0:02:51.720000 --> 0:02:56.800000
And in some cases also with apply, you can do things like apply tags,

0:02:56.800000 --> 0:03:03.180000
for example. And then the last thing is parameters.

0:03:03.180000 --> 0:03:07.740000
So I can create a very flexible policy.

0:03:07.740000 --> 0:03:11.280000
So every time I change a little bit, I don't have to create a new policy.

0:03:11.280000 --> 0:03:18.060000
So you would define your parameters as part of that policy definition.

0:03:18.060000 --> 0:03:19.860000
So that's a policy.

0:03:19.860000 --> 0:03:21.740000
What then is an initiative?

0:03:21.740000 --> 0:03:24.600000
Well, that conceptually is actually pretty straightforward.

0:03:24.600000 --> 0:03:28.620000
An initiative is simply a grouping of policies.

0:03:28.620000 --> 0:03:33.320000
So I can create very granular, very modular policies, and then apply them

0:03:33.320000 --> 0:03:35.400000
as groups through initiatives.

0:03:35.400000 --> 0:03:37.340000
That's really what they do.

0:03:37.340000 --> 0:03:46.960000
Now, let's go ahead and take a look at a definition of a policy.

0:03:46.960000 --> 0:03:52.460000
Here I've got a simple definition of a policy.

0:03:52.460000 --> 0:04:01.440000
And really, the key to the policy is down in the policy rules.

0:04:01.440000 --> 0:04:05.140000
And I'm going to go ahead and mark this up.

0:04:05.140000 --> 0:04:09.720000
This is a JSON definition, JavaScript Object Notation.

0:04:09.720000 --> 0:04:12.480000
It's just a structure that policies are defined with.

0:04:12.480000 --> 0:04:13.660000
And I've got a policy.

0:04:13.660000 --> 0:04:16.580000
It's got some pretty standard properties.

0:04:16.580000 --> 0:04:18.100000
I've got a display name.

0:04:18.100000 --> 0:04:19.860000
I've got a policy type.

0:04:19.860000 --> 0:04:23.400000
This is a built-in, as opposed to custom, policy that I pulled out.

0:04:23.400000 --> 0:04:27.240000
I've got the mode, which is indexed.

0:04:27.240000 --> 0:04:29.360000
Now, there's two modes.

0:04:29.360000 --> 0:04:34.860000
I can have indexed, where I can have all properties available.

0:04:34.860000 --> 0:04:40.040000
Certain properties are universal, such as tags and such as type.

0:04:40.040000 --> 0:04:41.260000
Those are indexed.

0:04:41.260000 --> 0:04:45.780000
But then some resources have more detailed properties that you can

0:04:45.780000 --> 0:04:50.300000
work with. In this case, this particular property is going to apply only

0:04:50.300000 --> 0:04:53.920000
to those that are, or this particular policy is going to apply only to

0:04:53.920000 --> 0:04:55.260000
those that are indexed.

0:04:55.260000 --> 0:04:57.520000
You can, of course, have a description.

0:04:57.520000 --> 0:05:00.760000
There's metadata that can apply.

0:05:00.760000 --> 0:05:03.060000
And then really, the key to this, there's parameters.

0:05:03.060000 --> 0:05:08.100000
In this case, and this, by the way, is a built-in policy.

0:05:08.100000 --> 0:05:13.460000
And here, I've got a list of allowed SKUs.

0:05:13.460000 --> 0:05:17.600000
That's going to be a list of SKUs that are allowed, in this case, virtual

0:05:17.600000 --> 0:05:20.080000
machine SKUs. And then I have the policy rule.

0:05:20.080000 --> 0:05:21.980000
And the policy rule has two parts.

0:05:21.980000 --> 0:05:25.300000
It has an if part, and it has a then part.

0:05:25.300000 --> 0:05:30.320000
And if the conditions are met, oh, let's see if we can get that back here.

0:05:30.320000 --> 0:05:35.340000
There we go. If the conditions are met, then I apply whatever the effect

0:05:35.340000 --> 0:05:39.040000
is. In this case, the effect is to deny.

0:05:39.040000 --> 0:05:44.400000
So if the parameters, if somebody's trying to create a virtual machine

0:05:44.400000 --> 0:05:49.960000
that doesn't meet the allowed SKUs, then it will be denied.

0:05:49.960000 --> 0:05:56.000000
All right. Now, let's talk about policy and role-based access control,

0:05:56.000000 --> 0:06:00.460000
or RBAC. Here's what the key concepts are.

0:06:00.460000 --> 0:06:04.720000
First of all, if you think about RBAC, RBAC is going to focus on permissions.

0:06:04.720000 --> 0:06:08.280000
What users are allowed to do.

0:06:08.280000 --> 0:06:13.020000
Policy focuses on resource properties.

0:06:13.020000 --> 0:06:19.400000
What are valid resource properties, or even just tracking resource policies?

0:06:19.400000 --> 0:06:22.080000
RBAC defaults to deny.

0:06:22.080000 --> 0:06:27.280000
If I do not grant you a particular right through a role, you do not have

0:06:27.280000 --> 0:06:29.180000
that right. Simple as that.

0:06:29.180000 --> 0:06:33.600000
Whereas policy, if there is no policy, then there is no control.

0:06:33.600000 --> 0:06:41.360000
Simple as that. Now, you generally want to use these two concepts together.

0:06:41.360000 --> 0:06:47.000000
And so, for example, I might grant someone the VM Contributor role on

0:06:47.000000 --> 0:06:51.520000
a resource group, meaning that they can provision virtual machines and

0:06:51.520000 --> 0:06:57.460000
several of the components necessary, such as managed disks, for example.

0:06:57.460000 --> 0:07:03.500000
But I may want to limit what types, what SKUs, what sizes of virtual machines

0:07:03.500000 --> 0:07:05.840000
that somebody can create.

0:07:05.840000 --> 0:07:09.800000
So maybe in my development environment, I want to allow you to create

0:07:09.800000 --> 0:07:13.540000
several out of the D series and maybe a few out of the A series, just

0:07:13.540000 --> 0:07:18.540000
as an example. But using those two together gives you very tight and yet

0:07:18.540000 --> 0:07:24.160000
still straightforward control over what users can do and what can be done

0:07:24.160000 --> 0:07:26.120000
with resources within Azure.
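The video describes the parts of a policy definition (display name, policy type, mode, parameters, and a policy rule with an if filter and a then effect) and the "allowed SKUs" deny example, but never shows how the if/then rule is actually evaluated against a resource. The following is an added example, not code from the video or from Azure itself: it embeds a policy definition modeled on the structure the video walks through (the JSON field names follow Azure Policy's definition format; the parameter name `listOfAllowedSKUs`, the `Microsoft.Compute/virtualMachines/sku.name` field alias and the sample VM sizes are this example's own choices), binds assignment parameters, and runs a small evaluator that supports `allOf`, `anyOf`, `not`, `equals` and `in` over a few constructed resources. It shows three outcomes the video describes: a VM in the allowed list passes, a VM outside it is denied, and a resource that does not match the filter is simply not governed ("if there is no policy, then there is no control").

```python
import json
import re

# Constructed policy definition modeled on the structure described in the
# video. Field names follow Azure Policy's definition format; the parameter
# name and the VM size alias used below are assumptions made for this example.
POLICY_DEFINITION = json.loads("""
{
  "displayName": "Allowed virtual machine size SKUs",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Restricts the virtual machine sizes that can be deployed.",
  "metadata": {"category": "Compute"},
  "parameters": {
    "listOfAllowedSKUs": {
      "type": "Array",
      "metadata": {"displayName": "Allowed SKUs",
                   "description": "VM sizes that may be created."}
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('listOfAllowedSKUs')]"}}
      ]
    },
    "then": {"effect": "Deny"}
  }
}
""")

# Matches a parameter reference such as "[parameters('listOfAllowedSKUs')]".
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def bind_parameters(policy, assigned):
    """Resolve the parameters an assignment supplies against the definition.
    A parameter with no default that the assignment omits is an error, which
    is what makes a parameterised policy reusable without being silently empty."""
    bound = {}
    for name, spec in policy["parameters"].items():
        if name in assigned:
            bound[name] = assigned[name]
        elif "defaultValue" in spec:
            bound[name] = spec["defaultValue"]
        else:
            raise KeyError(f"assignment is missing required parameter {name!r}")
    return bound


def resolve(value, params):
    """Replace a [parameters('name')] reference with its bound value."""
    if isinstance(value, str):
        match = PARAM_REF.match(value)
        if match:
            return params[match.group(1)]
    return value


def evaluate_condition(cond, resource, params):
    """Recursively evaluate the 'if' filter against a flattened resource dict
    (keys are the field aliases the policy refers to)."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    field_value = resource.get(cond["field"])
    if "equals" in cond:
        return field_value == resolve(cond["equals"], params)
    if "in" in cond:
        return field_value in resolve(cond["in"], params)
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource, params):
    """Return the effect (lower-cased) that fires for the resource, or None when
    the filter does not match, i.e. the policy does not govern this resource."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource, params):
        return resolve(rule["then"]["effect"], params).lower()
    return None


# Constructed sample resources, already flattened to the aliases the rule uses.
SAMPLE_RESOURCES = {
    "dev-vm-d2": {"type": "Microsoft.Compute/virtualMachines",
                  "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3"},
    "hpc-vm-h8": {"type": "Microsoft.Compute/virtualMachines",
                  "Microsoft.Compute/virtualMachines/sku.name": "Standard_H8"},
    "dev-storage": {"type": "Microsoft.Storage/storageAccounts"},
}

# Constructed assignment value: the D/A-series sizes a dev environment allows.
DEV_ASSIGNMENT = {"listOfAllowedSKUs": ["Standard_D2s_v3", "Standard_D4s_v3",
                                        "Standard_A2_v2"]}


def evaluate_all(policy=POLICY_DEFINITION, assigned=None, resources=SAMPLE_RESOURCES):
    """Evaluate every sample resource under one assignment of the policy."""
    params = bind_parameters(policy, DEV_ASSIGNMENT if assigned is None else assigned)
    return {name: evaluate(policy, res, params) for name, res in resources.items()}


if __name__ == "__main__":
    for name, effect in evaluate_all().items():
        print(f"{name}: {effect or 'not governed'}")
```

Running the block prints `deny` only for the H-series VM; the D-series VM and the storage account are untouched. Changing the assignment's `listOfAllowedSKUs` changes the outcome without editing the definition, which is the point of putting the SKU list in a parameter rather than in the rule itself.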