IvanKarimov-9942 asked:

Is there any way to create a managed application that contains a DB server that publisher can't access data on it but customer can?

Hello,

I am planning to create an Azure Managed Application that will contain a Linux VM with the application server and DB. As far as I understand from this article https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/overview, I as a publisher can access all resources from the Managed Resource Group of the Managed Application. But the customer can store confidential data in the DB that I have access to.

Is there any way to limit a publisher's access to some resources in the Managed Resource Group that can store the customer's internal data?


SwathiDhanwada-MSFT commented:

@IvanKarimov-9942 Welcome to the Microsoft Q & A Community Forum. If you want to restrict access to a Storage account, kindly note that management access is not inherited to your data, provided that the container authentication method is set to "Azure AD User Account" and not "Access Key". This separation prevents roles with wildcards (*) from having unrestricted access to your data. For example, if a user has a Reader role on a resource group, they can view the storage account, but by default they can't view the underlying data. This might be a workaround in your scenario.

Or you can take advantage of the just-in-time access feature, which grants permission for a specific time period. For more information about the just-in-time access feature, kindly check this documentation.


1 Vote 1 ·
IvanKarimov-9942 avatar image IvanKarimov-9942 SwathiDhanwada-MSFT ·

Hello @SwathiDhanwada-MSFT
Thank you for your clarification. I'll read that documentation.


1 Answer

JoydeepDutt-2506 answered:

Hi @IvanKarimov-9942 One of the ways can be to restrict the publisher account's access on the DB (assuming it's SQL Server, via SQL Server Management Studio):

1. Create a user (publisher) account (make sure it's not mapped to any database).
2. Right-click the upper section of the SQL instance (the SQL Server name) > Properties > Permissions, click on the user account, and select Deny to view databases.
3. Right-click the newly created DB > Properties > Files, and change the Owner to the newly created account.

At this point, once the user/publisher logs in to the DB, he will see master, tempdb and will also see the new DB which he is the DB Owner of.

OR
DENY VIEW ANY DATABASE TO PUBLIC;   -- logins now see only master, tempdb and databases they own
GRANT CREATE DATABASE TO PUBLIC;    -- lets each login create (and therefore own) its own database

Ref: https://stackoverflow.com/questions/13809456/sql-database-restrict-view-of-data
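The steps in the answer above, carried through as a T-SQL script that can be run from SSMS or sqlcmd and then checked from the publisher's point of view. This is an added example, not code from the original answer or from the StackOverflow thread it references; the login names, placeholder passwords and the database name CustomerData are assumptions chosen for illustration. The script creates a server-level publisher login that is not mapped to any database user, denies it VIEW ANY DATABASE, gives ownership of the customer database to a separate customer login, and then uses EXECUTE AS LOGIN to confirm that the publisher neither sees nor can open the customer database.

```sql
-- Added example (not from the original answer). Run as a sysadmin on SQL Server.
-- Login names, passwords and the database name are illustrative assumptions.
USE master;
GO

-- 1. Publisher login: server-level only, deliberately NOT mapped to any database user.
--    A database user mapped to this login would re-grant access, which is what we avoid.
CREATE LOGIN publisher_login WITH PASSWORD = 'Replace-With-Strong-P@ssw0rd!';
GO

-- 2. Without VIEW ANY DATABASE a login can see only master, tempdb and databases it owns.
DENY VIEW ANY DATABASE TO publisher_login;
GO

-- 3. Customer login that will own (and therefore see and access) the data.
CREATE LOGIN customer_login WITH PASSWORD = 'Replace-With-Another-Strong-P@ssw0rd!';
GO

CREATE DATABASE CustomerData;
GO

-- 4. Hand ownership to the customer login, not to the publisher.
ALTER AUTHORIZATION ON DATABASE::CustomerData TO customer_login;
GO

-- 5. Check: impersonate the publisher and list the databases it can enumerate.
--    CustomerData must not appear in this result set.
EXECUTE AS LOGIN = 'publisher_login';
SELECT name FROM sys.databases ORDER BY name;
REVERT;
GO

-- 6. Check: the publisher cannot switch into the database either; the USE fails
--    and the error number and message are returned instead of a row from the DB.
EXECUTE AS LOGIN = 'publisher_login';
BEGIN TRY
    EXEC ('USE CustomerData; SELECT DB_NAME() AS opened_db;');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
```

Two caveats worth keeping in mind when applying this to the scenario in the question. DENY is ignored for members of the sysadmin fixed server role, so the publisher's login must not be in sysadmin or the restriction is meaningless. And this only restricts a SQL Server login: a publisher who can log in to the VM itself (as the managed-application publisher can, per the question) can still copy the database files or attach them elsewhere, so the script limits what a well-behaved publisher login can query, not what a VM administrator can read.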


Hello @JoydeepDutt-2506
Thank you for that information. I want to use another DB type, but I got it, and I'll try it this way.
