AzureLearner-6244 asked

Create Custom RBAC Role to manage PostgreSQL DB

Hello all,

I am looking to see if anyone can assist with implementing custom role-based access control. My understanding is that a custom RBAC role can only be created using the portal, PowerShell, CLI and REST API. Maybe I am getting it all wrong altogether.

The requirement is to create a custom role with elevated privileges so that whoever logs in with that role can manage the PostgreSQL DB. This role should also have Azure Storage account access and Log Analytics workspace access to read and write logs.

Edit -- If I have 5 PostgreSQL DBs in the same resource group, and the custom RBAC role is defined with the resource group as its scope, this role will be applied to all 5 DBs, right? What if I need to restrict this role and its permissions to one particular DB out of the 5? Is this possible?

Can someone help me or guide me each step that I need to follow to create it?

Tags: azure-security-center, azure-database-postgresql, azure-rbac

1 Answer

stan answered

Hi,

The level at which the custom role is created does not mean the custom role gives permissions at that level. In fact, just creating a custom role does not give any permissions. After you have created the custom role, you will have to do a role assignment. For one custom role you can do multiple role assignments, as long as the scope of the role assignment or the Azure AD principal (user, MI, SP, group) is different.

Let's say you create the custom role for Subscription A. This means you can use that custom role for role assignments only at that level. If you want to use it at Subscription B you will not be able to. You will need either to create the same role in Subscription B or to create the role at the management group where both subscriptions are located.

Moving back to the role assignments. You can do a role assignment for the custom role at subscription level; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) under the subscription. You can do a role assignment for the custom role at a specific resource group; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) within the resource group. You can even do a role assignment for the custom role on a specific resource; that way the permissions will be given to the Azure AD principal only for that resource.

Source

Remember that there are certain limits of using custom roles at management group level and certain limits on the number of the role assignments possible.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
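The scope mechanics stan describes, written out as an Azure CLI script. This is an added example, not code from the thread or from Microsoft. It builds a custom role definition whose AssignableScopes is one subscription (the definition itself grants nothing), and then assigns that role at the scope of a single PostgreSQL flexible server, which is how you cover only one of five servers in the same resource group. The subscription id, resource group, server name and role name are placeholders; the flexible-server resource type and the permission list are assumptions chosen for illustration and should be confirmed against the provider operations before use.

```shell
#!/bin/sh
# Added example (not from the original thread). All names below are placeholders.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-data}"
ROLE_NAME="${ROLE_NAME:-PostgreSQL DB Operator (custom)}"

# Scope string of a resource group inside a subscription.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Scope string of one PostgreSQL flexible server inside that resource group.
# Assigning at this scope limits the role to this server only, not the other
# servers in the same resource group.
pg_server_scope() {
    printf '%s/providers/Microsoft.DBforPostgreSQL/flexibleServers/%s' \
        "$(rg_scope "$1" "$2")" "$3"
}

# Custom role definition. AssignableScopes only controls where the definition
# may be used in assignments; creating it grants nothing by itself. The
# operation names are illustrative; list the real ones with
#   az provider operation show --namespace Microsoft.DBforPostgreSQL
# (and likewise for Microsoft.Storage and Microsoft.OperationalInsights).
# Blob read/write is granted as DataActions so the principal uses Azure AD
# auth to storage instead of account keys.
role_definition_json() {
    cat <<EOF
{
  "Name": "$ROLE_NAME",
  "IsCustom": true,
  "Description": "Manage one PostgreSQL server, read/write log blobs, query Log Analytics.",
  "Actions": [
    "Microsoft.DBforPostgreSQL/flexibleServers/*",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Create the definition, then assign it to ONE server (needs an az login).
# $1 = object id / UPN / SP name of the principal, $2 = server name.
apply_role() {
    role_definition_json > /tmp/pg-operator-role.json
    az role definition create --role-definition @/tmp/pg-operator-role.json
    az role assignment create \
        --role "$ROLE_NAME" \
        --assignee "$1" \
        --scope "$(pg_server_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$2")"
}

# Only talk to Azure when the CLI is installed and both arguments were given;
# otherwise just show what would be created and where it would be assigned.
if command -v az >/dev/null 2>&1 && [ "$#" -eq 2 ]; then
    apply_role "$1" "$2"
else
    echo "Role definition that would be created:"
    role_definition_json
    echo "Assignment scope for placeholder server pg-prod-01:"
    pg_server_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "pg-prod-01"
    echo
fi
```

Run it as `sh script.sh <principal> <server-name>` after `az login`. To give the same role to the other four servers, repeat only the `az role assignment create` step with each server's scope; to give it to the whole group instead, assign once at `rg_scope`. Assignments at narrower scope count against the per-subscription assignment limit stan mentions, so a group-scoped assignment is cheaper when all servers really should be covered.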
