Manage access to resources in Azure Stack with role-based access control
Applies to: Azure Stack integrated systems and Azure Stack Development Kit
Azure Stack supports role-based access control (RBAC), the same security model for access management that Microsoft Azure uses. You can use RBAC to manage user, group, or app access to subscriptions, resources, and services.
Basics of access management
Role-based access control (RBAC) provides fine-grained access control that you can use to secure your environment. You give users the exact permissions they need by assigning an RBAC role at a certain scope. The scope of the role assignment can be a subscription, a resource group, or a single resource. For more detailed information about access management, see the Role-Based Access Control in the Azure portal article.
When Azure Stack is deployed using Active Directory Federation Services as the identity provider, only Universal Groups are supported for RBAC scenarios.
Azure Stack has three basic roles that you can apply to all resource types:
- Owner: can manage everything, including access to resources.
- Contributor: can manage everything, except access to resources.
- Reader: can view everything, but can't make any changes.
Resource hierarchy and inheritance
Azure Stack has the following resource hierarchy:
- Each subscription belongs to one directory.
- Each resource group belongs to one subscription.
- Each resource belongs to one resource group.
Access that you grant at a parent scope is inherited at child scopes. For example:
- You assign the Reader role to an Azure AD group at the subscription scope. The members of that group can view every resource group and resource in the subscription.
- You assign the Contributor role to an app at the resource group scope. The app can manage resources of all types in that resource group, but not other resource groups in the subscription.
You can assign more than one role to a user and each role can be associated with a different scope. For example:
- You assign TestUser-A the Reader role to Subscription-1.
- You assign TestUser-A the Owner role to TestVM-1.
The Azure role assignments article provides detailed information about viewing, assigning, and deleting roles.
Set access permissions for a user
The following steps describe how to configure permissions for a user.
Sign in with an account that has owner permissions to the resource you want to manage.
In the left navigation pane, choose Resource groups.
Choose the name of the resource group that you want to set permissions on.
In the resource group navigation pane, choose Access control (IAM).
The Role Assignments view lists the items that have access to the resource group. You can filter and group the results.
On the Access control menu bar, choose Add.
On Add permissions pane:
- Choose the role you want to assign from the Role drop-down list.
- Choose the resource you want to assign from the Assign access to drop-down list.
- Select the user, group, or app in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.