Submitted URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview#multiple-role-assignments
Effective URL: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
Submission: On June 03 via api from US — Scanned from DE


WHAT IS AZURE ROLE-BASED ACCESS CONTROL (AZURE RBAC)?

 * Article
 * 01/12/2022
 * 6 minutes to read
 * 8 contributors



Access management for cloud resources is a critical function for any
organization that is using the cloud. Azure role-based access control (Azure
RBAC) helps you manage who has access to Azure resources, what they can do with
those resources, and what areas they have access to.

Azure RBAC is an authorization system built on Azure Resource Manager that
provides fine-grained access management of Azure resources.

This video provides a quick overview of Azure RBAC.




WHAT CAN I DO WITH AZURE RBAC?

Here are some examples of what you can do with Azure RBAC:

 * Allow one user to manage virtual machines in a subscription and another user
   to manage virtual networks
 * Allow a DBA group to manage SQL databases in a subscription
 * Allow a user to manage all resources in a resource group, such as virtual
   machines, websites, and subnets
 * Allow an application to access all resources in a resource group


HOW AZURE RBAC WORKS

The way you control access to resources using Azure RBAC is to assign Azure
roles. This is a key concept to understand – it's how permissions are enforced.
A role assignment consists of three elements: security principal, role
definition, and scope.


SECURITY PRINCIPAL

A security principal is an object that represents a user, group, service
principal, or managed identity that is requesting access to Azure resources. You
can assign a role to any of these security principals.




ROLE DEFINITION

A role definition is a collection of permissions. It's typically just called a
role. A role definition lists the actions that can be performed, such as read,
write, and delete. Roles can be high-level, like owner, or specific, like
virtual machine reader.



Azure includes several built-in roles that you can use. For example, the Virtual
Machine Contributor role allows a user to create and manage virtual machines. If
the built-in roles don't meet the specific needs of your organization, you can
create your own Azure custom roles.

This video provides a quick overview of built-in roles and custom roles.



Azure has data actions that enable you to grant access to data within an object.
For example, if a user has read data access to a storage account, then they can
read the blobs or messages within that storage account. Data actions are listed
in a role's DataActions, separately from its management (control-plane) Actions,
and a wildcard in Actions does not grant any data actions.

For more information, see Understand Azure role definitions.


SCOPE

Scope is the set of resources that the access applies to. When you assign a
role, you can further limit the actions allowed by defining a scope. This is
helpful if you want to make someone a Website Contributor, but only for one
resource group.

In Azure, you can specify a scope at four levels: management group,
subscription, resource group, or resource. Scopes are structured in a
parent-child relationship. You can assign roles at any of these levels of scope.



For more information about scope, see Understand scope.


ROLE ASSIGNMENTS

A role assignment is the process of attaching a role definition to a user,
group, service principal, or managed identity at a particular scope for the
purpose of granting access. Access is granted by creating a role assignment, and
access is revoked by removing a role assignment.

The following diagram shows an example of a role assignment. In this example,
the Marketing group has been assigned the Contributor role for the pharma-sales
resource group. This means that users in the Marketing group can create or
manage any Azure resource in the pharma-sales resource group. Marketing users do
not have access to resources outside the pharma-sales resource group, unless
they are part of another role assignment.



You can assign roles using the Azure portal, Azure CLI, Azure PowerShell, Azure
SDKs, or REST APIs.

For more information, see Steps to assign an Azure role.


GROUPS

Role assignments are transitive for groups, which means that if a user is a
member of a group, and that group is a member of another group that has a role
assignment, the user has the permissions in that role assignment.




MULTIPLE ROLE ASSIGNMENTS

So what happens if you have multiple overlapping role assignments? Azure RBAC is
an additive model, so your effective permissions are the sum of your role
assignments. Consider the following example where a user is granted the
Contributor role at the subscription scope and the Reader role on a resource
group. The sum of the Contributor permissions and the Reader permissions is
effectively the Contributor role for the subscription. Therefore, in this case,
the Reader role assignment has no impact. Because the model is additive, a
narrower assignment never restricts a broader one: to reduce this user's access
to the resource group you would have to remove or narrow the Contributor
assignment at the subscription scope, not add a Reader assignment below it.




DENY ASSIGNMENTS

Previously, Azure RBAC was an allow-only model with no deny, but now Azure RBAC
supports deny assignments in a limited way. Similar to a role assignment, a deny
assignment attaches a set of deny actions to a user, group, service principal,
or managed identity at a particular scope for the purpose of denying access. A
role assignment defines a set of actions that are allowed, while a deny
assignment defines a set of actions that are not allowed. In other words, deny
assignments block users from performing specified actions even if a role
assignment grants them access. Deny assignments take precedence over role
assignments.

Deny assignments are created and managed by Azure itself, for example by Azure
Blueprints and Azure managed applications, to protect the resources they
deploy. You can list the deny assignments that apply to a scope, but you can't
create your own.

For more information, see Understand Azure deny assignments.


HOW AZURE RBAC DETERMINES IF A USER HAS ACCESS TO A RESOURCE

The following are the high-level steps that Azure RBAC uses to determine if you
have access to a resource. These steps apply to Azure Resource Manager or data
plane services integrated with Azure RBAC. This is helpful to understand if you
are trying to troubleshoot an access issue.

 1. A user (or service principal) acquires a token for Azure Resource Manager.
    
    The token includes the user's group memberships (including transitive group
    memberships).

 2. The user makes a REST API call to Azure Resource Manager with the token
    attached.

 3. Azure Resource Manager retrieves all the role assignments and deny
    assignments that apply to the resource upon which the action is being taken.

 4. If a deny assignment applies, access is blocked. Otherwise, evaluation
    continues.

 5. Azure Resource Manager narrows the role assignments that apply to this user
    or their group and determines what roles the user has for this resource.

 6. Azure Resource Manager determines if the action in the API call is included
    in the roles the user has for this resource. If the roles include Actions
    that have a wildcard (*), the effective permissions are computed by
    subtracting the NotActions from the allowed Actions. Similarly, the same
    subtraction is done for any data actions.
    
    Actions - NotActions = Effective management permissions
    
    DataActions - NotDataActions = Effective data permissions

 7. If the user doesn't have a role with the action at the requested scope,
    access is not allowed. Otherwise, any conditions are evaluated.

 8. If the role assignment includes conditions, they are evaluated. Otherwise
    access is allowed.

 9. If conditions are met, access is allowed. Otherwise access is not allowed.

The following diagram is a summary of the evaluation logic.
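The evaluation steps above, together with the transitive group membership and additive overlapping assignments described earlier on this page, as an added Python model. This is example code written for this edit, not Microsoft's implementation; everything in it is constructed for illustration: the resource ids, the principals `user-alice` and `user-bob`, the two groups, the single deny assignment, the subscription-to-management-group map, and the `condition` callable, which stands in for Azure's real condition expression language. The three role definitions are abridged copies of the built-in Contributor, Reader and Storage Blob Data Reader roles.

```python
# Added example (not Microsoft's code): a toy model of this page's evaluation steps.
# Ids, principals and groups are constructed; the role definitions are abridged built-ins.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class RoleDefinition:
    name: str
    actions: list                                   # control-plane Actions, '*' wildcards allowed
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)
    not_data_actions: list = field(default_factory=list)

@dataclass
class RoleAssignment:
    principal: str                                  # user, group, service principal or managed identity
    role: RoleDefinition
    scope: str                                      # management group, subscription, resource group or resource
    condition: "callable | None" = None             # stands in for an ABAC condition expression

@dataclass
class DenyAssignment:                               # abridged: real ones also carry NotActions etc.
    principals: set
    actions: list
    scope: str

def matches(patterns, action):
    """Action names are case-insensitive and a '*' wildcard spans '/' separators."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action, is_data_action):
    """Step 6: Actions - NotActions, or DataActions - NotDataActions for data-plane calls."""
    allow, deny = ((role.data_actions, role.not_data_actions) if is_data_action
                   else (role.actions, role.not_actions))
    return matches(allow, action) and not matches(deny, action)

def scope_covers(scope, resource_id, mg_parents):
    """An assignment at a parent scope is inherited by every child scope (step 3)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    if r == s or r.startswith(s + "/"):
        return True
    # Management group ids are not path prefixes of subscription ids: walk an explicit parent map.
    node = mg_parents.get("/".join(r.split("/")[:3]))
    while node:
        if node.lower() == s:
            return True
        node = mg_parents.get(node)
    return False

def transitive_groups(principal, group_members):
    """Step 1: the token carries direct and nested group memberships."""
    found, frontier = set(), {principal}
    while frontier:
        frontier = {g for g, m in group_members.items() if m & frontier and g not in found}
        found |= frontier
    return found

def check_access(principal, action, resource_id, *, role_assignments, deny_assignments,
                 group_members, mg_parents, is_data_action=False, context=None):
    """Steps 3-9: returns (allowed, reason)."""
    identities = {principal} | transitive_groups(principal, group_members)
    for d in deny_assignments:                      # step 4: a deny wins over any role assignment
        if (identities & d.principals and scope_covers(d.scope, resource_id, mg_parents)
                and matches(d.actions, action)):
            return False, f"deny assignment at {d.scope}"
    applicable = [a for a in role_assignments       # steps 5-7: additive across all assignments
                  if a.principal in identities and scope_covers(a.scope, resource_id, mg_parents)
                  and role_permits(a.role, action, is_data_action)]
    if not applicable:
        return False, "no role assignment grants this action at this scope"
    for a in applicable:                            # steps 8-9: conditions, if present, must hold
        if a.condition is None or a.condition(context or {}):
            return True, f"{a.role.name} at {a.scope}"
    return False, "only conditional assignments apply and their conditions are not met"

MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/pharma-sales"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
MG_PARENTS = {SUB: MG}                              # subscription -> management group
CONTRIBUTOR = RoleDefinition("Contributor", ["*"], not_actions=["Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/elevateAccess/Action"])
READER = RoleDefinition("Reader", ["*/read"])
BLOB_READER = RoleDefinition("Storage Blob Data Reader",
    ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
    data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])
GROUPS = {"grp-marketing": {"user-alice"}, "grp-all-sales": {"grp-marketing"}}
ASSIGNMENTS = [
    RoleAssignment("grp-marketing", CONTRIBUTOR, RG),     # the page's Marketing example
    RoleAssignment("grp-all-sales", READER, MG),          # reaches alice through group nesting
    RoleAssignment("user-bob", CONTRIBUTOR, SUB),         # overlapping assignments: the Reader
    RoleAssignment("user-bob", READER, RG),               # at resource-group scope adds nothing
    RoleAssignment("user-alice", BLOB_READER, RG,
                   condition=lambda ctx: ctx.get("container") == "reports"),
]
DENIES = [DenyAssignment({"grp-marketing"}, ["Microsoft.Compute/virtualMachines/delete"], VM)]

def evaluate(principal, action, resource_id, is_data_action=False, context=None):
    return check_access(principal, action, resource_id, role_assignments=ASSIGNMENTS,
                        deny_assignments=DENIES, group_members=GROUPS, mg_parents=MG_PARENTS,
                        is_data_action=is_data_action, context=context)
```

Calling `evaluate` with the sample tenant shows each rule on this page in isolation: `user-alice` can write `vm1` through the nested Marketing group but cannot delete it because the deny assignment is checked before any role; she can read a VM in another resource group through the Reader assignment inherited from the management group but cannot write there; `user-bob`'s Reader assignment on the resource group neither adds to nor subtracts from his subscription-wide Contributor, while `Microsoft.Authorization/roleAssignments/write` is refused because it falls in Contributor's NotActions; and a blob read is granted only as a data action, only by the Storage Blob Data Reader assignment (Contributor's `*` in Actions does not cover DataActions), and only when its condition holds.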




WHERE IS AZURE RBAC DATA STORED?

Role definitions, role assignments, and deny assignments are stored globally to
ensure that you have access to your resources regardless of the region in which
the resource was created.

When a role assignment or any other Azure RBAC data is deleted, the data is
deleted globally. Principals that had access to a resource through that Azure
RBAC data lose their access.


WHY IS AZURE RBAC DATA GLOBAL?

Azure RBAC data is global to ensure that customers can access resources promptly
regardless of where they are accessing them from. Azure RBAC is enforced by Azure
Resource Manager, which has a global endpoint, and requests are routed to the
nearest region for speed and resilience. Therefore, Azure RBAC must be enforced
in all regions and the data is replicated to all regions. For more information,
see Resiliency of Azure Resource Manager.

Consider the following example. Arina creates a virtual machine in East Asia.
Bob, who is a member of Arina's team, works in the United States. Bob needs to
access the virtual machine that was created in East Asia. To grant Bob timely
access to the virtual machine, Azure needs to globally replicate the role
assignment that grants Bob access to the virtual machine from anywhere Bob is.




LICENSE REQUIREMENTS

Using this feature is free and included in your Azure subscription.


NEXT STEPS

 * Assign Azure roles using the Azure portal
 * Understand the different roles
 * Cloud Adoption Framework: Resource access management in Azure

© Microsoft 2022