Madhur Asati

Reputation: 261

Azure Resource Group Access

How to restrict a user from accessing specific resource groups?

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

Upvotes: 3

Views: 9893

Answers (3)

Venkatesh Muniyandi

Reputation: 5640

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

The above is possible with the following steps:

  1. Add the user to the subscription. Don't assign any role at the subscription level for this user.

  2. Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) property) through role assignment.

The above two configurations will enable the user to view and operate only on the three explicit resource groups; the other resource groups will not appear in the Azure portal.

Best practice would be to add the user to a security group and assign the security group to the roles.

Upvotes: 4

Michael B

Reputation: 12228

When you create a new user for Azure, they have no permissions at all against any subscriptions; logging into the portal will present an empty view with no resources.

If you give that user the Reader permission, they will then be able to read any resource in the subscription but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.

If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.

Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.

There is no built in role that has explicitly defined resourceGroups/write or resourceGroups/* permission.

The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.

This means that only Contributors and Owners can create resource groups in a subscription.

It would be possible to create a custom role that denied resourceGroup/write.

So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.

Upvotes: 5
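
The scope-inheritance and action-matching rules that the two answers above rely on, as an added example that is not from the question or any of the answers: a small Python model of how a role assignment at one scope propagates to every child scope, how "*" patterns in a role's Actions and NotActions are matched, and why a subscription-level Reader sees every resource group while a resource-group-level Contributor sees only the groups assigned. The role definitions are abbreviated from the built-in Reader, Contributor and Owner roles; the subscription id, the ten resource group names, the users and the security group are constructed for the example. This is not Azure's authorization engine: deny assignments, ABAC conditions and data actions are left out.

```python
"""Simplified model of Azure RBAC scope inheritance and action matching.

Added illustration, not Azure's authorization engine. Role definitions are
abbreviated from the built-in Reader, Contributor and Owner roles; the
subscription id, resource groups, users and security group are constructed.
"""
import re

# Abbreviated built-in roles (the real Contributor NotActions list is longer).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Write",   # cannot grant access to others
            "Microsoft.Authorization/*/Delete",
        ],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id
RESOURCE_GROUPS = [f"rg-{i:02d}" for i in range(1, 11)]     # 10 constructed RGs

# Constructed security-group membership: alice belongs to the app team group.
GROUP_MEMBERS = {"sg-app-team": {"alice"}}

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("sg-app-team", "Contributor", f"{SUB}/resourceGroups/rg-01"),
    ("sg-app-team", "Contributor", f"{SUB}/resourceGroups/rg-02"),
    ("sg-app-team", "Contributor", f"{SUB}/resourceGroups/rg-03"),
    ("bob", "Reader", SUB),         # subscription-wide read: reveals every RG
    ("carol", "Contributor", SUB),  # subscription-wide contributor
]

RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"


def rg_scope(name):
    return f"{SUB}/resourceGroups/{name}"


def action_matches(pattern, action):
    """'*' in a role pattern matches any run of characters, '/' included;
    comparison is case-insensitive, as in Azure."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every child scope."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def principals_for(user):
    """The user plus every security group the user is a member of."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def is_allowed(user, action, scope, assignments=ASSIGNMENTS, roles=ROLES):
    """Allowed if any applicable assignment's role lists the action in
    Actions and does not take it back in NotActions."""
    ids = principals_for(user)
    for principal, role_name, assignment_scope in assignments:
        if principal not in ids or not scope_covers(assignment_scope, scope):
            continue
        role = roles[role_name]
        granted = any(action_matches(p, action) for p in role["actions"])
        excluded = any(action_matches(p, action) for p in role["not_actions"])
        if granted and not excluded:
            return True
    return False


def visible_resource_groups(user, assignments=ASSIGNMENTS):
    """What the portal would list: RGs where the user holds resourceGroups/read."""
    return [rg for rg in RESOURCE_GROUPS
            if is_allowed(user, RG_READ, rg_scope(rg), assignments)]


def can_create_resource_group(user, assignments=ASSIGNMENTS):
    """Creating an RG needs resourceGroups/write at the subscription scope."""
    return is_allowed(user, RG_WRITE, SUB, assignments)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, visible_resource_groups(user), can_create_resource_group(user))
```

Running the script prints, per user, the resource groups they can see and whether they can create new ones: alice sees only rg-01 to rg-03 and cannot create groups, bob (Reader at the subscription) sees all ten but cannot create any, carol (Contributor at the subscription) sees all ten and can, and dave, with no assignment, sees nothing. The useful audit is the bob case: before trusting resource-group-scoped assignments to limit visibility, check that the user or any of their groups has no assignment at the subscription scope at all.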

juunas

Reputation: 58898

Add the user to the Contributor role in those resource groups.

Go to the resource group, then open Access Control (IAM), and add the user to the Contributor role. Repeat for each resource group.

Upvotes: 2
