Access Management Part 3: Role Based Access Control


Time: 6 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Greetings, Cybrarians.
00:03
Welcome back to the MS 365 Security Administration course.
00:07
I am pleased to be your instructor.
00:10
setting the same, right? Can I say that was Highbury
00:13
one plus
00:14
Okay.
00:15
It's my pleasure to be your instructor,
00:17
Jim Daniels.
00:19
And today we're on Module 2, Identity and Access.
00:22
Lesson 3, Access Management Part 3: Role Based Access Control.
00:29
In this lesson, we're gonna go over
00:31
how to plan and configure role based access control (RBAC) in MS 365, the difference between Azure RBAC roles and Azure admin roles,
00:41
and monitoring RBAC usage.
00:45
Access management for cloud resources is a critical function.
00:49
Least privilege.
00:50
You can do the most damage when you have access to all of the management of those functions.
00:55
Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Azure RBAC makes it easier
01:07
to use the principle of least privilege access.
01:11
Charles Barkley.
01:11
He was famous for saying he is not a role model.
01:15
He didn't want kids to look up to him.
01:17
He's a non-role model.
01:19
You know what is a role model?
01:22
Azure RBAC. Azure RBAC,
01:25
they have models of roles that you want your users to use.
01:29
So whereas Charles Barkley is not a role model, Azure RBAC? Yes, definitely. Role models.
01:34
Here are some things you can do
01:36
with Azure RBAC.
01:38
You can allow one user to manage virtual machines in a subscription, and another to manage virtual networks.
01:44
You can allow a DBA group to manage SQL databases in a certain subscription.
01:49
You can allow a user to manage all resources in a resource group.
01:52
You can allow an application to access all resources, and you can use Azure RBAC for users, for groups, as well as for application access.
02:04
RBAC role assignments.
02:06
Azure RBAC uses role assignments to control access.
02:08
Role assignments are made up of three key elements:
02:13
security principal, role definition, scope.
02:15
A security principal is an object that represents a user, group, service principal or managed identity that is requesting access to Azure resources.
02:25
A user is an individual who has a profile in Azure AD.
02:30
You can also assign roles to users in other tenants.
02:34
Group: a set of users created in Azure AD.
02:38
Service principal:
02:38
a security identity used by applications or services to access specific
02:45
Azure resources. Think of it as a user identity for an application.
02:50
Managed identity:
02:52
an identity in Azure AD that's automatically managed by Azure.
02:55
Typically, managed identities are used when developing cloud applications to manage credentials for authenticating to services.
03:04
Role definition.
03:05
It's a collection of permissions.
03:07
Typically, this is called a role.
03:09
A role definition lists the operations that can be performed:
03:14
read, write, delete.
03:16
Roles can be high level, like Owner, or very specific, like Virtual Machine Reader.
03:23
Azure includes several built-in roles that we can use.
03:29
Some of those roles:
03:30
Owner, Contributor, Reader, User Access Admin.
03:34
Scope is the set of resources that the access applies to.
03:38
It's the what.
03:40
What do you have a role to control?
03:44
When you assign a role, you can further limit the actions
03:47
by defining the scope.
03:50
In Azure you can specify scope at multiple levels:
03:53
management group,
03:54
subscription, resource group, or resource.
03:59
Scopes are structured in a parent-child relationship.
04:03
Now, to exponentially confuse everyone,
04:06
let's look at Azure RBAC roles, classic, and Azure AD administrator roles.
04:14
If it's little stocking cost for it was confusing.
04:16
Yeah, kind of
04:18
From the classic
04:19
subscription administrator roles:
04:21
Account Admin, Service Admin and Co-Admin. Those were the three classic subscription administrator roles in Azure.
04:29
The classic subscription admins had full access to the subscriptions.
04:33
Azure roles
04:35
is the level above that. Azure roles, the authorization system, remember Azure RBAC? We just talked about it.
04:42
So it's a more refined,
04:45
more detailed and granular
04:46
over the whole Azure environment.
04:49
Azure AD roles. That's a subset within Azure. Remember, Azure AD is only a small service within Azure as a whole.
04:59
So Azure AD roles, those are the ones that you're probably most familiar with in relation to MS 365: Global Admin, Password Admin, Billing Admin,
05:10
those are in the Azure AD tenant.
05:15
By default, Azure and Azure AD roles do not overlap.
05:19
The Azure AD Global Admin can elevate permissions to manage Azure with the User Access Admin role.
05:27
Azure AD and Office 365 Global Admins do not have access to Azure resources.
05:34
Remember, Azure as a whole is much bigger than just Azure AD.
05:39
Azure AD is a subset
05:42
of the services that you find within Azure.
05:46
To configure Azure RBAC,
05:49
you need the permission Microsoft.Authorization/roleAssignments/write
05:55
and roleAssignments/delete.
05:57
The User Access Admin and Owner Azure roles include those.
06:00
Use the
06:02
Access control (IAM) blade in your Azure subscription to configure RBAC roles.
06:09
Here we're actually in the Access control blade within Azure, within a subscription.
06:14
We see where we have role assignments. We can do add a role assignment,
06:16
add a co-administrator, which is one of the classic role assignments, or add a custom role that we define.
06:26
So we're gonna go to add role assignment.
06:28
And here we have the predefined roles,
06:30
the canned,
06:32
out-of-the-box Azure RBAC roles.
06:34
This one, we're going to do Reader.
06:38
We're gonna assign access to a user. We have the user down there we've selected,
06:44
and this will add that user to the Reader RBAC role.
06:47
We also can go in and look at the predefined or custom
06:54
RBAC roles.
06:56
In this example, we went into the Security Admin
06:59
and looked at the permissions. So this is the type.
07:02
So this is a list of the permissions
07:05
that make up
07:08
the Security Admin role.
07:11
Yeah, we'll get analytics, virtual machine management,
07:14
all the way down to the
07:15
really fine-grained stuff.
07:18
RBAC usage is monitored and audited.
07:23
It's in the Azure Activity Log.
07:26
The actions monitored: role assignment create, role assignment delete, custom role definition
07:33
create, update, delete. All of those are logged.
07:36
Here we can see an example of an activity log where a role was created
07:42
and it was assigned.
07:45
When we click on the actual
07:47
event for more information, we can see additional details:
07:53
timestamps,
07:56
scope, role, everything.
08:01
Quiz: a role assignment is made of which three elements?
08:07
A. Security principal, role policy, scope.
08:09
B. Security principal, role definition, scope.
08:13
C. RBAC principal, role definition,
08:15
parameter.
08:16
D. RBAC principal, role policy, scope.
08:20
This one kind of struck me. I'll give you a little bit of time for it,
08:24
so A, B, C or D. Which one is it?
08:31
If you said B, you're correct,
08:35
you win a virtual star
08:37
on the virtual board
08:39
that is next to your name as an outstanding student.
08:43
Security principal, role definition, scope. Those are the three elements that make up a role assignment.
08:52
To recap today's lesson:
08:54
Azure RBAC is an authorization system
08:56
built on Azure Resource Manager that provides fine-grained access management of Azure resources.
09:03
Role assignments are comprised of security principal,
09:07
role definition and scope.
09:09
The Azure Activity Log is used to monitor
09:13
and log Azure RBAC activities.
09:16
Thank you for joining me. I hope to see you for the next video.
09:18
Take care.
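As an added example that is not part of the course or of Microsoft's tooling, here is a small Python triage that applies the lesson's scope hierarchy to Activity Log records: it keeps the monitored RBAC operations (the real Microsoft.Authorization operation names) and rates a successful role write at subscription or management-group scope higher than one at a resource group, because a broad scope inherits downward to every child scope. The record layout, caller names and IDs are constructed, simplified assumptions, not real log output.

```python
import re

# Activity Log operation names for the RBAC actions the lesson says are monitored.
RBAC_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "role assignment create",
    "Microsoft.Authorization/roleAssignments/delete": "role assignment delete",
    "Microsoft.Authorization/roleDefinitions/write": "custom role create/update",
    "Microsoft.Authorization/roleDefinitions/delete": "custom role delete",
}
# The assignment's resource ID embeds its scope: everything before the Authorization provider segment.
_SCOPE_SPLIT = re.compile(r"/providers/Microsoft\.Authorization/role(Assignments|Definitions)/", re.I)

def scope_level(scope):
    """Place a scope in the lesson's hierarchy: management group > subscription > resource group > resource."""
    s = scope.lower()
    if s in ("", "/"):
        return "tenant root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "management group"
    if "/resourcegroups/" in s:
        below_rg = s.split("/resourcegroups/", 1)[1].split("/")
        return "resource group" if len(below_rg) == 1 else "resource"
    return "subscription" if s.startswith("/subscriptions/") else "unknown"

def triage(events):
    """Keep successful RBAC changes; a write at a broad scope is rated high because it inherits to every child scope."""
    findings = []
    for e in events:
        op = e["operationName"]
        if op not in RBAC_OPERATIONS or e.get("status") != "Succeeded":
            continue  # not an RBAC change, or it never took effect
        level = scope_level(_SCOPE_SPLIT.split(e["resourceId"], maxsplit=1)[0])
        broad = level in ("tenant root", "management group", "subscription")
        findings.append({"time": e["eventTimestamp"], "caller": e["caller"], "action": RBAC_OPERATIONS[op],
                         "level": level, "severity": "high" if broad and op.endswith("/write") else "info"})
    return findings

# Constructed, simplified Activity Log records carrying only the fields used above (IDs are placeholders).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2021-03-01T10:00:00Z", "caller": "alice@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/roleAssignments/ASSIGN-1"},
    {"eventTimestamp": "2021-03-01T10:05:00Z", "caller": "bob@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-web/providers/Microsoft.Authorization/roleAssignments/ASSIGN-2"},
    {"eventTimestamp": "2021-03-01T10:07:00Z", "caller": "bob@contoso.example", "status": "Failed",
     "operationName": "Microsoft.Authorization/roleAssignments/delete",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/roleAssignments/ASSIGN-1"},
]
```

Running `triage(SAMPLE_EVENTS)` yields two findings: the subscription-scope assignment rated high and the resource-group one rated info, while the failed delete is dropped because it never changed anything.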