AAD Rbac Issue Investigation
- Overview
RBAC (Role-Based Access Control) is an authorization mechanism that determines whether a user is authorized to perform an operation on a resource. Let's review each term.
- What is a user?
A user is an entity created under an AAD directory (aka tenant). It has a set of properties such as name, first name, email, etc. It is uniquely identified by an objectId (a GUID); sometimes the term principalId is also used. The tenant where the user is originally created is called the home tenant. The same user can be added to other tenants; in that case it becomes a foreign entity there. The user is given a different objectId in each tenant.
- What is a group?
A group is an entity created under an AAD directory (aka tenant). It has a set of properties such as group name, etc. It is uniquely identified by an objectId (a GUID); sometimes the term principalId is also used. The group has members, which are a collection of users.
- What is an operation?
An operation is an action; for instance, read, write, etc.
- What is a resource?
In this context, the resource is an ARM resource identified by a URL such as https://management.azure.com//subscriptions/%sub%/resourceGroups/%rg%/providers/Microsoft.Web/sites/%site%.
- What is an authorization policy?
The authorization policy describes which users can perform which operations on which resources. If no policy grants the operation, the user is denied access (deny by default). The policy is represented by role definitions and role assignments.
- What is a role definition?
A role definition describes which operations a role can perform. For instance, the "Web Site Contributors" role has full permissions on the "WebApps" resource type.
- What is a role assignment?
A role assignment describes which users/groups belong to which roles for which resources (the scope). For instance, the user with objectId "foo" belongs to the "Web Site Contributors" role for the "bar" resource. In effect, this means user "foo" has full permissions on the "bar" WebApp resource.
A user can also be given permissions via a group. For instance, a group with objectId "foo" belongs to the "Web Site Contributors" role for the "bar" resource. In effect, this means any user in group "foo" has full permissions on the "bar" WebApp resource.
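The following Python script is an added example (not code from this wiki or from the Kudu project) that ties the terms above together as a minimal, deny-by-default RBAC evaluator: role definitions list permitted actions, role assignments bind a principal (a user objectId or a group objectId) to a role at a scope, and an assignment at a parent scope (subscription or resource group) is inherited by the resources beneath it. All objectIds, resource ids and the role contents are constructed placeholders; the real Azure role definitions contain more actions than shown here, and the `NotActions` handling models only the documented "subtract from this role's own Actions" semantics, not a separate deny layer.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample role definitions (placeholders, not the real Azure built-in roles).
# "actions" are permitted operations; "not_actions" are subtracted from this role's own actions.
ROLE_DEFINITIONS = {
    "Web Site Contributors": {"actions": ["Microsoft.Web/sites/*"], "not_actions": []},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed group membership: group objectId -> set of member user objectIds.
# objectIds are tenant-specific, so these must be the ids valid in the tenant being evaluated.
GROUP_MEMBERS = {"group-ops": {"user-alice"}}


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # objectId of a user or a group
    role: str          # name of a role definition
    scope: str         # ARM resource id prefix at which the assignment applies


# Constructed sample assignments (placeholder ids).
SITE_BAR = "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Web/sites/bar"
SITE_OTHER = "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Web/sites/other"
ASSIGNMENTS = [
    # user "foo" is Web Site Contributor on exactly one site
    RoleAssignment("user-foo", "Web Site Contributors", SITE_BAR),
    # the whole ops group can read everything under the subscription
    RoleAssignment("group-ops", "Reader", "/subscriptions/sub-1"),
]


def scope_contains(assignment_scope: str, resource_id: str) -> bool:
    """True if the resource is the assignment scope itself or lies beneath it.

    The trailing "/" is appended before the prefix test so that a scope of
    "/subscriptions/sub-1" does not accidentally cover "/subscriptions/sub-10".
    """
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive wildcard match; '*' spans path segments as in ARM action strings."""
    return fnmatchcase(action.lower(), pattern.lower())


def principals_for(user_id: str, group_members: dict) -> set:
    """The user's own objectId plus the objectIds of every group it belongs to."""
    principals = {user_id}
    for group_id, members in group_members.items():
        if user_id in members:
            principals.add(group_id)
    return principals


def is_authorized(user_id: str, action: str, resource_id: str,
                  assignments=ASSIGNMENTS, role_definitions=ROLE_DEFINITIONS,
                  group_members=GROUP_MEMBERS) -> bool:
    """Deny by default: allow only if some assignment for the user (directly or via
    a group) sits at a scope covering the resource and its role permits the action."""
    principals = principals_for(user_id, group_members)
    for ra in assignments:
        if ra.principal_id not in principals:
            continue  # assignment belongs to someone else
        if not scope_contains(ra.scope, resource_id):
            continue  # assignment does not cover this resource
        rd = role_definitions.get(ra.role)
        if rd is None:
            continue  # dangling assignment: role definition missing, grants nothing
        if any(action_matches(p, action) for p in rd["not_actions"]):
            continue  # action explicitly subtracted from this role
        if any(action_matches(p, action) for p in rd["actions"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("user-foo", "Microsoft.Web/sites/write", SITE_BAR),
        ("user-foo", "Microsoft.Web/sites/write", SITE_OTHER),
        ("user-alice", "Microsoft.Web/sites/read", SITE_BAR),
        ("user-alice", "Microsoft.Web/sites/write", SITE_BAR),
        ("user-nobody", "Microsoft.Web/sites/read", SITE_BAR),
    ]
    for user, action, resource in checks:
        verdict = "ALLOW" if is_authorized(user, action, resource) else "DENY"
        print(f"{verdict:5} {user} {action} on {resource.rsplit('/', 1)[-1]}")
```

When investigating an access issue, this is the order worth checking by hand: is the objectId in the assignment the one the user has in *this* tenant (a foreign user has a different one), does the assignment scope actually cover the resource id, and does the role definition list the action being attempted.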