
How to restrict a user from accessing specific resource groups?

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

Madhur Asati

3 Answers

When you create a new user in Azure, they have no permissions at all against any subscription; logging into the portal will present an empty view with no resources.

If you give that user the Reader permission, they will then be able to read any resource in the subscription, but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.

If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.

Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.

There is no built-in role that has an explicitly defined resourceGroups/write or resourceGroups/* permission.

The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.

This means that only Contributors and Owners can create resource groups in a subscription.

It would be possible to create a custom role that denied resourceGroup/write.

So, to answer your question, to limit a user only to being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.

Michael B

For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.

The above is possible with the following steps:

  1. Add the user to the subscription. Don't assign any role at subscription level for this user.

  2. Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) property) through role assignment.

The above two configurations will enable the user to only view and operate on the explicit three resource groups; other resource groups will not appear in the Azure portal.

Best practice would be to add the user to a security group and assign the security group to the roles.

Venkatesh Muniyandi
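The two answers above describe the same mechanism from different angles: Michael B explains that any Reader or Contributor assignment carries the resourceGroups/read action and that resourceGroups/write only comes from "*" roles, and Venkatesh gives the recipe (no subscription-level role, Contributor on the three groups). The following toy model of Azure RBAC scope inheritance and wildcard action matching is an added example, not Azure's own code or anything from the answers; the role definitions are simplified (the real Contributor role lists more NotActions), the subscription id is a placeholder, and the principals, resource groups and assignments are constructed. It shows why the recipe works, why a Reader at subscription scope still sees every group, and which assignment to look for when a user can create resource groups unexpectedly, as in the comment thread below.

```python
from fnmatch import fnmatchcase

# Azure operation strings. The resourceGroups/read one is the action named in the
# answer above; the others are real Azure operation names used for illustration.
RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Simplified built-in roles (constructed; the real Contributor role carries more NotActions).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Owner": {"actions": ["*"], "notActions": []},
}


def _matches(pattern, action):
    # Azure action matching is case-insensitive and '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())


def ancestor_scopes(scope):
    """Scopes at which an assignment covers `scope`: the subscription,
    the resource group (if any) and the scope itself."""
    parts = scope.strip("/").split("/")
    chain = []
    for n in (2, 4):  # /subscriptions/<id>, /subscriptions/<id>/resourceGroups/<name>
        if len(parts) >= n:
            chain.append("/" + "/".join(parts[:n]))
    full = "/" + "/".join(parts)
    if full not in chain:
        chain.append(full)
    return chain


def is_allowed(assignments, principal, action, scope):
    """True if some assignment for `principal` at `scope` or an ancestor grants `action`."""
    covering = {s.lower() for s in ancestor_scopes(scope)}
    for who, role, assigned_at in assignments:
        if who != principal or assigned_at.lower() not in covering:
            continue
        role_def = ROLES[role]
        granted = any(_matches(p, action) for p in role_def["actions"])
        excluded = any(_matches(p, action) for p in role_def["notActions"])
        if granted and not excluded:
            return True
    return False


def visible_resource_groups(assignments, principal, subscription, resource_groups):
    """Groups the portal would list: those where resourceGroups/read is allowed."""
    return [rg for rg in resource_groups
            if is_allowed(assignments, principal, RG_READ,
                          f"/subscriptions/{subscription}/resourceGroups/{rg}")]


def can_create_resource_group(assignments, principal, subscription, name="new-rg"):
    """Creating a group needs resourceGroups/write on a group that does not exist yet,
    so only an assignment at subscription scope (or above) can grant it."""
    return is_allowed(assignments, principal, RG_WRITE,
                      f"/subscriptions/{subscription}/resourceGroups/{name}")


def subscription_level_assignments(assignments, principal, subscription):
    """Troubleshooting helper: any assignment here explains why a user sees every group."""
    sub_scope = f"/subscriptions/{subscription}".lower()
    return [a for a in assignments if a[0] == principal and a[2].lower() == sub_scope]


# Constructed scenario: 10 resource groups, three principals.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RESOURCE_GROUPS = [f"rg{i:02d}" for i in range(1, 11)]
ASSIGNMENTS = [
    # alice: Contributor on three groups only, nothing at subscription level (the answers' recipe)
    ("alice", "Contributor", f"/subscriptions/{SUB}/resourceGroups/rg01"),
    ("alice", "Contributor", f"/subscriptions/{SUB}/resourceGroups/rg02"),
    ("alice", "Contributor", f"/subscriptions/{SUB}/resourceGroups/rg03"),
    # bob: Reader at subscription scope, sees everything, modifies nothing
    ("bob", "Reader", f"/subscriptions/{SUB}"),
    # carol: Contributor at subscription scope, can create resource groups
    ("carol", "Contributor", f"/subscriptions/{SUB}"),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "sees", visible_resource_groups(ASSIGNMENTS, user, SUB, RESOURCE_GROUPS),
              "| can create RG:", can_create_resource_group(ASSIGNMENTS, user, SUB),
              "| subscription-level assignments:",
              subscription_level_assignments(ASSIGNMENTS, user, SUB))
```

Running it lists three groups for alice and none created, all ten for bob and carol, and only carol able to create a group. The real-world equivalent of the recipe is `az role assignment create --assignee <user> --role Contributor --scope /subscriptions/<id>/resourceGroups/<name>` per group, and the equivalent of the troubleshooting helper is `az role assignment list --assignee <user> --scope /subscriptions/<id>`: if that returns anything, the user has a role at subscription level.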

Add the user to the Contributor role in those resource groups.

Go to the resource group, then open Access Control (IAM), and add the user to Contributor role. Repeat for each resource group.

juunas
  • Adding the Reader role will not help. As I want to restrict a user from creating an RG and want them to do all the tasks within the assigned groups. – Madhur Asati Mar 29 '18 at 11:26
  • Whoops, I meant Contributor. They will not be able to create new RGs if they are Contributors only at RG level. You can make them Owner if you want to allow them to add access for others too. – juunas Mar 29 '18 at 11:27
  • The scenario is like: I want to create a user with fine-grained access which can navigate to an assigned group, say ABC-RG. Once I assign the RG to the user, the user should not have the authority to create another RG; however, the user can perform any task within that RG like creating VM, DB, CDN. So in that case can I assign them a "USER" in IAM and Contributor role in RBAC, would that work? – Madhur Asati Mar 29 '18 at 11:32
  • You can assign them to Contributor in the RG. It does exactly what you want. – juunas Mar 29 '18 at 11:33
  • Thanks, I shall get back to you. – Madhur Asati Mar 29 '18 at 11:35
  • I assigned the user the Contributor role but the user is still able to create the RG. – Madhur Asati Mar 29 '18 at 11:53
  • Did you assign them to Contributor on the resource group? If you assign them to Contributor on the subscription, then they will be able to create RGs too. You should probably check what their role is at the subscription level. – juunas Mar 29 '18 at 12:07
  • Yes, I have checked it at subscription level; there is no role which is assigned to it. Steps which I have followed: from the Owner's account I created an RG; after the creation of the RG I went to the RG and under the IAM section I assigned the Contributor role for that specific RG, and then I tried to log in from the different account for which the role was assigned. Unfortunately I was able to see all the RGs and I was able to create an RG as well. Kindly let me know on which step I am going wrong. – Madhur Asati Mar 29 '18 at 12:16
  • If they can see the other RGs, then they have a role on them or the subscription; there is no other way they could see them. – juunas Mar 29 '18 at 19:45