- Using a web browser, open the Azure portal. Select All services.
- Select any resource, and then select it again.
- Select Access control (IAM).
- Select Roles.
- Review the list of built-in roles. Note that you can also create custom roles.
Here are the four fundamental built-in RBAC roles in Azure that apply to all resource types:
- Owner. Has full access to all resources, including the right to delegate access to others.
- Contributor. Can create and manage all types of Azure resources but can’t grant access to others.
- Reader. Can view existing Azure resources.
- User Access Administrator. Can remove access to resources.
The rest of the RBAC roles in Azure allow for managing specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. It does not grant access to the virtual network or the subnet that the virtual machine connects to.
As a best practice when deploying Azure RBAC, consider creating new resource groups instead of new subscriptions for newly onboarded teams.
Resource groups allow you to implement RBAC so that users can contribute to services but not own them.
To manage access by using RBAC and Azure PowerShell, review the documentation page at https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell. It has examples of how to:
- List roles
- List access
- Grant access
- Remove access
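The following is an added walkthrough, not code from the page or from the Microsoft documentation it links to. It covers those four operations with the Az PowerShell module and, at the same time, the two practices described above: granting Virtual Machine Contributor at resource-group scope rather than on the subscription, so the team can manage its own virtual machines without owning anything else. It assumes the Az.Resources module is installed and that the caller already holds Owner or User Access Administrator at the target scope; the resource group name, location and user principal name are constructed placeholders.

```powershell
# Added example (not from the page or from Microsoft docs): grant, review and revoke
# a scoped built-in role with Az PowerShell. Assumes Az.Resources is installed and
# the caller holds Owner or User Access Administrator at the target scope.
# All names below are constructed placeholders.
$rgName   = 'rg-team-onboarding'      # hypothetical resource group for a newly onboarded team
$location = 'eastus'
$user     = 'alice@contoso.example'   # hypothetical user principal name

Connect-AzAccount   # interactive sign-in; omit if a session already exists

# 1. List roles: read the built-in definition before granting it, so the
#    Actions/NotActions lists are known rather than assumed
Get-AzRoleDefinition -Name 'Virtual Machine Contributor' |
    Select-Object Name, Description, Actions, NotActions

# Create the team's resource group (a resource group, not a new subscription)
New-AzResourceGroup -Name $rgName -Location $location -ErrorAction SilentlyContinue | Out-Null

# 2. Grant access at resource-group scope only: the user can create and manage
#    VMs inside this group but receives no rights on the subscription, on other
#    groups, or on a virtual network that lives outside this group
New-AzRoleAssignment -SignInName $user `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -ResourceGroupName $rgName

# 3. List access: confirm what the user holds at this scope. Assignments
#    inherited from the subscription are included, so an unexpected Owner or
#    Contributor row here means the scope is broader than intended.
Get-AzRoleAssignment -SignInName $user -ResourceGroupName $rgName |
    Select-Object RoleDefinitionName, Scope

# Also review every assignment the user holds anywhere in the subscription
Get-AzRoleAssignment -SignInName $user |
    Select-Object RoleDefinitionName, Scope

# 4. Remove access when the engagement ends; the assignment is identified by the
#    same principal, role and scope used to create it
Remove-AzRoleAssignment -SignInName $user `
    -RoleDefinitionName 'Virtual Machine Contributor' `
    -ResourceGroupName $rgName
```

Keeping the assignment at resource-group scope is what makes the review in step 3 meaningful: the Scope column should end in the resource group's path, and any row whose scope is the bare subscription is an assignment that was not made by this script and deserves a look.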