Skill 1.2 Manage Role-Based Access Control (RBAC) Flashcards
What does RBAC do
Allows you to manage the entities, called "security principals", that have access to Azure resources and the actions that those entities can perform
Who can RBAC access be granted to
Users, Groups, Service Principals, and managed identities through role assignments
What is Azure RBAC applicable to
management of resources created in Azure Resource Manager (ARM) deployment model
What is a role
definition of what actions are allowed and/or denied. RBAC is configured by selecting a role and associating the role with a security principal
What access takes precedence when you have overlapping assignments
Most privileged access
What does a role permission contain
the list of permissions or declared permissions and those permissions define what actions can or cannot be performed against a type of resource, such as read, write, or delete
What are Azure AD administrative roles used for
to allow or restrict admins to perform identity tasks, such as creating new users, resetting passwords, and so on
When do security principals have access to Azure resources
when the role assignment is made
Who can create or remove roles
people with the Owner or User Access Administrator built-in roles
What can be used to make deny assignments at a child scope
Azure Blueprints and resource locks
How many custom roles can you have per directory
5000 custom roles
How many role assignments can you have per subscription
2000
What can custom roles be created from
existing built-in roles
starting from scratch
JSON file to define custom permissions
What permissions are needed to create a custom role
Write permissions on all the items in a scope to create a custom role
How are deny assignments set and controlled
by applying a resource lock for resources created through Azure Blueprints