Custom Role Management In Azure Sentinel
Information security is largely about controlling how, where and by whom data can be accessed, and authorising that access over properly secured channels. The standard model for controlling resource access inside an organisation is Role-based Access Control (RBAC).
In this article we look at what role-based access is and how to implement it in an Azure environment.
RBAC is widely used to differentiate the kind of access users have to particular data in a resource. Before diving into how to implement access and restrictions with RBAC, we need to know the four fundamental roles in Azure, which are:
The roles that have the power to create, edit or delete roles in Azure are:
Azure RBAC ships with 120 built-in roles covering thousands of individual permissions; when none of them fits, we can create a custom role that grants exactly the permissions the users of a given department or region need.
Creating a Custom Role using RBAC
To create a custom role, follow the steps below:
NOTE: A role can be assigned at subscription, resource group or individual resource scope, but a custom role definition's assignable scopes can only be subscriptions or resource groups, not individual resources. To provide a custom role for Azure Sentinel we will create the role at the resource group level.
5. Click + Add to begin creating a custom role.
6. Give your custom role a name and a description.
7. Select Clone a role and choose the built-in role whose permissions come closest to the role you want. Here we clone Azure Sentinel Reader, which grants only read permissions.
8. The permissions inherited from the cloned role are listed under Permissions; you can modify them here if you want to narrow even the read-only access to the resources.
9. Next come the assignable scopes. Since we are creating this role at the resource group level, that resource group appears here, but further scopes can be added from
10. In the JSON view, a role definition has four permission arrays:
a. Actions
i. The control-plane (management) operations the role can perform on a resource; wildcards (*) are allowed.
b. NotActions
i. Operations excluded from the Actions list. This is a subtraction, not a deny: an operation listed here can still be granted to the same user by another role assignment.
c. DataActions
i. Data-plane operations the role can perform on the data held inside a resource, as opposed to managing the resource itself.
d. NotDataActions
i. Data-plane operations excluded from the DataActions list, with the same subtraction semantics as NotActions.
11. In the JSON view you can see all the permissions allowed in Actions for the reader role of the Azure Sentinel resources, as shown in the picture below; NotActions, DataActions and NotDataActions are empty because nothing has been defined in them.
12. Now we grant this role, which so far only has read rights, the ability to create, update and delete watchlists (granular access to a single Azure Sentinel resource type) by adding the following entries to Actions:
"Microsoft.SecurityInsights/Watchlists/*/write"
"Microsoft.SecurityInsights/Watchlists/*/read"
"Microsoft.SecurityInsights/Watchlists/*/delete"
13. Review the definition and create the role.
Implementation of Custom Role
2. Go to the resource group.
3. Go to Access Control (IAM).
4. Go to Roles and search for the custom role you created.
5. Select the role and view it.
6. Click + Add Assignment.
7. Go to Members.
8. Select the user you want to assign the role to by clicking + Select members.
9. Review and assign.
10. A notification appears once the role assignment has been created.
Now sign in as that user and verify: the user can create, update and delete watchlists, and otherwise has only read access to the resources. Bear in mind that a user's effective permissions are the union of all their role assignments, so if the same user also holds a broader role (for example Contributor at subscription scope), the custom role adds nothing you can observe in this check.
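The following script is an added example, not code from the original article: it builds the same kind of custom role definition described in steps 10 to 13 (a cloned reader role plus watchlist permissions) in the JSON shape that `az role definition create` accepts, and then models the check at the end of the implementation section by evaluating which operations the role permits. The subscription ID, resource group, role name and the reduced list of reader actions are placeholders assumed for the example, the watchlist entries use explicit read/write/delete operation strings plus a watchlistItems wildcard rather than the exact patterns quoted above, and the wildcard matching (case-insensitive, `*` matching any run of characters) is the behaviour assumed here.

```python
"""Build a custom Azure RBAC role definition offline and evaluate what it
permits, using the Actions / NotActions semantics described in the article."""
import json
import re

# Placeholder assignable scope (assumed; substitute your own subscription and resource group).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-sentinel"
ASSIGNABLE_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"

# Simplified stand-in for the Actions of the cloned Azure Sentinel Reader role
# (an illustrative subset assumed for this example, not the full built-in definition).
SENTINEL_READER_ACTIONS = [
    "Microsoft.SecurityInsights/*/read",
    "Microsoft.OperationalInsights/workspaces/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]

# Granular watchlist permissions added on top of the cloned reader role
# (explicit operation strings chosen for this example).
WATCHLIST_ACTIONS = [
    "Microsoft.SecurityInsights/watchlists/read",
    "Microsoft.SecurityInsights/watchlists/write",
    "Microsoft.SecurityInsights/watchlists/delete",
    "Microsoft.SecurityInsights/watchlists/watchlistItems/*",
]


def build_role_definition(name, description, cloned_actions, extra_actions, scope):
    """Return a role definition in the JSON shape accepted by `az role definition create`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(cloned_actions) | set(extra_actions)),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def role_definition_json(role):
    """Serialise the definition for `az role definition create --role-definition role.json`."""
    return json.dumps(role, indent=2)


def _pattern_to_regex(pattern):
    """Operation strings are compared case-insensitively and '*' matches any run of
    characters (the wildcard behaviour assumed for this example)."""
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_any(patterns, operation):
    """True if any pattern in the list matches the operation string."""
    op = operation.lower()
    return any(_pattern_to_regex(p).match(op) for p in patterns)


def is_allowed(role, operation):
    """Control-plane check for one role: permitted if some Actions entry matches and no
    NotActions entry matches. NotActions only narrows this role; it is not a deny that
    could override a grant coming from another assignment."""
    return matches_any(role["Actions"], operation) and not matches_any(role["NotActions"], operation)


def effective_allowed(roles, operation):
    """A principal holding several assignments at a scope gets the union of them, which
    is why a NotActions entry in one role cannot block another role's grant."""
    return any(is_allowed(r, operation) for r in roles)


if __name__ == "__main__":
    role = build_role_definition(
        "Sentinel Watchlist Editor",
        "Read-only Azure Sentinel access plus create/update/delete of watchlists",
        SENTINEL_READER_ACTIONS,
        WATCHLIST_ACTIONS,
        ASSIGNABLE_SCOPE,
    )
    print(role_definition_json(role))
    for op in ("Microsoft.SecurityInsights/watchlists/write",
               "Microsoft.SecurityInsights/incidents/read",
               "Microsoft.SecurityInsights/incidents/write"):
        print(f"{op}: {'allowed' if is_allowed(role, op) else 'not allowed'}")
```

Save the printed JSON as role.json and create and assign the role from the CLI with `az role definition create --role-definition role.json` followed by `az role assignment create --assignee user@example.com --role "Sentinel Watchlist Editor" --resource-group rg-sentinel` (the user principal name is a placeholder). The `effective_allowed` check is the part worth remembering: excluding an operation with NotActions in one role does not stop a second assignment from granting it.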
3 years ago: Nice read! Very helpful!