Recently we released a new version of Cloud Portam. In this release we included support for managing Custom Roles in your Azure Subscriptions and other enhancements. This blog post talks about these changes.
Summary of Enhancements
- Custom role management
- Azure DNS enhancements
- Resource provider audit logs
Custom Role Management
Roles are an important part of Azure’s Role-based access control (RBAC) in the new Azure Resource Manager (ARM). When the RBAC functionality was first released, it only had what are known as “Built-in” roles (in other words, system-defined roles). Recently Azure announced the availability of “Custom” roles, with which you can create your own roles carrying exactly the permissions you want to grant. I am pleased to announce that using Cloud Portam you can now manage these custom roles in your Azure Subscription. You can create new roles (either from scratch or by copying an existing role), edit the custom roles and even delete them.
Before we start talking about managing roles, there are a few concepts I want to clear.
A role essentially has 5 properties: the name of the role, a description, the operations allowed by the role (called Allowed Actions or just Actions), the operations not allowed by the role (called Not Allowed Actions or just Not Actions) and the role scopes (where the role can be assigned – at a subscription level, at a resource group level or even at a resource level). There can be zero or more actions and not actions, and one or more role scopes.
As mentioned above, there are two ways to create a custom role – by copying an existing role or by creating a brand new role from scratch. It is recommended that you start by copying an existing role: find the existing role that most closely matches your requirement and copy it to create the new role.
Please note that creating a role is itself governed by RBAC, so you will only be able to create a new role if you have the appropriate permission to do so.
First, let’s see how you can create a new role by copying an existing role. To illustrate, we will create a custom role that has read permissions on a subscription, read permissions on storage accounts (but not write/delete permissions) as well as permission to list storage account keys (but not to regenerate them).
If we look closely, there is actually a built-in role that comes close – Storage Account Contributor. However, this role has more permissions than we need, so we will explicitly deny the operations we don’t want this role to have (namely the write, delete and regenerate key permissions).
To copy the role, simply select the role and then choose “Copy…” from the top button bar or context menu as shown below.
In the subsequent screen you will see the form filled with information from the role we’re trying to copy.
What we are going to do is first change the name of the role to say “Storage Account Key Reader”.
Next we want to explicitly deny the update/delete and regenerate keys permissions. To do so, click on “Add Operations”, find these operations by selecting the “Microsoft.Storage” resource provider and then set the actions to “Not Allowed”.
Once we apply these changes, this is how our role would look:
Next we will define the scopes at which this role will be applied. As mentioned above, a role can be scoped at subscription level, at a resource group level or at a resource level.
Please note that even though you can specify a resource name as one of the role scopes, to keep things simple Cloud Portam only allows you to scope a role at either the subscription level or a resource group level.
Furthermore if you don’t specify any scope, Cloud Portam automatically scopes the role at the subscription level.
All we have to do at this time is save this role and a custom role will be created for us. It’s that simple!
If needed you can always create a new role by starting from scratch.
You will then add operations to allowed and not allowed operations list and set the scopes for the role to create a new role.
Using Cloud Portam you can edit a custom role. Editing a custom role allows you to change the allowed/not allowed operations as well as description and scopes for the role.
In this example, we will simply move one operation from allowed list to not allowed list.
Once you make all the necessary changes, all you have to do is save the role.
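To make the copy-and-deny walkthrough and the edit step concrete, here is a small Python model of a custom role definition. This is example code written for this post, not Cloud Portam’s code and not an Azure SDK call. It applies the rule Azure RBAC uses when evaluating a role definition (an operation is permitted when it matches at least one Actions entry and no NotActions entry; “*” is a wildcard and matching is case-insensitive), defaults the scope to the subscription when none is given, and rejects resource-level scopes the way Cloud Portam does. The operation names are real Azure operation names, but the Storage Account Contributor action list is an illustrative subset (an assumption) and the subscription ID is a placeholder.

```python
# Example model of an Azure custom role, written for this post (not Cloud
# Portam's code, not the Azure SDK). Operation names are real; the built-in
# role's action list is an illustrative subset and the subscription ID is a
# placeholder.
import copy
import json
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Cloud Portam scopes roles at subscription or resource-group level only.
SUPPORTED_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}(/resourceGroups/[^/]+)?$", re.IGNORECASE
)


@dataclass
class RoleDefinition:
    name: str
    description: str
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    assignable_scopes: list = field(default_factory=list)

    def permits(self, operation: str) -> bool:
        """Azure's rule: an Actions match grants unless a NotActions match denies."""
        op = operation.lower()
        allowed = any(fnmatchcase(op, a.lower()) for a in self.actions)
        denied = any(fnmatchcase(op, n.lower()) for n in self.not_actions)
        return allowed and not denied


def copy_role(source: RoleDefinition, new_name: str) -> RoleDefinition:
    """Start the custom role from an existing one, as the post recommends."""
    role = copy.deepcopy(source)
    role.name = new_name
    return role


def deny(role: RoleDefinition, operation: str) -> None:
    """Move an operation to Not Allowed: drop an explicit Actions entry and
    record it in NotActions (which also trims what a wildcard would grant)."""
    role.actions = [a for a in role.actions if a.lower() != operation.lower()]
    if operation not in role.not_actions:
        role.not_actions.append(operation)


def is_supported_scope(scope: str) -> bool:
    return SUPPORTED_SCOPE.match(scope) is not None


def normalize_scopes(role: RoleDefinition, subscription_id: str) -> None:
    """No scope given: fall back to the subscription. Resource scopes are rejected."""
    if not role.assignable_scopes:
        role.assignable_scopes = [f"/subscriptions/{subscription_id}"]
    bad = [s for s in role.assignable_scopes if not is_supported_scope(s)]
    if bad:
        raise ValueError(f"unsupported scope(s): {bad}")


def to_json(role: RoleDefinition) -> str:
    """Serialize in the shape the ARM role-definition API expects."""
    return json.dumps({
        "Name": role.name,
        "IsCustom": True,
        "Description": role.description,
        "Actions": role.actions,
        "NotActions": role.not_actions,
        "AssignableScopes": role.assignable_scopes,
    }, indent=2)


STORAGE_ACCOUNT_CONTRIBUTOR = RoleDefinition(
    name="Storage Account Contributor",
    description="Built-in role (illustrative subset of its Actions)",
    actions=[
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
    ],
    assignable_scopes=["/"],
)


def build_key_reader(subscription_id: str = SUBSCRIPTION_ID) -> RoleDefinition:
    """The post's walkthrough: copy, rename, deny write/delete/regenerateKey, scope."""
    role = copy_role(STORAGE_ACCOUNT_CONTRIBUTOR, "Storage Account Key Reader")
    role.description = "Read the subscription and storage accounts; list keys, never regenerate them"
    role.actions.append("*/read")  # read permission across the subscription
    for op in ("Microsoft.Storage/storageAccounts/write",
               "Microsoft.Storage/storageAccounts/delete",
               "Microsoft.Storage/storageAccounts/regenerateKey/action"):
        deny(role, op)
    role.assignable_scopes = []  # nothing chosen: defaults to the subscription
    normalize_scopes(role, subscription_id)
    return role


if __name__ == "__main__":
    print(to_json(build_key_reader()))
```

The point worth noticing is that the copied role keeps its wildcard “Microsoft.Storage/storageAccounts/*”, so listKeys stays allowed while the three NotActions entries carve out exactly the operations the post wants denied; a NotActions entry is not a deny rule in the firewall sense, it only subtracts from what Actions grants.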
Please note that editing a role is itself governed by RBAC, so you will only be able to edit a role if you have the appropriate permission to do so. Furthermore, only custom roles can be edited; built-in roles can’t be edited.
Cloud Portam enables you to delete one or more custom roles from your Azure Subscription.
Please note that deleting custom roles is again governed by role-based access control, so you will only be able to delete a custom role if you have the permission to do so. Furthermore, only custom roles can be deleted; built-in roles can’t be deleted.
Deleting a role is an irreversible process. To ensure that you really want to delete a role we have included a simple CAPTCHA on the delete confirmation box.
Azure DNS Enhancements
Easier Records Management
We have simplified zone records management by consolidating everything on just one screen. In the first release, we had separate popup windows for managing individual record types and one popup window to view all records. We have merged these popup windows, so now you have a single screen from which you can view and manage all records for a DNS zone.
DNS Zone File
We have also included a feature that lets you view the zone file for a DNS zone in your Azure Subscription. You can also download this zone file to your local computer.
Resource Provider Audit Logs
We have added a new feature that lets you view the audit logs for a resource provider.
When you click on “Audit Logs”, a new browser tab will be opened where you can find audit log entries for the selected resource provider.
There are a number of things in our immediate product pipeline. We will continue enhancing our Subscription management features by adding support for managing additional services, enhancing key vault management etc. So stay tuned for all these changes.
Try It Out!
We humbly request you to try out these updates in Cloud Portam. This is available in both “Personal” and “Team” editions of Cloud Portam. Though extreme care has been taken regarding testing the current functionality, it is quite possible that we may have overlooked something. If you find something missing or implemented incorrectly, please feel free to reach out to us and tell us. We will fix the issues ASAP.
As you can see we’re constantly investing in making the product more and more useful. Do try out Cloud Portam and these features and let us know what you think. If you think, we can improve it in any way, please feel free to share your thoughts. The link to our website is http://www.cloudportam.com.