There are the objects composing the ARM security model in Azure:
Azure Active Directory tenant contains:
Each are AD objects that can be part of a role assignment.
An Azure account contains subscriptions. Subscriptions contain Resource groups. Resource groups contain Resources. Each of these (Subcriptions, resource groups and resources) are scopes that can be part of a role assignment, and can be locked.
Resources are of a certain resource type (e.g. API management, webapps, Vnet, etc.).
- Types have operations (e.g. create web app, delete api management instance, edit vnet properties, read vm configuration, etc.).
- Operations can be aggregated into roles (e.g. API management contributor).
Roles assignments are assigning
- 1 role
- to 1 AD object
- to 1 scope.
E.g., “API management contributor” to “Futurax Admins” on Resource group “Futurax-Smartphone-App-Dev”.
Role assignments are inherited from one scope to its sub-scopes, e.g.: if you get a contributor permission at a resource group level, you also get it for all resources in that resource group. Inherited role assignments can be removed. E.g.: if you have contributor permission at a resource group level, someone can remove your contributor access to a resource contained in this resource group.
Any scope can be locked. Locks can override update or delete permissions on a given scope. There are two types of locks:
- Delete - no-one can delete the resource if there’s a lock, even if that user has delete permissions
- Read-only - no-one can delete or update the resource if there’s a lock, even if user has appropriate permissions.
Locks can be added or removed by any users with respective permissions Microsoft.Authorization/locks/write an Microsoft.Authorization/locks/delete on a corresponding scope.