
Clarification Needed: Custom Role Creation through GitOps

Open Mahesh-MSFT opened this issue 4 years ago • 5 comments

The Identity and Access Management section of the Contoso reference implementation discusses the creation of custom roles (i.e. Platform Owner, NetOps, SecOps, Landing Zone Owner, AppOps/DevOps). However, I do not see these roles implemented through ARM templates.

Are these roles expected to be created manually, or am I missing something?

These templates will help replicate them as and when new landing zones are created.

Mahesh-MSFT avatar Jan 27 '21 14:01 Mahesh-MSFT

I added them here, and am using the preview option to scope the roles to a management group: https://github.com/edm-ms/AzureLandingZone/tree/main/Identity

It would be nice to have them as templates in this repo, but I don't believe it's too difficult for a customer to add custom roles.

edm-ms avatar Feb 17 '21 00:02 edm-ms
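For readers following the management-group scoping mentioned above, here is an added Bicep example of one such custom role definition (it is not code from this repo or from the linked AzureLandingZone repo). The role name follows the NetOps role from the reference implementation; the specific `actions` list and the description are illustrative assumptions, and `assignableScopes` is set to the deploying management group so the same definition can be reused by every landing zone beneath it.

```bicep
// Deploy with: az deployment mg create --management-group-id <mg-id> --location <region> --template-file netops-role.bicep
targetScope = 'managementGroup'

@description('Display name of the custom role. Example value; NetOps is one of the roles named in the reference implementation.')
param roleName string = 'NetOps (example)'

@description('Illustrative permissions (assumption): read everything, manage network resources only, and nothing else.')
param allowedActions array = [
  'Microsoft.Network/*'
  'Microsoft.Resources/subscriptions/resourceGroups/read'
  'Microsoft.Resources/deployments/*'
  'Microsoft.Support/*'
  '*/read'
]

// Role definition names must be GUIDs; deriving it from the name and MG id keeps redeploys idempotent.
var roleDefinitionId = guid(roleName, managementGroup().id)

resource netOpsRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
  name: roleDefinitionId
  properties: {
    roleName: roleName
    description: 'Example role: manages platform networking, read-only elsewhere.'
    type: 'CustomRole'
    permissions: [
      {
        actions: allowedActions
        // Deny-list is kept empty so the allowed set above is the whole story; least privilege comes from keeping actions narrow.
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
    // Scoping to the management group (the preview capability referred to above) lets every child
    // subscription assign this role without redefining it per landing zone.
    assignableScopes: [
      managementGroup().id
    ]
  }
}

output roleDefinitionResourceId string = netOpsRole.id
```

Assignments of the role to groups are a separate `Microsoft.Authorization/roleAssignments` resource and are not shown here.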

Have done some work around this topic; feel free to take a look ESLZcustomRBAC.zip

pkorolo avatar Mar 11 '21 21:03 pkorolo

Thanks @pkorolo! This is super helpful!!

Is there a plan to have these role definitions, along with assignments, as part of the azopsreference folder in the reference implementation?

Currently customers can copy policy assignments from the azopsreference folder to their ESLZ implementation. Having the same process for role assignments will also make the customer experience more consistent.

Mahesh-MSFT avatar Mar 12 '21 09:03 Mahesh-MSFT

@Mahesh-MSFT currently the custom role definitions (could) be virtually part of the reference implementation, but this is a parallel discussion going on right now afaik.

From my side, I have created those custom roles as part of a mini-project of mine, along with some baseline RBAC model (group creation, role-to-group assignments, etc.), which unfortunately goes through PS win (AAD module(s) for group creation, PIM or no-PIM variations) & PS core for role-to-group assignment.

This work was practically targeted to enhance the CAF Landing Zone Offerings we have in (former) "Premier" (now Customer Success), so it is (was) meant to go into the respective IPKit.

pkorolo avatar Mar 12 '21 10:03 pkorolo

We will work to include the roleDefinitions that @pkorolo created as part of the reference implementation.

krnese avatar Sep 10 '21 15:09 krnese

Trigger ADO Sync 1

jtracey93 avatar Sep 11 '22 07:09 jtracey93

Trigger ADO Sync 2

jtracey93 avatar Sep 11 '22 07:09 jtracey93

Hey, just wanted to close this one out and say it is available here in ALZ-Bicep: https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/customRoleDefinitions

With this I will close this issue out.

jtracey93 avatar Sep 28 '22 16:09 jtracey93