Field | Value |
---|---|
title | Role-based access control in Azure Automation \| Microsoft Docs |
description | Role-based access control (RBAC) enables access management for Azure resources. This article describes how to set up RBAC in Azure Automation. |
services | automation |
documentationcenter | |
author | eslesar |
manager | jwhit |
editor | tysonn |
keywords | automation rbac, role based access control, azure rbac |
ms.assetid | 04b5625e-0ee8-4b5b-85cd-7734c1b3d4a3 |
ms.service | automation |
ms.devlang | na |
ms.topic | get-started-article |
ms.tgt_pltfrm | na |
ms.workload | infrastructure-services |
ms.date | 09/30/2016 |
ms.author | magoedte;sngun |
Role-based access control (RBAC) enables access management for Azure resources. Using RBAC, you can segregate duties within your team and grant only the amount of access to users, groups and applications that they need to perform their jobs. Role-based access can be granted to users using the Azure portal, Azure Command-Line tools, or Azure Management APIs.
In Azure Automation, access is granted by assigning the appropriate RBAC role to users, groups, and applications at the Automation account scope. Following are the built-in roles supported by an Automation account:
Role | Description |
---|---|
Owner | The Owner role allows access to all resources and actions within an Automation account including providing access to other users, groups and applications to manage the Automation account. |
Contributor | The Contributor role allows you to manage everything in an Automation account except modifying other users' access permissions to it. |
Reader | The Reader role allows you to view all the resources in an Automation account but cannot make any changes. |
Automation Operator | The Automation Operator role allows you to perform operational tasks such as start, stop, suspend, resume, and schedule jobs. This role is helpful if you want to protect your Automation Account resources like credentials assets and runbooks from being viewed or modified but still allow members of your organization to execute these runbooks. |
User Access Administrator | The User Access Administrator role allows you to manage user access to Azure Automation accounts. |
Note
You cannot grant access rights to a specific runbook or runbooks, only to the resources and actions within the Automation account.
In this article we walk through how to set up RBAC in Azure Automation. First, let's take a closer look at the individual permissions granted by the Contributor, Reader, Automation Operator, and User Access Administrator roles, so that we know exactly what each one grants before assigning it to anyone. Granting rights to the Automation account without that understanding can have unintended or undesirable consequences.
The following table presents the specific actions that can be performed by the Contributor role in Automation.
The following table presents the specific actions that can be performed by the Reader role in Automation.
Resource Type | Read | Write | Delete | Other Actions |
---|---|---|---|---|
Classic subscription administrator | ✓ | | | |
Management lock | ✓ | | | |
Permission | ✓ | | | |
Provider operations | ✓ | | | |
Role assignment | ✓ | | | |
Role definition | ✓ | | | |
The following table presents the specific actions that can be performed by the Automation Operator role in Automation.
For further details, the Automation operator actions lists the actions supported by the Automation operator role on the Automation account and its resources.
The following table presents the specific actions that can be performed by the User Access Administrator role in Automation.
1. Log in to the Azure portal and open your Automation account from the Automation Accounts page.
2. Click Access control at the top right corner. This opens the Users page, where you can add users, groups, and applications to manage your Automation account and view the existing roles that can be configured for it.

   Note
   Subscription admins already exist as the default entry. The Subscription admins Active Directory group includes the service administrator and co-administrators of your Azure subscription. The service administrator owns the subscription and its resources and therefore inherits the Owner role on its Automation accounts as well. This is why access shows as Inherited for the service administrator and co-administrators of a subscription and as Assigned for all other users. Click Subscription admins to view more details about their permissions.

3. From the Users page, click Add to open the Add access page, where you can add a user, group, or application and assign a role to them.
4. Select a role from the list of available roles. We will choose the Reader role, but you can choose any of the built-in roles that an Automation account supports or any custom role you have defined.
5. Click Add users to open the Add users page. If you have already added users, groups, or applications to manage your subscription, they are listed here and you can select them to grant access. If no users are listed, or the user you want to add is not listed, click Invite to open the Invite a guest page, where you can invite a user with a valid Microsoft account email address (an Outlook.com, OneDrive, or Xbox Live ID, for example). Once you have entered the user's email address, click Select to add the user, and then click OK.

You should now see the user listed on the Users page with the Reader role assigned.

You can also assign a role to the user from the Roles page:

1. Click Roles on the Users page to open the Roles page. From here you can view the name of each role and the number of users and groups assigned to it.

[!NOTE] Role-based access control can only be set at the Automation account level, not on any resource below the Automation account.

You can assign more than one role to a user, group, or application. For example, if we add the Automation Operator role to the user alongside the Reader role, they can view all the Automation resources and also run runbook jobs. Expand the dropdown to view the list of roles assigned to the user.

You can remove the access of a user who no longer manages the Automation account or who has left the organization. Following are the steps to remove a user:

1. From the Users page, select the role assignment that you wish to remove.
2. Click the Remove button in the assignment details pane.
3. Click Yes to confirm removal.
When a user who has been assigned a role signs in to the Azure portal, the owner's directory now appears in their list of directories. To see the Automation account they were added to, they must switch to the owner's default directory.
When a user assigned the Automation Operator role views the Automation account, they can only see the list of runbooks, runbook jobs, and schedules created in the account, not the runbook definitions. They can start, stop, suspend, resume, or schedule runbook jobs. The user has no access to other Automation resources such as configurations, hybrid worker groups, or DSC nodes.
When the user clicks a runbook, the commands to view the source or edit the runbook are not shown, because the Automation Operator role does not grant access to them.
The user can view and create schedules, but has no access to any other asset type.
This user also cannot view the webhooks associated with a runbook.
Role-based access can also be configured for an Automation account using the following Azure PowerShell cmdlets.
- `Get-AzureRmRoleDefinition` lists all the RBAC roles (built-in and custom) available in your Azure subscription. Use it with the `Name` parameter to list the actions that a specific role is allowed to perform.
Example:
- `Get-AzureRmRoleAssignment` lists RBAC role assignments at the specified scope. Without any parameters, it returns all the role assignments made in the subscription. Add the `ExpandPrincipalGroups` parameter to include the assignments a user receives through the groups they are a member of.
Example: Use the following command to list all the users and their roles within an Automation account.
```powershell
Get-AzureRmRoleAssignment -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<Resource Group Name>/providers/Microsoft.Automation/automationAccounts/<Automation Account Name>"
```
- `New-AzureRmRoleAssignment` grants a user, group, or application a role at a particular scope.
Example: Use the following command to assign the Automation Operator role to a user at the Automation account scope.
```powershell
New-AzureRmRoleAssignment -SignInName <sign-in ID of the user you wish to grant access> -RoleDefinitionName "Automation Operator" -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<Resource Group Name>/providers/Microsoft.Automation/automationAccounts/<Automation Account Name>"
```
- `Remove-AzureRmRoleAssignment` removes the access of a specified user, group, or application at a particular scope.
Example: Use the following command to remove the user from the Automation Operator role at the Automation account scope.
```powershell
Remove-AzureRmRoleAssignment -SignInName <sign-in ID of the user you wish to remove> -RoleDefinitionName "Automation Operator" -Scope "/subscriptions/<SubscriptionID>/resourceGroups/<Resource Group Name>/providers/Microsoft.Automation/automationAccounts/<Automation Account Name>"
```
In the examples above, replace the sign-in ID, subscription ID, resource group name, and Automation account name with your own values, and use straight double quotes around the scope (typographic quotes are not valid PowerShell string delimiters). Choose Yes when prompted to confirm before the role assignment is removed.
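The portal procedure above and the cmdlet list both reduce to the same operations at the Automation account scope: inspect the role, list who already has access, grant, verify, and revoke. The following script is an added example written for this page, not code from the original article or from Microsoft; it strings those steps together and adds the check a practitioner wants before granting a built-in role, namely resolving what the role definition actually permits. It assumes the AzureRm module is loaded and `Login-AzureRmAccount` has already succeeded (the Az module equivalents are `Get-AzRoleDefinition`, `Get-AzRoleAssignment`, `New-AzRoleAssignment`, and `Remove-AzRoleAssignment`). The subscription ID, resource group, account name, and sign-in name are placeholders, and `Test-RbacAction` is a hypothetical helper defined here, not an Azure cmdlet.

```powershell
# Added example; not code from the original article. Assumes the AzureRm module
# is loaded and Login-AzureRmAccount has already succeeded. Placeholder values:
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "MyResourceGroup"
$AccountName    = "MyAutomationAccount"
$UserSignIn     = "operator@contoso.com"

# The narrowest scope RBAC supports for Automation is the account itself;
# there is no per-runbook scope.
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.Automation/automationAccounts/$AccountName"

# Hypothetical helper (not an Azure cmdlet): decide whether a role definition
# permits a given resource-provider operation. Azure RBAC control-plane
# semantics: the operation must match an entry in Actions and must not match
# any entry in NotActions; '*' matches any run of path segments and the
# comparison is case-insensitive (PowerShell -match is case-insensitive).
function Test-RbacAction {
    param(
        [Parameter(Mandatory)] $RoleDefinition,   # output of Get-AzureRmRoleDefinition
        [Parameter(Mandatory)] [string] $Operation
    )
    $matchesAny = {
        param([string[]] $Patterns, [string] $Op)
        foreach ($p in $Patterns) {
            $regex = '^' + [regex]::Escape($p).Replace('\*', '.*') + '$'
            if ($Op -match $regex) { return $true }
        }
        return $false
    }
    $allowed = & $matchesAny $RoleDefinition.Actions $Operation
    $denied  = & $matchesAny $RoleDefinition.NotActions $Operation
    return ($allowed -and -not $denied)
}

# 1. Read the built-in definition before granting it. The operation names
#    below are real Microsoft.Automation operations; the point is to confirm
#    that an operator can submit jobs but cannot read runbook source or
#    credential assets, which is what the article promises for this role.
$operatorRole = Get-AzureRmRoleDefinition -Name "Automation Operator"
$operatorRole.Actions
foreach ($op in @(
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/runbooks/content/read",
        "Microsoft.Automation/automationAccounts/credentials/read")) {
    "{0,-62} allowed: {1}" -f $op, (Test-RbacAction -RoleDefinition $operatorRole -Operation $op)
}

# 2. Who already has access at the account scope? This includes assignments
#    inherited from the resource group and subscription (the Scope column
#    shows where each one was actually made).
Get-AzureRmRoleAssignment -Scope $Scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope

# 3. Grant Automation Operator at the account scope only.
New-AzureRmRoleAssignment -SignInName $UserSignIn `
    -RoleDefinitionName "Automation Operator" -Scope $Scope

# 4. Verify the assignment landed at the intended scope, including roles the
#    user gets through group membership; filter out inherited assignments.
Get-AzureRmRoleAssignment -SignInName $UserSignIn -Scope $Scope -ExpandPrincipalGroups |
    Where-Object { $_.Scope -eq $Scope } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# 5. Revoke when the person changes duties or leaves the organization.
Remove-AzureRmRoleAssignment -SignInName $UserSignIn `
    -RoleDefinitionName "Automation Operator" -Scope $Scope
```

To audit without changing anything, run it with steps 3 and 5 commented out. Step 4 filters on scope equality because `Get-AzureRmRoleAssignment -Scope` also returns assignments inherited from higher scopes: a user who already holds Owner on the subscription will have far more than operator rights on the account regardless of what you assign here, and that is exactly the kind of surprise the check in step 1 and the listing in step 2 are meant to surface before you grant anything.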
- For information on different ways to configure RBAC for Azure Automation, refer to manage RBAC with Azure PowerShell.
- For details on different ways to start a runbook, see Starting a runbook.
- For information about different runbook types, refer to Azure Automation runbook types.