---
title: Grant user permissions to specific lab policies | Microsoft Docs
description: Learn how to grant user permissions to specific lab policies in DevTest Labs based on each user's needs
services: devtest-lab,virtual-machines,visual-studio-online
documentationcenter: na
author: tomarcher
manager: douge
editor: ''
ms.assetid: 5ca829f0-eb69-40a1-ae26-03a629db1d7e
ms.service: devtest-lab
ms.workload: na
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 11/25/2016
ms.author: tarcher
---

# Grant user permissions to specific lab policies

## Overview

This article illustrates how to use PowerShell to grant users permissions to a particular lab policy. That way, permissions can be applied based on each user's needs. For example, you might want to grant a particular user the ability to change the VM policy settings, but not the cost policies.

## Policies as resources

As discussed in the Azure Role-based Access Control article, RBAC enables fine-grained access management of resources for Azure. Using RBAC, you can segregate duties within your DevOps team and grant only the amount of access to users that they need to perform their jobs.

In DevTest Labs, a policy is a resource type that enables the RBAC action Microsoft.DevTestLab/labs/policySets/policies/. Each lab policy is a resource of the Policy resource type, and can be used as the scope of an RBAC role assignment.

For example, in order to grant users read/write permission to the Allowed VM Sizes policy, you would create a custom role that works with the Microsoft.DevTestLab/labs/policySets/policies/* action, and then assign the appropriate users to this custom role in the scope of Microsoft.DevTestLab/labs/policySets/policies/AllowedVmSizesInLab.

To learn more about custom roles in RBAC, see the Custom roles access control article.

## Creating a lab custom role using PowerShell

In order to get started, you’ll need to read the following article, which will explain how to install and configure the Azure PowerShell cmdlets: https://azure.microsoft.com/blog/azps-1-0-pre.

Once you’ve set up the Azure PowerShell cmdlets, you can perform the following tasks:

* List all the operations/actions for a resource provider
* List actions in a particular role
* Create a custom role

The following PowerShell script illustrates examples of how to perform these tasks:

```powershell
# List all the operations/actions for a resource provider.
Get-AzureRmProviderOperation -OperationSearchString "Microsoft.DevTestLab/*"

# List actions in a particular role.
(Get-AzureRmRoleDefinition "DevTest Labs User").Actions

# Create custom role. The new role starts as a copy of the built-in
# "DevTest Labs User" role, so it keeps that role's actions and gains the
# policy action added below. Assignable scope is the whole subscription;
# the role is later assigned at the scope of a single policy.
$policyRoleDef = (Get-AzureRmRoleDefinition "DevTest Labs User")
$policyRoleDef.Id = $null
$policyRoleDef.Name = "Policy Contributor"
$policyRoleDef.IsCustom = $true
$policyRoleDef.AssignableScopes.Clear()
$policyRoleDef.AssignableScopes.Add("/subscriptions/<SubscriptionID>")
$policyRoleDef.Actions.Add("Microsoft.DevTestLab/labs/policySets/policies/*")
$policyRoleDef = (New-AzureRmRoleDefinition -Role $policyRoleDef)
```

## Assigning permissions to a user for a specific policy using custom roles

Once you’ve defined your custom roles, you can assign them to users. In order to assign a custom role to a user, you must first obtain the ObjectId representing that user. To do that, use the Get-AzureRmADUser cmdlet.

In the following example, the ObjectId of the SomeUser user is 05DEFF7B-0AC3-4ABF-B74D-6A72CD5BF3F3.

```powershell
PS C:\>Get-AzureRmADUser -SearchString "SomeUser"

DisplayName                    Type                           ObjectId
-----------                    ----                           --------
[email protected]                                          05DEFF7B-0AC3-4ABF-B74D-6A72CD5BF3F3
```

Once you have the ObjectId for the user and a custom role name, you can assign that role to the user with the New-AzureRmRoleAssignment cmdlet:

```powershell
PS C:\>New-AzureRmRoleAssignment -ObjectId 05DEFF7B-0AC3-4ABF-B74D-6A72CD5BF3F3 -RoleDefinitionName "Policy Contributor" -Scope /subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.DevTestLab/labs/<LabName>/policySets/default/policies/AllowedVmSizesInLab
```

In the previous example, the AllowedVmSizesInLab policy is used. You can use any of the following policies:

* MaxVmsAllowedPerUser
* MaxVmsAllowedPerLab
* AllowedVmSizesInLab
* LabVmsShutdown
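The following script is an added example, not part of the original article, that puts the assignment step together: it builds the policy-level scope string for one of the four policies listed above, rejects unknown policy names, resolves the user to an ObjectId, creates the role assignment only if it does not already exist, and reads the assignment back so the grant can be verified. It assumes the AzureRm cmdlets used in this article, a "Policy Contributor" custom role created as shown earlier, and placeholder values you replace with your own; the function names are hypothetical.

```powershell
# Constructed example using the AzureRm cmdlets from this article.
$allowedPolicies = @('MaxVmsAllowedPerUser', 'MaxVmsAllowedPerLab',
                     'AllowedVmSizesInLab', 'LabVmsShutdown')

function Get-LabPolicyScope {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$LabName,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # Refuse unknown names so a typo does not create an assignment on a
    # non-existent scope that silently never takes effect.
    if ($allowedPolicies -notcontains $PolicyName) {
        throw "Unknown lab policy '$PolicyName'. Expected one of: $($allowedPolicies -join ', ')"
    }
    return "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
           "/providers/Microsoft.DevTestLab/labs/$LabName" +
           "/policySets/default/policies/$PolicyName"
}

function Grant-LabPolicyRole {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$Scope,
        [string]$RoleName = 'Policy Contributor'
    )
    # Resolve the user to an ObjectId, as the article does with Get-AzureRmADUser.
    $user = Get-AzureRmADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found in the directory" }

    # Get-AzureRmRoleAssignment -Scope also returns assignments inherited from
    # parent scopes, so filter to exactly this policy before deciding to add.
    $existing = Get-AzureRmRoleAssignment -ObjectId $user.Id -Scope $Scope |
                Where-Object { $_.RoleDefinitionName -eq $RoleName -and $_.Scope -eq $Scope }
    if (-not $existing) {
        New-AzureRmRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    }
    # Return everything effective at this scope so the grant can be audited.
    Get-AzureRmRoleAssignment -ObjectId $user.Id -Scope $Scope |
        Select-Object DisplayName, RoleDefinitionName, Scope
}

# Usage with placeholders (replace with your own values).
$scope = Get-LabPolicyScope -SubscriptionId '<SubscriptionID>' -ResourceGroupName '<ResourceGroupName>' `
                            -LabName '<LabName>' -PolicyName 'AllowedVmSizesInLab'
Grant-LabPolicyRole -UserPrincipalName '<user@yourdomain>' -Scope $scope
```

Rows in the returned list whose Scope is shorter than the policy scope are inherited from the lab, resource group or subscription and show which broader grants the user already holds.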

[!INCLUDE devtest-lab-try-it-out]

## Next steps

Once you've granted user permissions to specific lab policies, here are some next steps to consider: