articles/sre-agent/security-context.md (18 additions & 12 deletions)
@@ -33,27 +33,33 @@ The security requirements for users are different depending on if you're creatin
33
33
34
34
## Agent security context
35
35
36
-
When you create an agent, a managed identity is created and automatically configured with the appropriate roles and permissions required for the agent to run in the assigned resource groups.
36
+
Azure SRE Agent has its own managed identity that gives the agent the required credentials to act on your behalf as it manages assigned resource groups. You have full control over the roles and permissions applied to the managed identity.
37
37
38
-
By default the agent is granted *Reader* permissions on the resource groups it manages. If higher privileges are needed for a specific operation, temporary *Contributor* permissions are granted with user approval.
38
+
When you create the agent from the portal, you can select from different permissions levels best suited for your situation. When you create an agent, you can apply the *Reader* or *Privileged* permission level.
39
39
40
-
When you create the agent, assigning the resource groups you select to manage are associated to the agent's managed identity.
40
+
The following table describes the difference between the two levels.
41
+
42
+
| Permission level | Description |
43
+
|---|---|
44
+
| Reader | Initially configured with read-only permissions on the resource groups it manages. When an action is required that requires elevated permissions, the agent prompts the user for temporary to complete the action. |
45
+
| Privileged | Initially configured to take approved actions on resources and resource types detected in its assigned resource groups. |
46
+
47
+
At any time, you can change which permissions are available to the agent's managed identity by modifying the access control (IAM) settings of a resource group manged by the agent.
41
48
42
49
As resource groups are added or removed from the agent's scope, the managed identity's permissions are updated accordingly. Removing a resource group revokes the agent's access to the group entirely.
43
50
44
-
If the agent lacks permissions for an action, it prompts the user for authorization to complete the action.
51
+
> [!NOTE]
52
+
> You can't directly remove specific permissions from the agent. To restrict the agent's access, you must remove the entire resource group from the agent's scope.
45
53
46
-
### Agent permissions level
54
+
### Roles
47
55
48
-
When you create an agent, you can allow the agent to run as a *Reader* or with a *Privileged* permission level. The following table describes the difference between the two levels.
56
+
The agent's managed identity is often preconfigured with the following role assignments for a managed resource group:
49
57
50
-
| Permission level | Description |
51
-
|---|---|
52
-
| Reader | The agent has read-only permissions on the resource groups it manages. When an action is required that requires elevated permissions, the agent prompts the user for temporary to complete the action. |
53
-
| Privileged | The agent has permissions to take approved actions on resources and resource types detected in its assigned resource groups. |
58
+
* Log Analytics Reader
59
+
* Azure Reader
60
+
* Monitoring Reader
54
61
55
-
> [!NOTE]
56
-
> You can't directly remove specific permissions from the agent. To restrict the agent's access, you must remove the entire resource group from the agent's scope.
62
+
Plus any required roles related to specific Azure services in resource groups managed by the agent.
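Review bot: The new paragraph at new line 47 ("At any time, you can change which permissions are available to the agent's managed identity by modifying the access control (IAM) settings of a resource group manged by the agent.") contradicts the note kept at new lines 52-53 ("You can't directly remove specific permissions from the agent. To restrict the agent's access, you must remove the entire resource group from the agent's scope."); decide which statement describes how access is actually restricted and rewrite the other to match, since a reader deciding how to scope the identity will otherwise get two answers. Smaller points in the same hunk: the Reader row at new line 44 carries over the pre-existing gap "prompts the user for temporary to complete the action" (temporary what: elevated permissions?), so fix it while the row is being rewritten; "manged" at new line 47 should be "managed"; "permissions levels" at new line 38 should be "permission levels", and the two sentences in that paragraph say the same thing twice; "is often preconfigured" at new line 56 is too vague for a reference article (state when the role assignments are and are not applied); "Azure Reader" at new line 59 looks like it means the built-in *Reader* role, so confirm the intended role name; and new line 62 ("Plus any required roles related to specific Azure services...") is a sentence fragment that should become either a fourth bullet or a full sentence.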
articles/sre-agent/troubleshoot.md (5 additions & 1 deletion)
@@ -14,10 +14,14 @@ This guide covers the common problems faced when working with Azure SRE Agent an
14
14
15
15
## Common troubleshooting scenarios
16
16
17
-
The following table outlines frequent issues you might encounter and their solutions:
17
+
The following table outlines frequent issues you might encounter and their solutions. For more information about how roles and permissions are applied to an agent, see [Security contexts in Azure SRE Agent](./security-context.md).
18
18
19
19
| Scenario | Reason | Remarks |
20
20
|---|---|---|
21
21
| The agent shows a permissions error in the chat and knowledge graph. | The agent is created with a high-privileged account and low-privilege account attempts to interact with the agent. | Deny assignments or Azure Policy blocks identity assignment to the agent resource group. |
22
22
| The location dropdown is blank. | A non-US region policy blocks access to Sweden Central. | If your subscription or management group limits to US-only deployments, then the creation step fails. |
23
23
| The *Create* button is disabled. | Lack of administrative permissions. | Agent identity assignments fail if the user account lacks *Owner* or *User Access Administrator* permissions. |
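Review bot: The new cross-reference at new line 17 sends readers to the security context article for how roles and permissions are applied, but the first table row right below it (line 21) still pairs a Reason about a low-privilege account interacting with an agent created by a high-privileged account with a Remark about deny assignments or Azure Policy blocking identity assignment; those are two different failures, so while this paragraph is being edited, either split the row in two or align the Reason and Remarks columns so each row describes one cause and its fix. Also check the link text "Security contexts in Azure SRE Agent" against the target article's actual title before merging.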