|
| 1 | +--- |
| 2 | +title: Azure role-based access control |
| 3 | +titleSuffix: Microsoft Dev Box |
| 4 | +description: Learn how Microsoft Dev Box provides protection with Azure role-based access control (Azure RBAC) integration. |
| 5 | +ms.service: dev-box |
| 6 | +author: RoseHJM |
| 7 | +ms.author: rosemalcolm |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 07/31/2024 |
| 10 | + |
| 11 | +#Customer intent: As a platform engineer, I want to understand how to assign permissions in Dev Box so that I can give dev managers and developers only the permissions they need. |
| 12 | +--- |
| 13 | +# Azure role-based access control in Microsoft Dev Box |
| 14 | + |
| 15 | +This article describes the different built-in roles that Microsoft Dev |
| 16 | +Box supports, and how they map to organizational roles like platform |
| 17 | +engineer and dev manager. |
| 18 | + |
| 19 | +Azure role-based access control (RBAC) specifies built-in role |
| 20 | +definitions that outline the permissions to be applied. You assign a |
| 21 | +user or group this role definition via a role assignment for a |
| 22 | +particular scope. The scope can be an individual resource, a resource |
| 23 | +group, or across the subscription. In the next section, you learn which |
| 24 | +[built-in roles](#built-in-roles) Microsoft Dev Box supports. |
| 25 | + |
| 26 | +For more information, see [What is Azure role-based access control (Azure RBAC)](https://microsoft-my.sharepoint.com/azure/role-based-access-control/overview)? |
| 27 | + |
| 28 | +> [!Note] |
| 29 | +> When you make role assignment changes, it can take a few minutes for these updates to propagate. |
| 30 | +
|
| 31 | +## Built-in roles |
| 32 | + |
| 33 | +In this article, the Azure built-in roles are logically grouped into |
| 34 | +three organizational role types, based on their scope of influence: |
| 35 | + |
| 36 | +- Platform engineer roles: influence permissions for dev centers, |
| 37 | + catalogs, and projects |
| 38 | + |
| 39 | +- Dev manager: influence permissions for project-based resources |
| 40 | + |
| 41 | +- Developer roles: influence permissions for users |
| 42 | + |
| 43 | +The following are the built-in roles supported by Microsoft Dev Box: |
| 44 | + |
| 45 | +| Organizational role type | Built-in role | Description | |
| 46 | +|--------------------------|-----------------------|---------------------------------------------------------------------------------------------------| |
| 47 | +| Platform engineer | Owner | Grant full control to create/manage dev centers, catalogs, and projects, and grant permissions to other users. Learn more about the [Owner role](#owner-role). | |
| 48 | +| Platform engineer | Contributor | Grant full control to create/manage dev centers, catalogs, and projects, except for assigning roles to other users. Learn more about the [Contributor role](#contributor-role). | |
| 49 | +| Dev Manager | DevCenter Project Admin | Grant permission to manage certain aspects of projects and dev boxes. Learn more about the [DevCenter Project Admin role](#devcenter-project-admin-role). | |
| 50 | +| Developer | Dev Box User | Grant permission to create dev boxes and have full control over the dev boxes that they create. Learn more about the [Dev Box User role](#dev-box-user). | |
| 51 | + |
| 52 | +## Role assignment scope |
| 53 | + |
| 54 | +In Azure RBAC, *scope* is the set of resources that access applies to. |
| 55 | +When you assign a role, it\'s important to understand scope so that you |
| 56 | +grant just the access that is needed. |
| 57 | + |
| 58 | +In Azure, you can specify a scope at four levels: management group, |
| 59 | +subscription, resource group, and resource. Scopes are structured in a |
| 60 | +parent-child relationship. Each level of hierarchy makes the scope more |
| 61 | +specific. You can assign roles at any of these levels of scope. The |
| 62 | +level you select determines how widely the role is applied. Lower levels |
| 63 | +inherit role permissions from higher levels. Learn more about [scope for Azure RBAC](https://microsoft-my.sharepoint.com/azure/role-based-access-control/scope-overview). |
| 64 | + |
| 65 | +For Microsoft Dev Box, consider the following scopes: |
| 66 | + |
| 67 | + | Scope | Description | |
| 68 | + |-----------------|---------------------------------------------------------------------------------------------------| |
| 69 | + | Subscription | Used to manage billing and security for all Azure resources and services. Typically, only Platform engineers have subscription-level access because this role assignment grants access to all resources in the subscription. | |
| 70 | + | Resource group | A logical container for grouping together resources. Role assignment for the resource group grants permission to the resource group and all resources within it, such as dev centers, dev box definitions, dev box pools, projects, and dev boxes. | |
| 71 | + | Dev center (resource) | A collection of projects that require similar settings. Role assignment for the dev center grants permission to the dev center itself. Permissions assigned for the dev centers aren't inherited by other dev box resources. | |
| 72 | + | Project (resource) | An Azure resource used to apply common configuration settings when you create a dev box. Role assignment for the project grants permission only to that specific project. | |
| 73 | + | Dev box pool (resource) | A collection of dev boxes that you manage together and to which you apply similar settings. Role assignment for the dev box pool grants permission only to that specific dev box pool. | |
| 74 | + | Dev box definition (resource) | An Azure resource that specifies a source image and size, including compute size and storage size. Role assignment for the dev box definition grants permission only to that specific dev box definition. | |
| 75 | + |
| 76 | +:::image type="content" source="media/concept-dev-box-role-based-access-control/dev-box-scopes.png" lightbox="media/concept-dev-box-role-based-access-control/dev-box-scopes.png" alt-text="Diagram that shows the role assignment scopes for Microsoft Dev Box."::: |
| 77 | + |
| 78 | +## Roles for common Dev Box activities |
| 79 | + |
| 80 | +The following table shows common Dev Box activities and the role needed for a user to perform that activity. |
| 81 | + |
| 82 | +| Activity | Role type | Role | Scope | |
| 83 | +|-----------------------------------------------------------------------------------------------------------------------|------------------|-------------------------------------------|----------------| |
| 84 | +| Grant permission to create a resource group. | Platform engineer| Owner or Contributor | Subscription | |
| 85 | +| Grant permission to submit a Microsoft support ticket, including to request capacity. | Platform engineer| Owner, Contributor, Support Request Contributor | Subscription | |
| 86 | +| Grant permission to create virtual networks and subnets. | Platform engineer| Network Contributor | Resource group | |
| 87 | +| Grant permission to create a network connection. | Platform engineer| Owner or Contributor | Resource group | |
| 88 | +| Grant permission to assign roles to other users. | Platform engineer| Owner | Resource group | |
| 89 | +| Grant permission to: </br> - Create / manage dev centers. </br> - Add / remove network connections. </br> - Add / remove Azure compute galleries. </br> - Create / manage dev box definitions. </br> - Create / manage projects. </br> - Attach / manage catalog to a dev center or project (project-level catalogs must be enabled on the dev center). </br> - Configure dev box limits. | Platform engineer| Contributor | Resource group | |
| 90 | +| Grant permission to add or remove a network connection for a dev center. | Platform engineer| Contributor | Dev center | |
| 91 | +| Grant permission to enable / disable project catalogs. | Dev Manager | Contributor | Dev center | |
| 92 | +| Grant permission to: </br> - Add, sync, remove catalog (project-level catalogs must be enabled on the dev center). </br> - Create dev box pools. </br> - Stop, start, delete dev boxes in pools. | Dev Manager | DevCenter Project Admin | Project | |
| 93 | +| Create and manage your own dev boxes in a project. | User | Dev Box User | Project | |
| 94 | +| Create and manage catalogs in a GitHub or Azure Repos repository. | Dev Manager | Not governed by RBAC. </br> - The user must be assigned permissions through Azure DevOps or GitHub. | Repository | |
| 95 | + |
| 96 | +> [!Important] |
| 97 | +> An organization's subscription is used to manage billing and security for all Azure resources and services. You |
| 98 | +> can assign the Owner or Contributor role on the subscription. |
| 99 | +> Typically, only Platform engineers have subscription-level access because this includes full access to all resources in the subscription. |
| 100 | +
|
| 101 | +## Platform engineer roles |
| 102 | + |
| 103 | +To grant users permission to manage Microsoft Dev Box within your |
| 104 | +organization's subscription, you should assign them the |
| 105 | +[Owner](#owner-role) or [Contributor](#contributor-role) role. |
| 106 | + |
| 107 | +Assign these roles to the *resource group*. The dev centers, network |
| 108 | +connections, dev box definitions, dev box pools, and projects within the |
| 109 | +resource group inherit these role assignments. |
| 110 | + |
| 111 | +:::image type="content" source="media/concept-dev-box-role-based-access-control/dev-box-administrator-scope.png" lightbox="media/concept-dev-box-role-based-access-control/dev-box-administrator-scope.png" alt-text="Diagram that shows the administrator role assignments at the subscription for Azure Deployment Environments."::: |
| 112 | + |
| 113 | +### Owner role |
| 114 | + |
| 115 | +Assign the Owner role to give a user full control to create or manage |
| 116 | +Dev Box resources and grant permissions to other users. When a user has |
| 117 | +the Owner role in the resource group, they can do the following |
| 118 | +activities across all resources within the resource group: |
| 119 | + |
| 120 | +- Assign roles to platform engineers, so they can manage Dev Box |
| 121 | + resources. |
| 122 | + |
| 123 | +- Create dev centers, network connections, dev box definitions, dev |
| 124 | + box pools, and projects. |
| 125 | + |
| 126 | +- View, delete, and change settings for all dev centers, network |
| 127 | + connections, dev box definitions, dev box pools, and projects. |
| 128 | + |
| 129 | +- Attach and detach catalogs. |
| 130 | + |
| 131 | +> [!Caution] |
| 132 | +> When you assign the Owner or Contributor role on the resource group, then these permissions also apply to non-Dev Box related resources that exist in the resource group. |
| 133 | +
|
| 134 | +### Contributor role |
| 135 | + |
| 136 | +Assign the Contributor role to give a user full control to create or |
| 137 | +manage dev centers and projects within a resource group. The Contributor |
| 138 | +role has the same permissions as the Owner role, *except* for: |
| 139 | + |
| 140 | +- Performing role assignments. |
| 141 | + |
| 142 | +## Dev Manager role |
| 143 | + |
| 144 | +There's one dev manager role: DevCenter Project Admin. This role has |
| 145 | +more restricted permissions at lower-level scopes than the platform |
| 146 | +engineer roles. You can assign this role to dev managers to enable them |
| 147 | +to perform administrative tasks for their team. |
| 148 | + |
| 149 | +:::image type="content" source="media/concept-dev-box-role-based-access-control/dev-box-project-scope.png" lightbox="media/concept-dev-box-role-based-access-control/dev-box-project-scope.png" alt-text="Diagram that shows the dev manager role assignment at the project level scopes for Microsoft Dev Box."::: |
| 150 | + |
| 151 | +### DevCenter Project Admin role |
| 152 | + |
| 153 | +Assign the DevCenter Project Admin to enable: |
| 154 | + |
| 155 | +- Add, sync, remove catalog (project-level catalogs must be enabled on |
| 156 | + the dev center). |
| 157 | + |
| 158 | +- Create dev box pools. |
| 159 | + |
| 160 | +- Stop, start, delete dev boxes in pools. |
| 161 | + |
| 162 | +## Developer role |
| 163 | + |
| 164 | +There's one developer role: Dev Box User. This role enables developers |
| 165 | +to create and manage their own dev boxes. |
| 166 | + |
| 167 | +:::image type="content" source="media/concept-dev-box-role-based-access-control/dev-box-user-scope.png" lightbox="media/concept-dev-box-role-based-access-control/dev-box-user-scope.png" alt-text="Diagram that shows the user role assignments at the project for Microsoft Dev Box."::: |
| 168 | + |
| 169 | +### Dev Box User |
| 170 | + |
| 171 | +Assign the Dev Box User role to give users permission to create dev |
| 172 | +boxes and have full control over the dev boxes that they create. |
| 173 | +Developers can perform the following actions on any dev box they create: |
| 174 | + |
| 175 | +- Create |
| 176 | +- Start / stop |
| 177 | +- Restart |
| 178 | +- Delay scheduled shutdown |
| 179 | +- Delete |
| 180 | + |
| 181 | +## Identity and access management (IAM) |
| 182 | + |
| 183 | +The **Access control (IAM)** page in the Azure portal is used to |
| 184 | +configure Azure role-based access control on Microsoft Dev Box |
| 185 | +resources. You can use built-in roles for individuals and groups in |
| 186 | +Active Directory. The following screenshot shows Active Directory |
| 187 | +integration (Azure RBAC) using access control (IAM) in the Azure portal: |
| 188 | + |
| 189 | +:::image type="content" source="media/concept-dev-box-role-based-access-control/access-control-page.png" alt-text="Screenshot that shows the Access control (IAM) page for a dev center."::: |
| 190 | + |
| 191 | +For detailed steps, see [Assign Azure roles using the Azure portal](https://microsoft-my.sharepoint.com/azure/role-based-access-control/role-assignments-portal). |
| 192 | + |
| 193 | +## Dev center, resource group, and project structure |
| 194 | + |
| 195 | +Your organization should invest time up front to plan the placement of |
| 196 | +your dev centers, and the structure of resource groups and projects. |
| 197 | + |
| 198 | +**Dev centers:** Organize dev centers by the set of projects you would |
| 199 | +like to manage together, applying similar settings, and providing |
| 200 | +similar templates. |
| 201 | + |
| 202 | +Organizations can use one or more dev center. Typically, each sub-organization within the organization has its own dev center. You might consider creating multiple dev centers in the following cases: |
| 203 | + |
| 204 | +- If you want specific configurations to be available to a subset of |
| 205 | + projects. |
| 206 | + |
| 207 | +- If different teams need to own and maintain the dev center resource |
| 208 | + in Azure. |
| 209 | + |
| 210 | +**Projects:** Associated with each dev team or group of people working |
| 211 | +on one app or product. |
| 212 | + |
| 213 | +Planning is especially important when you assign roles to the resource |
| 214 | +group because it also applies permissions to all resources in the |
| 215 | +resource group, including dev centers, network connections, dev box |
| 216 | +definitions, dev box pools, and projects. |
| 217 | + |
| 218 | +To ensure that users are only granted permission to the appropriate |
| 219 | +resources: |
| 220 | + |
| 221 | +- Create resource groups that only contain Dev Box resources. |
| 222 | + |
| 223 | +- Organize projects according to the dev box definition and dev box |
| 224 | + pools required and the developers who should have access. It\'s |
| 225 | + important to note that dev box pools determine the location of dev |
| 226 | + box creation. Developers should create dev boxes in a location close |
| 227 | + to them for the least latency. |
| 228 | + |
| 229 | +For example, you might create separate projects for different developer |
| 230 | +teams to isolate each team's resources. Dev Managers in a project can |
| 231 | +then be assigned to the Project Admin role, which only grants them |
| 232 | +access to the resources of their team. |
| 233 | + |
| 234 | +> [!Important] |
| 235 | +> Plan the structure upfront because it's not possible to move Dev Box resources like projects to a different resource group after they\'re created. |
| 236 | +
|
| 237 | +## Catalog structure |
| 238 | + |
| 239 | +Microsoft Dev Box uses catalogs to enable developers to deploy |
| 240 | +customizations for dev boxes by using a catalog of tasks and a |
| 241 | +configuration file to install software, add extensions, clone |
| 242 | +repositories, and more. |
| 243 | + |
| 244 | +Microsoft Dev Box stores catalogs in either a [GitHub repository](https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories) or an [Azure DevOps Services repository](/azure/devops/repos/get-started/what-is-repos). You can attach a catalog to a dev center or to a project. |
| 245 | + |
| 246 | +You can attach one or more catalogs to your dev center and manage all |
| 247 | +customizations at that level. To provide more granularity in how |
| 248 | +developers access customizations, you can attach catalogs at the project |
| 249 | +level. In planning where to attach catalogs, you should consider the |
| 250 | +needs of each development team. |
| 251 | + |
| 252 | +## Related content |
| 253 | + |
| 254 | +- [What is Azure role-based access control (Azure RBAC)](https://microsoft-my.sharepoint.com/azure/role-based-access-control/overview) |
| 255 | +- [Understand scope for Azure RBAC](https://microsoft-my.sharepoint.com/azure/role-based-access-control/scope-overview) |
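Review bot: the four RBAC cross-references at lines 26, 63, 191, 254 and 255 point at `https://microsoft-my.sharepoint.com/azure/role-based-access-control/...`, a SharePoint host that public readers cannot reach, while the Azure DevOps link at line 244 uses the docs-relative form `/azure/devops/repos/get-started/what-is-repos`; use the same relative form for these (for example `/azure/role-based-access-control/overview`). On line 26 the trailing `?` also sits outside the link text, so the rendered title reads "What is Azure role-based access control (Azure RBAC)" with a stray question mark after the link. The alt text on line 111 says "for Azure Deployment Environments" in an article about Microsoft Dev Box; the neighbouring images at lines 76, 149 and 167 name Dev Box, so this looks like a copy/paste leftover. Lines 55, 224 and 235 contain escaped apostrophes (`it\'s`, `they\'re`) that Markdown will render literally. Line 91 lists "enable / disable project catalogs" under role type Dev Manager but requires the Contributor role at dev center scope, which the article itself classifies as a platform engineer role (lines 36 to 37 and 39) and which the caution at line 132 flags as granting broad permissions; either move the row to the Platform engineer role type or explain the exception, since a dev manager holding Contributor on the dev center has far more than project-scoped access. Line 232 refers to "the Project Admin role" while the role is named "DevCenter Project Admin" at lines 49 and 151; use the full role name so readers can find it in the IAM blade. Minor: the scope table at lines 67 to 74 is indented by one space unlike the other tables, and the front matter on line 3 says "Azure role-based access control" where the H1 on line 13 says "... in Microsoft Dev Box".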