articles/lab-services/concept-lab-services-role-based-access-control.md
18 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -20,6 +20,9 @@ Azure RBAC specifies built-in role definitions that outline the permissions to b
20
20
21
21
For more information, see [What is Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview)?
22
22
23
+
> [!NOTE]
24
+
> When you make role assignment changes, it can take a few minutes for these updates to propagate.
25
+
23
26
## Built-in roles
24
27
25
28
In this article, the Azure built-in roles are logically grouped into two role types, based on their scope of influence:
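Review bot: The added note says "role assignment changes" take a few minutes to propagate but does not say whether that covers removals as well as new assignments. Someone revoking access needs to know that the old permissions may still work during that window, so I'd state it explicitly. Also, "these updates" has no clear antecedent after "changes"; "for the changes to propagate" reads more cleanly.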
@@ -33,10 +36,10 @@ The following are the built-in roles supported by Azure Lab Services:
33
36
| --------- | ------------- | ----------- |
34
37
| Administrator | Owner | Grant full control to create/manage lab plans and labs, and grant permissions to other users. Learn more about the [Owner role](#owner-role). |
35
38
| Administrator | Contributor | Grant full control to create/manage lab plans and labs, except for assigning roles to other users. Learn more about the [Contributor role](#contributor-role). |
36
-
| Administrator | Lab Services Contributor | Grant the same permissions as the Owner role, except for assigning roles or modifying other users' labs. Learn more about the [Lab Services Contributor role](#lab-services-contributor-role). |
39
+
| Administrator | Lab Services Contributor | Grant the same permissions as the Owner role, except for assigning roles. Learn more about the [Lab Services Contributor role](#lab-services-contributor-role). |
37
40
| Lab management | Lab Creator | Grant permission to create labs and have full control over the labs that they create. Learn more about the [Lab Creator role](#lab-creator-role). |
38
41
| Lab management | Lab Contributor | Grant permission to help manage an existing lab, but not create new labs. Learn more about the [Lab Contributor role](#lab-contributor-role). |
39
-
| Lab management | Lab Assistant | Grant permission to view, start, stop, or reset an existing lab. Learn more about the [Lab Assistant role](#lab-assistant-role). |
42
+
| Lab management | Lab Assistant | Grant permission to view an existing lab. Can also start, stop, or reset any VM in the lab. Learn more about the [Lab Assistant role](#lab-assistant-role). |
40
43
| Lab management | Lab Services Reader | Grant permission to view existing labs. Learn more about the [Lab Services Reader role](#lab-services-reader-role). |
41
44
42
45
## Role assignment scope
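Review bot: The new Lab Services Contributor row drops "or modifying other users' labs", leaving role assignment as the only exception to Owner-level permissions, but the unchanged list in the Lab Services Contributor section later in this file still includes "Changing or deleting other users’ labs". Please confirm which is correct and make the table and that section agree, since readers will use this row to decide how much access they are handing out. Separately, the new Lab Assistant row breaks the "Grant permission to ..." pattern with the fragment "Can also start, stop, or reset any VM in the lab."; folding it into one sentence would keep the column consistent.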
@@ -57,7 +60,7 @@ For Azure Lab Services, consider the following scopes:
57
60
:::image type="content" source="./media/concept-lab-services-role-based-access-control/lab-services-role-assignment-scopes.png" alt-text="Diagram that shows the role assignment scopes for Azure Lab Services.":::
58
61
59
62
> [!IMPORTANT]
60
-
> In Azure Lab Services, lab plans and labs are *sibling* resources to each other. As a result, labs don’t inherit any roles assignments from the lab plan. However, role assignments from the resource group are inherited by lab plans and labs in that resource group.
63
+
> In Azure Lab Services, lab plans and labs are *sibling* resources to each other. As a result, labs don’t inherit any roles assignments from the *lab plan*. However, role assignments from the *resource group* are inherited by lab plans and labs in that resource group.
61
64
62
65
## Roles for common lab activities
63
66
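Review bot: The rewritten IMPORTANT line still reads "labs don’t inherit any roles assignments"; since the line is being touched anyway, fix it to "any role assignments". The added emphasis on *lab plan* and *resource group* is a good call, as this inheritance boundary is the part readers most often get wrong.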
@@ -68,10 +71,12 @@ The following table shows common lab activities and the role that's needed for a
68
71
| Grant permission to create a resource group. A resource group is a logical container in Azure to hold the lab plans and labs. *Before* you can create a lab plan or lab, this resource group needs to exist. | Administrator |[Owner](#owner-role) or [Contributor](#contributor-role)| Subscription |
69
72
| Grant permission to submit a Microsoft support ticket, including to [request capacity](./capacity-limits.md). | Administrator |[Owner](#owner-role), [Contributor](#contributor-role), [Support Request Contributor](/azure/role-based-access-control/built-in-roles#support-request-contributor)| Subscription |
70
73
| Grant permission to: <br/>- Assign roles to other users.<br/>- Create/manage lab plans, labs, and other resources within the resource group.<br/>- Enable/disable marketplace and custom images on a lab plan.<br/>- Attach/detach compute gallery on a lab plan. | Administrator |[Owner](#owner-role)| Resource group |
71
-
| Grant permission to: <br/>- Create/manage lab plans, labs, and other resources within the resource group.<br/>- Enable or disable Azure Marketplace and custom images on a lab plan.<br/>- Attach or detach a compute gallery on a lab plan.<br/><br/>However, *not* the ability to assign roles to other users. | Administrator |[Contributor](#contributor-role)| Resource group |
72
-
| Grant permission to create or manage your own labs:<br/>- Using *all* lab plans within a resource group.<br/>- Or, only for a specific lab plan. | Lab management |[Lab Creator](#lab-creator-role)| Resource group or Lab plan |
74
+
| Grant permission to: <br/>- Create/manage lab plans, labs, and other resources within the resource group.<br/>- Enable or disable Azure Marketplace and custom images on a lab plan.<br/><br/>However, *not* the ability to assign roles to other users. | Administrator |[Contributor](#contributor-role)| Resource group |
75
+
| Grant permission to create or manage your own labs for *all* lab plans within a resource group. | Lab management |[Lab Creator](#lab-creator-role)| Resource group |
76
+
| Grant permission to create or manage your own labs for a specific lab plan. | Lab management |[Lab Creator](#lab-creator-role)| Lab plan |
73
77
| Grant permission to co-manage a lab, but *not* the ability to create labs. | Lab management |[Lab Contributor](#lab-contributor-role)| Lab |
74
-
| Grant permission to only start/stop/reset VMs for: <br/>- All labs within a resource group.<br/>- Or, only for a specific lab. | Lab management |[Lab Assistant](#lab-assistant-role)| Resource group or Lab |
78
+
| Grant permission to only start/stop/reset VMs for *all* labs within a resource group. | Lab management |[Lab Assistant](#lab-assistant-role)| Resource group |
79
+
| Grant permission to only start/stop/reset VMs for a specific lab. | Lab management |[Lab Assistant](#lab-assistant-role)| Lab |
75
80
76
81
> [!IMPORTANT]
77
82
> An organization’s subscription is used to manage billing and security for all Azure resources and services. You can assign the Owner or Contributor role on the [subscription](./administrator-guide.md#subscription). Typically, only administrators have subscription-level access because this includes full access to all resources in the subscription.
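Review bot: The new Contributor row removes "Attach or detach a compute gallery on a lab plan" while the Owner row directly above keeps "Attach/detach compute gallery on a lab plan", yet the row's closing sentence still names only role assignment as what Contributor lacks. Readers should not have to infer a permission difference from an omission: either say in the Contributor row that attaching or detaching a compute gallery is not included, or add a short reason. Splitting the Lab Creator and Lab Assistant rows by scope is clearer than the old "Resource group or Lab plan" cells.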
@@ -109,7 +114,7 @@ Assign the Owner role to give a user full control to create or manage lab plans
109
114
- View, delete, and change settings for all labs.
110
115
111
116
> [!CAUTION]
112
-
> When you assign the Owner or Contributor role on the resource group, then these permissions also apply to non-lab related resources that exist in the resource group. For example, resources such as virtual networks, storage account, and more.
117
+
> When you assign the Owner or Contributor role on the resource group, then these permissions also apply to non-lab related resources that exist in the resource group. For example, resources such as virtual networks, storage accounts, compute galleries, and more.
113
118
114
119
### Contributor role
115
120
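Review bot: In the changed CAUTION line, "For example, resources such as virtual networks, storage accounts, compute galleries, and more." is a sentence fragment, and "When you assign ..., then these permissions" carries a redundant "then". Suggest folding the examples into the first sentence, for example "... these permissions also apply to non-lab resources in the resource group, such as virtual networks, storage accounts, and compute galleries." Because this caution is about broader access than intended, a pointer to the Lab Services Contributor role as the narrower option would be useful here.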
@@ -124,6 +129,9 @@ The Lab Services Contributor is the most restrictive of the administrator roles.
124
129
- Performing role assignments
125
130
- Changing or deleting other users’ labs
126
131
132
+
> [!NOTE]
133
+
> The Lab Services Contributor role doesn't allow changes to resources that unrelated to Azure Lab Services. On the other hand, the *Contributor* role allows changes to all Azure resources within the resource group.
134
+
127
135
## Lab management roles
128
136
129
137
Use the following roles to grant users permissions to create and manage labs:
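Review bot: The added note has a missing verb: "resources that unrelated to Azure Lab Services" should be "resources that are unrelated to Azure Lab Services". "On the other hand" is also looser than the contrast needs; "In contrast, the *Contributor* role ..." states the difference more directly.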
@@ -172,7 +180,7 @@ When you assign the Lab Contributor role on the lab, the user can manage the ass
172
180
173
181
### Lab Assistant role
174
182
175
-
Assign the Lab Assistant role to grant a user permission to start, stop, and reset lab virtual machines.
183
+
Assign the Lab Assistant role to grant a user permission to view a lab, and start, stop, and reset lab virtual machines for the lab.
176
184
177
185
Assign the Lab Assistant role on the *resource group or lab*.
178
186
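Review bot: The new sentence says the role lets a user "view a lab" and act on VMs "for the lab", which reads as single-lab access, while the unchanged line after it says the role can be assigned on the *resource group or lab*. Suggest wording that follows the assignment scope, for example "view labs, and start, stop, and reset lab virtual machines, within the scope where the role is assigned", and dropping the repeated "lab ... for the lab".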
@@ -189,6 +197,8 @@ When you assign the Lab Assistant role on the lab, the user:
189
197
- Can’t delete or make any other changes to the lab.
190
198
- Can’t create new labs.
191
199
200
+
When you have the Lab Assistant role, to view other labs you're granted access to, make sure to choose the **All labs** filter in the Azure Lab Services website.
201
+
192
202
### Lab Services Reader role
193
203
194
204
Assign the Lab Services Reader role to grant a user permission view existing labs. The user can’t make any changes to existing labs.
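Review bot: The added "All labs" sentence switches to second person ("When you have the Lab Assistant role ...") directly after a list written about "the user", and "other labs you're granted access to" does not say other than what. Suggest keeping the section's voice and naming the case, for example that a user with the Lab Assistant role must choose the **All labs** filter to see labs they did not create. The unchanged line below also has "permission view existing labs", which is missing "to" and could be fixed in the same change.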