Commit 2b79899

Author: Brian Tray
Commit message: Init
1 parent 887537a, commit 2b79899

1 file changed

+106
-7
lines changed

articles/operator-nexus/concepts-security-access-identity.md

Lines changed: 106 additions & 7 deletions
@@ -9,17 +9,116 @@ ms.service: azure-operator-nexus
99
---
1010
# Provide access to Azure Operator Nexus Resources with an Azure role-based access control
1111

12-
Azure role-based access control (Azure RBAC) is an authorization system built on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that provides fine-grained access management of Azure resources.
12+
Azure role-based access control (Azure RBAC) is an authorization system built
13+
on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that
14+
provides fine-grained access management of Azure resources.
1315

14-
The Azure RBAC model allows users to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for key vault also allows users to have separate permissions on individual keys, secrets, and certificates
16+
The Azure RBAC model allows users to set permissions on different scope levels: management
17+
group, subscription, resource group, or individual resources. Azure RBAC for key
18+
vault also allows users to have separate permissions on individual keys, secrets,
19+
and certificates.
1520

1621
For more information, see [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md).
1722

18-
#### Built-in roles
23+
## Operator Nexus Built-in Roles
1924

2025
Azure Operator Nexus provides the following built-in roles.
2126

22-
| Role | Description |
23-
|----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
24-
| Operator Nexus Keyset Administrator Role (Preview) | Manage interactive access to Azure Operator Nexus Compute resources by adding, removing, and updating baremetal machine (BMM) and baseboard management (BMC) keysets. |
25-
| | |
27+
[Operator Nexus Infrastructure Contributor Role (Preview)](#operator-nexus-infrastructure-contributor-role-preview)
28+
29+
[Operator Nexus Keyset Administrator Role (Preview)](#operator-nexus-keyset-administrator-role-preview)
30+
31+
> NOTE
32+
>
33+
> Preview roles are subject to change.
34+
35+
---
36+
37+
### Operator Nexus Infrastructure Contributor Role (Preview)
38+
39+
The user with this role can have full access to manage and configure Nexus resources,
40+
including creating, modifying, and deleting resources related to Nexus Infrastructure.
41+
42+
| Actions | Description |
43+
|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
44+
| Microsoft.Authorization/*/read | Read roles and role assignments |
45+
| Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
46+
| Microsoft.ExtendedLocation/customLocations/read | Gets an Custom Location resource |
47+
| Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
48+
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
49+
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
50+
| Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters |
51+
| Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource |
52+
| Microsoft.NetworkCloud/bareMetalMachines/cordon/action | Cordon the provided bare metal machine's Kubernetes node |
53+
| Microsoft.NetworkCloud/bareMetalMachines/delete | Delete the provided bare metal machine. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system. |
54+
| Microsoft.NetworkCloud/bareMetalMachines/powerOff/action | Power off the provided bare metal machine |
55+
| Microsoft.NetworkCloud/bareMetalMachines/read | Get properties of the provided bare metal machine |
56+
| Microsoft.NetworkCloud/bareMetalMachines/reimage/action | Reimage the provided bare metal machine |
57+
| Microsoft.NetworkCloud/bareMetalMachines/replace/action | Replace the provided bare metal machine |
58+
| Microsoft.NetworkCloud/bareMetalMachines/restart/action | Restart the provided bare metal machine |
59+
| Microsoft.NetworkCloud/bareMetalMachines/runDataExtracts/action | Run one or more data extractions on the provided bare metal machine. |
60+
| Microsoft.NetworkCloud/bareMetalMachines/runReadCommands/action | Run one or more read-only commands on the provided bare metal machine. |
61+
| Microsoft.NetworkCloud/bareMetalMachines/start/action | Start the provided bare metal machine |
62+
| Microsoft.NetworkCloud/bareMetalMachines/uncordon/action | Uncordon the provided bare metal machine's Kubernetes node |
63+
| Microsoft.NetworkCloud/bareMetalMachines/write | Create a new bare metal machine or update the properties of the existing one. All customer initiated requests will be rejected while life cycling the resource. |
64+
| Microsoft.NetworkCloud/clusterManagers/delete | Delete the provided cluster manager |
65+
| Microsoft.NetworkCloud/clusterManagers/read | Get the properties of the provided cluster manager |
66+
| Microsoft.NetworkCloud/clusterManagers/write | Create a new cluster manager or update properties of the cluster manager if it exists |
67+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/read | Get bare metal machine key set of the provided cluster |
68+
| Microsoft.NetworkCloud/clusters/bmcKeySets/read | Get baseboard management controller key set of the provided cluster |
69+
| Microsoft.NetworkCloud/clusters/continueUpdateVersion/action | Trigger the continuation of an update for a cluster with a matching update strategy that has paused after completing a segment of the update |
70+
| Microsoft.NetworkCloud/clusters/delete | Delete the provided cluster |
71+
| Microsoft.NetworkCloud/clusters/deploy/action | Deploy the cluster using the rack configuration provided during creation |
72+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/delete | Delete the metrics configuration of the provided cluster |
73+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/read | Get metrics configuration of the provided cluster |
74+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/write | Create new or update the existing metrics configuration of the provided cluster |
75+
| Microsoft.NetworkCloud/clusters/read | Get properties of the provided cluster |
76+
| Microsoft.NetworkCloud/clusters/scanRuntime/action | Triggers the execution of a runtime protection scan to detect and remediate detected issues, in accordance with the cluster configuration |
77+
| Microsoft.NetworkCloud/clusters/updateVersion/action | Update the version of the provided cluster to one of the available supported versions |
78+
| Microsoft.NetworkCloud/clusters/write | Create a new cluster or update the properties of the cluster if it exists |
79+
| Microsoft.NetworkCloud/locations/operationStatuses/read | Read operation status |
80+
| Microsoft.NetworkCloud/operations/read | Read operation |
81+
| Microsoft.NetworkCloud/rackSkus/read | Get the properties of the provided rack SKU |
82+
| Microsoft.NetworkCloud/racks/delete | Delete the provided rack. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system |
83+
| Microsoft.NetworkCloud/racks/join/action | Join a Nexus rack |
84+
| Microsoft.NetworkCloud/racks/read | Get properties of the provided rack |
85+
| Microsoft.NetworkCloud/racks/write | Create a new rack or update properties of the existing one. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system |
86+
| Microsoft.NetworkCloud/register/action | Register the subscription for Microsoft.NetworkCloud |
87+
| Microsoft.NetworkCloud/registeredSubscriptions/read | Read registered subscriptions |
88+
| Microsoft.NetworkCloud/storageAppliances/read | Get properties of the provided storage appliance |
89+
| Microsoft.NetworkCloud/unregister/action | Unregister the subscription for Microsoft.NetworkCloud |
90+
| Microsoft.Resources/deployments/* | Create and manage a deployment |
91+
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
92+
93+
> NOTE
94+
>
95+
> In some instances, it may be necessary to assign additional actions to the user.
96+
> One solution would be to create a custom role with the below actions to be assigned to
97+
> the user in conjunction with the Oerator Nexus Infrastructure Contributor role.
98+
99+
#### Ancillary Oerator Nexus Infrastructure Contributor Actions
100+
101+
| Actions | Description |
102+
|---------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
103+
| Microsoft.ManagedNetworkFabric/networkFabricControllers/join/action | Join action for Network Fabric Controller resource. |
104+
| Microsoft.ManagedNetworkFabric/networkFabrics/join/action | Join action for Network Fabric resource. |
105+
| Microsoft.ManagedNetworkFabric/networkRacks/join/action | Join action for Network Rack resource. |
106+
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
107+
| Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace. |
108+
| Microsoft.OperationalInsights/workspaces/read | Gets an existing workspace |
109+
| Microsoft.Resources/subscriptions/resourcegroups/write | Creates or updates a resource group. |
110+
111+
### Operator Nexus Keyset Administrator Role (Preview)
112+
113+
Manage interactive access to Azure Operator Nexus Compute resources by adding, removing,
114+
and updating baremetal machine (BMM) and baseboard management (BMC) keysets. |
115+
116+
| Actions | Description |
117+
|----------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
118+
| Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
119+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/delete | Delete a bare metal machine key set of the provided cluster |
120+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/read | Get bare metal machine key set of the provided cluster |
121+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/write | Create a new or update an existing bare metal machine key set of the provided cluster |
122+
| Microsoft.NetworkCloud/clusters/bmcKeySets/read | Get baseboard management controller key set of the provided cluster |
123+
| Microsoft.NetworkCloud/clusters/bmcKeySets/write | Create a new or update an existing baseboard management controller key set of the provided cluster |
124+
| Microsoft.NetworkCloud/clusters/bmcKeySets/delete | Delete a baseboard management controller key set of the provided cluster
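Review bot: the Keyset Administrator description (new lines 113-114) ends with a stray `|` carried over from the deleted table row (`...keysets. |`), and "Oerator" in the note at new line 97 and in the "Ancillary" heading at new line 99 should read "Operator"; the last row of the Keyset Administrator table (new line 124) is also missing its closing `|`, and "Gets an Custom Location resource" (new line 46) should be "Gets a Custom Location resource". On substance, the NOTE that suggests pairing a custom role with the Infrastructure Contributor role should say at which scope that custom role is meant to be assigned: the ancillary list includes `Microsoft.Resources/subscriptions/resourcegroups/write` and the `join/action` permissions on Network Fabric, Network Fabric Controller, Network Rack and subnet resources, so a reader who assigns it at subscription scope alongside Infrastructure Contributor grants considerably more than the Nexus resource group needs, and a one-line pointer to the narrowest workable scope keeps the guidance aligned with least privilege. Two smaller consistency points: `resourcegroups/write` is lowercase while `resourceGroups/read` earlier in the same file is camel-cased, so pick one casing, and if this file is built by the Learn pipeline the alert syntax is `> [!NOTE]` rather than `> NOTE`.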
