Commit 89ed158

Merge pull request #279947 from btray900/btray900/nexus-contrib-role
[operator-nexus] Add documentation for Nexus built-in role
2 parents 355c0f1 + ad522a2 commit 89ed158

1 file changed

+103
-7
lines changed
articles/operator-nexus/concepts-security-access-identity.md

Lines changed: 103 additions & 7 deletions
@@ -9,17 +9,113 @@ ms.service: azure-operator-nexus
99
---
1010
# Provide access to Azure Operator Nexus Resources with an Azure role-based access control
1111

12-
Azure role-based access control (Azure RBAC) is an authorization system built on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that provides fine-grained access management of Azure resources.
12+
Azure role-based access control (Azure RBAC) is an authorization system built
13+
on [Azure Resource Manager](../azure-resource-manager/management/overview.md) that
14+
provides fine-grained access management of Azure resources.
1315

14-
The Azure RBAC model allows users to set permissions on different scope levels: management group, subscription, resource group, or individual resources. Azure RBAC for key vault also allows users to have separate permissions on individual keys, secrets, and certificates
16+
The Azure RBAC model allows users to set permissions on different scope levels: management
17+
group, subscription, resource group, or individual resources. Azure RBAC for key
18+
vault also allows users to have separate permissions on individual keys, secrets,
19+
and certificates.
1520

1621
For more information, see [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md).
1722

18-
#### Built-in roles
23+
## Operator Nexus built-in roles
1924

2025
Azure Operator Nexus provides the following built-in roles.
2126

22-
| Role | Description |
23-
|----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
24-
| Operator Nexus Keyset Administrator Role (Preview) | Manage interactive access to Azure Operator Nexus Compute resources by adding, removing, and updating baremetal machine (BMM) and baseboard management (BMC) keysets. |
25-
| | |
27+
[Operator Nexus Compute Contributor Role (Preview)](#operator-nexus-compute-contributor-role-preview)
28+
29+
[Operator Nexus Keyset Administrator Role (Preview)](#operator-nexus-keyset-administrator-role-preview)
30+
31+
> [!NOTE]
32+
> Preview roles are subject to change.
33+
34+
---
35+
36+
### Operator Nexus Compute Contributor Role (Preview)
37+
38+
The user with this role can have full access to manage and configure Nexus resources,
39+
including creating, modifying, and deleting resources related to Nexus infrastructure.
40+
41+
| Actions | Description |
42+
|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
43+
| Microsoft.Authorization/*/read | Read roles and role assignments |
44+
| Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
45+
| Microsoft.ExtendedLocation/customLocations/read | Gets a Custom Location resource |
46+
| Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
47+
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
48+
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
49+
| Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters |
50+
| Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource |
51+
| Microsoft.ManagedNetworkFabric/networkFabricControllers/join/action | Join action for Network Fabric Controller resource. |
52+
| Microsoft.ManagedNetworkFabric/networkFabrics/join/action | Join action for Network Fabric resource. |
53+
| Microsoft.ManagedNetworkFabric/networkRacks/join/action | Join action for Network Rack resource. |
54+
| Microsoft.NetworkCloud/bareMetalMachines/cordon/action | Cordon the provided bare metal machine's Kubernetes node |
55+
| Microsoft.NetworkCloud/bareMetalMachines/delete | Delete the provided bare metal machine. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system. |
56+
| Microsoft.NetworkCloud/bareMetalMachines/powerOff/action | Power off the provided bare metal machine |
57+
| Microsoft.NetworkCloud/bareMetalMachines/read | Get properties of the provided bare metal machine |
58+
| Microsoft.NetworkCloud/bareMetalMachines/reimage/action | Reimage the provided bare metal machine |
59+
| Microsoft.NetworkCloud/bareMetalMachines/replace/action | Replace the provided bare metal machine |
60+
| Microsoft.NetworkCloud/bareMetalMachines/restart/action | Restart the provided bare metal machine |
61+
| Microsoft.NetworkCloud/bareMetalMachines/runDataExtracts/action | Run one or more data extractions on the provided bare metal machine. |
62+
| Microsoft.NetworkCloud/bareMetalMachines/runReadCommands/action | Run one or more read-only commands on the provided bare metal machine. |
63+
| Microsoft.NetworkCloud/bareMetalMachines/start/action | Start the provided bare metal machine |
64+
| Microsoft.NetworkCloud/bareMetalMachines/uncordon/action | Uncordon the provided bare metal machine's Kubernetes node |
65+
| Microsoft.NetworkCloud/bareMetalMachines/write | Create a new bare metal machine or update the properties of the existing one. All customer initiated requests will be rejected while life cycling the resource. |
66+
| Microsoft.NetworkCloud/clusterManagers/delete | Delete the provided cluster manager |
67+
| Microsoft.NetworkCloud/clusterManagers/read | Get the properties of the provided cluster manager |
68+
| Microsoft.NetworkCloud/clusterManagers/write | Create a new cluster manager or update properties of the cluster manager if it exists |
69+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/read | Get bare metal machine key set of the provided cluster |
70+
| Microsoft.NetworkCloud/clusters/bmcKeySets/read | Get baseboard management controller key set of the provided cluster |
71+
| Microsoft.NetworkCloud/clusters/continueUpdateVersion/action | Trigger the continuation of an update for a cluster with a matching update strategy that has paused after completing a segment of the update |
72+
| Microsoft.NetworkCloud/clusters/delete | Delete the provided cluster |
73+
| Microsoft.NetworkCloud/clusters/deploy/action | Deploy the cluster using the rack configuration provided during creation |
74+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/delete | Delete the metrics configuration of the provided cluster |
75+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/read | Get metrics configuration of the provided cluster |
76+
| Microsoft.NetworkCloud/clusters/metricsConfigurations/write | Create new or update the existing metrics configuration of the provided cluster |
77+
| Microsoft.NetworkCloud/clusters/read | Get properties of the provided cluster |
78+
| Microsoft.NetworkCloud/clusters/scanRuntime/action | Triggers the execution of a runtime protection scan to detect and remediate detected issues, in accordance with the cluster configuration |
79+
| Microsoft.NetworkCloud/clusters/updateVersion/action | Update the version of the provided cluster to one of the available supported versions |
80+
| Microsoft.NetworkCloud/clusters/write | Create a new cluster or update the properties of the cluster if it exists |
81+
| Microsoft.NetworkCloud/locations/operationStatuses/read | Read operation status |
82+
| Microsoft.NetworkCloud/operations/read | Read operation |
83+
| Microsoft.NetworkCloud/rackSkus/read | Get the properties of the provided rack SKU |
84+
| Microsoft.NetworkCloud/racks/delete | Delete the provided rack. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system |
85+
| Microsoft.NetworkCloud/racks/join/action | Join a Nexus rack |
86+
| Microsoft.NetworkCloud/racks/read | Get properties of the provided rack |
87+
| Microsoft.NetworkCloud/racks/write | Create a new rack or update properties of the existing one. All customer initiated requests will be rejected as the life cycle of this resource is managed by the system |
88+
| Microsoft.NetworkCloud/register/action | Register the subscription for Microsoft.NetworkCloud |
89+
| Microsoft.NetworkCloud/registeredSubscriptions/read | Read registered subscriptions |
90+
| Microsoft.NetworkCloud/storageAppliances/read | Get properties of the provided storage appliance |
91+
| Microsoft.NetworkCloud/unregister/action | Unregister the subscription for Microsoft.NetworkCloud |
92+
| Microsoft.Resources/deployments/* | Create and manage a deployment |
93+
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups |
94+
95+
> [!NOTE]
96+
> In some instances, it may be necessary to assign additional actions to the user.
97+
> One solution would be to create a custom role with the below actions to be assigned to
98+
> the user in conjunction with the Operator Nexus Compute Contributor role.
99+
100+
#### Ancillary Operator Nexus Compute Contributor Actions
101+
102+
| Actions | Description |
103+
|---------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------|
104+
| Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace. |
105+
| Microsoft.OperationalInsights/workspaces/read | Gets an existing workspace |
106+
| Microsoft.Resources/subscriptions/resourcegroups/write | Creates or updates a resource group. |
107+
108+
### Operator Nexus Keyset Administrator Role (Preview)
109+
110+
Manage interactive access to Azure Operator Nexus Compute resources by adding, removing,
111+
and updating baremetal machine (BMM) and baseboard management (BMC) keysets. |
112+
113+
| Actions | Description |
114+
|----------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
115+
| Microsoft.ExtendedLocation/customLocations/deploy/action | Deploy permissions to a Custom Location resource |
116+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/delete | Delete a bare metal machine key set of the provided cluster |
117+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/read | Get bare metal machine key set of the provided cluster |
118+
| Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/write | Create a new or update an existing bare metal machine key set of the provided cluster |
119+
| Microsoft.NetworkCloud/clusters/bmcKeySets/read | Get baseboard management controller key set of the provided cluster |
120+
| Microsoft.NetworkCloud/clusters/bmcKeySets/write | Create a new or update an existing baseboard management controller key set of the provided cluster |
121+
| Microsoft.NetworkCloud/clusters/bmcKeySets/delete | Delete a baseboard management controller key set of the provided cluster
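Review bot: The "Operator Nexus Keyset Administrator Role (Preview)" section carries two markdown defects from the table-to-section conversion: the intro sentence ends with a stray pipe, `and updating baremetal machine (BMM) and baseboard management (BMC) keysets. |`, and the final table row `| Microsoft.NetworkCloud/clusters/bmcKeySets/delete | Delete a baseboard management controller key set of the provided cluster` has no closing `|`, so the last row may not render as part of the table. Drop the trailing pipe from the sentence and close the last row. The NOTE ahead of "Ancillary Operator Nexus Compute Contributor Actions" says additional actions may be needed "in some instances" but never says which operations need them; because `Microsoft.Resources/subscriptions/resourcegroups/write` and `Microsoft.OperationalInsights/workspaces/write` reach beyond Nexus resources, name the operations that require them and recommend assigning the custom role at the narrowest scope (the affected resource group) so readers do not grant them subscription-wide by default. Minor wording: "The user with this role can have full access" reads better as "A user with this role has full access", and "Gets a Custom Location resource" / "Reads any Azure Arc extensions" use a different verb form from the rest of the Actions column.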