articles/role-based-access-control/role-assignments-portal.md
24 additions & 14 deletions
@@ -12,7 +12,7 @@ ms.devlang: na
12
12
ms.topic: conceptual
13
13
ms.tgt_pltfrm: na
14
14
ms.workload: identity
15
-
ms.date: 11/25/2019
15
+
ms.date: 01/25/2020
16
16
ms.author: rolyon
17
17
ms.reviewer: bagovind
18
18
---
@@ -29,9 +29,9 @@ To add or remove role assignments, you must have:
29
29
30
30
-`Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner)
31
31
32
-
## Overview of Access control (IAM)
32
+
## Access control (IAM)
33
33
34
-
**Access control (IAM)** is the blade that you use to assign roles. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
34
+
**Access control (IAM)** is the blade that you use to assign roles to grant access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
35
35
36
36

37
37
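Review bot: renaming the heading `## Overview of Access control (IAM)` to `## Access control (IAM)` changes the rendered anchor (`#overview-of-access-control-iam` becomes `#access-control-iam`), so any in-repo links, TOC entries or redirects that target the old anchor need updating in the same change; otherwise the tighter heading and the added "to grant access to Azure resources" clause read well.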
@@ -43,30 +43,34 @@ To be the most effective with the Access control (IAM) blade, it helps if you ca
43
43
44
44
1.**What role do they need?**
45
45
46
-
Permissions are grouped together into roles. You can select from a list of several [built-in roles](built-in-roles.md) or you use your own custom roles.
46
+
Permissions are grouped together into roles. You can select from a list of several [built-in roles](built-in-roles.md) or you can use your own custom roles.
47
47
48
48
1.**Where do they need access?**
49
49
50
50
Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the *scope*.
51
51
52
52
## Add a role assignment
53
53
54
-
Follow these steps to assign a role at different scopes.
54
+
In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role.
55
55
56
-
1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
56
+
1. In the Azure portal, click **All services** and then select the scope that you want to grant access to. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
57
57
58
-
1. Click the specific resource.
58
+
1. Click the specific resource for that scope.
59
59
60
60
1. Click **Access control (IAM)**.
61
61
62
-
1. Click the **Role assignments** tab to view all the role assignments at this scope.
62
+
1. Click the **Role assignments** tab to view the role assignments at this scope.
63
63
64
-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
64
+

65
+
66
+
1. Click **Add** > **Add role assignment**.
65
67
66
68
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

71
75
72
76
1. In the **Role** drop-down list, select a role such as **Virtual Machine Contributor**.
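Review bot: in the step `1. Click **Add** > **Add role assignment**.` the hunk drops "to open the Add role assignment pane", but the next step still refers to "the **Role** drop-down list" without saying where that list appears; keep the trailing clause or name the pane in the following step so the reader knows which UI surface the role selection happens in. The wording fix "or you can use your own custom roles" and the scope-oriented phrasing in the first two steps are fine.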
@@ -77,24 +81,30 @@ Follow these steps to assign a role at different scopes.
77
81
78
82
After a few moments, the security principal is assigned the role at the selected scope.
79
83
84
+

85
+
80
86
## Assign a user as an administrator of a subscription
81
87
82
88
To make a user an administrator of an Azure subscription, assign them the [Owner](built-in-roles.md#owner) role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.
83
89
84
90
1. In the Azure portal, click **All services** and then **Subscriptions**.
85
91
86
-
1. Click the subscription where you want to add a role assignment.
92
+
1. Click the subscription where you want to grant access.
87
93
88
94
1. Click **Access control (IAM)**.
89
95
90
-
1. Click the **Role assignments** tab to view all the role assignments for this subscription.
96
+
1. Click the **Role assignments** tab to view the role assignments for this subscription.
97
+
98
+

91
99
92
-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
100
+
1. Click **Add** > **Add role assignment**.
93
101
94
102
If you don't have permissions to assign roles, the Add role assignment option will be disabled.

99
109
100
110
1. In the **Role** drop-down list, select the **Owner** role.
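Review bot: this section walks through granting **Owner** at subscription scope, and the unchanged context sentence already notes that Owner includes the permission to grant access to others; since the hunk is reworking these steps, consider adding one sentence after that description pointing readers who only need to manage access (not resources) to the [User Access Administrator](built-in-roles.md#user-access-administrator) role already named in the prerequisites, so the page does not read as recommending Owner by default. The step wording changes themselves ("where you want to grant access", dropping "all the") are fine.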
@@ -107,7 +117,7 @@ To make a user an administrator of an Azure subscription, assign them the [Owner
107
117
108
118
## Remove a role assignment
109
119
110
-
In RBAC, to remove access, you remove a role assignment. Follow these steps to remove a role assignment.
120
+
In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.
111
121
112
122
1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
113
123
@@ -123,7 +133,7 @@ In RBAC, to remove access, you remove a role assignment. Follow these steps to r
123
133
124
134
1. In the remove role assignment message that appears, click **Yes**.
125
135
126
-
Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the **Scope** column, next to **(Inherited)** there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.
136
+
If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the **Scope** column and click the link next to **(Inherited)**.
127
137
128
138

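Review bot: the rewritten paragraph replaces the direct rule "Inherited role assignments cannot be removed ... you must do it at the scope where the role assignment was created" with "try again", which is vaguer about the outcome. Suggest keeping the explicit statement, for example "The assignment can only be removed at the scope where it was created; removing it there also removes the inherited access at this child scope and at any other scope beneath that parent", so the reader understands the removal has a wider effect than the scope they were looking at. The pointer to the link next to **(Inherited)** in the **Scope** column is a helpful addition.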