Commit a4ac6c0

Merge pull request #102334 from rolyon/rolyon-rbac-csat
[Azure RBAC] Refresh add role assignments in portal
2 parents 6923010 + 15ef9f5 commit a4ac6c0

9 files changed

+24 -14 lines changed

articles/role-based-access-control/role-assignments-portal.md

Lines changed: 24 additions & 14 deletions
@@ -12,7 +12,7 @@ ms.devlang: na
1212
ms.topic: conceptual
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 11/25/2019
15+
ms.date: 01/25/2020
1616
ms.author: rolyon
1717
ms.reviewer: bagovind
1818
---
@@ -29,9 +29,9 @@ To add or remove role assignments, you must have:
2929

3030
- `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner)
3131

32-
## Overview of Access control (IAM)
32+
## Access control (IAM)
3333

34-
**Access control (IAM)** is the blade that you use to assign roles. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
34+
**Access control (IAM)** is the blade that you use to assign roles to grant access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.
3535

3636
![Access control (IAM) blade for a subscription](./media/role-assignments-portal/access-control-subscription.png)
3737

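Review bot: Renaming the heading from `## Overview of Access control (IAM)` to `## Access control (IAM)` changes the anchor generated for this section, so links from other articles that target the old anchor will no longer land here. Search the repo for references to the old heading anchor and update them in the same PR, or keep the original heading text.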
@@ -43,30 +43,34 @@ To be the most effective with the Access control (IAM) blade, it helps if you ca
4343

4444
1. **What role do they need?**
4545

46-
Permissions are grouped together into roles. You can select from a list of several [built-in roles](built-in-roles.md) or you use your own custom roles.
46+
Permissions are grouped together into roles. You can select from a list of several [built-in roles](built-in-roles.md) or you can use your own custom roles.
4747

4848
1. **Where do they need access?**
4949

5050
Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the *scope*.
5151

5252
## Add a role assignment
5353

54-
Follow these steps to assign a role at different scopes.
54+
In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role.
5555

56-
1. In the Azure portal, click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
56+
1. In the Azure portal, click **All services** and then select the scope that you want to grant access to. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.
5757

58-
1. Click the specific resource.
58+
1. Click the specific resource for that scope.
5959

6060
1. Click **Access control (IAM)**.
6161

62-
1. Click the **Role assignments** tab to view all the role assignments at this scope.
62+
1. Click the **Role assignments** tab to view the role assignments at this scope.
6363

64-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
64+
![Access control (IAM) and Role assignments tab](./media/role-assignments-portal/role-assignments.png)
65+
66+
1. Click **Add** > **Add role assignment**.
6567

6668
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
6769

6870
![Add menu](./media/role-assignments-portal/add-menu.png)
6971

72+
The Add role assignment pane opens.
73+
7074
![Add role assignment pane](./media/role-assignments-portal/add-role-assignment.png)
7175

7276
1. In the **Role** drop-down list, select a role such as **Virtual Machine Contributor**.
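Review bot: The reworded second step, `Click the specific resource for that scope.`, is ambiguous when the scope picked in the first step is a management group or subscription, because the scope paragraph above treats those as separate from "a single resource such as a storage account". Since the scope chosen here determines how widely the role is inherited, name the choices explicitly, for example "Click the specific management group, subscription, resource group, or resource."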
@@ -77,24 +81,30 @@ Follow these steps to assign a role at different scopes.
7781

7882
After a few moments, the security principal is assigned the role at the selected scope.
7983

84+
![Add role assignment saved](./media/role-assignments-portal/add-role-assignment-save.png)
85+
8086
## Assign a user as an administrator of a subscription
8187

8288
To make a user an administrator of an Azure subscription, assign them the [Owner](built-in-roles.md#owner) role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.
8389

8490
1. In the Azure portal, click **All services** and then **Subscriptions**.
8591

86-
1. Click the subscription where you want to add a role assignment.
92+
1. Click the subscription where you want to grant access.
8793

8894
1. Click **Access control (IAM)**.
8995

90-
1. Click the **Role assignments** tab to view all the role assignments for this subscription.
96+
1. Click the **Role assignments** tab to view the role assignments for this subscription.
97+
98+
![Access control (IAM) and Role assignments tab](./media/role-assignments-portal/role-assignments.png)
9199

92-
1. Click **Add** > **Add role assignment** to open the Add role assignment pane.
100+
1. Click **Add** > **Add role assignment**.
93101

94102
If you don't have permissions to assign roles, the Add role assignment option will be disabled.
95103

96104
![Add menu](./media/role-assignments-portal/add-menu.png)
97105

106+
The Add role assignment pane opens.
107+
98108
![Add role assignment pane](./media/role-assignments-portal/add-role-assignment.png)
99109

100110
1. In the **Role** drop-down list, select the **Owner** role.
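Review bot: The reworded step `Click the subscription where you want to grant access.` reads like any routine assignment, yet this section assigns Owner at subscription scope, which the intro paragraph says includes "the permission to grant access to others". Add a sentence after that intro advising readers to keep the number of subscription Owners small and to pick a narrower role or scope when full access is not needed. Separately, the steps and the `role-assignments.png` screenshot are now repeated from "Add a role assignment"; since the text says the steps are the same, a link back or a shared include would stop the two copies drifting.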
@@ -107,7 +117,7 @@ To make a user an administrator of an Azure subscription, assign them the [Owner
107117

108118
## Remove a role assignment
109119

110-
In RBAC, to remove access, you remove a role assignment. Follow these steps to remove a role assignment.
120+
In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.
111121

112122
1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
113123

@@ -123,7 +133,7 @@ In RBAC, to remove access, you remove a role assignment. Follow these steps to r
123133

124134
1. In the remove role assignment message that appears, click **Yes**.
125135

126-
Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the **Scope** column, next to **(Inherited)** there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.
136+
If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the **Scope** column and click the link next to **(Inherited)**.
127137

128138
![Remove role assignment message](./media/role-assignments-portal/remove-role-assignment-inherited.png)
129139

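Review bot: The new paragraph sends the reader to "the scope where the role was assigned" to remove an inherited assignment, but does not say that removing it there revokes the access at every child scope beneath it, not only the one they started from. Add a sentence stating that effect so readers check which other resources depend on the assignment before clicking **Yes**, and mention that a narrower assignment can be added at the child scope afterwards if some access must remain.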