Commit c287c95

Correct permissions for requesting JIT access
The current set of permissions listed in the documentation for 'Request JIT access to a VM' are insufficient to allow a user with just those rights to see the request access button for JIT on the virtual machine blade or initiate the JIT request action. I created a custom role definition with just these 4 permissions and verified that they do allow you to successfully request JIT access.
1 parent a90507a commit c287c95

1 file changed

+1
-1
lines changed

articles/security-center/security-center-just-in-time.md

Lines changed: 1 addition & 1 deletion
@@ -46,7 +46,7 @@ When a user requests access to a VM, Security Center checks that the user has [R
4646
| --- | --- |
4747
| Configure or edit a JIT policy for a VM | *Assign these actions to the role:* <ul><li>On the scope of a subscription or Resource Group that is associated with the VM:<br/> ```Microsoft.Security/locations/jitNetworkAccessPolicies/write``` </li><li> On the scope of a subscription or Resource Group or VM: <br/>```Microsoft.Compute/virtualMachines/write```</li></ul> |
4848
| ||
49-
|Request JIT access to a VM | *Assign these actions to the user:* <ul><li>On the scope of a subscription or Resource Group that is associated with the VM:<br/> ```Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action``` </li><li> On the scope of a Subscription or Resource Group or VM:<br/> ```Microsoft.Compute/virtualMachines/read``` </li></ul>|
49+
|Request JIT access to a VM | *Assign these actions to the user:* <ul><li>On the scope of a subscription or Resource Group that is associated with the VM:<br/> ```Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action``` </li><li>On the scope of a subscription or Resource Group that is associated with the VM:<br/> ```Microsoft.Security/locations/jitNetworkAccessPolicies/*/read``` </li><li> On the scope of a Subscription or Resource Group or VM:<br/> ```Microsoft.Compute/virtualMachines/read``` </li><li> On the scope of a Subscription or Resource Group or VM:<br/> ```Microsoft.Network/networkInterfaces/*/read``` </li></ul>|
5050

5151

5252
## Configure JIT on a VM
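
Review bot: The two actions added on the `+` line are wildcards (`Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` and `Microsoft.Network/networkInterfaces/*/read`), while every other action in the visible rows is an exact action name. Since readers copy this table into custom role definitions, the row should either list the specific read actions the request flow needs or say that the wildcard form is the one that was tested, so the documented grant stays as narrow as possible. Minor style point on the same line: the new `<li>` items carry over the mixed `subscription`/`Subscription` capitalisation and the inconsistent space after `<li>`; normalising both in this change would keep the row consistent.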
