| 1 | +--- |
| 2 | +title: Custom roles for SQL Server to SQL Database managed instance online migrations | Microsoft Docs |
| 3 | +description: Learn to use the custom roles for SQL Server to SQL Database managed instance online migrations. |
| 4 | +services: database-migration |
| 5 | +author: HJToland3 |
| 6 | +ms.author: jtoland |
| 7 | +manager: craigg |
| 8 | +ms.reviewer: craigg |
| 9 | +ms.service: dms |
| 10 | +ms.workload: data-services |
| 11 | +ms.custom: mvc |
| 12 | +ms.topic: article |
| 13 | +ms.date: 10/25/2019 |
| 14 | +--- |
| 15 | + |
| 16 | +# Custom roles for SQL Server to SQL Database managed instance online migrations |
| 17 | + |
| 18 | +Azure Database Migration Service uses an APP ID to interact with Azure Services. The APP ID requires either the Contributor role at the Subscription level (which many Corporate security departments won't allow) or creation of custom roles that grant the specific permissions that Azure database Migrations Service requires. Since there's a limit of 2,000 custom roles in Azure Active Directory, you may want to combine all permissions required specifically by the APP ID into one or two custom roles, and then grant the APP ID the custom role on specific objects or resource groups (vs. at the subscription level). If the number of custom roles isn't a concern, you can split the custom roles by resource type, to create three custom roles in total as described below. |
| 19 | + |
| 20 | +The AssignableScopes section of the role definition json string allows you to control where the permissions appear in the **Add Role Assignment** UI in the portal. You'll likely want to define the role at the resource group or even resource level to avoid cluttering the UI with extra roles. Note that this doesn't perform the actual role assignment. |
| 21 | + |
| 22 | +## Minimum number of roles |
| 23 | + |
| 24 | +We currently recommend creating a minimum of two custom roles for the APP ID, one at the resource level and the other at the subscription level. |
| 25 | + |
| 26 | +> [!NOTE] |
| 27 | +> The last custom role requirement may eventually be removed, as new SQL Database managed instance code is deployed to Azure. |
| 28 | +
|
| 29 | +**Custom Role for the APP ID**. This role is required for Azure Database Migration Service migration at the *resource* or *resource group* level (for more information about the APP ID, see the article [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal)). |
| 30 | + |
| 31 | +```json |
| 32 | +{ |
| 33 | + "Name": "DMS Role - App ID", |
| 34 | + "IsCustom": true, |
| 35 | + "Description": "DMS App ID access to complete MI migrations", |
| 36 | + "Actions": [ |
| 37 | + "Microsoft.Storage/storageAccounts/read", |
| 38 | + "Microsoft.Storage/storageAccounts/listKeys/action", |
| 39 | + "Microsoft.Storage/storageaccounts/blobservices/read", |
| 40 | + "Microsoft.Storage/storageaccounts/blobservices/write", |
| 41 | + "Microsoft.Sql/managedInstances/read", |
| 42 | + "Microsoft.Sql/managedInstances/write", |
| 43 | + "Microsoft.Sql/managedInstances/databases/read", |
| 44 | + "Microsoft.Sql/managedInstances/databases/write", |
| 45 | + "Microsoft.Sql/managedInstances/databases/delete", |
| 46 | + "Microsoft.Sql/managedInstances/metrics/read", |
| 47 | + "Microsoft.DataMigration/locations/*", |
| 48 | + "Microsoft.DataMigration/services/*" |
| 49 | + ], |
| 50 | + "NotActions": [ |
| 51 | + ], |
| 52 | + "AssignableScopes": [ |
| 53 | + "/subscriptions/<subscription_id>/ResourceGroups/<StorageAccount_rg_name>", |
| 54 | + "/subscriptions/<subscription_id>/ResourceGroups/<ManagedInstance_rg_name>", |
| 55 | + "/subscriptions/<subscription_id>/ResourceGroups/<DMS_rg_name>", |
| 56 | + ] |
| 57 | +} |
| 58 | +``` |
| 59 | + |
| 60 | +**Custom role for the APP ID - subscription**. This role is required for Azure Database Migration Service migration at *subscription* level. |
| 61 | + |
| 62 | +```json |
| 63 | +{ |
| 64 | + "Name": "DMS Role - App ID - Sub", |
| 65 | + "IsCustom": true, |
| 66 | + "Description": "DMS App ID access at subscription level to complete MI migrations", |
| 67 | + "Actions": [ |
| 68 | + "Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation/*" |
| 69 | + ], |
| 70 | + "NotActions": [ |
| 71 | + ], |
| 72 | + "AssignableScopes": [ |
| 73 | + "/subscriptions/<subscription_id>" |
| 74 | + ] |
| 75 | +} |
| 76 | +``` |
| 77 | + |
| 78 | +The json above must be stored in three text files, and you can use either the AzureRM, AZ PowerShell cmdlets, or Azure CLI to create the roles using either **New-AzureRmRoleDefinition (AzureRM)** or **New-AzRoleDefinition (AZ)**. |
| 79 | + |
| 80 | +For more information, see the article [Custom roles for Azure resources](https://docs.microsoft.com/azure/role-based-access-control/custom-roles). |
| 81 | + |
| 82 | +After you create these custom roles, you must add role assignments to users and APP ID(s) to the appropriate resources or resource groups: |
| 83 | + |
| 84 | +* The “DMS Role - App ID” role must be granted to the APP ID that will be used for the migrations, and also at the Storage Account, Azure Database Migration Service instance, and SQL Database managed instance resource levels. |
| 85 | +* The “DMS Role - App ID - Sub” role must be granted to the APP ID at the subscription level (granting at the resource or resource group will fail). This requirement is temporary until a code update is deployed. |
| 86 | + |
| 87 | +## Expanded number of roles |
| 88 | + |
| 89 | +If the number of custom roles in your Azure Active Directory isn't a concern, we recommend you create a total of three roles. You'll still need the “DMS Role - App ID – Sub” role, but the “DMS Role - App ID” role above is split by resource type into two different roles. |
| 90 | + |
| 91 | +**Custom role for the APP ID for SQL Database managed instance** |
| 92 | + |
| 93 | +```json |
| 94 | +{ |
| 95 | + "Name": "DMS Role - App ID - SQL MI", |
| 96 | + "IsCustom": true, |
| 97 | + "Description": "DMS App ID access to complete MI migrations", |
| 98 | + "Actions": [ |
| 99 | + "Microsoft.Sql/managedInstances/read", |
| 100 | + "Microsoft.Sql/managedInstances/write", |
| 101 | + "Microsoft.Sql/managedInstances/databases/read", |
| 102 | + "Microsoft.Sql/managedInstances/databases/write", |
| 103 | + "Microsoft.Sql/managedInstances/databases/delete", |
| 104 | + "Microsoft.Sql/managedInstances/metrics/read" |
| 105 | + ], |
| 106 | + "NotActions": [ |
| 107 | + ], |
| 108 | + "AssignableScopes": [ |
| 109 | + "/subscriptions/<subscription_id>/resourceGroups/<ManagedInstance_rg_name>" |
| 110 | + ] |
| 111 | +} |
| 112 | +``` |
| 113 | + |
| 114 | +**Custom role for the APP ID for Storage** |
| 115 | + |
| 116 | +```json |
| 117 | +{ |
| 118 | + "Name": "DMS Role - App ID - Storage", |
| 119 | + "IsCustom": true, |
| 120 | + "Description": "DMS App ID storage access to complete MI migrations", |
| 121 | + "Actions": [ |
| 122 | +"Microsoft.Storage/storageAccounts/read", |
| 123 | + "Microsoft.Storage/storageAccounts/listKeys/action", |
| 124 | + "Microsoft.Storage/storageaccounts/blobservices/read", |
| 125 | + "Microsoft.Storage/storageaccounts/blobservices/write" |
| 126 | + ], |
| 127 | + "NotActions": [ |
| 128 | + ], |
| 129 | + "AssignableScopes": [ |
| 130 | + "/subscriptions/<subscription_id>/resourceGroups/<StorageAccount_rg_name>" |
| 131 | + ] |
| 132 | +} |
| 133 | +``` |
| 134 | + |
| 135 | +## Role assignment |
| 136 | + |
| 137 | +To assign a role to users/APP ID, open the Azure portal, perform the following steps: |
| 138 | + |
| 139 | +1. Navigate to the resource group or resource (except for the role that needs to be granted on the subscription), go to **Access Control**, and then scroll to find the custom roles you just created. |
| 140 | + |
| 141 | +2. Select the appropriate role, select the APP ID, and then save the changes. |
| 142 | + |
| 143 | + Your APP ID(s) now appears listed on the **Role assignments** tab. |
| 144 | + |
| 145 | +## Next steps |
| 146 | + |
| 147 | +* Review the migration guidance for your scenario in the Microsoft [Database Migration Guide](https://datamigration.microsoft.com/). |
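Review bot: The `AssignableScopes` array of the first role definition (`"DMS Role - App ID"`) is not valid JSON as written: its last element, `"/subscriptions/<subscription_id>/ResourceGroups/<DMS_rg_name>",` is followed by a trailing comma before the closing `]`, so the file will be rejected by `New-AzRoleDefinition -InputFile` (and the AzureRM/CLI equivalents the page names) before any role is created; drop the comma, and note that the other two definitions are correct on this point. The sentence "The json above must be stored in three text files" follows only two JSON documents; the three-role layout appears later under "Expanded number of roles", so this should say two files (three if the expanded layout is used). Finally, a least-privilege caveat belongs next to the storage actions: `Microsoft.Storage/storageAccounts/listKeys/action` returns the account keys, which give the APP ID full data-plane access to every container in that account rather than just the migration backups, and `Microsoft.Sql/managedInstances/write` granted at resource-group scope lets it modify any managed instance in the group; the resource-level assignment that the "Role assignment" steps already describe should be stated as the default, and the text could add that the storage account keys should be rotated once the migration completes.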