Azure 5: Role-Based Access Control (RBAC)
easy⏱ 5 mincourseazure
RBAC Components
RBAC has three components: Security Principal (who — user, group, service principal, managed identity), Role Definition (what — a collection of permissions like Microsoft.Storage/*/read), and Scope (where — management group, subscription, resource group, or resource). Built-in roles include Owner, Contributor, Reader, and User Access Administrator.
// Azure CLI: Assign a role
az role assignment create \
--assignee user@example.com \
--role "Contributor" \
--scope /subscriptions/{sub-id}/resourceGroups/myRG
Build an RBAC permission checker
Create a RBACManager class with assignRole(principal, role, scope) and checkAccess(principal, action, scope) methods. Define at least three built-in roles (Owner, Contributor, Reader) with their permission patterns. Log the result of checking access.
Quiz: RBAC Scope Inheritance
If a user has Contributor role at the subscription level, can they modify resources in a resource group? Yes — RBAC is inherited. Roles assigned at a higher scope are inherited by all child scopes.