Create Custom RBAC Role to manage PostgreSQL DB

AzureLearner 1 Reputation point
2021-08-05T06:04:17.157+00:00

Hello all,

I am looking to see if anyone can assist with implementing custom role-based access control. My understanding is that custom RBAC roles can only be created using the portal, PowerShell, the CLI and the REST API. Maybe I am getting it all wrong.

The requirement is to create a custom role with elevated privileges, so that whoever logs in with that role can manage the PostgreSQL DB. This role should also have access to the Azure Storage account and to the Log Analytics workspace to read and write logs.

Edit -- If I have 5 PostgreSQL DBs in the same resource group and the custom RBAC role is defined with the resource group as its scope, this role will be applied to all 5 DBs, right? What if I need to restrict this role and its permissions to one particular DB out of the 5? Is this possible?

Can someone help me or guide me through each step that I need to follow to create it?

Tags: Azure Role-based access control, Azure Database for PostgreSQL, Microsoft Defender for Cloud

1 answer

  1. Stanislav Zhelyazkov 24,051 Reputation points MVP
    2021-08-06T10:29:09.777+00:00

    Hi,
    The level at which the custom role is created does not mean the custom role gives permissions at that level. In fact, just creating a custom role does not give any permissions. After you have created the custom role, you will have to do a role assignment. For one custom role you can do multiple role assignments, as long as the scope of the role assignment or the Azure AD principal (user, MI, SP, group) is different. Let's say you create the custom role for Subscription A. This means you can use that custom role for role assignments only at that level. If you want to use it in Subscription B, you will not be able to. You will need either to create the same role in Subscription B or to create the role at the management group where both subscriptions are located.

    Moving back to the role assignments. You can do a role assignment for the custom role at subscription level; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) under the subscription. You can do a role assignment for the custom role at a specific resource group; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) within the resource group. You can even do a role assignment for the custom role on a specific resource; that way the permissions will be given to the Azure AD principal only for that resource.

    Source

    Remember that there are certain limits on using custom roles at management group level and certain limits on the number of role assignments possible.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

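The following is an added illustration of the two points above (the question's "one DB out of five" requirement and the answer's distinction between where a role is defined and where it is assigned); it is not code from the original thread. It builds the JSON shape that `az role definition create --role-definition <file>` consumes and models the scope rule: a custom role can only be assigned at a scope inside one of its `AssignableScopes`, and an assignment at a server's own resource ID grants the role on that server alone. The subscription ID, resource group and server names are constructed placeholders, and the operation strings are assumed to be the ones listed by `az provider operation show` for each provider; verify them in your tenant before use.

```python
"""Custom role definition for one PostgreSQL server plus a scope-containment
check. Added example; not code from the Q&A thread or from Microsoft."""
import json

# Constructed placeholder identifiers; replace with your own values.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-data"
SERVER_NAME = "pg-prod-01"

SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
RG_SCOPE = f"{SUB_SCOPE}/resourceGroups/{RESOURCE_GROUP}"
SERVER_SCOPE = f"{RG_SCOPE}/providers/Microsoft.DBforPostgreSQL/servers/{SERVER_NAME}"


def build_role_definition(assignable_scope: str) -> dict:
    """Return a role definition in the JSON shape used by
    `az role definition create --role-definition <file>`.

    The Actions/DataActions below are assumed to match the provider
    operations in your tenant (check with `az provider operation show`).
    """
    return {
        "Name": "PostgreSQL DB Operator (custom)",
        "IsCustom": True,
        "Description": "Manage one PostgreSQL server; read storage blobs and query Log Analytics.",
        "Actions": [
            "Microsoft.DBforPostgreSQL/servers/*",
            "Microsoft.Storage/storageAccounts/read",
            "Microsoft.OperationalInsights/workspaces/read",
            "Microsoft.OperationalInsights/workspaces/query/read",
        ],
        "NotActions": [],
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        ],
        "NotDataActions": [],
        # The role can be assigned only at or below these scopes.
        "AssignableScopes": [assignable_scope],
    }


def scope_contains(parent: str, child: str) -> bool:
    """True if `child` is `parent` itself or lies underneath it.

    Compared case-insensitively on whole path segments, so a resource group
    named 'rg-data' does not match 'rg-data2'.
    """
    p = parent.lower().rstrip("/").split("/")
    c = child.lower().rstrip("/").split("/")
    return len(c) >= len(p) and c[: len(p)] == p


def can_assign(role_def: dict, assignment_scope: str) -> bool:
    """The answer's rule: an assignment is valid only inside an AssignableScope."""
    return any(scope_contains(s, assignment_scope) for s in role_def["AssignableScopes"])


def effective_servers(assignment_scope: str, server_scopes: list) -> list:
    """Servers on which an assignment at `assignment_scope` grants the role."""
    return [s for s in server_scopes if scope_contains(assignment_scope, s)]


def five_servers() -> list:
    """Five constructed servers in the same resource group, as in the question."""
    return [
        f"{RG_SCOPE}/providers/Microsoft.DBforPostgreSQL/servers/pg-prod-0{i}"
        for i in range(1, 6)
    ]


if __name__ == "__main__":
    role = build_role_definition(SUB_SCOPE)
    print(json.dumps(role, indent=2))
    print("RG-level assignment covers:", len(effective_servers(RG_SCOPE, five_servers())))
    print("Server-level assignment covers:", len(effective_servers(SERVER_SCOPE, five_servers())))
    other_sub = "/subscriptions/11111111-1111-1111-1111-111111111111"
    print("Assignable in another subscription?", can_assign(role, other_sub))
```

To apply this with the real tooling, write the dictionary to a file and run `az role definition create --role-definition role.json`, then assign it with `az role assignment create --role "PostgreSQL DB Operator (custom)" --assignee <principal-object-id> --scope "<SERVER_SCOPE>"`; passing the server's resource ID as `--scope` is what restricts the role to that one DB while leaving the other four untouched, and using the resource group ID instead would cover all five.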
