Planning security access control on Microsoft Azure

To deploy and manage the IBM Storage Virtualize for Public Cloud software in Microsoft Azure, the user must have a set of specific permissions to deploy and manage the Microsoft Azure resources.

Microsoft Azure provides role-based access control (RBAC) to manage access to Microsoft Azure resources. It provides fine-grained access control to the resources that you host in Azure. For more information, see What is Azure role-based access control (Azure RBAC)? in the Microsoft Azure documentation.

When a subscription is created in Microsoft Azure, a default administrator role is created. The permissions on the default administrator role allow access to subscriptions, management groups, and all resource groups that are configured within the subscription. You can use this role to install and manage your IBM Storage Virtualize for Public Cloud deployment; however, separate roles provide more granular access control and better protection for your resources. Several user roles can be created to manage resources in your IBM Storage Virtualize for Public Cloud deployment. Each of these user roles has specific permissions that allow or deny access to resources within your deployment. These roles divide actions among several users, which minimizes unauthorized access to resources within your environment. The deployment template also automatically creates roles that provide access between the IBM Storage Virtualize for Public Cloud nodes and other objects within your configuration.

The following table describes all roles that are required for the deployment and management of IBM Storage Virtualize for Public Cloud software in Microsoft Azure.
Table 1. Required user roles for IBM Storage Virtualize for Public Cloud deployments

User role: Installer user role
Description: The installer user role is assigned to the user who deploys the IBM Storage Virtualize for Public Cloud cluster. This user is responsible for installing the cluster through the deployment template and has permissions that include creating virtual machines, provisioning virtual networks, attaching Azure disks, and other permissions.

User role: Management user role
Description: This user role provides permissions to complete day-to-day operations on the IBM Storage Virtualize for Public Cloud cluster after it is deployed in Microsoft Azure. This user can run system setup and any related configuration tasks in the IBM Storage Virtualize for Public Cloud management interfaces.
Tasks allowed by this user role: Post-installation steps:

User role: Bastion user role
Description: You can create a separate user role to manage all bastion connections between your public and private networks, or include these permissions as part of the management user role or the installer user role. A bastion host allows access from a public network to your private virtual network.
Tasks allowed by this user role: Post-installation step: Creating a bastion host

Permissions for the Installer user role

Before you install IBM Storage Virtualize for Public Cloud, ensure that an installer user role is created with the correct permissions. If the permissions are not assigned, the actions that are required for a successful installation of IBM Storage Virtualize for Public Cloud fail. You can use the Azure default administrator profile to install the IBM Storage Virtualize for Public Cloud software, or you can create an installer user profile that includes only the permissions that are required to deploy the software. When you create permissions in Microsoft Azure, you can select specific permissions in the Azure portal or add the permissions in JSON format.

Ensure that the installer user profile has the following permissions:


"Microsoft.Compute/virtualMachines/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/tags/write",
"Microsoft.Compute/proximityPlacementGroups/write",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.Authorization/roleDefinitions/write",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.KeyVault/vaults/write",
"Microsoft.Compute/disks/write",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Network/LoadBalancers/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/resources/read",
"Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Compute/disks/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Compute/proximityPlacementGroups/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Network/bastionHosts/read",
"Microsoft.Network/virtualNetworks/BastionHosts/action",
"Microsoft.Network/virtualNetworks/bastionHosts/default/action",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/virtualNetworks/virtualMachines/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/bastionHosts/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/dnsAliases/read",
"Microsoft.ContainerInstance/containerGroups/write",
"Microsoft.ContainerInstance/containerGroups/read",
"Microsoft.ContainerInstance/containerGroups/delete",
"Microsoft.ContainerInstance/containerGroups/start/action",
"Microsoft.ContainerInstance/containerGroups/stop/action",
"Microsoft.ContainerInstance/containerGroups/restart/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Resources/deploymentScripts/logs/read",
"Microsoft.Resources/deploymentScripts/delete",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.KeyVault/locations/deletedVaults/read",
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.Resources/subscriptions/resourcegroups/delete"

Permissions for the Management user role

To complete the day-to-day management tasks of IBM Storage Virtualize for Public Cloud, another user role can be created. The SV_Cloud_User_Role provides permissions to a user who completes the day-to-day configuration and management tasks of your IBM Storage Virtualize for Public Cloud cluster. The SV_Cloud_User_Role can be defined with the following permissions:


"Microsoft.Compute/virtualMachines/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Network/LoadBalancers/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/resources/read",
"Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Compute/disks/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Compute/proximityPlacementGroups/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Network/bastionHosts/read",
"Microsoft.Network/virtualNetworks/BastionHosts/action",
"Microsoft.Network/virtualNetworks/bastionHosts/default/action",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/virtualNetworks/virtualMachines/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/bastionHosts/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/dnsAliases/read",
"Microsoft.Resources/tags/write",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/disks/write",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Resources/deployments/write"
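
The installer and management role sections above describe supplying a custom role's permissions as JSON. The following added example (not IBM's or Microsoft's code; the role name, the resource-group scope and the short sample action list are assumptions) builds the role definition document that `az role definition create --role-definition` accepts, deduplicates repeated entries, and checks whether a role's actions cover what a deployment requires, honouring Azure's case-insensitive, wildcard action matching, so that a missing permission is found before the deployment fails rather than after.

```python
"""Build an Azure custom role definition and audit its actions.
Added example; role names, scope and sample actions are assumptions."""
import fnmatch
import json

# Constructed sample: a subset of the installer actions listed on this page.
SAMPLE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Network/LoadBalancers/*",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Authorization/roleAssignments/write",
]

# Actions that let the holder change who has access; worth a second look
# when a role is meant for day-to-day operation rather than installation.
PRIVILEGED = ("Microsoft.Authorization/roleAssignments/write",
              "Microsoft.Authorization/roleDefinitions/write")


def build_custom_role(name, actions, scope, description=""):
    """Return the role document for 'az role definition create'.
    AssignableScopes pins the role to one resource group (assumed scope)."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": sorted(set(actions)),  # drop duplicate entries
        "NotActions": [],
        "AssignableScopes": [scope],
    }


def role_json(role):
    """Serialise for '--role-definition @role.json'."""
    return json.dumps(role, indent=2)


def action_granted(action, granted):
    """Azure compares action strings case-insensitively and '*' matches any
    suffix, so 'Microsoft.Network/LoadBalancers/*' covers '.../read'."""
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, g.lower()) for g in granted)


def missing_actions(required, granted):
    """Required actions that the granted set does not cover."""
    return [r for r in required if not action_granted(r, granted)]


def broad_actions(actions):
    """Wildcards wider than one resource type, e.g. '*' or 'Microsoft.Network/*'."""
    return [a for a in actions if a == "*" or (a.endswith("/*") and a.count("/") < 2)]


def privileged_actions(actions):
    """Access-management actions present in the role."""
    return [a for a in actions if a.lower() in (p.lower() for p in PRIVILEGED)]
```

The Microsoft.Network/LoadBalancers/* entry on this page is the only wildcard in the lists, and broad_actions deliberately does not flag it because it is limited to one resource type.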

Permissions for the Bastion user role

If you plan to use the Azure Bastion service to connect to your deployment, you can either create an additional user role or add the following permissions to the installer user profile. The Bastion_User_Role can be defined with the following permissions:


"Microsoft.Network/bastionHosts/read",
"Microsoft.Network/virtualNetworks/BastionHosts/action",
"Microsoft.Network/virtualNetworks/bastionHosts/default/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/virtualNetworks/virtualMachines/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/bastionHosts/write",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/dnsAliases/read",
"Microsoft.Resources/deployments/write"

For more information, see Configure Azure Bastion from VM settings in the Azure documentation.

Note: The permissions for the Azure Bastion service are controlled by Microsoft Azure and are subject to change; refer to the Azure documentation for the latest information.