Roles and permissions for Microsoft Azure accounts
An App Registration with a Service Principal and a DSPM Analyzer role, each carrying a defined set of permissions, are created automatically when you connect a Microsoft Azure account to IBM Guardium DSPM.
For more information about what the App Registration with Service Principal and the DSPM Analyzer role do, see the Results sub-section of the Connecting with Microsoft Azure cloud accounts section.
App Registration with Service Principal
The App Registration with Service Principal is created automatically in the main account of every Azure account that is connected to Guardium DSPM. The principal is granted the following permissions so that it can read metadata and create resources in the Azure environment:
- Action permission for Microsoft.Compute/virtualMachineScaleSets/manualUpgrade
- Reader
- Read permission for Graph API services, which includes read permission for all applications and users
- Read permission for Microsoft.Insights/autoscalesettings
- Write permission for Microsoft.Insights/autoscalesettings
- Write permission for Microsoft.Compute/virtualMachineScaleSets
- Write permission for Microsoft.Compute/virtualMachineScaleSets/virtualMachines
DSPM Analyzer role
The DSPM Analyzer role has access to Virtual Machine Scale Sets and to all required subscriptions of the connected Azure account, and it can scan all data in that account. The role is installed in the main subscription but can manage every other connected subscription. It has the following permissions:
Azure Service | Scope of permissions | Additional information about permissions |
---|---|---|
Compute | Read permission for Microsoft.Compute | |
Network | Read permission for Microsoft.Network | |
Storage | | Write permission for Microsoft.Storage/storageAccounts is granted only for the Guardium DSPM storage account container. |
Resources | | |
CosmosDB | Read permission for Cosmos DB Account | |
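Because both the Service Principal above and the DSPM Analyzer role are created automatically, a practitioner will usually want to confirm afterwards that the role definition in the tenant has not drifted beyond the documented scope. The following is an added example, not IBM's code: it audits a role definition in the JSON shape returned by `az role definition list` against the documented permissions. The action strings are my rendering of the page's prose in Azure's `Provider/type/operation` notation (with the built-in Reader role taken as `*/read`), and the sample role is constructed, so check both against what exists in your tenant.

```python
import fnmatch
import json

# Documented permissions rendered as Azure action strings.
# ASSUMPTION: the page lists them in prose; these exact strings are my
# translation, not values copied from the product's role definition.
EXPECTED_ACTIONS = [
    "*/read",  # built-in Reader role
    "Microsoft.Compute/virtualMachineScaleSets/manualUpgrade/action",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Insights/autoscalesettings/write",
    "Microsoft.Storage/storageAccounts/write",
]

def is_covered(action, expected=EXPECTED_ACTIONS):
    """True if the granted action falls inside some expected pattern.

    Azure actions are case-insensitive and '*' spans '/' boundaries, which is
    also how fnmatch treats '*'. A wildcard in the *granted* action is matched
    as a literal, so a grant broader than every expected pattern (e.g. '*' or
    'Microsoft.Compute/*') is reported instead of silently accepted.
    """
    granted = action.lower()
    return any(fnmatch.fnmatchcase(granted, p.lower()) for p in expected)

def audit_role(role_def, expected=EXPECTED_ACTIONS):
    """Report control-plane actions outside `expected`; the page documents no
    data-plane grants, so every dataAction is listed for manual review."""
    findings = {"unexpected_actions": [], "data_actions_to_review": []}
    for perm in role_def.get("permissions", []):
        for act in perm.get("actions", []):
            if not is_covered(act, expected):
                findings["unexpected_actions"].append(act)
        findings["data_actions_to_review"].extend(perm.get("dataActions", []))
    return findings

# Constructed sample in the shape of `az role definition list` output; the
# delete grant is deliberately out of scope so the audit has something to flag.
SAMPLE_ROLE = json.loads("""{
  "roleName": "DSPM Analyzer", "roleType": "CustomRole",
  "permissions": [{
    "actions": ["Microsoft.Compute/*/read", "Microsoft.Network/*/read",
                "Microsoft.Compute/virtualMachineScaleSets/write",
                "Microsoft.Compute/virtualMachines/delete"],
    "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
  }]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

Pipe the real output of `az role definition list --custom-role-only true` through `json.load` and call `audit_role` on each entry to run the same check against the tenant.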