MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

New role can manage locks #120313

Closed vegazbabz closed 6 months ago

vegazbabz commented 6 months ago

It seems like this role can also manage locks: [Storage Account Backup Contributor]. Although it is not the intention of the role, it still has the correct actions to read, write, and delete locks if the role is assigned on a higher scope than just a resource group with the storage account(s).

ManoharLakkoju-MSFT commented 6 months ago

@vegazbabz Thanks for your feedback! We will investigate and update as appropriate.

tfitzmac commented 6 months ago

The storage account backup contributor has read access to authorization but not write or delete.

please-close

vegazbabz commented 6 months ago

> The storage account backup contributor has read access to authorization but not write or delete. #please-close

@tfitzmac you are incorrect. @KrishnaG-MSFT FYI. The link you provided is for "Backup Contributor"; it is NOT the same as "Storage Account Backup Contributor".

"To create or delete management locks, you need access to Microsoft.Authorization/ or Microsoft.Authorization/locks/ actions. Only the Owner and the User Access Administrator built-in roles can create and delete management locks." https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks

This is exactly what you have with the "Storage Account Backup Contributor". I have tested it and it can be used to create resource locks.

To replicate, you can try to create a DINE policy using https://github.com/Azure/Community-Policy/blob/main/policyDefinitions/Regulatory%20Compliance/deploy-cannotdelete-resource-lock-on-resource-groups/azurepolicy.json - replace the roleDefinitionIds with Contributor AND Storage Account Backup Contributor. Run a remediation - this will add the resource locks.

tfitzmac commented 6 months ago

@vegazbabz - thanks for that info. I have updated the doc so it no longer states that Owner and User Access Administrator are the only roles with the required access. I mention some specialized roles also have access but did not go into details about which specialized roles have access.
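The point of the thread is that a role's ability to manage locks follows from its Actions/NotActions entries, not from its name or the doc's short list of roles, and that can be checked mechanically. The following is an added example, not code from the issue or from Microsoft: a Python routine that applies Azure RBAC's wildcard action matching to role definitions in the shape returned by `az role definition list` and lists the roles that can write or delete management locks. The embedded role definitions are constructed samples modelled on the roles the thread discusses, not the live built-in definitions.

```python
import re
from typing import Iterable

# Constructed sample role definitions in the shape of `az role definition list`
# output (roleName, permissions[].actions / notActions). The action lists are
# illustrative samples for this example, not the live built-in definitions.
SAMPLE_ROLES = [
    {"roleName": "Owner",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"roleName": "Backup Contributor",
     "permissions": [{"actions": ["Microsoft.Authorization/*/read"],
                      "notActions": []}]},
    {"roleName": "Storage Account Backup Contributor",
     "permissions": [{"actions": ["Microsoft.Authorization/locks/read",
                                  "Microsoft.Authorization/locks/write",
                                  "Microsoft.Authorization/locks/delete"],
                      "notActions": []}]},
]

# Operations that create or remove a management lock.
LOCK_ACTIONS = ("Microsoft.Authorization/locks/write",
                "Microsoft.Authorization/locks/delete")

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: '*' spans any characters (including '/')
    and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_grants(role: dict, action: str) -> bool:
    """A role grants an action when an Actions entry matches it and no
    NotActions entry in the same permission block takes it back again."""
    for perm in role["permissions"]:
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False

def roles_that_can_change_locks(roles: Iterable[dict]) -> list:
    """Names of the roles able to write or delete management locks."""
    return sorted(r["roleName"] for r in roles
                  if any(role_grants(r, a) for a in LOCK_ACTIONS))

if __name__ == "__main__":
    for name in roles_that_can_change_locks(SAMPLE_ROLES):
        print(name)
```

Feeding the real `az role definition list` JSON into `roles_that_can_change_locks` gives the full set of built-in and custom roles that should be reviewed before they are assigned at subscription or management-group scope.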