NetAppDocs / bluexp-setup-admin

Open-source documentation for BlueXP setup and administration
https://docs.netapp.com/us-en/bluexp-setup-admin/

Needs to verify a step #318

Closed jwallsnetapp closed 4 months ago

jwallsnetapp commented 4 months ago

Page URL

https://docs.netapp.com/us-en/bluexp-setup-admin/task-install-connector-azure-marketplace.html

Page title

Create a Connector from the Azure Marketplace

Summary

Hello Team,

Step 5: Provide permissions to BlueXP, Sub-step 4: In the members tab, complete the following steps, Tertiary step: Select Select members, select the subscription in which the Connector virtual machine was created, choose Virtual machine, and then select the Connector virtual machine.

We believe the above step is wrong and needs to be fixed. We believe that you actually need to select subscriptions, not Virtual Machine.

A TSE created this KB article to resolve. https://kb.netapp.com/Cloud/BlueXP/Cloud_Backup_Service/Backup_and_Recovery_list_of_existing_resource_groups_empty

Please escalate this as this may be a crucial issue for other customers. Also, please let me know if there is any further clarification needed from.

Please email or Teams me for detailed business impact.

Regards,

Jacob Walls

netapp-bcammett commented 4 months ago

Thank you for letting me know. I'm taking a look at it right now.

netapp-bcammett commented 4 months ago

Jacob,

I believe the documentation is correct. I followed the steps and the role was assigned to the Connector VM at the subscription scope.

I confirmed my understanding by digging into the Azure documentation:

When you create a role assignment, you need to specify the scope at which it's applied. The scope represents the resource, or set of resources, that the principal is allowed to access. You can scope a role assignment to a single resource, a resource group, a subscription, or a management group.

You specify the scope based on the Azure service that you start from:

In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.

The first step in the BlueXP docs says to start from the Subscriptions service, so applying the role to the VM should set the role at the subscription level:

From the Azure Portal, open the Subscriptions service and select your subscription.

My assumption is that the customer started from Home > Virtual Machines and not from Home > Subscriptions.

I can add a clarifying point to the steps to note the ramifications of not starting from subscriptions. That could help to ensure that customers choose the correct starting point.

Thanks, Ben

netapp-bcammett commented 4 months ago

I added the following clarification to the page:

Steps

  1. From the Azure Portal, open the Subscriptions service and select your subscription.

It's important to assign the role from the Subscriptions service because this specifies the scope of the role assignment at the subscription level. The scope defines the set of resources that the access applies to. If you specify a scope at a different level (for example, at the virtual machine level), your ability to complete actions from within BlueXP will be affected.

Microsoft Azure documentation: Understand scope for Azure RBAC

netapp-bcammett commented 4 months ago

Thanks for submitting this issue. Please let me know if you think any additional changes are required.
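
The scope question discussed in this thread can be checked from exported role assignments. The following is an added example, not part of the issue or of NetApp's documentation: it classifies each assignment's scope string and reports whether the Connector VM's identity holds the role at the subscription itself or only at a narrower scope. It assumes records shaped like the JSON output of `az role assignment list` (`principalId`, `roleDefinitionName`, `scope`); the subscription ID, principal IDs, resource names and role name are constructed placeholders.

```python
SUB = "00000000-0000-0000-0000-000000000001"   # placeholder subscription ID
ROLE = "Example Connector Role"                 # hypothetical role name
VM = (f"/subscriptions/{SUB}/resourceGroups/rg1/providers/"
      "Microsoft.Compute/virtualMachines/connector-vm")  # constructed resource ID

# Constructed sample records; principal IDs are placeholders.
ASSIGNMENTS = [
    {"principalId": "vm-identity-a", "roleDefinitionName": ROLE, "scope": VM},
    {"principalId": "vm-identity-b", "roleDefinitionName": ROLE,
     "scope": f"/subscriptions/{SUB}"},
]

def scope_level(scope):
    """Classify an Azure RBAC scope string by the level it names."""
    parts = scope.strip("/").split("/")
    low = [p.lower() for p in parts]
    if low[:3] == ["providers", "microsoft.management", "managementgroups"] \
            and len(parts) == 4:
        return "management_group"
    if low[0] == "subscriptions" and len(parts) == 2:
        return "subscription"
    if low[0] == "subscriptions" and len(parts) == 4 and low[2] == "resourcegroups":
        return "resource_group"
    if low[0] == "subscriptions" and len(parts) > 4 and "providers" in low:
        return "resource"
    return "unknown"

def check_connector(assignments, principal_id, role, subscription_id):
    """Return (ok, narrower). ok is True when the role is assigned at the
    subscription itself; narrower lists scopes inside it that were used instead."""
    wanted = f"/subscriptions/{subscription_id}".lower()
    ok, narrower = False, []
    for a in assignments:
        if a["principalId"] != principal_id or a["roleDefinitionName"] != role:
            continue
        scope = a["scope"].rstrip("/").lower()
        if scope == wanted:
            ok = True
        elif scope.startswith(wanted + "/"):
            narrower.append((scope_level(a["scope"]), a["scope"]))
    return ok, narrower

if __name__ == "__main__":
    for pid in ("vm-identity-a", "vm-identity-b"):
        ok, narrower = check_connector(ASSIGNMENTS, pid, ROLE, SUB)
        print(pid, "subscription scope" if ok else f"narrower scope only: {narrower}")
```

An assignment inherited from a management group above the subscription is not evaluated here, because the management group hierarchy is not part of the assignment record.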