Azure Managed Application Permissions

  • Question


  • Hello,

    We are looking to develop a solution that uses Managed Applications to deploy to our customers. Part of the solution will use Linux VMs to host the solution. We'd like to be able to restrict customers' access to the contents of the Virtual Machine to help protect our IP.

    From https://docs.microsoft.com/en-gb/azure/managed-applications/publish-marketplace-app "The */read action is automatically allowed so you don't need to include that setting.". This implies the customer can read the resources deployed as part of the managed application.

    • This makes me wonder, could the customer read the contents of the disk/VHD? I don't think */read would give the customer access to generate an access token and export the VHD. Could anyone confirm this?
    • With read access, I also don't think the customer could execute the "Run Command" option on a VM. Would I be correct in assuming this?
    • With read access, I also don't think the customer could read keys out of Key Vault (which could be used for disk encryption) without explicit key access. Would I be correct in assuming this too?

    Has anyone deployed a managed application in such a way and successfully protected their IP?

    Thanks for your help,

    Greg

    Monday, September 16, 2019 4:47 AM

Answers

  • Hi Greg,

    I have not deployed a managed application but I can confirm that your assumptions are correct. The read operation is just to allow them to see what resources are being built as part of the managed application. They will not be able to perform any other action on the resources. 

    Ref: https://docs.microsoft.com/en-gb/azure/managed-applications/overview#managed-resource-group


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    • Marked as answer by GregRoll Tuesday, September 17, 2019 11:17 PM
    Tuesday, September 17, 2019 3:42 PM
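To make the control-plane versus data-plane distinction in this answer concrete, here is an added example (not from the thread, and not an Azure SDK call) that models Azure RBAC action matching and checks the implicit `*/read` grant against the three operations Greg asked about. The permission set and the check list are constructed; the operation names are real Azure operation names, and Key Vault is modelled in its RBAC (data action) mode.

```python
import re

# Added illustration of Azure RBAC-style action matching.
# Actions/NotActions (control plane) and DataActions/NotDataActions (data plane)
# are separate namespaces: an entry in Actions never grants a data action.

def action_matches(pattern: str, operation: str) -> bool:
    """True if an RBAC action pattern (with '*' wildcards) covers an operation.
    Matching is case-insensitive and '*' may span '/' segments, as in */read."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_allowed(permission: dict, operation: str, data_plane: bool = False) -> bool:
    """Evaluate one operation against a permission block (allow minus deny)."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    allowed = any(action_matches(p, operation) for p in permission.get(allow_key, []))
    denied = any(action_matches(p, operation) for p in permission.get(deny_key, []))
    return allowed and not denied

# Constructed permission block resembling the automatic */read grant the
# question quotes from the Marketplace documentation.
CUSTOMER_READ_ONLY = {"actions": ["*/read"], "notActions": [],
                      "dataActions": [], "notDataActions": []}

# (operation, is_data_plane): the operations the question worries about.
CHECKS = [
    ("Microsoft.Compute/virtualMachines/read", False),            # listing the VM
    ("Microsoft.Compute/disks/beginGetAccess/action", False),     # SAS for VHD export
    ("Microsoft.Compute/virtualMachines/runCommand/action", False),  # Run Command
    ("Microsoft.KeyVault/vaults/secrets/getSecret/action", True),  # data-plane secret read
]

def evaluate(permission: dict = CUSTOMER_READ_ONLY) -> dict:
    """Map each checked operation to whether the permission block allows it."""
    return {op: is_allowed(permission, op, data_plane) for op, data_plane in CHECKS}

if __name__ == "__main__":
    for op, allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'deny '}  {op}")
```

Only the `.../read` operation is allowed; the export, Run Command and secret-read operations are not matched by `*/read`, and the Key Vault read would additionally need an explicit data action (or access-policy entry on a vault not in RBAC mode).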

All replies

  • Hi Manoj,

    Thanks very much for the answer. You have helped greatly.

    Greg

    Tuesday, September 17, 2019 11:18 PM