none
Is it better to configure IAM roles and policies from the resource group level perspective versus configuring them in from the account level perspective? RRS feed

  • Question

  • Is it better to configure IAM roles and policies from the Resource Group level versus configuring them in from the account level?

    Resource Group level perspective:

    Click on RG > IAM >policies, roles

    Account level perspective:

    Subscriptions > IAM > policies , roles


    dsk

    Sunday, December 1, 2019 2:33 PM

All replies

  • Assigning a role at Resource Group (RG) or Subscription level depends on your business and permission scope requirements.

    If you plan to add a user to access resources specific to the RG, the user would be able to access only resources of that particular RG unless there are other roles assigned at a different scope. 

    Same goes with subscription level, If you want user to have access at subscription level without any restriction to any specific resource, you can add that user at a subscription scope.




    Tuesday, December 3, 2019 7:39 AM
    Moderator
  • Would also recommend checking out the following content to get a better idea on best practices for assigning permission scopes in Azure.


    Wednesday, December 4, 2019 1:23 AM
    Moderator