Read-only role for a storage account vulnerability assessment

  • Question

  • Hi,

    Several users need to have access to Security Center - Overview > Data security > Vulnerabilities on your SQL databases should be remediated (Preview) > Vulnerability Assessment

    Just the Reader RBAC role on the storage account was not enough; they only got access with Reader and Data Access, but this role also allows users to remove containers and files from Storage Accounts.

    Is there any read-only role for security overview?

    Thursday, November 14, 2019 10:15 AM

Answers

  • For this access you need permissions both at the SQL level and the Storage account level and the Reader and Data Access role is required at the storage level.

    You could run a script to create a custom role that adds the actions that you need, as described in this article:

    # Sign in and select the subscription that holds the storage account (placeholder kept as in the post)
    Connect-AzureRmAccount
    Select-AzureRmSubscription '......'
    # Start from the built-in SQL Security Manager role and turn the copy into a new custom role
    $role = Get-AzureRmRoleDefinition -Name "SQL Security Manager"
    $role.Id = $null    # clear the built-in role's Id so a new definition is created rather than colliding with it
    $role.Name = "DW Vulnerability Assessment"
    $role.Description = "Grants you permission to view Vulnerability Assessment"
    $role.IsCustom = $true
    # Storage control-plane actions needed to read the assessment results from the storage account
    $role.Actions.Add("Microsoft.Storage/storageAccounts/listKeys/action")
    $role.Actions.Add("Microsoft.Storage/storageAccounts/ListAccountSas/action")
    $role.Actions.Add("Microsoft.Storage/storageAccounts/read")
    # Restrict where the custom role can be assigned (subscription id placeholder kept as in the post)
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/xxxxxx-xxxx-xxxx-xxx-xxxxxxxxx")
    New-AzureRmRoleDefinition $role


    Friday, November 15, 2019 11:58 PM
    Moderator
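An added check that is not part of the answer above: a PowerShell snippet that audits a role definition such as the custom role created by that script for storage actions that go beyond read-only, including listKeys/action and ListAccountSas/action, which hand out account keys or an account SAS and therefore full data-plane access regardless of RBAC. It assumes the Az module (Get-AzRoleDefinition) and uses the role name from the thread; the function names are hypothetical.

```powershell
function Test-ActionMatch {
    # Azure RBAC actions may contain '*' wildcards (e.g. Microsoft.Storage/*);
    # translate the granted pattern into a regex and test the concrete operation.
    param([string]$Pattern, [string]$Operation)
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Operation -match $regex    # -match is case-insensitive, like Azure action names
}

function Get-RoleRiskReport {
    # Reports storage control-plane operations the role effectively grants that allow
    # changing or deleting data, or obtaining credentials that bypass RBAC on the data plane.
    param([Parameter(Mandatory)]$Role)
    $checks = @{
        'Microsoft.Storage/storageAccounts/delete'                         = 'can delete the storage account'
        'Microsoft.Storage/storageAccounts/write'                          = 'can reconfigure the storage account'
        'Microsoft.Storage/storageAccounts/blobServices/containers/delete' = 'can delete containers'
        'Microsoft.Storage/storageAccounts/blobServices/containers/write'  = 'can create or modify containers'
        'Microsoft.Storage/storageAccounts/listKeys/action'                = 'returns account keys: full data-plane access'
        'Microsoft.Storage/storageAccounts/ListAccountSas/action'          = 'returns account SAS: full data-plane access'
    }
    $findings = foreach ($op in $checks.Keys) {
        # An operation is effective when some Actions pattern matches it and no NotActions pattern excludes it
        $granted = @($Role.Actions    | Where-Object { Test-ActionMatch -Pattern $_ -Operation $op })
        $denied  = @($Role.NotActions | Where-Object { Test-ActionMatch -Pattern $_ -Operation $op })
        if ($granted.Count -gt 0 -and $denied.Count -eq 0) {
            [pscustomobject]@{
                Operation = $op
                GrantedBy = ($granted -join ', ')
                Impact    = $checks[$op]
            }
        }
    }
    return $findings
}

# Usage: inspect the custom role from the answer above (assumes it exists in the selected subscription)
$role = Get-AzRoleDefinition -Name 'DW Vulnerability Assessment'
Get-RoleRiskReport -Role $role | Format-Table -AutoSize
```

Run it against the built-in Reader and Data Access role as well to see which of these operations that role grants compared with the custom one.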