Overview

The Osservante RBAC Extension enables configuration of access to Azure resources in code.

It is available in the Visual Studio Marketplace.

Manage resource groups, tags, and RBAC

It enables centralised management of Azure resource groups and role-based access control (RBAC) assignments in code.

  • Create resource groups
  • Set tags on resource groups
  • Set RBAC on resource groups
  • Set RBAC on resources
  • Set RBAC on subscriptions, management groups and tenants

Why manage RBAC Centrally?

Modes

The extension compares existing configuration in the Azure tenant with the configuration in the code. This enables the following modes:

| Mode | Description |
|------|-------------|
| Export | Capture all existing resource groups and RBAC assignments for your entire Azure tenant (or tenants) to code. |
| Plan | Compare the code with the current state of Azure and show a summary of what actions are required. |
| Apply | Apply the changes that were detected during the plan stage. |

The Export mode can be used both for the initial export and on an ongoing basis to capture any changes made in the portal.

Approvals

Approvals can be configured between the plan and apply modes using the built-in capabilities of Azure DevOps.

Pipeline Approval for RBAC

Example code

Example definition of a resource group in code:

---
resourceGroupName: OSX-ARG-KEYVAULT-DEV
location: eastus
assignments:
  - role: Contributor
    objectName: Jennifer.Davies@osservantex.onmicrosoft.com
    objectType: User
  - role: Owner
    objectName: Information Technology
    objectType: Group
  - role: Reader
    objectName: Oliver.Walker@osservantex.onmicrosoft.com
    objectType: User
  - role: Key Vault Reader
    objectName: Susan.Fisher@osservantex.onmicrosoft.com
    objectType: User
    scope: "/providers/Microsoft.KeyVault/vaults/osxkvappx"
tags:
  Created: '2022-02-04'
  Description: Dev keyvault resource group
  Environment: Development
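
The comparison that Plan mode describes, worked through for the definition above. This is an added example, not the extension's own code or algorithm. The subscription ID is a placeholder, the current state and `portal.user@example.com` are constructed, and treating `scope` as relative to the resource group is an assumption.

```python
# Added illustration; not the extension's own code or algorithm.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Desired state: the page's resource group definition as parsed YAML.
DESIRED = {
    "resourceGroupName": "OSX-ARG-KEYVAULT-DEV",
    "assignments": [
        {"role": "Contributor", "objectType": "User",
         "objectName": "Jennifer.Davies@osservantex.onmicrosoft.com"},
        {"role": "Owner", "objectType": "Group",
         "objectName": "Information Technology"},
        {"role": "Reader", "objectType": "User",
         "objectName": "Oliver.Walker@osservantex.onmicrosoft.com"},
        {"role": "Key Vault Reader", "objectType": "User",
         "objectName": "Susan.Fisher@osservantex.onmicrosoft.com",
         "scope": "/providers/Microsoft.KeyVault/vaults/osxkvappx"},
    ],
}
RG = SUB + "/resourceGroups/OSX-ARG-KEYVAULT-DEV"

# Constructed current state: Reader is missing, and a user Owner was
# added outside the code. Casing differs on purpose.
CURRENT = [
    (RG.lower(), "Contributor", "User", "jennifer.davies@osservantex.onmicrosoft.com"),
    (RG, "Owner", "Group", "Information Technology"),
    (RG + "/providers/Microsoft.KeyVault/vaults/osxkvappx", "Key Vault Reader",
     "User", "Susan.Fisher@osservantex.onmicrosoft.com"),
    (RG, "Owner", "User", "portal.user@example.com"),  # constructed drift
]

def norm(scope, role, obj_type, name):
    # Azure resource IDs and sign-in names compare case-insensitively.
    return (scope.lower(), role, obj_type, name.lower())

def desired_keys(defn, sub=SUB):
    rg = f"{sub}/resourceGroups/{defn['resourceGroupName']}"
    # Assumption: a per-assignment "scope" is relative to the resource group.
    return {norm(rg + a.get("scope", ""), a["role"], a["objectType"], a["objectName"])
            for a in defn["assignments"]}

def plan(defn, current, sub=SUB):
    want = desired_keys(defn, sub)
    have = {norm(*c) for c in current}
    return {"add": sorted(want - have), "remove": sorted(have - want),
            "unchanged": len(want & have)}

if __name__ == "__main__":
    result = plan(DESIRED, CURRENT)
    for action in ("add", "remove"):
        for scope, role, obj_type, name in result[action]:
            print(f"{action:6} {role} -> {obj_type} {name} @ {scope}")
    print("unchanged:", result["unchanged"])
```

The `remove` entry is the kind of out-of-band Owner grant an approver would want to see before the apply stage runs.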