VMware Horizon Community
DionneNoella
Contributor

Azure Subscription Role

Hello HzCAz Experts,

In Horizon Cloud on Azure, do we emphasize using the "Contributor" role from a security standpoint, or for some other reason?

Per Msoft's Article: Azure Resource Manager Overview | Microsoft Docs

  1. The "Owner" can manage everything, including access
  2. Whilst the "Contributor" can manage everything except access

==> that the Owner is more privileged than a Contributor. So if I used an Owner role instead of Contributor role, my subscriptions should still work as expected - correct?

Note: I tested this and couldn't get past the Node Subscription screen on the Admin Console. Only when I changed the role to Contributor only (even with an Owner/Contributor role the subscriptions did not work) was I able to proceed with the node setup after the Azure parameter validation for the API plugin.


Kind Regards,
Dionne-Noella


Accepted Solutions
peterbrown05
VMware Employee

Hi Dionne,

Technically we could support the Owner role as well as the Contributor role. But as you mention, the Owner role means that with that service principal you have permissions to grant access to anyone you wish. As a result, VMware should not be given credentials with such 'power'. As such, our code explicitly checks (and will only allow) a service principal with Contributor-level access.

Owner access is not supported.

hope this helps clarify,

cheers

peter

lkowalski
VMware Employee

My current understanding is that the Node Deployment wizard validation step requires that Contributor role be used on the service principal.

Meaning that if the service principal info entered into the wizard (info like the application ID and authentication key) does not match a service principal having the Contributor role, the wizard's validation step will not succeed and let you deploy the node.

And that is why the doc topic "Create the Required Service Principal by Creating an Application Registration" in the Getting Started Guide states "...you must ... assign the Contributor role...". ("must" = "the system requires it").

Hope that helps,

Lee Anne

lkowalski
VMware Employee

"my subscriptions should still work as expected"

A role is set on a specific *scope*.  It is described in the Access Control section of that article you provided the link for:

docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-overview#access-control

"Role assignments - associate a definition with an identity (user or group) for a particular scope (subscription, resource group, or resource)."

For the node, the Contributor role is set on the scope of the specific *service principal* that you're going to use for that node. I don't believe it has to be set at a larger scope than the specific service principal.

So I'm not sure why the question is "the subscriptions working as expected". Are you asking whether you must apply the Contributor role scoped at some level other than the specific service principal for use with the node?
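
As an added example (not VMware's or Microsoft's code, and not part of this thread), the following Python script does locally what Peter's answer says the node-deployment validation does, accept a service principal that holds Contributor and reject one that holds Owner, while also applying the scope rules Lee Anne points to: an assignment on a subscription is inherited by every resource group and resource beneath it. It reads role-assignment records in the shape that `az role assignment list --assignee <appId> --all` prints (only the `roleDefinitionName` and `scope` fields are used). The sample assignment lists, the resource-group name `rg-horizon` and the all-zero subscription ID are constructed for the example; treating "Contributor must cover the subscription" as the requirement is an assumption, since the thread does not state the exact scope the wizard checks.

```python
"""Added example, not VMware's or Microsoft's code: a local check that
mirrors what the thread describes the node-deployment validation doing
(accept a service principal with Contributor, reject one holding Owner),
with Azure RBAC scope inheritance taken into account.

Input is a list of role-assignment records shaped like the JSON that
`az role assignment list --assignee <appId> --all` prints; only the
`roleDefinitionName` and `scope` fields are read. All sample data below is
constructed for this example and the subscription ID is a placeholder.
"""
import json

# Built-in roles whose definitions include Microsoft.Authorization/*/Write,
# i.e. roles that let the holder grant access to others.
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator"}
REQUIRED_ROLE = "Contributor"

# Placeholder subscription ID, constructed for this example.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Constructed role-assignment lists (the shape of `az role assignment list`).
SAMPLE_ASSIGNMENTS = {
    # What the original poster tried first: Owner on the subscription.
    "owner_only": [
        {"roleDefinitionName": "Owner", "scope": SUB_SCOPE},
    ],
    # Owner plus Contributor, which the poster reports was also rejected.
    "owner_and_contributor": [
        {"roleDefinitionName": "Owner", "scope": SUB_SCOPE},
        {"roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
    ],
    # Contributor only on the subscription: the configuration that passed.
    "contributor_only": [
        {"roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
    ],
    # Contributor on one resource group only: does not cover the subscription.
    "contributor_on_rg": [
        {"roleDefinitionName": "Contributor",
         "scope": f"{SUB_SCOPE}/resourceGroups/rg-horizon"},
    ],
    # Contributor on the subscription, but User Access Administrator on a
    # resource group inside it: can still grant access there, so rejected.
    "contributor_plus_uaa": [
        {"roleDefinitionName": "Contributor", "scope": SUB_SCOPE},
        {"roleDefinitionName": "User Access Administrator",
         "scope": f"{SUB_SCOPE}/resourceGroups/rg-horizon"},
    ],
}


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope applies at target_scope.
    Azure RBAC assignments inherit downwards: subscription -> resource group
    -> resource. Management-group scopes are not modelled here."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def validate_service_principal(assignments, subscription_id):
    """Return (ok, reasons).

    ok is True only when the principal holds Contributor on the subscription
    (directly, or inherited from a scope that contains it) and holds no
    access-granting role at, above, or anywhere inside that subscription.
    """
    sub_scope = f"/subscriptions/{subscription_id}"
    reasons = []
    has_contributor = False
    for ra in assignments:
        role, scope = ra["roleDefinitionName"], ra["scope"]
        touches_sub = scope_covers(scope, sub_scope) or scope_covers(sub_scope, scope)
        if role in ACCESS_GRANTING_ROLES and touches_sub:
            reasons.append(f"{role} at {scope}: can grant access, not permitted")
        if role == REQUIRED_ROLE and scope_covers(scope, sub_scope):
            has_contributor = True
    if not has_contributor:
        reasons.append(f"no {REQUIRED_ROLE} assignment covering {sub_scope}")
    return (not reasons, reasons)


def validate_from_json(json_text: str, subscription_id: str):
    """Wrapper for the raw JSON string that `az role assignment list` prints."""
    return validate_service_principal(json.loads(json_text), subscription_id)


if __name__ == "__main__":
    for name, assignments in SAMPLE_ASSIGNMENTS.items():
        ok, reasons = validate_service_principal(assignments, SUBSCRIPTION_ID)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} {reasons}")
```

Running it prints ACCEPT only for the Contributor-only case; the Owner-only, Owner-plus-Contributor and Contributor-plus-User-Access-Administrator lists are rejected because an access-granting role touches the subscription, and the resource-group-only Contributor is rejected because no Contributor assignment covers the subscription scope. The check deliberately rejects User Access Administrator as well as Owner, since both carry the ability to grant access that Peter's answer names as the reason Owner is refused.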

DionneNoella
Contributor

Yes, Lee Anne, I was just wondering whether, if the 2 roles for the (subscription, resource group, or resource) and the *service principal* were set differently, the Node Details in HzC would pass.

^ I imagine not, as the Service Principal role will supersede all other specifications.

Let me run a few tests and come back on this thread.

DionneNoella
Contributor

Most certainly clarifies my confusion, Peter.
Thank You.
