5 Replies Latest reply on Mar 30, 2018 6:10 AM by DionneNoella

    Azure Subscription Role

    DionneNoella Lurker
    VMware Employees

      Hello HzCAz Experts,


      In Horizon Cloud on Azure, do we emphasize using the "Contributor" role from a security standpoint or for some other reason?


      Per Msoft's Article: Azure Resource Manager Overview | Microsoft Docs

      1. The "Owner" can manage everything, including access
      2. Whilst the "Contributor" can manage everything except access

      ==> that the Owner is more privileged than a Contributor. So if I used an Owner role instead of Contributor role, my subscriptions should still work as expected - correct?


      Note: I tested this and couldn't get past the Node Subscription screen on the Admin Console. Only when I changed the role to Contributor only (even with an owner/contributor role the subscriptions did not work) was I able to proceed with the node setup post Azure parameter validation for API plugin.

      Kind Regards,

        • 1. Re: Azure Subscription Role
          lkowalski Enthusiast
          VMware Employees

          My current understanding is that the Node Deployment wizard validation step requires that Contributor role be used on the service principal.

          Meaning that if the service principal info entered into the wizard (info like the application ID and authentication key) does not match a service principal having the Contributor role, the wizard's validation step will not succeed to let you deploy the node.


          And that is why the doc topic "Create the Required Service Principal by Creating an Application Registration" in the Getting Started Guide states "...you must ... assign the Contributor role...".  ("must" = "the system requires it").


          Hope that helps,

          Lee Anne

          • 2. Re: Azure Subscription Role
            lkowalski Enthusiast
            VMware Employees

            "my subscriptions should still work as expected"

            A role is set on a specific *scope*.  It is described in the Access Control section of that article you provided the link for:


            "Role assignments - associate a definition with an identity (user or group) for a particular scope (subscription, resource group, or resource)."


            For the node, Contributor role is set on the scope of the specific *service principal* that you're going to use for that node. I don't believe it has to be set at a larger scope than the specific service principal.


            So I'm not sure why the question is "the subscriptions working as expected". Are you asking whether you must apply the Contributor role scoped at some level other than the specific service principal for use with the node?

            • 3. Re: Azure Subscription Role
              DionneNoella Lurker
              VMware Employees

              Yes, Lee Anne, was just wondering if the 2 roles for (subscription, resource group, or resource) & the *service principal* were set differently, then would the Node Details in HzC pass.

              ^ I imagine not, as the Service Principal role will supersede all other specifications

              Let me run a few tests and come back on this thread

              • 4. Re: Azure Subscription Role
                peterbrown05 Expert
                VMware Employees

                Hi Dionne,

                Technically we could support Owner role as well as Contributor role. But as you mention, the Owner role means that with that service principal you have permissions to grant access to anyone you wish. As a result, VMware should not be given credentials with such 'power'. As such, our code explicitly checks (and will only allow) a service principal with the contributor level access.

                Owner access is not supported.


                hope this helps clarify,
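
A pre-flight check in the spirit of the Contributor-only rule described in this reply, as an added example that is not VMware's code and not part of the original thread. It assumes role assignments in the JSON shape printed by `az role assignment list --assignee <appId> --all -o json` (fields `roleDefinitionName` and `scope`), and that Contributor is expected at subscription scope; the subscription ID, resource group name and sample lists are constructed placeholders.

```python
# Built-in Azure roles that can create role assignments, i.e. grant access.
ACCESS_GRANTING = {"Owner", "User Access Administrator"}

def check_service_principal(assignments, subscription_id):
    """Return (ok, findings) for one service principal's role assignments.

    ok is True only when the principal holds Contributor at the subscription
    scope and no access-granting role at, beneath, or above that scope.
    """
    sub = f"/subscriptions/{subscription_id}".lower()
    findings, has_contributor = [], False
    for a in assignments:
        role = a["roleDefinitionName"]
        scope = a["scope"].rstrip("/").lower()
        at_sub = scope == sub
        below_sub = scope.startswith(sub + "/")
        if scope.startswith("/subscriptions/") and not (at_sub or below_sub):
            continue  # assignment belongs to a different subscription
        if role in ACCESS_GRANTING:
            findings.append(f"{role} at {a['scope']} can grant access")
        elif role == "Contributor" and at_sub:
            has_contributor = True
    if not has_contributor:
        findings.append("no Contributor assignment at the subscription scope")
    return (not findings, findings)

# Constructed sample data (placeholder IDs, not taken from the thread).
SUB = "00000000-0000-0000-0000-000000000000"
SUB_SCOPE = f"/subscriptions/{SUB}"
CONTRIBUTOR_ONLY = [{"roleDefinitionName": "Contributor", "scope": SUB_SCOPE}]
OWNER_TOO = CONTRIBUTOR_ONLY + [
    {"roleDefinitionName": "Owner",
     "scope": SUB_SCOPE + "/resourceGroups/rg-example"},
]
RG_SCOPED = [{"roleDefinitionName": "Contributor",
              "scope": SUB_SCOPE + "/resourceGroups/rg-example"}]

if __name__ == "__main__":
    for name, sample in [("contributor-only", CONTRIBUTOR_ONLY),
                         ("owner-too", OWNER_TOO),
                         ("rg-scoped", RG_SCOPED)]:
        ok, findings = check_service_principal(sample, SUB)
        print(name, "PASS" if ok else "FAIL", findings)
```
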




                • 5. Re: Azure Subscription Role
                  DionneNoella Lurker
                  VMware Employees

                  Most certainly clarifies my confusion, Peter.
                  Thank You.