Use Custom Role to Tailor Teachers' Lab Management Permissions
Published Feb 16 2021 08:12 AM 3,044 Views
Microsoft

A common question we hear from IT departments is to how to get finer grain control over the permissions that are granted to teachers for managing labs.  In this blog post, we’ll show how to create a custom role that only gives teachers the ability to:

  • Add\remove students from a lab
  • Send an email invitation to a student
  • Start\stop\reset a student’s VM

This means that teachers will not be able to perform operations such as:

  • Change a lab’s quota
  • Increase the number of VMs in the pool
  • Set a lab’s schedule

When a teacher uses the management portal, they will be shown an error message if they attempt to perform an operation that they don’t have permission to do.  For example, if the teacher modifies the lab capacity and attempts to save this change, they will be shown the following error:

 

AzLabsError.png

 

In the rest of this post, we’ll walk through the detailed steps for creating a custom role following directions that are outlined in the article Azure custom roles.  You can use the custom role explained in this post as a starting point based on your school’s unique needs.

 

Steps to Create and Assign a Custom Role

1. Using the Azure Portal, let’s start by cloning Azure Lab Services’ built-in Contributor role for an existing lab.  First, you’ll need to select the lab and choose to Edit role assignments.  Then, select the Roles and choose Clone.  Follow the steps in the wizard to finish creating the cloned role.  You will need to give the custom role a name.  In this example, we'll name the custom role AzLabsCustomContributorRole.

 

AzLabsLabList.png

AzLabsClone.png

 

NOTE: When a teacher is assigned the built-in Contributor role for an existing lab (and the Reader role on the lab account):

  • They can’t create new labs.
  • They have access to view and change all the lab’s settings.
  • They only have access to view\change settings for the specific lab that they are assigned to as a lab contributor.

2.  Next, let’s look at the permissions for the cloned role by selecting the role and choosing Edit.

AzLabsEditRole.png

AzLabsPermissions.png

As shown in the above screenshot, the cloned Contributor role includes both a wildcard (*) Action and several NotAction permissions:

  • The wildcard Action grants access to view\change all the lab’s management settings. 
  • The NotAction permissions allow you to subtract specific permissions from the wildcard permission.

Using this approach, we can add more NotAction permissions to deny a lab contributor access to specific management operations in Azure Lab Services.

 

3.  To add more NotAction permissions, click the Exclude button.  In the search field, enter labs to navigate to the permissions for Azure Lab Services.  Finally, click on the Microsoft Azure Lab Services tile to view Azure Lab Services’ individual permissions.

 

AzLabsAllPermissions.png

AzLabsPermissionsList.png

NOTE: To view each permission's full name, click on the Information icon next to each permission.

 

Here is the list of permissions that we will add as NotActions:

 

Category

Permission

Microsoft.LabServices/labAccounts/labs/

  • Description: Delete labs.

Delete

Microsoft.LabServices/labAccounts/labs/

  • Description: Add or modify labs.
Write

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Delete environment setting.
Delete

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Adds or modifies environment setting.
Write

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Provisions/deprovisions VM resources.
Other (publish/action)

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Starts the template VM.
Other (start/action)

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Stops the template VM.
Other (stop/action)

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Save current template VM image to the Shared Image Gallery.
Other (saveImage/action)

Microsoft.LabServices/labAccounts/labs/environmentSettings

  • Description: Resets password on the template VM.
Other (resetPassword/action)

Microsoft.LabServices/labAcounts/labs/environmentSettings/schedules

  • Description: Delete a scheduled event.
Delete

Microsoft.LabServices/labAcounts/labs/environmentSettings/schedules

  • Description: Add or modify a scheduled event.
Write

Microsoft.LabServices/labAccounts/labs/users

  • Description: Modifies user, such as an individual's quota.
Write

 

Another option, is to edit the custom role's JSON directly under the JSON tab:

 

{
    "properties": {
        "roleName""AzLabsCustomContributorRole",
        "description""Custom contributor role for labs",
        "assignableScopes": [
            "/subscriptions/{Your Sub ID}"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Authorization/*/Delete",
                    "Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/elevateAccess/Action",
                    "Microsoft.Blueprint/blueprintAssignments/write",
                    "Microsoft.Blueprint/blueprintAssignments/delete",
                    "Microsoft.LabServices/labAccounts/labs/delete",
                    "Microsoft.LabServices/labAccounts/labs/write",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/Start/action",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/Stop/action",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/SaveImage/action",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/ResetPassword/action",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/Publish/action",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/write",
                    "Microsoft.LabServices/labAccounts/labs/users/write",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/delete",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/write",
                    "Microsoft.LabServices/labAccounts/labs/environmentSettings/delete"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
 
NOTE: In the above JSON, make sure that you replace "{Your Sub ID}" with the ID of your Azure subscription.

 

4.  Once you’re done making changes to the custom role’s permissions, click the Review + update button, followed by the Update button to save the custom role.

 

5. To grant these permissions to a teacher, you will need assign the teacher two roles – refer to the article about Managing Identity for more info:

  • The Reader role at the lab account level.
  • The custom role that you defined in the previous steps, at the lab level.

6.  When a teacher accesses the lab’s management screens, they will still be able to see the buttons for all the management operations.  However, when they attempt to perform actions or save changes to permissions that are denied by the custom role, they will receive an error message and will be prevented from completing the operation.

 

PowerShell Script

We also have added a PowerShell script that you can use to automatically import this example custom role for you.   You can find this script along with the steps to run it, in our GitHub repo.

 

Troubleshooting

When you create a custom role, if you get the error message "Role definition limit exceeded.  No more role definitions can be created.", ensure that you haven't exceeded the 2000 role assignment limit per subscription.  More details can be found in the article, Azure role assignments limit.

 

We hope that you find this post helpful!

~Az Labs team

 

 

 

Co-Authors
Version history
Last update:
‎Feb 16 2021 08:12 AM
Updated by: