A common question we hear from IT departments is how to get finer-grained control over the permissions that are granted to teachers for managing labs. In this blog post, we’ll show how to create a custom role that only gives teachers the ability to:
This means that teachers will not be able to perform operations such as:
When a teacher uses the management portal, they will be shown an error message if they attempt to perform an operation that they don’t have permission to do. For example, if the teacher modifies the lab capacity and attempts to save this change, they will be shown the following error:
In the rest of this post, we’ll walk through the detailed steps for creating a custom role following directions that are outlined in the article Azure custom roles. You can use the custom role explained in this post as a starting point based on your school’s unique needs.
1. Using the Azure Portal, let’s start by cloning Azure Lab Services’ built-in Contributor role for an existing lab. First, you’ll need to select the lab and choose to Edit role assignments. Then, select the Roles and choose Clone. Follow the steps in the wizard to finish creating the cloned role. You will need to give the custom role a name. In this example, we'll name the custom role AzLabsCustomContributorRole.
NOTE: When a teacher is assigned the built-in Contributor role for an existing lab (and the Reader role on the lab account):
2. Next, let’s look at the permissions for the cloned role by selecting the role and choosing Edit.
As shown in the above screenshot, the cloned Contributor role includes both a wildcard (*) Action and several NotAction permissions:
Using this approach, we can add more NotAction permissions to deny a lab contributor access to specific management operations in Azure Lab Services.
3. To add more NotAction permissions, click the Exclude button. In the search field, enter labs to navigate to the permissions for Azure Lab Services. Finally, click on the Microsoft Azure Lab Services tile to view Azure Lab Services’ individual permissions.
NOTE: To view each permission's full name, click on the Information icon next to each permission.
Here is the list of permissions that we will add as NotActions:
Category | Permission
--- | ---
Microsoft.LabServices/labAccounts/labs/ | Delete
Microsoft.LabServices/labAccounts/labs/ | Write
Microsoft.LabServices/labAccounts/labs/environmentSettings | Delete
Microsoft.LabServices/labAccounts/labs/environmentSettings | Write
Microsoft.LabServices/labAccounts/labs/environmentSettings | Other (publish/action)
Microsoft.LabServices/labAccounts/labs/environmentSettings | Other (start/action)
Microsoft.LabServices/labAccounts/labs/environmentSettings | Other (stop/action)
Microsoft.LabServices/labAccounts/labs/environmentSettings | Other (saveImage/action)
Microsoft.LabServices/labAccounts/labs/environmentSettings | Other (resetPassword/action)
Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules | Delete
Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules | Write
Microsoft.LabServices/labAccounts/labs/users | Write
Another option is to edit the custom role's JSON directly under the JSON tab:
4. Once you’re done making changes to the custom role’s permissions, click the Review + update button, followed by the Update button to save the custom role.
5. To grant these permissions to a teacher, you will need to assign the teacher two roles – refer to the article about Managing Identity for more info:
6. When a teacher accesses the lab’s management screens, they will still be able to see the buttons for all the management operations. However, when they attempt to perform actions or save changes to permissions that are denied by the custom role, they will receive an error message and will be prevented from completing the operation.
We also have added a PowerShell script that you can use to automatically import this example custom role for you. You can find this script along with the steps to run it, in our GitHub repo.
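As an added example (not the Az Labs team's GitHub script), here is the same custom role written out as a JSON definition and imported with the Az PowerShell module, followed by a check that the Lab Services exclusions were stored. The subscription id is a placeholder, and the three Microsoft.Authorization entries are assumed to be the exclusions the portal copied over when the built-in Contributor role was cloned.

```powershell
# Added example: build the AzLabsCustomContributorRole definition from the post and import it.
# Requires the Az.Resources module and a prior Connect-AzAccount.
$subscriptionId = '<subscription-id>'   # placeholder: replace with your own subscription id

# The Lab Services operations the post adds as NotActions (table above)
$labServicesExclusions = @(
    'Microsoft.LabServices/labAccounts/labs/delete',
    'Microsoft.LabServices/labAccounts/labs/write',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/delete',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/write',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/publish/action',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/start/action',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/stop/action',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/saveImage/action',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/resetPassword/action',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/delete',
    'Microsoft.LabServices/labAccounts/labs/environmentSettings/schedules/write',
    'Microsoft.LabServices/labAccounts/labs/users/write'
)

$role = [ordered]@{
    Name             = 'AzLabsCustomContributorRole'
    Description      = 'Lab contributor without lab capacity, publish, schedule or user management'
    Actions          = @('*')                       # cloned Contributor: wildcard allow ...
    NotActions       = @(
        'Microsoft.Authorization/*/Delete',         # ... minus the standard Contributor
        'Microsoft.Authorization/*/Write',          #     exclusions (assumed to be these)
        'Microsoft.Authorization/elevateAccess/Action'
    ) + $labServicesExclusions                       # ... minus the Lab Services operations
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$subscriptionId")
}

$path = Join-Path $env:TEMP 'AzLabsCustomContributorRole.json'
$role | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding utf8

# Import the definition; the caller needs Microsoft.Authorization/roleDefinitions/write
New-AzRoleDefinition -InputFile $path

# Check: every Lab Services exclusion must be present in the stored role's NotActions
$stored  = Get-AzRoleDefinition -Name 'AzLabsCustomContributorRole'
$missing = $labServicesExclusions | Where-Object { $_ -notin $stored.NotActions }
if ($missing) { throw "Exclusions not applied: $($missing -join ', ')" }
Write-Host 'Custom role imported with all expected NotActions.'
```

Because NotActions only subtract from this role's own Actions, a teacher who also holds another role that grants one of these operations will still be able to perform it.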
When you create a custom role, if you get the error message "Role definition limit exceeded. No more role definitions can be created.", ensure that you haven't exceeded the 2000 role assignment limit per subscription. More details can be found in the article, Azure role assignments limit.
We hope that you find this post helpful!
~Az Labs team