azure.mgmt.authorization resources
azure.roleassignment
Role assignments map role definitions to principals. The Azure object only contains the unique ID of the principal; we attempt to augment the object with the principal name, display name and type from AAD.
Augmenting with data from AAD requires the executing account to have permission to read from the Microsoft AAD Graph. For Service Principal authorization, the Service Principal must have the permission to read all users' full profiles. Azure CLI authentication provides the necessary permissions to run the policy locally.
- example
    policies:
    - name: role-assignment-owner
      resource: azure.roleassignment
      filters:
      - type: role
        key: properties.roleName
        op: eq
        value: Owner
Filters
resource-access
Filters role assignments that have access to a certain type of Azure resource.
- example
    policies:
    - name: assignments-by-azure-resource
      resource: azure.roleassignment
      filters:
      - type: resource-access
        relatedResource: azure.vm
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      relatedResource:
        type: string
      type:
        enum:
        - resource-access
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
    required:
    - relatedResource
    - type
role
Filters role assignments based on role definitions.
- example
    policies:
    - name: assignments-by-role-definition
      resource: azure.roleassignment
      filters:
      - type: role
        key: properties.roleName
        op: in
        value: Owner
    properties:
      default:
        type: object
      key:
        type: string
      op:
        enum:
        - eq
        - equal
        - ne
        - not-equal
        - gt
        - greater-than
        - ge
        - gte
        - le
        - lte
        - lt
        - less-than
        - glob
        - regex
        - regex-case
        - in
        - ni
        - not-in
        - contains
        - difference
        - intersect
      type:
        enum:
        - role
      value:
        oneOf:
        - type: array
        - type: string
        - type: boolean
        - type: number
        - type: 'null'
      value_from:
        additionalProperties: 'False'
        properties:
          expr:
            oneOf:
            - type: integer
            - type: string
          format:
            enum:
            - csv
            - json
            - txt
            - csv2dict
          url:
            type: string
        required:
        - url
        type: object
      value_regex:
        type: string
      value_type:
        enum:
        - age
        - integer
        - expiration
        - normalize
        - size
        - cidr
        - cidr_size
        - swap
        - resource_count
        - expr
        - unique_size
        - date
    required:
    - type
scope
Filter role assignments by assignment scope.
- examples
    Role assignments that have subscription-level scope access:

    policies:
    - name: assignments-with-subscription-scope
      resource: azure.roleassignment
      filters:
      - type: scope
        value: subscription

    Role assignments with a scope other than Subscription or Resource Group:

    policies:
    - name: assignments-other-level-scope
      resource: azure.roleassignment
      filters:
      - not:
        - type: scope
          value: subscription
      - not:
        - type: scope
          value: resource-group
    properties:
      type:
        enum:
        - scope
      value:
        enum:
        - subscription
        - resource-group
        type: string
    required:
    - type
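As an added illustration of what the two scope policies above select (this is example code, not Cloud Custodian's own filter implementation), the snippet below classifies an assignment's scope ID string and applies the "subscription" filter and the "not subscription and not resource-group" combination to a constructed set of assignments. The assignment records, names and subscription ID are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample assignments: only the "scope" field matters here.
# The subscription GUID is a placeholder, not a real tenant.
SAMPLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"name": "owner-at-sub",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"name": "contrib-at-rg",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"},
    {"name": "reader-at-vm",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/app-rg"
              "/providers/Microsoft.Compute/virtualMachines/web01"},
    {"name": "owner-at-mg",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
    {"name": "owner-at-root", "scope": "/"},
]

# Azure scope ID layouts; segment names are case-insensitive in ARM IDs.
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.IGNORECASE)
_MANAGEMENT_GROUP = re.compile(
    r"^/providers/Microsoft\.Management/managementGroups/[^/]+/?$", re.IGNORECASE)


def classify_scope(scope: str) -> str:
    """Return the level an assignment scope grants access at."""
    if scope == "/":
        return "root"
    if _MANAGEMENT_GROUP.match(scope):
        return "management-group"
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resource-group"
    return "resource"  # anything deeper than a resource group


def scope_filter(assignments: List[Dict[str, str]], value: str) -> List[Dict[str, str]]:
    """Model of `- type: scope / value: <value>`; only the documented values are accepted."""
    if value not in ("subscription", "resource-group"):
        raise ValueError(f"unsupported scope value: {value}")
    return [a for a in assignments if classify_scope(a["scope"]) == value]


def other_level_scope(assignments: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Model of the second example: not subscription-scoped and not resource-group-scoped."""
    excluded = {a["name"] for a in scope_filter(assignments, "subscription")}
    excluded |= {a["name"] for a in scope_filter(assignments, "resource-group")}
    return [a for a in assignments if a["name"] not in excluded]
```

Note that the "other level" policy catches both narrower (single resource) and broader (management group, root) assignments; the broad ones are usually the ones worth reviewing first.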
azure.roledefinition
Role definitions define sets of permissions that can be assigned to an identity.
- example
    policies:
    - name: role-definition-permissions
      resource: azure.roledefinition
      filters:
      - type: value
        key: properties.permissions[].actions[]
        value: Microsoft.Authorization/*/read
        op: contains