Azure Application Role Assignment
This page explains how to set the application roles necessary to connect to Secberus.
Below are step-by-step instructions for assigning the Reader role to a Secberus-connected Azure AD App at the Subscription or Resource Group level in the Azure Portal.
At the end, you’ll also find a guide for granting User(s) access to provision Secberus-connected Apps with roles at both the Subscription and Resource Group levels.
When onboarding an Azure Data Provider onto the platform, you must grant permissions to read either a subscription or a resource group; only one is necessary. Assigning our App a role at the Subscription level also gives it permissions to all of its nested Resource Groups, whereas granting permissions at the Resource Group level gives you fine-grained control over which parts of your cloud you want us to access.
App Service Permissions
Note that you will need to add a Role Assignment at the subscription level for each of the following roles and permissions:
- Reader
- Microsoft.Web/sites/config/list/action
- Microsoft.Storage/storageAccounts/listkeys/action
- Key Vault Reader
Granting Access to a Subscription
- Navigate to the Subscription service in your Azure Portal.
![Navigate to 'Subscriptions'](https://files.readme.io/6d41177-Screenshot_2023-04-12_at_5.26.07_PM.png)
- Select the Subscription you would like to grant access to from the list.
![Select a subscription](https://files.readme.io/2a420fc-Screenshot_2023-04-12_at_5.27.20_PM.png)
- From the Subscription Overview page, select the Access control (IAM) tab on the left side of the screen.
![Select 'Access control (IAM)'](https://files.readme.io/a558144-Screenshot_2023-04-12_at_5.28.27_PM.png)
- Click the +Add button toward the top-left of the page and select Add role assignment in the resultant dropdown menu.
![Select '+Add role assignment'](https://files.readme.io/2bdd44f-Screenshot_2023-04-12_at_5.30.27_PM.png)
- Leave the Assignment type set to Job function roles and select Next.
![Select 'Next'](https://files.readme.io/bd55c4d-Screenshot_2023-04-12_at_5.39.12_PM.png)
- Search for and select the Reader role and click Next.
![Search for and select 'Reader' and then click 'Next'](https://files.readme.io/c3479a9-Screenshot_2023-04-12_at_5.40.23_PM.png)
- Click + Select members and then search for and select the entry for the app created for a Secberus data source:
![Click '+ Select members' and then search for and select the Secberus app](https://files.readme.io/a703c53-Screenshot_2023-04-12_at_5.49.16_PM.png)
- Confirm the app is listed under Selected members and click Select.
![Confirm the app is under 'Selected members' and click 'Select'](https://files.readme.io/caa27c7-Screenshot_2023-04-12_at_6.09.18_PM.png)
- Confirm the Selected role and Members are correct and select Review + assign.
![Confirm the 'Selected role' and 'Members' then click 'Review + assign'](https://files.readme.io/5989266-Screenshot_2023-04-12_at_6.14.40_PM.png)
- Confirm the Scope is correct and click Review + assign.
![Confirm the 'Scope' and click 'Review + assign'](https://files.readme.io/1fd991b-Screenshot_2023-04-12_at_6.15.28_PM.png)
- Navigate to the Role assignments tab on the Access control (IAM) page and verify that the role assignment you’ve created is correct.
![Navigate to 'Role assignments' and confirm the assignment](https://files.readme.io/ca3fd30-Screenshot_2023-04-12_at_6.20.26_PM.png)
- Repeat these steps for the following permissions:
  - Microsoft.Web/sites/config/list/action
  - Microsoft.Storage/storageAccounts/listkeys/action
  - Key Vault Reader
You have assigned an application role to your Secberus Application.
Now complete the Secberus onboarding by clicking "connect" on your Secberus Account.
Granting Access to a Resource Group
- Navigate to Resource groups in the Azure Portal.
![Navigate to 'Resource groups'](https://files.readme.io/efd9cfb-Screenshot_2023-04-12_at_6.22.29_PM.png)
- Select the Resource group you would like to grant access to from the list and follow the link in its Name.
![Select a resource group](https://files.readme.io/b669f69-Screenshot_2023-04-12_at_6.25.33_PM.png)
- From the Resource group Overview page, select Access control (IAM).
![Select 'Access control (IAM)'](https://files.readme.io/2f7b164-Screenshot_2023-04-12_at_6.26.52_PM.png)
- Click the +Add button and select Add role assignment in the resultant dropdown menu:
![Click '+ Add' and select 'Add role assignment'](https://files.readme.io/b96f73c-Screenshot_2023-04-12_at_6.28.47_PM.png)
- Leave the Assignment type set to Job function roles and select Next.
![Select 'Next'](https://files.readme.io/8cef4f7-Screenshot_2023-04-12_at_6.31.50_PM.png)
- Search for and select the Reader role and click Next.
![Search for and select the 'Reader' role and click 'Next'](https://files.readme.io/1dcce5a-Screenshot_2023-04-12_at_6.46.54_PM.png)
- Click + Select members and then search for and select the Secberus app to assign.
![Click '+ Select members' then search for and select the Secberus app](https://files.readme.io/a704e5d-Screenshot_2023-04-12_at_6.49.53_PM.png)
- Confirm the app is under Selected members and click Select.
![Confirm the app is under 'Selected members' and click 'Select'](https://files.readme.io/604bd9c-Screenshot_2023-04-12_at_6.51.40_PM.png)
- Confirm the Selected role and Members and click Review + assign.
![Confirm the 'Selected role' and 'Members' then click 'Review + assign'](https://files.readme.io/764cbcd-Screenshot_2023-04-12_at_6.53.40_PM.png)
- Confirm the scope and select Review + assign.
![Confirm the scope and select 'Review + assign'](https://files.readme.io/55fdf81-Screenshot_2023-04-12_at_6.54.54_PM.png)
- Repeat these steps for the following permissions:
  - Microsoft.Web/sites/config/list/action
  - Microsoft.Storage/storageAccounts/listkeys/action
  - Key Vault Reader
You have assigned an application role to your Secberus Application at the Resource Group level.
Now complete the Secberus onboarding by clicking "connect" on your Secberus Account.
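To verify the result of either procedure outside the portal, the following added example (not Secberus code and not part of the original page) audits an export of role assignments for the app against the roles and actions listed above, and flags anything extra or scoped more broadly than the Resource Group you intended. Field names follow the JSON that `az role assignment list` returns; the custom role name, the role-to-actions mapping (matched as exact strings, no wildcards) and all IDs are constructed placeholders.

```python
REQUIRED_ROLES = {"Reader", "Key Vault Reader"}
REQUIRED_ACTIONS = {
    "Microsoft.Web/sites/config/list/action",
    "Microsoft.Storage/storageAccounts/listkeys/action",
}

def norm(scope):
    return scope.rstrip("/").lower()

def covers(granted, target):
    """True if an assignment at `granted` applies to `target` (same or nested scope)."""
    return norm(target) == norm(granted) or norm(target).startswith(norm(granted) + "/")

def audit(assignments, custom_roles, principal_id, target_scope):
    """Compare one principal's assignments with the roles and actions the page lists.
    assignments: dicts with principalId, roleDefinitionName, scope.
    custom_roles: {role name: [actions]} for your custom roles (assumed input).
    """
    mine = [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["principalId"] == principal_id]
    effective = {role for role, scope in mine if covers(scope, target_scope)}
    actions = {act for role in effective for act in custom_roles.get(role, [])}
    # Custom roles count as expected only if they grant nothing beyond the listed actions.
    expected = REQUIRED_ROLES | {
        name for name, acts in custom_roles.items() if set(acts) <= REQUIRED_ACTIONS}
    return {
        "missing": sorted((REQUIRED_ROLES - effective) | (REQUIRED_ACTIONS - actions)),
        "unexpected": sorted(p for p in mine if p[0] not in expected),
        "broader_than_target": sorted(
            p for p in mine
            if covers(p[1], target_scope) and norm(p[1]) != norm(target_scope)),
    }

# Constructed sample data: placeholder IDs and a hypothetical custom role name.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
APP = "11111111-1111-1111-1111-111111111111"
EXTRA = "Secberus extra actions (hypothetical)"
CUSTOM = {EXTRA: sorted(REQUIRED_ACTIONS)}
SAMPLE = [
    {"principalId": APP, "roleDefinitionName": "Reader", "scope": RG},
    {"principalId": APP, "roleDefinitionName": EXTRA, "scope": RG},
    {"principalId": APP, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    print(audit(SAMPLE, CUSTOM, APP, RG))
```

On the sample, the audit reports Key Vault Reader as missing and flags the Contributor assignment at the Subscription as both unexpected and broader than the targeted Resource Group.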