What Azure role assignments would I need to allow a DBA permissions to manage Azure SQL resources including storage accounts?

Schieman, Paul 21 Reputation points
2022-06-10T12:42:30.167+00:00

I am looking at assigning role assignments to a DBA to manage Azure SQL resources from the Azure Portal including managing a specific storage account.

Currently, the permissions are set as follows:

Contributor
Reader
SQL Security Manager
SQL Managed Instance Contributor

Note: Our Security department wants to remove the Contributor role assignment.

Can someone please advise me on what role assignments I would need to achieve the requirements above?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Accepted answer
  1. Shweta Mathur 30,181 Reputation points Microsoft Employee
    2022-06-14T11:37:57.42+00:00

    Hi @Anonymous ,

    Thanks for reaching out and apologies for the delay in response.

    I understand you are looking to allow permissions to manage Azure SQL resources along with storage accounts.

    Azure SQL is a family of SQL Server database engine products in the cloud: Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure VM.

    Different built-in roles have been provided to manage each:

    SQL DB Contributor to manage SQL DB Databases
    SQL Managed Instance Contributor to manage SQL managed instances
    Virtual Machine Contributor to manage SQL Server on Azure VM
    SQL Security Manager to manage the security-related policies of SQL servers and databases
    Storage Account Contributor to manage all types of storage accounts.

    You can add these roles to create Azure Custom roles to provide granular access control to resources in Azure. Each role has multiple actions where you can add or remove permissions based on the requirement to provide minimal access.

    The Contributor role is not recommended due to security concerns, as the Contributor role allows managing all the resources.

    Hope this will help.

    Thanks,
    Shweta

    ---------------------------------------------

    Please remember to "Accept Answer" if the answer helped you.

    2 people found this answer helpful.
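
The role split described in the accepted answer, as an added example that is not part of the original thread: an Azure CLI script that grants the SQL built-in roles on the scope holding the SQL resources, grants Storage Account Contributor only on the one storage account, and removes Contributor last. The helper names `run` and `replace_contributor`, the UPN, subscription ID, resource group and storage account name are constructed placeholders, and it assumes Contributor is currently assigned at the resource-group scope.

```bash
#!/usr/bin/env bash
set -eu

# Print one command with every argument single-quoted (dry run, the default),
# or execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    for arg in "$@"; do printf "'%s' " "$arg"; done
    printf '\n'
  else
    "$@"
  fi
}

#   $1 = principal (object ID or UPN)
#   $2 = scope holding the Azure SQL resources (assumed: one resource group)
#   $3 = resource ID of the single storage account the DBA must manage
replace_contributor() {
  principal=$1; sql_scope=$2; storage_id=$3

  # Refuse a resource-group or subscription scope for the storage role,
  # which would cover every storage account underneath it.
  case "$storage_id" in
    */providers/Microsoft.Storage/storageAccounts/?*) ;;
    *) echo "storage scope must be a storage account resource ID" >&2; return 1 ;;
  esac

  # SQL roles named in the answer, granted where the SQL resources live.
  for role in "SQL DB Contributor" "SQL Managed Instance Contributor" "SQL Security Manager"; do
    run az role assignment create --assignee "$principal" \
      --role "$role" --scope "$sql_scope" || return 1
  done

  # Storage role on the one account only.
  run az role assignment create --assignee "$principal" \
    --role "Storage Account Contributor" --scope "$storage_id" || return 1

  # Contributor goes last: any failed create above returns before this line,
  # so the DBA is never left without the replacement roles.
  run az role assignment delete --assignee "$principal" \
    --role "Contributor" --scope "$sql_scope"
}

# Constructed placeholder scopes; replace with real resource IDs.
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
RG="$SUB/resourceGroups/rg-sql-example"
SA="$RG/providers/Microsoft.Storage/storageAccounts/stsqlexample"

replace_contributor "dba@example.com" "$RG" "$SA"
```

Review the printed plan, then rerun with `DRY_RUN=0` to apply it; `az role assignment list --assignee <principal> --all -o table` shows the resulting assignments.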