Example RBAC configuration for multiple business users
Many Azure Sphere customers want to configure RBAC so that engineering teams can perform development-related functions on engineering-owned devices and device groups, while being prevented from directly accessing the production device groups that are typically managed by an operations team. The following scenario shows how to configure a set of RBAC user groups and permissions that give both the engineering team and the operations team access only to the features and resources they need. In this scenario, there are three business user groups with the following job responsibilities:
- Azure Sphere Administrator users – the highest privilege Azure Sphere user group for users who need to create, configure, and manage new Azure Sphere catalogs and their child resources, including claiming devices to catalogs (permanently associating the claimed devices with only that catalog), and integrating existing Azure Sphere (Legacy) tenants to Azure Sphere (Integrated) catalogs.
- Product Team users – for users who need privileges for items belonging to the catalog resource itself, such as images and certificates, but who should not have privileges for all device groups belonging to the catalog, such as the potentially sensitive Production device group. This user group is especially appropriate for product development users who download device capability files, move devices between the Development, Field Test, and Field Test OS Evaluation devices groups, and who deploy new software and potentially collect crash dump files in the Field Test and Field Test OS Evaluation device groups, but who are not authorized to manage production devices in the Production and Production OS Evaluation device groups.
- Operations Team users – for users who manage the production device fleet, needing permissions to the Production device group where they will deploy new software and firmware images, potentially enable crash dump file collection, and to validate that OS retail eval releases work as expected in the Production OS Evaluation device group.
Warning
Users who need to integrate Azure Sphere (Legacy) tenants to Azure Sphere (Integrated) catalogs must have the Azure Sphere Contributor role applied to the resource group that owns the subscription to which the tenant belongs.
While it is possible to assign a user an RBAC role only on a product or device group, without any role on its parent catalog, such a user cannot find the product or device group, or its parent catalog, by searching from their Azure home screen. They can reach the product or device group only through a URL that points directly to it. For the sake of user convenience, we recommend that all users have at least Azure Sphere Reader access to the catalog. Note that Azure RBAC assignments are inherited by child resources: a role assigned at catalog scope applies to every product and device group beneath it, Production included, so the separation described above depends on granting elevated roles at device group scope rather than at catalog scope.
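The following Azure CLI script is an added example, not part of the original page or of Microsoft's documentation, showing how the three groups above could be mapped to scoped role assignments. It assumes Microsoft Entra ID security groups for the three teams (the object IDs, subscription, resource group, catalog and product names are placeholders), assumes the built-in role names Azure Sphere Reader and Azure Sphere Contributor as used on this page, and assumes a built-in Azure Sphere Publisher role for the product team's catalog-level image and certificate work; that last role name is an assumption you should verify before use. The script builds the ARM resource IDs for the catalog and its device groups and, by default, only prints the `az role assignment create` commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): Azure CLI role assignments for the
# administrator, product team and operations team groups described above.
# Every name and object ID below is a placeholder; replace with your own values.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-sphere}"                                 # placeholder
CATALOG="${CATALOG:-contoso-catalog}"                                         # placeholder
PRODUCT="${PRODUCT:-sensor-gateway}"                                          # placeholder

# Microsoft Entra ID security groups for the three teams (placeholder object IDs).
ADMIN_GROUP="11111111-1111-1111-1111-111111111111"
PRODUCT_TEAM_GROUP="22222222-2222-2222-2222-222222222222"
OPS_TEAM_GROUP="33333333-3333-3333-3333-333333333333"

# Role placed at catalog scope for the product team. Assumption: the built-in
# "Azure Sphere Publisher" role grants image/certificate work at the catalog
# without device group write permissions. Whatever is assigned here is inherited
# by every device group, Production included, so verify its actions first.
PRODUCT_TEAM_CATALOG_ROLE="${PRODUCT_TEAM_CATALOG_ROLE:-Azure Sphere Publisher}"

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

resource_group_scope() {  # $1 subscription, $2 resource group
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

catalog_scope() {         # $1 subscription, $2 resource group, $3 catalog
  printf '%s/providers/Microsoft.AzureSphere/catalogs/%s' \
    "$(resource_group_scope "$1" "$2")" "$3"
}

device_group_scope() {    # $1 subscription, $2 rg, $3 catalog, $4 product, $5 device group
  printf '%s/products/%s/deviceGroups/%s' "$(catalog_scope "$1" "$2" "$3")" "$4" "$5"
}

assign_role() {           # $1 group object ID, $2 role name, $3 scope
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az role assignment create --assignee-object-id %s --assignee-principal-type Group --role "%s" --scope "%s"\n' \
      "$1" "$2" "$3"
  else
    az role assignment create --assignee-object-id "$1" --assignee-principal-type Group \
      --role "$2" --scope "$3" --output none
  fi
}

configure_rbac() {
  local catalog_id dg
  catalog_id="$(catalog_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CATALOG")"

  # Administrators: Contributor on the resource group, which is what the warning
  # above requires for integrating Azure Sphere (Legacy) tenants.
  assign_role "$ADMIN_GROUP" "Azure Sphere Contributor" \
    "$(resource_group_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"

  # Everyone gets Reader at catalog scope so the catalog is discoverable in the portal.
  assign_role "$PRODUCT_TEAM_GROUP" "Azure Sphere Reader" "$catalog_id"
  assign_role "$OPS_TEAM_GROUP" "Azure Sphere Reader" "$catalog_id"

  # Product team: catalog-level image/certificate role, plus Contributor only on the
  # non-production device groups. Contributor is deliberately never assigned at catalog
  # or product scope, because it would be inherited by the Production device groups.
  assign_role "$PRODUCT_TEAM_GROUP" "$PRODUCT_TEAM_CATALOG_ROLE" "$catalog_id"
  for dg in "Development" "Field Test" "Field Test OS Evaluation"; do
    assign_role "$PRODUCT_TEAM_GROUP" "Azure Sphere Contributor" \
      "$(device_group_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CATALOG" "$PRODUCT" "$dg")"
  done

  # Operations team: Contributor only on the production device groups.
  for dg in "Production" "Production OS Evaluation"; do
    assign_role "$OPS_TEAM_GROUP" "Azure Sphere Contributor" \
      "$(device_group_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CATALOG" "$PRODUCT" "$dg")"
  done
}

# Check: list every assignment, inherited ones included, that gives the product
# team rights over the Production device group. The expected output is empty.
audit_production_scope() {
  local scope
  scope="$(device_group_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$CATALOG" "$PRODUCT" "Production")"
  az role assignment list --scope "$scope" --include-inherited \
    --query "[?principalId=='$PRODUCT_TEAM_GROUP'].{role:roleDefinitionName,scope:scope}" \
    --output table
}

configure_rbac
```

Run with `DRY_RUN=0` after logging in with `az login` to apply the assignments, then call `audit_production_scope` to confirm that nothing assigned to the product team reaches the Production device group. Before trusting the catalog-level role, inspect its permitted actions with `az role definition list --name "Azure Sphere Publisher" --query "[].permissions[].actions"` and confirm it contains no device group or deployment write actions; if it does, a tighter custom role at catalog scope is the alternative.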