Azure RBAC / PIM
Definition
Azure Role-Based Access Control (RBAC) provides fine-grained access management for Azure resources, so that each user holds only the permissions needed to perform their job. Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) for managing, controlling, and monitoring access to important resources within your organization. PIM supports just-in-time privileged access, time-bound access, and approval before a privileged role can be activated, reducing the risk that excessive, unnecessary, or misused permissions remain standing.
Secure Settings Example
{
  "roleDefinitionId": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}",
  "principalId": "{user-object-id}",
  "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}",
  "properties": {
    "roleAssignmentName": "{role-assignment-name}",
    "justInTimeAccess": {
      "enabled": true,
      "maximumActivationDuration": "PT1H"
    }
  }
}
Insecure Settings Example
{
  "roleDefinitionId": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}",
  "principalId": "{user-object-id}",
  "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}",
  "properties": {
    "roleAssignmentName": "{role-assignment-name}",
    "justInTimeAccess": {
      "enabled": false
    }
  }
}
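The two settings blocks above differ only in whether just-in-time access is enabled and how long an activation may last. The following audit script is an added example, not code from the page or from Microsoft: it reads role assignments in the simplified JSON shape the page uses (the justInTimeAccess object under properties), parses the ISO 8601 activation window, and reports assignments that are permanently active, have no activation ceiling, exceed an assumed 8-hour ceiling, or are granted at subscription or management-group scope rather than a narrower one. The function names, the 8-hour limit, and the sample assignments (built from the page's placeholders) are all assumptions made for the example.

```python
import re
from datetime import timedelta

# Constructed sample assignments, mirroring the page's secure and insecure settings blocks.
SECURE_ASSIGNMENT = {
    "roleDefinitionId": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}",
    "principalId": "{user-object-id}",
    "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}",
    "properties": {
        "roleAssignmentName": "{role-assignment-name}",
        "justInTimeAccess": {"enabled": True, "maximumActivationDuration": "PT1H"},
    },
}

INSECURE_ASSIGNMENT = {
    "roleDefinitionId": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}",
    "principalId": "{user-object-id}",
    "scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}",
    "properties": {
        "roleAssignmentName": "{role-assignment-name}",
        "justInTimeAccess": {"enabled": False},
    },
}

# Subset of ISO 8601 durations sufficient for activation windows: P[nD][T[nH][nM][nS]]
_DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_iso_duration(value: str) -> timedelta:
    """Convert a duration such as 'PT1H' or 'P1DT2H30M' into a timedelta."""
    match = _DURATION_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_broad_scope(scope: str) -> bool:
    """True for root, management-group or whole-subscription scope (assumed policy)."""
    if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return True
    return re.fullmatch(r"/subscriptions/[^/]+/?", scope) is not None


def audit_assignment(assignment: dict, max_activation: timedelta = timedelta(hours=8)) -> list:
    """Return a list of human-readable findings; an empty list means the assignment passes."""
    findings = []
    props = assignment.get("properties", {})
    jit = props.get("justInTimeAccess", {})

    if not jit.get("enabled", False):
        # No activation step at all: the role is standing, permanent access.
        findings.append("just-in-time access disabled: role is permanently active")
    else:
        duration = jit.get("maximumActivationDuration")
        if duration is None:
            findings.append("just-in-time access enabled but no maximumActivationDuration set")
        elif parse_iso_duration(duration) > max_activation:
            findings.append(f"maximumActivationDuration {duration} exceeds the assumed {max_activation} ceiling")

    if is_broad_scope(assignment.get("scope", "")):
        findings.append("assignment scope is subscription-wide or broader; prefer resource-group scope")

    return findings


if __name__ == "__main__":
    for label, assignment in (("secure", SECURE_ASSIGNMENT), ("insecure", INSECURE_ASSIGNMENT)):
        result = audit_assignment(assignment)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

In a real review the assignments would come from an export of the tenant's role assignments rather than from inline constants; the checks themselves stay the same, and the ceiling passed as max_activation should match whatever activation window the organization has decided is acceptable.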