These Cisco Terms of Use (this “Agreement”) between You and Cisco cover Your use of the Software and Cloud Services (“Cisco Technology”) obtained through this site. The Cisco Technology is intended for use by business users. Definitions of capitalized terms are in Section 11.
You agree to be bound by the terms of this Agreement through (a) Your download, installation, or use of the Cisco Technology; or (b) Your express agreement to this Agreement. If You do not have authority to enter into this Agreement or You do not agree with its terms, do not use the Cisco Technology.
Section 2. Using Cisco Technology
2.1 License and Right to Use. Cisco grants You, for Your direct benefit during the Usage Term and for the full scope of Your Entitlement under this Agreement, a non-exclusive, non-transferable (except with respect to Software as permitted under the Cisco Software Transfer and Re-Use Policy) (a) license to use the Software; and (b) right to use the Cloud Services (collectively, the “Usage Rights”).
2.2 Use by Third Parties. You may permit Authorized Third Parties to exercise the Usage Rights on Your behalf, provided that You are responsible for (a) ensuring that such Authorized Third Parties comply with this Agreement; and (b) any breach of this Agreement by such Authorized Third Parties.
2.3 Free Service. Cisco is making this Cisco Technology available to You without charge, up to certain capacity limits as described in Section 10 below, and subject to the terms of this Agreement. You agree that Cisco, in its sole discretion and for any or no reason, may terminate Your Usage Rights (or any part thereof) and that any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your Usage Rights if (i) Cisco has reason to believe that You engaged in any fraudulent behaviour as it relates to the Cloud Services, or (ii) You use Cisco Technology beyond Your Entitlement. You are solely responsible for exporting Your customer data from the Cisco Technology prior to termination, and, except as required by law, Cisco will provide You a reasonable opportunity to retrieve such data.
2.4 Upgrades or Additional Copies of Software. You may only use Upgrades or additional copies of the Software beyond Your Entitlement if You have (a) acquired those rights under a support agreement covering the applicable Software; or (b) You have purchased the right to use Upgrades or additional copies separately.
2.5 Interoperability of Software. If required by law and upon Your request, Cisco will provide You with the information needed to achieve interoperability between the Software and another independently created program, provided You agree to any additional terms reasonably required by Cisco. You will treat such information as Confidential Information.
Section 3. Additional Conditions of Use
3.1 Cisco Technology Generally. Unless expressly agreed by Cisco, You may not (a) transfer, sell, sublicense, monetize, or make the functionality of any Cisco Technology available to any third party; (b) use the Software on second hand or refurbished Cisco equipment not authorized by Cisco, or use Software that is licensed for a specific device on a different device (except as permitted under Cisco’s Software License Portability Policy); (c) remove, modify, or conceal any product identification, copyright, proprietary, intellectual property notices or other marks; (d) reverse engineer, decompile, decrypt, disassemble, modify, or make derivative works of the Cisco Technology; or (e) use Cisco Content other than as part of Your permitted use of the Cisco Technology.
3.2 Cloud Services. You will not intentionally (a) interfere with other users’ access to, or use of, the Cloud Service, or with its security; (b) facilitate the attack or disruption of the Cloud Service, including a denial of service attack, unauthorized access, penetration testing, crawling, or distribution of malware (including viruses, trojan horses, worms, time bombs, spyware, adware, and cancelbots); (c) cause an unusual spike or increase in Your use of the Cloud Service that negatively impacts the Cloud Service’s operation; or (d) submit any information that is not contemplated in the applicable Documentation.
3.3 Evolving Cisco Technology. Cisco may: (a) enhance or modify the features, functionality, and capacity limits of this Cisco Technology at any time, in its sole discretion, without liability; and (b) perform scheduled maintenance of the infrastructure and software used to provide the Cloud Service, during which time You may experience some disruption to that Cloud Service. Whenever reasonably practicable, Cisco will provide You with advance notice of such maintenance. You acknowledge that, from time to time, Cisco may need to perform emergency maintenance without providing You advance notice, during which time Cisco may temporarily suspend Your access to, and use of, the Cloud Service.
Cisco reserves the right (a) to end the life of this Cisco Technology, including component functionality, (“EOL”), and/or (b) to incorporate all or some of the features and functionality of this Cisco Technology into a Cisco paid offer at any time, in its sole discretion, and without liability (“Cisco Offering”). Any new Cisco Offering will be subject to its own terms and conditions.
3.4 Protecting Account Access. You will keep all account information up to date, use reasonable means to protect Your account information, passwords and other login credentials, and promptly notify Cisco of any known or suspected unauthorized use of or access to Your account.
3.5 Use with Third-Party Products. If You use the Cisco Technology together with third-party products, such use is at Your risk. You are responsible for complying with any third-party provider terms, including its privacy policy. Cisco does not provide support or guarantee ongoing integration support for products that are not a native part of the Cisco Technology.
3.6 Open Source Software. Open source software not owned by Cisco is subject to separate license terms as set out at www.cisco.com/go/opensource. The applicable open source software licences will not materially or adversely affect Your ability to exercise Usage Rights in applicable Cisco Technology.
Section 4. Confidential Information and Use of Data
4.1 Confidentiality. Recipient will hold in confidence and use no less than reasonable care to avoid disclosure of any Confidential Information to any third party, except for its employees, affiliates, and contractors who have a need to know (“Permitted Recipients”). Recipient: (a) must ensure that its Permitted Recipients are subject to written confidentiality obligations no less restrictive than the Recipient’s obligations under this Agreement, and (b) is liable for any breach of this Section by its Permitted Recipients. Such nondisclosure obligations will not apply to information that: (i) is known by Recipient without confidentiality obligations; (ii) is or has become public knowledge through no fault of Recipient; or (iii) is independently developed by Recipient. Recipient may disclose Discloser’s Confidential Information if required under a regulation, law or court order provided that Recipient provides prior notice to Discloser (to the extent legally permissible) and reasonably cooperates, at Discloser’s expense, regarding protective actions pursued by Discloser. Upon the reasonable request of Discloser, Recipient will either return, delete or destroy all Confidential Information of Discloser and certify the same.
4.2 How We Use Data. Cisco will access, process and use data in connection with Your use of the Cisco Technology in accordance with applicable privacy and data protection laws. For further detail, please visit Cisco’s Security and Trust Center.
4.3 Notice and Consent. To the extent Your use of the Cisco Technology requires it, You are responsible for providing notice to, and obtaining consents from, individuals regarding the collection, processing, transfer and storage of their data through Your use of the Cisco Technology.
Section 5. Ownership
Except where agreed in writing, nothing in this Agreement transfers ownership in, or grants any license to, any intellectual property rights. You retain any ownership of Your content and Cisco retains ownership of the Cisco Technology and Cisco Content. You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about this Cisco Technology provided by You to Cisco (“Feedback”) are non-confidential and Cisco may use any Feedback You provide in connection with Your use of the Cisco Technology as part of its business operations without acknowledgment or compensation to You.
Section 6. Warranties and Representations
To the extent allowed by applicable law, Cisco expressly disclaims all warranties and conditions of any kind, express or implied, including without limitation any warranty, condition or other implied term as to merchantability, fitness for a particular purpose or non-infringement, or that the Cisco Technology will be secure, uninterrupted or error free. If You are a consumer, You may have legal rights in Your country of residence that prohibit the limitations set out in this Section from applying to You, and, where prohibited, they will not apply
Section 7. Liability
Neither party will be liable for indirect, incidental, exemplary, special, or consequential damages; loss or corruption of data or interruption or loss of business; or loss of revenues, profits, goodwill, or anticipated sales or savings. The maximum aggregate liability of each party under this Agreement is limited to $5,000 USD. These limitations of liability do NOT apply to liability arising from (a) Your breach of Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export). These limitations of liability apply whether the claims are in warranty, contract, tort (including negligence), infringement, or otherwise, even if either party has been advised of the possibility of such damages. Nothing in this Agreement limits or excludes any liability that cannot be limited or excluded under applicable law. These limitations of liability are cumulative and not per incident.
Section 8. Termination and Suspension
8.1 Suspension. Cisco may immediately suspend Your Usage Rights if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services) or 9.7 (Export).
8.2 Termination. Cisco, in its sole discretion and for any or no reason, may terminate Your access to this Cisco Technology or any part thereof and any termination may be without prior notice and without liability to Cisco. Cisco may, for example, suspend or terminate Your access immediately if You breach Sections 2.1 (License and Right to Use), 3.1 (Cisco Technology Generally), 3.2 (Cloud Services), or 9.7 (Export). Upon termination of this Agreement, You must stop using the Cisco Technology and destroy any copies of Software and Confidential Information within Your control.
Section 9. General Provisions
9.1 Survival. Sections 4 (Confidential Information and Use of Data), 5 (Ownership), 7 (Liability), 8 (Termination and Suspension), and 9 (General Provisions) survive termination or expiration of this Agreement.
9.2 Third-Party Beneficiaries. This Agreement does not grant any right or cause of action to any third party.
9.3 Assignment and Subcontracting. Except as set out below, neither party may assign or novate this Agreement in whole or in part without the other party’s express written consent. Cisco may (a) by written notice to You, assign or novate this Agreement in whole or in part to an Affiliate of Cisco, or otherwise as part of a sale or transfer of any part of its business; or (b) subcontract any performance associated with the Cisco Technology to third parties, provided that such subcontract does not relieve Cisco of any of its obligations under this Agreement.
9.4 U.S. Government End Users. The Software, Cloud Services and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” pursuant to FAR 12.212 and DFARS 227.7202. All U.S. Government end users acquire the Cisco Technology and Documentation with only those rights set forth in this Agreement. Any provisions that are inconsistent with federal procurement regulations are not enforceable against the U.S. Government
9.5 Modifications to this Agreement. Cisco may change this Agreement or any of its components by updating it on Cisco.com and/or the Documentation page, which can be found at https://community.cisco.com/. Cisco will exercise commercially reasonable efforts to provide notice of any material changes to this Agreement, and within three (3) business days of posting changes to this Agreement, they will be binding. If you do not agree with the changes, you must discontinue using the Cisco Technology at that time. If you continue using the Cisco Technology after that time, you will be deemed to have accepted the changes to this Agreement.
9.6 Compliance with Laws. Each party will comply with all laws and regulations applicable to their respective obligations under this Agreement. Cisco may restrict the availability of the Cisco Technology in any particular location or modify or discontinue features to comply with applicable laws and regulations.
If You use the Cisco Technology in a location with local laws requiring a designated entity to be responsible for collection of data about individual end users and transfer of data outside of that jurisdiction (e.g., Russia and China), You acknowledge that You are the entity responsible for complying with such laws.
9.7 Export. Cisco’s Software, Cloud Services, products, technology, and services (collectively the “Cisco Products”) are subject to U.S. and local export control and sanctions laws. You acknowledge and agree to the applicability of and Your compliance with those laws, and You will not receive, use, transfer, export, or re-export any Cisco Products in a way that would cause Cisco to violate those laws. You also agree to obtain any required licenses or authorizations
9.8 Governing Law and Venue. This Agreement, and any disputes arising from it, will be governed exclusively by the applicable governing law below, based on Your primary place of business (or primary residence, if you are not a business) and without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods. The courts located in the applicable venue below will have exclusive jurisdiction to adjudicate any dispute arising out of or relating to the Agreement or its formation, interpretation or enforcement. Each party hereby consents and submits to the exclusive jurisdiction of such courts. Regardless of the below governing law, either party may seek interim injunctive relief in any court of appropriate jurisdiction with respect to any alleged breach of Cisco’s intellectual property or proprietary rights
Your Primary Place of Business Governing Law Jurisdiction and Venue
Any location not specified below
| State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California
| Australia | Laws of the State of New South Wales, Australia | State and Federal Courts of New South Wales |
| Canada | Province of Ontario, Canada | Courts of the Province of Ontario |
| China | Laws of the People’s Republic of China | Hong Kong International Arbitration Center |
| Europe (excluding Italy), Middle East, Africa, Asia (excluding Japan and China), Oceania (excluding Australia) | Laws of England | English Courts |
| Italy | Laws of Italy | Court of Milan |
| Japan | Laws of Japan | Tokyo District Court of Japan |
| United States, Latin America or the Caribbean | State of California, United States of America | Superior Court of California, County of Santa Clara and Federal Courts of the Northern District of California |
If You are a United States public sector agency or government institution located in the United States, the laws of the primary jurisdiction in which You are located will govern this Agreement and any disputes arising from it. For U.S. Federal Government users, this Agreement will be controlled and construed under the laws of the United States of America.
9.9 Notice. Any notice delivered by Cisco to You under this Agreement will be delivered on Cisco.com. Notices to Cisco should be sent to Cisco Systems, Inc., Office of General Counsel, 170 West Tasman Drive, San Jose, CA 95134.
9.10 Force Majeure. Neither party will be responsible for failure to perform its obligations due to an event or circumstances beyond its reasonable control.
9.11 No Waiver. Failure by either party to enforce any right under this Agreement will not waive that right.
9.12 Severability. If any portion of this Agreement is not enforceable, it will not affect any other terms.
9.13 Entire agreement. This Agreement is the complete agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous communications, understandings or agreements (whether written or oral).
9.14 Translations. Cisco may provide local language translations of this Agreement in some locations. You agree that those translations are provided for informational purposes only and if there is any inconsistency, the English version of this Agreement will prevail.
9.15 Order of Precedence. If there is any conflict between this Agreement and any Cisco policies expressly referenced in this Agreement, the order of precedence is: (a) this Agreement; then (b) any applicable Cisco policy expressly referenced in this Agreement.
9.16 Language Election for Purchasers in Quebec. You confirm Your Agreement that this Cisco Technology is currently provided in English only.
Section 10. Additional Terms
10.1 Restrictions on Use by Minor Children. This Cisco Technology is not intended for use by persons younger than the age of consent in their relevant jurisdiction (e.g.,13 years old in the United States under the US Children’s Online Privacy Protection Act of 1998, or 16 or 13 years old in the European Union as per Member State law) (“Minor Children”). Minor Children are not permitted to create an account and You will not authorize Minor Children to access the Cisco Technology.
10.2 Capacity Restrictions. Your right to access and use this Cisco Technology is currently limited to five (5) nodes dedicated to applications/microservices.
10.3 Limited Community Support. This Cisco Technology is provided on a free-of-charge basis, as-is, and without support. Cisco has no obligation to maintain, repair, or upgrade this Cloud Service and Cisco will not provide user support services in connection with this Cisco Technology. User can refer to self-service help materials that cover a range of topics or reach out to our community forum to engage in community support discussions on our Documentation page at https://community.cisco.com/. Cisco makes no representations about and has no liability for these community support resources. All use of these resources, and the advice and guidance therein, is at Your own risk.
10.4 No Competitive Analysis. By agreeing to these terms, You represent and warrant that you will not use this Cisco Technology or its Documentation to (a) copy ideas, features, functions, or graphics; (b) develop competing products or services; or (c) perform competitive analyses.
10.5 Beta Functionality. User acknowledges and agrees that all or some components or functionality of the Cisco Technology may be in beta stage and may not have been (and may not become) productized or commercialized. You acknowledge that Your use and evaluation of this Cisco Technology is at Your own risk.
Section 11. Definitions
“Affiliate” means any corporation or company that directly or indirectly controls, or is controlled by, or is under common control with the relevant party, where “control” means to: (a) own more than 50% of the relevant party; or (b) be able to direct the affairs of the relevant party through any lawful means (e.g., a contract that allows control).
“Authorized Third Parties” means Your Users, Your Affiliates, Your third-party service providers, and each of their respective Users, permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“Cisco” “we” “our” or “us” means Cisco Systems, Inc. or its applicable Affiliate(s).
“Cisco Content” means any (a) content or data provided by Cisco to You as part of Your use of the Cisco Technology and (b) content or data that the Cisco Technology generates or derives in connection with Your use. Cisco Content includes geographic and domain information, rules, signatures, threat intelligence, and data feeds, and Cisco’s compilation of suspicious URLs.
“Cloud Service” means the Cisco hosted software-as-a-service offering or other Cisco cloud-enabled feature described in this Agreement. Cloud Services include applicable Documentation and may also include Software.
“Confidential Information” means non-public proprietary information of the disclosing party (“Discloser”) obtained by the receiving party (“Recipient”) in connection with this Agreement, which is (a) conspicuously marked as confidential or, if verbally disclosed, is summarized in writing to the Recipient within a reasonable time period after disclosure and marked as confidential; or (b) is information which by its nature should reasonably be considered confidential whether disclosed in writing or verbally.
“Delivery Date” means the date on which the Cloud Service is made available for Your use or, when Usage Rights in Software and Cloud Services are granted together, the earlier of the date Software is made available for download, or the date on which the Cloud Service is made available for Your use.
“Documentation” means the technical specifications and usage materials officially published by Cisco or available on https://community.cisco.com/ specifying the functionalities and capabilities of the applicable Cisco Technology.
“Entitlement” means the specific metrics, duration, and quantity of Cisco Technology that You acquire from Cisco under this Agreement.
“Software” means the Cisco computer programs including Upgrades, firmware and applicable Documentation.
“Upgrades” means all updates, upgrades, bug fixes, error corrections, enhancements and other modifications to the Software.
“Usage Term” means the period commencing on the Delivery Date and continuing until expiration or termination of the Entitlement, during which period You have the right to use the applicable Cisco Technology.
“User” means the individuals (including contractors or employees) permitted to access and use the Cisco Technology on Your behalf as part of Your Entitlement.
“You” means the individual or legal entity using the Cisco Technology.
NEW Cloud Security Academy Level up your skills with hands-on lessons. Get started
Azure IAM Deep Dive: Enhancing Access Supervision with CNAPP Solutions
By:
Maya Parizer
Oct 30, 2024
Share
Have you ever experienced any of the following scenarios?
Have you ever given a friend, supplier, or someone outside of your family your Wi-Fi password and forgotten to change it afterwards? Have you ever given someone the password to your computer but forgotten to keep track of who had this information? Maybe you’ve logged into a service or platform using someone else’s device but then forgotten to log out? Well, you aren’t alone. Just as these small lapses in security judgement can lead to unintended access and potential risks in your personal life and data, the stakes are even higher for companies managing access to sensitive information on a much larger scale. Let’s take for instance a big company that has many employees giving permissions to other employees or clients. Without proper tracking on who has which permissions, or without ensuring that permissions are revoked after they complete tasks, their company is at risk for potential attacks resulting from data leakage or manipulation and privilege escalation. Privilege escalation is when a user can obtain additional permissions beyond what they began with, including unsupervised access and much more. In this blog, we will explain the importance of awareness of supervising access and using IAM (identity and access management). Then, we will deep dive into how it's being handled in Azure, and explore how Panoptica, Cisco’s Cloud Application Security platform can help identify and detect these issues.
What is IAM?
IAM, or Identity and Access Management, is a collection of policies and technologies for ensuring the right individuals have the appropriate access to specific resources, in our case, Azure resources. IAM systems provide administrators with the tools and processes to assign and manage user identities, roles, and permissions, ensuring secure access to networks, systems, and data. These systems are crucial for maintaining security and compliance, as they help prevent unauthorized access and mitigate risks associated with threats and data breaches.
IAM can be split into two main categories:
Identity Management: The identity, whether a person, machine, or software component, verifies its claimed identity. This involves the creation, maintenance, and deletion of user identities and profiles.
Access Management: The person, machine, or software component is either granted or denied permission to access specific resources. This emphasizes controlling what entities can perform within a system . It involves setting up and managing roles and permissions to ensure that entities have the appropriate level of access to perform their job functions, while minimizing the risk of unauthorized access to sensitive information.
How IAM Works in Azure
To understand access management in Azure, we first need to explore how Azure handles identities through Microsoft Entra ID.
As mentioned above, in Azure there is a hierarchy between different scopes. We have management groups, with the highest management group in the hierarchy called ‘Tenant Root group’, then we have subscriptions, resource-groups, and resources.
Management Groups: The highest level of scope within Azure, is used to manage access, policies, and compliance across multiple subscriptions. These groups serve as containers that can include several management groups or subscriptions. Each Entra ID tenant is provided with a single top-level management group called the ‘Tenant root group’. This root management group is the parent of all other management groups and subscriptions within the tenant's hierarchy. New subscriptions are automatically defaulted on to the root management group when created.
Subscriptions: A billing container that is used to provision and manage resources such as virtual machines, databases, and storage accounts. Within a subscription, resource groups organize these resources. Each subscription is linked to a directory within an Azure Entra ID tenant.
Resource Groups: Used as containers that hold related resources. They help manage and organize resources by grouping them together, allowing for easier deployment, monitoring, and access management.
Resources: Resources are individual services or components in Azure, such as virtual machines, databases, storage accounts, and networking components, that are used to build and run applications. Each resource is created within a resource group and is managed as part of that group or individually.
azure_iam
In the diagram above, we can see an example of a hierarchy in Azure. Under the default management group “Tenant Root Group” there is:
one management group called “Contoso” and one subscription called “Landing Zone B”.
Under the management group called “Contoso” lies a subscription called “Landing Zone A”. Under each subscription there is a resource group, with resources within it. For example, “VMforA” is a virtual machine instance, within “MyResourceGroupA” resource group, within “Landing Zone A” subscription, within “Contoso” management group, within “Tenant Root Group”.
The red marked boxes are a hierarchy where the subscription is under a management group different than the default “Tenant Root Group”, and the latter is a subscription that is within the default management group.
Identities in Azure
Identities in Azure originate from Entra ID, from the same directory as your tenant’s. There are a few types of identities in Entra ID:
User identities consist of individuals such as employees or external users, with distinctions based on authentication method and user type properties. Users can be split by User Type and Authentication Method.
User Type characterizes the user's association with the host organization's tenant. The options are Member or Guest.
azure_iam
Authentication Method may occur internally. These can be accounts within the organization, or externally including accounts from other Microsoft Entra instances, social networks, or external identity providers.
azure_iam
This is what a user page looks like in Entra ID.
azure_iam
Groups
There are two types of groups:
365 Group: Microsoft 365 Groups simplify working with Microsoft 365 tools so you can collaborate with your teammates when writing documents, creating spreadsheets, working on project plans, scheduling meetings, or sending emails. Note that in 365 groups there can only be users.
Security Group: Security groups simplify access management for users, service principals, or other groups through role-based access control (RBAC). Granting access to a group rather than individuals is simpler and safer. In security groups there can be all types of identities, including more security groups.
This is what a group page looks like in Entra ID.
azure_iam
Service Principal
An Azure service principle is an identity created for use with applications, hosted services (like virtual machine), and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving more control over which resources can be accessed and at which level.
When creating an application, both an app object and a service principal are created. These two components work together to enable the application to authenticate and access resources within Entra ID and other Azure services. Let’s take a closer look and see the differences and the similarities of App Object and Service Principal below.
2. Managed Identity
Managed identities provide an identity for some Azure resources such as virtual machines. They eliminate the need for developers to manage credentials, unlike applications, and simplify access management by seamlessly integrating with Azure services. To use a managed identity, it needs to be enabled. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. To oversee all managed identities, go to ‘Enterprise Applications’ in Entra ID and filter to see Managed identities.
There are 2 types of managed identities:
System-assigned
User-assigned
Let’s take a closer look and see the differences and the similarities of User Assigned and System Assigned Managed identities below.
azure_iam
Access Management in Azure - Meet ‘RBAC’
We talked before about the two parts of IAM: Identity Management and Access Management. We will focus on Access Management. We covered the type of identities in Azure that come from the directory. Those identities want to execute an action, and they will either be allowed to do so or denied. This is called RBAC - Role Based Access Control, an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources. Identities are assigned roles that grant them the ability to execute an action (like read, write, delete) within a scope. A role assignment consists of three elements: security principal, role definition, and scope. Now let's break down these components to get a better understanding of how Azure RBAC works.
Control plane operations are permissions for management actions such as creating a resource, deleting a resource, editing permissions, etc. It is specified in the Actions and NotActions properties of a role definition.
Data plane operations are permissions that specify what actions are allowed to be performed to your data within that resource, such as uploading data, reading data, downloading data, etc. It is specified in the DataActions and NotDataActions.
A role definition is a set of permissions, mostly referred to as arole. It contains the actions that can be performed. Roles can be high-level, like "Owner”, or specific, like virtual machine contributor . There are built-in roles and custom roles.
A Role definition consists of actions, notActions, dataActions, notDataActions, and assignableScope:
Actions - NotActions = Effective control plane permissions (taking all permissions under Action and putting them on a list; then removing all permissions under NotActions from that list; finally to give you the effective control plane permissions).
DataActions - NotDataActions = Effective data plane permissions. (Same calculations but subtracting the NotDataActions from DataActions).
AssignableScope is the scope.
The permissions for control plane operations and data plane operations are distinct and you cannot mix them. Specifically, a data plane permission cannot be used in the ‘Action’ section of a role definition, and vice versa. Although Actions and NotActions, as well as DataActions and NotDataActions, can share the same strings, their purposes are different: Actions and DataActions define allowed operations, while NotActions and NotDataActions define excluded operations.
Having the same action appear both in Action and in notAction will not give permissions to execute the action.
Assignable Scope
This property specifies the scopes where a role definition can be assigned. The options are:
Root “/” - available for assignment in all scopes. You cannot assign roles at this scope or create custom roles with this scope.
Management Group
Subscription
Resource-group
When creating a custom role, the options of scope are only between management group, subscription, or resource groups.
For example, when the AssignableScopes is set to a specific subscription, the role will be available in all resource groups and resources under that subscription but will not be available in management groups or in a different subscription. Built-in roles have AssignableScopes set to the root scope ("/").
See below an example of Role Definition.
{
"assignableScopes": [ "/" ],
"description": "Grants full access to manage all resources but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [ "*" ],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
If you desire to use all actions, or all actions under a provider, instead of making an extensive list, use the wildcard '*'. It lists all actions under the scope. In the example above, we can see that in Actions we have '*', a wildcard. This means all Actions. But we see there are 8 actions under NotActions, so the effective control plane operations consist of all Actions except for the 8 listed under NotActions. The wildcard can be put throughout the permission format. Some examples are:
Microsoft.Compute/* - all permissions that begin with Microsoft.Compute
Microsoft.Compute/virtualMachines/* - All permissions that begin with Microsoft.Compute/virtualMachines
Microsoft. Compute/virtualMachines/*/read - All permissions of Microsoft. Compute/virtualMachines/ with the action ‘read’.
*/read - All permissions that end with read
While the wildcard '*' can simplify permissions management, it is important to remember that using it may lead to overly broad permissions. It’s always best to adhere to the principle of least privilege by granting only the specific permissions required for a given role or task and avoiding the ‘*’.
Role Assignments
Access to Azure resources is granted by creating a role assignment, and access is revoked by removing a role assignment.
A role assignment has several components, including:
The security principal who is assigned the role
The specific role granted to the security principal
The scope of which the role is assigned
The name of the role assignment, along with a description that clarifies the rationale for the assignment
Conditions - an additional check that you can add to provide more fine-grained control
A role assignment is an extension resource. An extension resource is a resource that adds to another resource's capabilities. They always exist as an extension of another resource. For example, a role assignment at subscription scope is an extension resource of the subscription. The name of a role assignment is always the name of the resource you are extending plus /Microsoft.Authorization/roleAssignments/{roleAssignmentId}.
What happens if you have multiple overlapping role assignments? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments in a scope. Meaning between two or more role assignments under the same scope for the same identity with different permissions, the identity will receive the permissions from all role assignments. This is called the Effective Permission.
The diagram below shows the effective permission process:
azure_iam
The effective permission for both roles is the union of each role’s effective permissions. Since all the actions in both control and data plane for the reader role are in the contributor role, their effective permission includes all permissions from the contributor role.
The diagram below shows the example effective permission for each scope:
azure_iam
To understand the diagram, the right arrows indicate a role assignment at the current scope, whereas the down arrows indicate the role assignment inherited from the scope above. In the example we see the calculation of the effective permission in each scope after understanding how the calculation works.
AssignableScope differences
It is important to talk about the difference between the scope of role definition and role assignments. The scope in the role definition specifies the context in which the role will be visible and available for assignment to an identity. The scope of role assignment is the scope where the permissions from the role definitions are given.
Like a role assignment, a deny assignment links a set of deny actions to a specific user, group, or service principal at a defined scope. This is done to deny access, either to the specified identity or to all identities except those explicitly excluded in the deny assignment. Just as Actions and DataActions in the 'allow' policy specify permitted operations, in deny assignments, the Actions and DataActions represent the denied control plane and data plane actions, and the NotActions and NotDataActions represent the excluded actions from the denied actions.
Deny assignments block users from performing actions even if a role assignment grants them access.
Note that you cannot directly create a deny assignment; they are created and managed by Azure. However, you can specify deny settings when creating a deployment stack, which creates a deny assignment that is owned by the deployment stack resources.
An example of a deny assignment:
azure_iam
In the example above, we can see the deny assignment blocks all delete actions (“*/delete) except for these two delete actions: Microsoft.Authorization/locks/delete and Microsoft.Storage/storageAccounts/delete.
Differences Between NotActions and NotDataActions and Deny Assignments
NotActions and Deny assignments are not the same and serve different purposes.
NotActions and NotDataActions are a convenient way to subtract specific actions from a wildcard (*) action and Deny assignments block users from performing specific actions even if a role assignment grants them access.
Azure Resource Manager
Azure Resource Manager (ARM) is the service that manages Azure resources. To interact with ARM, an identity first acquires a token from Entra ID. This token is then used to make API calls to ARM. When ARM receives a request, it checks the token’s claims against the resource's deny assignments and role assignments to determine access. ARM effectively controls and authorizes access to resources based on these role assignments and the identity’s permissions.
Flow of IAM
Suppose a user with id: ‘1111’ gets assigned with the built in role ‘Reader’ on a subscription with id ‘0000’. The reader-built in role is as follows:
{
"assignableScopes": [ "/" ],
"description": "View all resources, but does not allow you to make any changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"permissions": [
{
"actions": [ "*/read" ],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Suppose this user wants to read a blob in a storage account called ‘demostorage’ in subscription ‘0000’. Let’s see how Azure determines if the user will be granted access or not. Follow the diagram below to see how Azure determines if an identity can execute the action on a scope.
As you can see, because the identity did not have any role assignments with the DataAction permission ״Microsoft.Storage/storageAccounts/blobServices/containers/read” necessary for reading the blob, the identity was not able to get access to read the blob in the scope subscription ‘0000’.
High-level Roles in IAM
High privileged roles in Azure, such as "Owner," "Contributor," and "User Access Administrator," grant extensive permissions across resources. The "Owner" role provides full access to all resources, including the ability to delegate access to others. The "Contributor" role allows users to create and manage all types of resources but does not permit them to grant access to others. The "User Access Administrator" role enables users to manage user access to resources. These are some examples of built-in Azure roles that grant high access for management, but identities can also create custom roles with high data privileges using dataActions or high management privileges using actions, which can lead to many attacks. This is called over-permissive access.
Over-permissive access can pose significant security risks. For instance, assigning the "Owner" role to users who only need read access, granting "Contributor" access to developers who should only manage specific resources, or giving "User Access Administrator" rights to individuals who do not require the ability to manage user access, can lead to unauthorized changes, data breaches, or accidental deletions.
These are the risks that we aim to address at Cisco and in particular through our Cloud Application Security product, Panoptica. We provide analysis and insights to companies to ensure they do not have unsupervised identities with over-permissive access.
Azure IAM Analyzer in Panoptica ensures secure and efficient management of identities and access through key components like Role-Based Access Control (RBAC) and Microsoft Entra ID. Similar to how Azure analyzes access, we at Panoptica have our own analyzer that calculates effective permissions for all our clients’ identities. We provide analysis and insights into identities so that our clients are aware of over permissive roles at a broader scale including subscription or management groups. Our goal is to help them adhere to the principle of least privilege so that identities are given the minimum access needed within the smallest scope possible.
Conclusion
In many cases, we overlook the assignment of high-privilege roles to identities, forget to remove roles from identities who no longer need them, or opt for the 'easy' solution of granting all privileges instead of applying the practices of least necessary privileges. This approach can be very dangerous for an enterprise with vast amounts of data at its disposal. Unsupervised identities with excessive access can lead to security breaches and attacks.
Our analyzer addresses this critical issue by helping clients become more aware of their identities' access levels and ensuring that privileges are kept to a minimum necessary for their roles.
Now more than ever, having IAM awareness is crucial. Azure is not an easy cloud platform to understand, and it is essential that our team shares our extensive findings and research on Azure identity models and the implementation of the Azure Analyzer into Panoptica. If you have any questions, please feel free to reach out directly to our team, and we hope you take care of your IAM ASAP!
SIGN UP FREE
