
Azure deployment slots RBAC


I need to give different levels of access to different users (or groups) on an Azure WebApp and its deployment slots.

  1. If I give a user access to only a deployment slot, he cannot see it on the Azure Management Portal.

  2. If I give a user access as "Reader" to the entire web app, he can change application settings (this was not supposed to happen).

  3. If I give a user access as "Reader" to the entire web app and as "Owner" to a particular slot, he can change application settings and he can swap the LIVE app (neither of which was supposed to happen).

Can someone explain to me how to give "Owner" permission only to a deployment slot and not to the whole application? Thanks!


Solution

I'll tackle the 3 questions below.

1. If I give a user access to only a deployment slot, he cannot see it on the Azure Management Portal

It's a portal bug (it will get fixed). Luckily, there is a workaround which is not too painful:

  • While logged on as the owner, go to the slot in the portal. The URL will look like this:

    https://portal.azure.com/#resource/subscriptions/{sub}/resourceGroups/{ResourceGroup}/providers/Microsoft.Web/sites/{AppName}/slots/{SlotName}

  • Copy the URL and send it to your user.
  • They'll then be able to go straight to the slot, even though they can't access the Web App. They'll even be able to 'pin' it to their dashboard, so they can easily find it next time without having to go back to the link.

2. If I give a user access as "Reader" to the entire web app, he can change application settings

It just looks that way due to another Portal bug, but they really can't. For example:

  • they won't be able to see any of the current settings
  • if they change something, it says the Save is successful, but in fact nothing happens

The Portal team is aware of it and will address it. But security-wise, it is harmless.

3. If I give a user access as "Reader" to the entire web app and as "Owner" to a particular slot, he can swap the LIVE app

That sounds like a bug and I will report it. Good catch!

The good news is that if you don't give them Reader access to the Web App, they won't be able to do this. So just use the technique I described in the first question, and everything should work fine for your scenario.
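As an added illustration (not part of the question or the answer above, and not Microsoft's code), the script below builds the slot-scoped resource ID and portal URL the answer relies on, and audits a list of role assignments for the two patterns discussed: write access to the production app inherited from a broader scope, and the "Reader on the app plus Owner on a slot" combination that the answer says allowed swapping into production. The assignment list is a constructed sample shaped like the JSON that `az role assignment list --scope <app-scope> --include-inherited -o json` returns (the `principalName`, `roleDefinitionName` and `scope` fields); the subscription ID, resource group, app and principal names are placeholders, and the set of roles treated as "write" roles is an assumption you should adjust to the roles in use in your tenant.

```python
"""Audit Azure RBAC on a Web App and its deployment slots (added example)."""
from __future__ import annotations
import json

# Assumption: roles that grant write access to an App Service resource.
WRITE_ROLES = {"Owner", "Contributor", "Website Contributor"}

# Placeholder identifiers (constructed, not a real subscription).
SUB = "11111111-1111-1111-1111-111111111111"
RG = "rg-demo"
APP = "contoso-web"


def app_scope(sub: str, rg: str, app: str) -> str:
    """Resource ID of the production Web App; also the RBAC scope for it."""
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{app}"


def slot_scope(sub: str, rg: str, app: str, slot: str) -> str:
    """Resource ID of one deployment slot; assign roles here, not on the app."""
    return f"{app_scope(sub, rg, app)}/slots/{slot}"


def portal_url(scope: str) -> str:
    """Deep link of the form the answer tells you to send to the slot user."""
    return f"https://portal.azure.com/#resource{scope}"


# Constructed sample in the shape of `az role assignment list ... -o json`.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Reader",
     "scope": app_scope(SUB, RG, APP)},
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner",
     "scope": slot_scope(SUB, RG, APP, "staging")},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Owner",
     "scope": slot_scope(SUB, RG, APP, "staging")},
    {"principalName": "carol@contoso.example", "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB}/resourceGroups/{RG}"},
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUB}"},
]


def audit(assignments: list[dict], sub: str, rg: str, app: str) -> dict[str, list[str]]:
    """Return {principal: [reason, ...]} for principals whose effective access
    on the production app is wider than a slot-only assignment would give."""
    prod = app_scope(sub, rg, app)
    slot_prefix = prod + "/slots/"

    by_principal: dict[str, list[dict]] = {}
    for a in assignments:
        by_principal.setdefault(a["principalName"], []).append(a)

    findings: dict[str, list[str]] = {}
    for who, rows in by_principal.items():
        reasons: list[str] = []
        # Assignments made on the app itself or on an ancestor scope (inherited).
        app_or_above = [r for r in rows
                        if r["scope"] == prod or prod.startswith(r["scope"] + "/")]
        # Write-level assignments made directly on one of the app's slots.
        slot_write = [r for r in rows
                      if r["scope"].startswith(slot_prefix)
                      and r["roleDefinitionName"] in WRITE_ROLES]

        for r in app_or_above:
            if r["roleDefinitionName"] in WRITE_ROLES:
                reasons.append(f"{r['roleDefinitionName']} on {r['scope']} "
                               "grants write access to the production app")
        if app_or_above and slot_write:
            reasons.append("has a role on the app (or above) plus write access on a slot; "
                           "the answer reports this combination allowed swapping into production")
        if reasons:
            findings[who] = reasons
    return findings


if __name__ == "__main__":
    # Slot-only grant, as the answer recommends: scope is the slot, not the app.
    staging = slot_scope(SUB, RG, APP, "staging")
    print("az role assignment create --assignee <user-upn> --role Owner "
          f"--scope {staging}")
    print("Send the user:", portal_url(staging))
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS, SUB, RG, APP), indent=2))
```

Run it against real data by replacing `SAMPLE_ASSIGNMENTS` with the parsed output of `az role assignment list` for the app scope (with inherited assignments included); in the sample, `bob` holds Owner on the staging slot alone and produces no finding, while `alice` and `carol` do.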