azure-web-app-service azure-sql-database azure-blob-storage

In Azure dashboard - give user access to a single App Server, SQL Database, & Azure Storage


I want to have my QA team do some load testing of the dev slot of our web app. I want to give them full administrative access to the dev slot app service and its associated SQL Database and BLOB Storage. I do not want them to have any administrative access to anything else. (I trust them, but people sometimes click the wrong button.)

Is there a way to do this? And if so, how?

Also, if the answer is to put it in a distinct subscription, can I swap the app service instance between subscriptions?


Solution

  • I want my QA team to do some load testing on the dev slot of our web app. I want to give them full administrative access to the dev slot app service and its associated SQL Database and BLOB Storage. I do not want them to have any administrative access to anything else. (I trust them, but people sometimes click the wrong button.)

    To control user access to specific resources, first create a group and add the people you need to give access to, then create custom roles.

    Note that you need either the Owner or the User Access Administrator role to create a custom RBAC role.

    Access to custom roles can only be restricted at the following levels: management group, subscription, and resource group.

    In your scenario, keep App Services, SQL database, and Blob storage in a single resource group and create the custom role at the resource group level.

    Portal:

    Step 1:
    [screenshot]

    Step 2:
    [screenshot]

    In the Permissions tab, select all the necessary permissions according to your requirements as shown below.

    [screenshot]

    In the Assignable scopes tab, ensure that the type is set to Resource group, then select Review + create.

    [screenshot]

    Once you have created it, the validation will be performed, and the custom role will be created successfully.

    Note that this custom role will only be visible and accessible to the resources present in your resource group.

    Now you can assign this role to your group of users to access the web app, Storage, and SQL database. This will restrict the user from accessing other resources.

    If the answer is to put it in a distinct subscription, can I swap the app service instance between subscriptions?

    Regarding swapping the App Service instance between subscriptions, you could refer to this MS-Document to use the PowerShell script.

    Reference:
    Move resources to a new subscription or resource group - Azure Resource Manager | Microsoft Learn
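
The portal steps in the answer above can also be scripted with the Azure CLI. This is an added example, not part of the original answer: the role name, the `Actions` list, the file name `qa-role.json` and the helper function names are assumptions, and the subscription ID, resource group and group name are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Added example: custom role scoped to a single resource group.
# All names here are placeholders or assumptions, not values from the page.

# Build the ARM scope string for a resource group.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Emit the custom role definition. The Actions list is an assumption:
# management-plane access to App Service (slots included), SQL and Storage.
# It grants no Microsoft.Authorization actions, so role holders cannot
# create or change role assignments themselves.
qa_role_json() {
  cat <<EOF
{
  "Name": "QA Dev Slot Operator",
  "IsCustom": true,
  "Description": "Manage the dev web app, SQL and storage in one resource group.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Web/sites/*",
    "Microsoft.Sql/servers/*",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "AssignableScopes": ["$(rg_scope "$1" "$2")"]
}
EOF
}

# Create the role, then assign it to the QA group at resource-group scope only.
apply_qa_role() {
  scope="$(rg_scope "$1" "$2")"
  qa_role_json "$1" "$2" > qa-role.json
  az role definition create --role-definition @qa-role.json
  group_id="$(az ad group show --group "$3" --query id -o tsv)"
  az role assignment create --assignee-object-id "$group_id" \
    --assignee-principal-type Group \
    --role "QA Dev Slot Operator" --scope "$scope"
}

# Runs only when asked:
#   ./qa-role.sh apply <subscription-id> <resource-group> <group-name>
if [ "${1:-}" = "apply" ]; then
  apply_qa_role "$2" "$3" "$4"
fi
```

Because the assignment is made at the resource group scope, it is inherited by every resource in that group, so the group should contain only the dev app, its database and its storage account.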