IAM Permissions
Access to the ProvEn resources in Azure is controlled via four security groups:
- A reader group, which grants read access over all environments.
- Three contributor groups, one per environment (dev/test/prod).
All four groups are owned by the following users:
- Jake Stanger
- Paul McGonigle
- Euan Eddie
Group membership is manually controlled by the owners listed above.
Role assignment is controlled via the Bicep templates included in this repo (<AppHost>/infra/roleAssignments).
Reader
This role set is applied at the subscription level on both subscriptions. Both administrator and non-administrator users are granted it.
Access is controlled via membership of the SG-Core-ProvEn2-Reader security group.
The assignments are permanently active; no PIM activation is required.
Roles:
- Reader
- Storage Blob Data Reader
- Storage Queue Data Reader
- Storage Table Data Reader
Contributor
These roles are applied at resource-group level, to each environment's resource group.
For dev, the assignments are permanently active. For test and production, the role assignments to the group are also permanent, but a user's membership of the group is time-bound and must be activated via PIM before the permissions apply.
Access is controlled via membership of the following security groups:
- SG-Core-ProvEn2-Dev-Contributor
- SG-Core-ProvEn2-Test-Contributor
- SG-Core-ProvEn2-Prod-Contributor
Roles:
- Contributor
- Key Vault Secrets Officer
- Key Vault Certificates Officer
- Storage Blob Data Contributor
- Storage Queue Data Contributor
- Storage Table Data Contributor
- App Configuration Data Owner
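The following is an added Bicep example of how the contributor role set above could be assigned to one environment's group at resource-group scope. It is not the module from <AppHost>/infra/roleAssignments; the parameter and variable names are assumptions, and the role definition GUIDs are the Azure built-in IDs as recalled here, so check them with the command in the comment before deploying.

```bicep
// Added example, not the repo's own role-assignment module.
// Deploy against the environment's resource group, e.g.:
//   az deployment group create -g <rg> -f contributor.bicep -p contributorGroupObjectId=<group object id>
targetScope = 'resourceGroup'

@description('Object ID of the SG-Core-ProvEn2-<Env>-Contributor security group (assumed parameter name).')
param contributorGroupObjectId string

// Azure built-in role definition GUIDs. Verify each one before use with:
//   az role definition list --name '<role name>' --query '[].name' -o tsv
var contributorRoles = {
  Contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  KeyVaultSecretsOfficer: 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
  KeyVaultCertificatesOfficer: 'a4417e6f-fecd-4de8-b567-7b0420556985'
  StorageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  StorageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
  StorageTableDataContributor: '0a9a7e1f-b9d0-4cc4-a60d-0319b160aebd'
  AppConfigurationDataOwner: '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
}

// One role assignment per entry. Role assignment names must be GUIDs, and
// deriving the name from scope + principal + role makes redeploys idempotent:
// the same inputs always map to the same assignment instead of a duplicate.
resource contributorAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in items(contributorRoles): {
  name: guid(resourceGroup().id, contributorGroupObjectId, role.value)
  properties: {
    principalId: contributorGroupObjectId
    // Declaring the principal type lets the deployment succeed even if a
    // newly created group has not yet replicated to the RBAC service.
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role.value)
  }
}]
```

The Reader set follows the same pattern with `targetScope = 'subscription'`, `subscription().id` in the `guid()` name and the Reader group's object ID. Note that Bicep assigns the role to the group permanently; the time-bound access for test and production comes from PIM-managed group membership, not from the assignment itself. To confirm what a group actually holds on a resource group, including the subscription-level Reader roles it inherits, run `az role assignment list --scope <resource group id> --assignee <group object id> --include-inherited -o table`.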