Permissions required for customers deploying KX Managed Application
There are three supported scenarios, which differ mainly in the role the user initially holds on the subscription into which they wish to install the KX Managed KX Insights Platform.

1. User is Owner of the Subscription

Allows:
- the creation of new Resource Groups
- the creation of the required Role Assignments
- registration of the required Resource Providers

The managed resource group inherits the required permissions.

2. User is Contributor on the Subscription

Allows:
- the creation of new Resource Groups
- registration of the required Resource Providers

The managed resource group inherits the required permissions.

Requires one of the below. Ask your Azure Subscription administrator to either:

2.a) Assign the User Access Administrator role to the user on the Subscription

or alternatively:

2.b) Create a new Resource Group and assign the User Access Administrator role to the user on that new Resource Group

3. User is Reader on the Subscription

Allows:
- the reading of all Resources

The managed resource group inherits the required permissions.

Requires one of the below. Ask your Azure Subscription administrator to follow the steps of either Option 1 or Option 2, depending on their preferred process.
Option 1

This method requires only one Custom Role, but it grants the user slightly wider permissions on the entire Subscription.

Step 1. Create the below custom role definition, using either the Azure Portal or the Azure CLI.

Using the Azure Portal:

    {
      "properties": {
        "roleName": "Managed application installer",
        "description": "Allows user to install Managed Applications in the Subscription",
        "assignableScopes": [
          "/subscriptions/{your-subscription-id}"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Resources/deployments/cancel/action",
              "Microsoft.Resources/deployments/validate/action",
              "Microsoft.Resources/deployments/write",
              "Microsoft.Resources/subscriptions/resourceGroups/delete",
              "Microsoft.Resources/subscriptions/resourceGroups/write",
              "Microsoft.Solutions/applications/delete",
              "Microsoft.Solutions/applications/write",
              "Microsoft.Solutions/register/action"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

Using the Azure CLI, save the following definition as role.json and run:

    az role definition create --role-definition role.json

role.json:

    {
      "Name": "Managed application installer",
      "IsCustom": true,
      "Description": "Allows user to install Managed Applications in the Subscription",
      "Actions": [
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Solutions/applications/delete",
        "Microsoft.Solutions/applications/write",
        "Microsoft.Solutions/register/action"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{your-subscription-id}"
      ]
    }

Step 2. Assign the Managed application installer role to the user on the Subscription.
Option 2

This method requires several steps and multiple Custom Roles, but in exchange it grants the user the least amount of permissions on the Subscription. For every subsequent Managed Application deployment, the Managed application admin role will have to be assigned to the user on a new Resource Group again before the installation can begin (steps 3 to 5).

Step 1. Create the below custom role definition, using either the Azure Portal or the Azure CLI.

Using the Azure Portal:

    {
      "properties": {
        "roleName": "Resource Group writer",
        "description": "Allows user to create new Resource Group in the Subscription",
        "assignableScopes": [
          "/subscriptions/{your-subscription-id}"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Resources/subscriptions/resourceGroups/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

Using the Azure CLI, save the following definition as role.json and run:

    az role definition create --role-definition role.json

role.json:

    {
      "Name": "Resource Group writer",
      "IsCustom": true,
      "Description": "Allows user to create new Resource Group in the Subscription",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{your-subscription-id}"
      ]
    }

Step 2. Assign the Resource Group writer role to the user on the Subscription.

Step 3. Create the below custom role definition, using either the Azure Portal or the Azure CLI.

Using the Azure Portal:

    {
      "properties": {
        "roleName": "Managed application admin",
        "description": "Allows user to install and delete Managed Applications",
        "assignableScopes": [
          "/subscriptions/{your-subscription-id}/resourceGroups/{your-resourcegroup-id}"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Resources/deployments/cancel/action",
              "Microsoft.Resources/deployments/validate/action",
              "Microsoft.Resources/deployments/write",
              "Microsoft.Solutions/applications/delete",
              "Microsoft.Solutions/applications/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

Using the Azure CLI, save the following definition as role.json and run:

    az role definition create --role-definition role.json

role.json:

    {
      "Name": "Managed application admin",
      "IsCustom": true,
      "Description": "Allows user to install and delete Managed Applications",
      "Actions": [
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Solutions/applications/delete",
        "Microsoft.Solutions/applications/write"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{your-subscription-id}/resourceGroups/{your-resourcegroup-id}"
      ]
    }

Step 4. Create a new Resource Group in the same Subscription.

Step 5. Assign the Managed application admin role to the user on the above Resource Group.
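The following added example (not part of the KX documentation or tooling) models the three custom roles from Option 1 and Option 2 above, converts the Portal JSON shape into the role.json shape the Azure CLI reads, and computes which actions Option 1 grants at each scope that Option 2 does not, so an administrator can see exactly what the extra steps of Option 2 buy. It assumes each role is assigned at its own assignable scope and uses the page's placeholder subscription and resource group ids.

```python
# Added example: the page's custom roles and the least-privilege gap between the options.
SUB = "/subscriptions/{your-subscription-id}"            # placeholder, as on the page
RG = SUB + "/resourceGroups/{your-resourcegroup-id}"     # placeholder, as on the page
DEPLOY = ["Microsoft.Resources/deployments/cancel/action",
          "Microsoft.Resources/deployments/validate/action",
          "Microsoft.Resources/deployments/write"]
APPS = ["Microsoft.Solutions/applications/delete",
        "Microsoft.Solutions/applications/write"]
RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"


def portal_role(name, description, scopes, actions):
    """Build a custom role in the Azure Portal JSON shape shown on the page."""
    return {"properties": {"roleName": name, "description": description,
                           "assignableScopes": scopes,
                           "permissions": [{"actions": actions, "notActions": [],
                                            "dataActions": [], "notDataActions": []}]}}


# The page's roles; each is assumed to be assigned at its own assignable scope.
OPTION_1 = [portal_role("Managed application installer",
                        "Allows user to install Managed Applications in the Subscription", [SUB],
                        DEPLOY + ["Microsoft.Resources/subscriptions/resourceGroups/delete",
                                  RG_WRITE] + APPS + ["Microsoft.Solutions/register/action"])]
OPTION_2 = [portal_role("Resource Group writer",
                        "Allows user to create new Resource Group in the Subscription",
                        [SUB], [RG_WRITE]),
            portal_role("Managed application admin",
                        "Allows user to install and delete Managed Applications",
                        [RG], DEPLOY + APPS)]


def to_cli_format(role):
    """Translate the Portal shape into the role.json shape `az role definition create` reads."""
    props, perm = role["properties"], role["properties"]["permissions"][0]
    return {"Name": props["roleName"], "IsCustom": True, "Description": props["description"],
            "Actions": perm["actions"], "NotActions": perm["notActions"],
            "DataActions": perm["dataActions"], "NotDataActions": perm["notDataActions"],
            "AssignableScopes": props["assignableScopes"]}


def actions_at(roles, scope):
    """Actions effective at `scope`; an RBAC assignment is inherited by every child scope."""
    granted = set()
    for role in roles:
        props = role["properties"]
        if any(scope == s or scope.startswith(s + "/") for s in props["assignableScopes"]):
            granted.update(props["permissions"][0]["actions"])
    return granted


def excess(wider, narrower, scope):
    """Actions `wider` grants at `scope` that `narrower` does not: the privilege it could drop."""
    return sorted(actions_at(wider, scope) - actions_at(narrower, scope))
```

At subscription scope Option 2 leaves the user with only the resource group write action, and even inside the target resource group it withholds resource group deletion and the Microsoft.Solutions registration action that Option 1 grants.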