General Security Rights Principles
- Access to resources is granted only through security groups that have been configured on the resources.
- Production security groups should generally have no members. For rotating support or special implementations, members may be added on request.
- The person adding any member to a production security group is also responsible for removing that member from the group as soon as the rights are no longer needed.
- Add an Outlook meeting/appointment for yourself to remove the members you added.
- More than 2 weeks' access is not acceptable under any circumstances.
- When requesting to be added to a security group, always send an email (in addition to any other form of communication, such as Slack) outlining the request and the estimated time required. Ensure the following parties are included in the email:
- the person you are asking to add you to the security group
- charl@nml.co.za
- kirsten@nml.co.za
- Only request to be added to the minimum number of security groups to complete your task.
Security Groups and Access
The following naming conventions are (or should be) generally followed for security groups, but they can differ from project to project. Each project should have a more complete write-up of its security groups on its project wiki.
Production Security Groups
| Name | Description |
| --- | --- |
| *-prod-support | For production support purposes. Only users that are actively on support for a project. |
| *-prod-contributors | For general contributor rights on resources. Rarely needed. |
| *-prod-database-managed-identities | Azure managed identities with database access. NEVER ASSIGN USERS TO THIS GROUP! |
| *-prod-key-vault-reader | For read-only access to secrets in Key Vault. |
| *-prod-key-vault-contributor | For contributor rights to keys, secrets and certificates in Key Vault. Rarely needed. |
| *-prod-logic-app-contributors | For contributor rights on Logic Apps. Rarely needed. |
| *-prod-vm-rdp | For requesting Just-In-Time access to virtual machines via Azure Security Centre. |
| *-prod-web-contributor | For managing web apps and App Service plans. |
Development Security Groups
| Name | Description |
| --- | --- |
| *-contributors | For general contributor rights on resources. |
| *-database-managed-identities | Azure managed identities with database access. NEVER ASSIGN USERS TO THIS GROUP! |
| *-key-vault-reader | For read-only access to secrets in Key Vault. |
| *-key-vault-contributor | For contributor rights to keys, secrets and certificates in Key Vault. |
| *-logic-app-contributors | For contributor rights on Logic Apps. |
| *-vm-rdp | For requesting Just-In-Time access to virtual machines via Azure Security Centre. |
| *-web-contributor | For managing web apps and App Service plans. |
| *-devops-devs | For adding or removing developers from the DevOps project. |
| *-devops-pms | For adding or removing project managers from the DevOps project. |
| *-devops-readers | For adding or removing readers (stakeholders) from the DevOps project. |
Assigning Security Rights
- Open the Azure Portal
- If the project has its own Azure Active Directory, open Directory + subscription and switch to the appropriate directory
- Select Azure Active Directory
- Select Groups
- Find the security group to which the member must be added and select it
- Select Members
- Select Add Members
- Find the directory principal to add and select it
- Click Select
Removing Security Rights
- Open the Azure Portal
- If the project has its own Azure Active Directory, open Directory + subscription and switch to the appropriate directory
- Select Azure Active Directory
- Select Groups
- Find the security group from which the member must be removed and select it
- Select Members
- Check the members to remove
- Select Remove
- Click Yes on the confirmation box
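The two portal procedures above, and the principles at the top of the page, as a scripted Azure CLI equivalent. This is an added example, not tooling from the project or the page: it assumes an authenticated `az` session in the correct directory (`az login --tenant <tenant-id>` when the project has its own Azure AD), an `az` build backed by Microsoft Graph (2.37 or later) whose member listing exposes `@odata.type`, GNU `date` for the reminder date, and group names that follow the `*-prod-*` and `*-database-managed-identities` conventions on this page. It refuses to add anyone to a managed-identity group, refuses production requests longer than 14 days, and includes an audit that lists who currently sits in production groups.

```shell
#!/usr/bin/env bash
# Added example (not the project's own tooling): CLI equivalent of the portal
# steps for assigning and removing security rights, with the page's rules
# checked before any directory change is made.
set -euo pipefail

MAX_ACCESS_DAYS=14   # "more than 2 weeks is not acceptable under any circumstances"

# Production groups follow the *-prod-* naming convention on this page.
is_prod_group() { case "$1" in *-prod-*) return 0 ;; *) return 1 ;; esac; }

# Managed-identity groups must never receive human members.
is_managed_identity_group() {
  case "$1" in *-database-managed-identities) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when a request may proceed, 1 (with a reason on stderr) otherwise.
# The day limit is enforced for production groups; dev groups carry no limit here.
validate_request() {
  local group="$1" days="$2"
  if is_managed_identity_group "$group"; then
    echo "refusing: $group holds managed identities only, never users" >&2; return 1
  fi
  if is_prod_group "$group"; then
    case "$days" in ''|*[!0-9]*) echo "refusing: days must be a whole number" >&2; return 1 ;; esac
    if [ "$days" -lt 1 ] || [ "$days" -gt "$MAX_ACCESS_DAYS" ]; then
      echo "refusing: $days days is outside 1..$MAX_ACCESS_DAYS for a production group" >&2; return 1
    fi
  fi
  return 0
}

# "Assigning Security Rights" via the CLI. Object IDs are resolved from the
# group display name and the user's UPN so nobody pastes GUIDs by hand.
grant_temporary_access() {
  local group="$1" upn="$2" days="$3"
  validate_request "$group" "$days" || return 1
  local group_id member_id remove_by
  group_id=$(az ad group show --group "$group" --query id -o tsv)
  member_id=$(az ad user show --id "$upn" --query id -o tsv)
  az ad group member add --group "$group_id" --member-id "$member_id"
  remove_by=$(date -u -d "+${days} days" +%Y-%m-%d)   # assumes GNU date
  echo "added $upn to $group; remove by $remove_by (create the calendar reminder now)"
}

# "Removing Security Rights" via the CLI.
revoke_access() {
  local group="$1" upn="$2" member_id
  member_id=$(az ad user show --id "$upn" --query id -o tsv)
  az ad group member remove --group "$group" --member-id "$member_id"
  echo "removed $upn from $group"
}

# Audit: production groups should normally be empty, and managed-identity
# groups must contain only service principals. One line per finding.
audit_prod_groups() {
  az ad group list --query "[?contains(displayName, '-prod-')].displayName" -o tsv |
  while IFS= read -r group; do
    az ad group member list --group "$group" \
      --query "[].[displayName, \"@odata.type\"]" -o tsv |
    while IFS=$'\t' read -r name type; do
      if is_managed_identity_group "$group" && [ "$type" = "#microsoft.graph.user" ]; then
        echo "VIOLATION $group: user '$name' in a managed-identity group"
      elif ! is_managed_identity_group "$group"; then
        echo "REVIEW $group: member '$name' ($type); confirm the access is still needed"
      fi
    done
  done
}

# Usage: ./groups.sh grant GROUP UPN DAYS | revoke GROUP UPN | audit
case "${1:-}" in
  grant)  grant_temporary_access "$2" "$3" "$4" ;;
  revoke) revoke_access "$2" "$3" ;;
  audit)  audit_prod_groups ;;
esac
```

Run `audit` from the directory that owns the project's groups; any `VIOLATION` line is a user sitting in a managed-identity group and should be removed immediately, while `REVIEW` lines are the members whose adder is responsible for removing them.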