NML

Azure security rights management

General Security Rights Principles

  • Access to resources is provided only through security groups that have been configured on those resources.
  • Production security groups should generally have no members. For rotating support or special implementations, members may be added on request.
  • The person adding any members to a production security group is also responsible for removing those members from the group as soon as the rights are no longer needed.
    • Add an Outlook meeting/appointment for yourself to remove the members you added.
    • More than 2 weeks access is not acceptable under any circumstances.
  • When requesting to be added to a security group, always send an email (in addition to any other form of communication such as Slack) outlining the request and the estimated time required. Ensure the following parties are included in the email:
    • the person you are asking to add you to the security group
    • charl@nml.co.za
    • kirsten@nml.co.za
  • Only request to be added to the minimum number of security groups needed to complete your task.

Security Groups and Access

The following naming conventions are (or should be) generally followed for security groups, but they can differ from project to project. Each project should have a more complete write-up of its security groups on its project wiki.

Production Security Groups

Name                                  Description
*-prod-support                        For production support purposes. Only users who are actively on support for the project.
*-prod-contributors                   For general contributor rights on resources. Rarely needed.
*-prod-database-managed-identities    Azure managed identities with database access. NEVER ASSIGN USERS TO THIS GROUP!
*-prod-key-vault-reader               For read-only access to secrets in Key Vault.
*-prod-key-vault-contributor          For contributor rights to keys, secrets and certificates in Key Vault. Rarely needed.
*-prod-logic-app-contributors         For contributor rights on Logic Apps. Rarely needed.
*-prod-vm-rdp                         For requesting Just-In-Time access to virtual machines via Azure Security Centre.
*-prod-web-contributor                For managing web apps and App Service plans.

Development Security Groups

Name                                  Description
*-contributors                        For general contributor rights on resources.
*-database-managed-identities         Azure managed identities with database access. NEVER ASSIGN USERS TO THIS GROUP!
*-key-vault-reader                    For read-only access to secrets in Key Vault.
*-key-vault-contributor               For contributor rights to keys, secrets and certificates in Key Vault.
*-logic-app-contributors              For contributor rights on Logic Apps.
*-vm-rdp                              For requesting Just-In-Time access to virtual machines via Azure Security Centre.
*-web-contributor                     For managing web apps and App Service plans.
*-devops-devs                         For adding or removing developers from the DevOps project.
*-devops-pms                          For adding or removing project managers from the DevOps project.
*-devops-readers                      For adding or removing readers (stakeholders) from the DevOps project.
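To check that actual group membership matches the rules above (empty production groups, no user longer than 2 weeks, no users in the managed-identity groups), the following added example audits an exported membership inventory; it is not part of this wiki page. It assumes the inventory was exported from Azure AD (for instance with `az ad group member list`) and enriched with the date each member was added, taken from the access-request email, since the group object itself does not record that; the project prefix "proj" and all members are constructed sample data.

```python
from datetime import date

MAX_ACCESS_DAYS = 14  # "More than 2 weeks access is not acceptable"
AUDIT_DATE = date(2024, 3, 20)  # constructed audit date for the sample


def audit_group(group, members, today):
    """Return (severity, message) findings for one security group.

    members: dicts with "name", "type" ("user" or "servicePrincipal")
    and "added" (date the member was added, from the request email).
    """
    findings = []
    is_prod = "-prod-" in group
    for m in members:
        # Managed-identity groups must never contain users, prod or dev.
        if group.endswith("-database-managed-identities") and m["type"] == "user":
            findings.append(("violation", f"{group}: user {m['name']} in a managed-identity-only group"))
        # Prod groups should be empty: any user is reviewed, over 2 weeks is a violation.
        if is_prod and m["type"] == "user":
            days = (today - m["added"]).days
            if days > MAX_ACCESS_DAYS:
                findings.append(("violation", f"{group}: {m['name']} has had access for {days} days"))
            else:
                findings.append(("review", f"{group}: {m['name']} added {days} days ago, remove when done"))
    return findings


def audit(inventory, today=AUDIT_DATE):
    # inventory: {group_name: [member, ...]}
    return [f for group, members in inventory.items()
            for f in audit_group(group, members, today)]


# Constructed sample inventory for a hypothetical project prefix "proj".
SAMPLE = {
    "proj-prod-support": [
        {"name": "alice@example.test", "type": "user", "added": date(2024, 3, 1)},
        {"name": "bob@example.test", "type": "user", "added": date(2024, 3, 12)},
    ],
    "proj-prod-database-managed-identities": [
        {"name": "proj-api-identity", "type": "servicePrincipal", "added": date(2023, 1, 1)},
        {"name": "carol@example.test", "type": "user", "added": date(2024, 3, 10)},
    ],
    "proj-contributors": [
        {"name": "dave@example.test", "type": "user", "added": date(2023, 6, 1)},
    ],
}

if __name__ == "__main__":
    for severity, msg in audit(SAMPLE):
        print(f"[{severity}] {msg}")
```

Run against a real export, the "violation" lines are the ones to act on immediately; the "review" lines are the reminder the Outlook appointment rule is meant to provide.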

Security Right Assigners

Charl Marais and Dave Eagle can assign rights on all projects. They should be included on all communication regarding requests for access on production environments.

Name                    Can Assign on Project
Rogan Flitton           Graphite
Nicholas Barfknecht     African Rainbow Life
Francois Nel            SHA
Angus Pollock           Stor-age
Charl Marais            NML internal projects
Saffia Manjoo           Aurecon Web & STLE
Miles Barnett           TenX

Assigning Security Rights

  • Open Azure Portal
  • If the project has its own Azure Active Directory, open Directory + subscription and switch to the appropriate directory
  • Select Azure Active Directory
  • Select Groups
  • Find the security group to which the member must be added and select it
  • Select Members
  • Select Add Members
  • Find the directory principal to add and select
  • Click Select

Removing Security Rights

  • Open Azure Portal
  • If the project has its own Azure Active Directory, open Directory + subscription and switch to the appropriate directory
  • Select Azure Active Directory
  • Select Groups
  • Find the security group from which the member must be removed and select it
  • Select Members
  • Check the members to remove
  • Select Remove
  • Click Yes on the confirmation box