azuresecuritycloudazure-web-rolesazure-rbac

Azure Default Reader vs Built-in Monitoring Reader


I am trying to setup narrow down the best possible role for monitoring data from security perspective. My needs are slightly different so I don't want to use the Security Reader role (mainly because security reader only has access to the security center items and basic resource and resource group queries). So after reading more I stumbled upon Monitoring Reader role and just Reader role. I went through the permissions mentioned in the JSON. However I am not sure if all the differences are covered in the JSON.

For instance when we talk about "Monitoring Reader"

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read all monitoring data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

The privileges are basically the same expect that I can query the logs. Compared to the Reader role which is

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything, but not make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Now from a logical standpoint if both the users are able to execute */read doesn't Reader role automatically qualify to query the logs? If not, how is it different? Also which role is superior in terms of access to readable data?

Reference : https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader

PS : I do know about custom roles but want to understand built-in roles better.


Solution

  • Now from a logical standpoint if both the users are able to execute */read doesn't Reader role automatically qualify to query the logs?

    They are both able to execute */read, but Reader cannot query the logs.

    If not, how is it different?

    The difference is Monitoring Reader can execute the Microsoft.OperationalInsights/workspaces/search/action and Microsoft.Support/* actions.

    Also which role is superior in terms of access to readable data?

    From the actions scope of the role definition, obviously the Monitoring Reader is superior in terms of access to readable data.