Currently, we have set up custom Azure RBAC roles for Azure landing zones. In order to prevent privilege escalation, the Microsoft.Authorization/roleAssignments/write permission is prohibited.
However, in an Azure ecosystem this permission is often needed, so we provided an Azure RBAC OSB marketplace service which checks the roles and principal IDs in order to prevent privilege escalation.
At the same time, we collect feedback from our users, and they complain that many Azure out-of-the-box Bicep/ARM templates do not work anymore.
That is why we are reconsidering our initial approach and want to allow RBAC to our project admins, under certain conditions (privilege escalation).
What we would need for this is ABAC support for Azure role mappings for Azure landing zones.
The following article describes the concept:
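As an added illustration (not part of the original post or of the referenced article), the Bicep below shows what such a conditional delegation looks like today on a resource group: a project admin group receives the built-in Role Based Access Control Administrator role, but an ABAC condition limits roleAssignments/write and delete to the Reader and Contributor roles, so the group cannot grant itself Owner or User Access Administrator. The parameter name and the condition are constructed for this example; the role definition GUIDs are the well-known Azure built-in ones.

```bicep
// Constructed example: conditional delegation of role-assignment management.
targetScope = 'resourceGroup'

@description('Object ID of the project admin group (placeholder supplied by the caller).')
param projectAdminPrincipalId string

// Well-known Azure built-in role definition IDs.
var rbacAdministratorRoleId = 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' // Role Based Access Control Administrator
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'            // Reader
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'       // Contributor

// ABAC condition (version 2.0): every action of the role is allowed, except that
// creating a role assignment (@Request) or removing one (@Resource) is only
// permitted when the role in question is Reader or Contributor.
var delegationCondition = '''
(
  ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) )
  OR
  ( @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
      ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, b24988ac-6180-42a0-ab88-20f7382dd24c} )
)
AND
(
  ( !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}) )
  OR
  ( @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
      ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, b24988ac-6180-42a0-ab88-20f7382dd24c} )
)
'''

// The delegated assignment itself; the deterministic name keeps the deployment idempotent.
resource delegatedRbacAdmin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, projectAdminPrincipalId, rbacAdministratorRoleId)
  properties: {
    principalId: projectAdminPrincipalId
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbacAdministratorRoleId)
    conditionVersion: '2.0'
    condition: delegationCondition
  }
}
```

Without the delete clause a delegate could still remove existing assignments of roles outside the allow-list, which is why both request and resource attributes are constrained.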