
I need to configure a custom Azure role which will give a user explicit access to a file share (with File Explorer). But the user shouldn't have access to the other services of the Storage service like blob storage, queues or tables. Currently, with the following JSON file, the user can see all sub-services of the storage service.

{
    "Name": "Storage explicit contributor access",
    "Id": "-.......",
    "IsCustom": true,
    "Description": "",
    "Actions": [
        "Microsoft.Storage/storageAccounts/fileServices/shares/delete",
        "Microsoft.Storage/storageAccounts/fileServices/shares/read",
        "Microsoft.Storage/storageAccounts/fileServices/shares/write",
        "Microsoft.Storage/storageAccounts/fileServices/write",
        "Microsoft.Storage/storageAccounts/fileServices/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read"
    ],
    "NotActions": [
        "*"
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/....."
    ]
}

Generally, is it possible to restrict the access at that level?

Nintox

1 Answer

The permissions you have allocated currently allow the user to manage the actual Azure Files resource, through the portal, PowerShell etc. Currently the user can create, delete and edit shares. It sounds like this is not what you want; you're just looking for the user to manage data in the file share.

Assuming that is the case, you need to look at setting "DataActions" in the role; this provides permissions at the data layer, not the resource layer. So something like:

"DataActions": [
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
    "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
Sam Cogan
  • Thanks for your answer. That's not exactly what I want to do. Is it possible to upload files over the Azure Portal with this user and your DataAction rules? Or is it for the API? – Nintox Jul 11 '20 at 10:07
  • This should allow you to upload files through the portal as well, but you would need to grant "Microsoft.Storage/storageAccounts/fileServices/read" in the actions section. That said, if users just need to upload files, I wouldn't recommend the portal. I'd look at something like Azure Storage Explorer. – Sam Cogan Jul 11 '20 at 21:00
  • Yes, my preferred option is Azure Storage Explorer too. But new client software is not allowed for the users. So they have to log in to the portal and use the web dashboard of Azure Storage Explorer. Is it possible to restrict the access only to this service and upload/download files? – Nintox Jul 12 '20 at 12:00
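An added audit script (my own Python, not code from either poster) that checks a role definition like the one in the question for grants that reach past file-share data: it flags `listKeys/action`, because whoever can fetch the account keys can read every blob, queue and table in the account with shared-key auth regardless of RBAC, and `NotActions` `"*"`, which subtracts every listed Action. The posted role and a narrowed version built from the answer's DataActions are constructed inline with placeholder scopes.

```python
"""Audit an Azure custom role definition for grants that reach beyond Azure
Files data. Added example, not from the original post; helper names and the
corrected role are my own, scopes are placeholders."""
STG = "Microsoft.Storage/storageAccounts/"
# Account keys bypass RBAC: anyone who can list (or regenerate) them can read
# and write every blob, queue, table and share in the account.
KEY_ACTIONS = {(STG + s).lower() for s in ("listKeys/action", "regenerateKey/action")}
FILE_DATA = STG + "fileServices/fileshares/files/"

def audit_role(role: dict) -> list[str]:
    """Return findings; an empty list means the role grants only file data."""
    findings = []
    for a in role.get("Actions", []):
        if a.lower() in KEY_ACTIONS:
            findings.append(f"{a} returns account keys (all storage services)")
        elif a.endswith("*"):
            findings.append(f"wildcard control-plane action: {a}")
    if "*" in role.get("NotActions", []):
        findings.append('NotActions "*" subtracts every granted Action')
    data_actions = role.get("DataActions", [])
    for d in data_actions:
        if not d.startswith(FILE_DATA):
            findings.append(f"data action outside file shares: {d}")
    if not data_actions:
        findings.append("no DataActions: user can manage shares but not files")
    return findings

# The role from the question (constructed from the posted JSON).
POSTED_ROLE = {
    "Actions": [STG + s for s in (
        "fileServices/shares/delete", "fileServices/shares/read",
        "fileServices/shares/write", "fileServices/write",
        "fileServices/read", "listKeys/action", "read")],
    "NotActions": ["*"],
    "DataActions": [],
}

# Same role narrowed to file data: read-only control plane so the share is
# visible, no account keys, and the file data actions from the answer.
CORRECTED_ROLE = {
    "Name": "Storage explicit contributor access",
    "IsCustom": True,
    "Description": "Read, write and delete files in Azure Files shares only",
    "Actions": [STG + "read", STG + "fileServices/read", STG + "fileServices/shares/read"],
    "NotActions": [],
    "DataActions": [FILE_DATA + op for op in ("read", "write", "delete")],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],  # placeholder
}
```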