Grouping, categorizing and giving users access to resources
Moving to the cloud
When we decided to move all our resources to the cloud, we realized that we needed a new way of grouping and categorizing our resources. The move from big servers to cloud-based storage, which is managed individually, reframed our resource management needs. If you don’t manage your storage, you’ll quickly end up with a lot of unmanaged resources, unmanaged users and a big need for an easy-to-use permission structure.
The Azure hierarchy
So, all resources in Azure exist in exactly one resource group, which is the lowest level at which your resources can be grouped. Since we have several different products on one platform, we decided to group our resources in the easiest way possible: by product.
Setting up your environment
It’s a good idea to separate your production environments from your dev/test environments. At a minimum, you should separate them by using different resource groups, but you should also consider using a different subscription. If your company has an Enterprise Agreement (EA), you should use a Test Subscription to get discounts on those resources.
Grouping resources by product
Since we grouped our resources by product, we need to assign access by product team.
- In Azure Active Directory, create security groups for each team
- Populate each team with the right members
- Assign resource groups to each team instead of each member
If team membership changes, remember to add or remove members from the group so the users get the correct access to resources.
Example: “MyAwesomeApp” featuring Erik The Dev
We have a new web app with the name “MyAwesomeApp” that’s deployed with a database, a storage account and a service bus. The app is deployed to three different environments: dev, test and production, so we have 12 resources in total. Instead of giving Erik access to each of the 12 resources individually, and overloading the dev department with management work, we chose the smarter solution: creating two resource groups, one named “MyAwesomeApp-rg-dev” and one named “MyAwesomeApp-rg-prod”.
Moving, removing or firing Erik
By creating a security group for Erik and his team we can control access by the group instead of by the individual. So, when Erik moves to a different department or leaves the company, we just remove him from his current security group and add him to a new one, or remove him altogether.
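The steps above (one security group per team, members added to the group, one role assignment per resource group, and offboarding by removing the member) carried out with the Azure CLI, as an added example that is not part of the original post. It prints the az commands unless APPLY=1 is set; the product name, team name, subscription id, location, user UPN and the Contributor-on-dev / Reader-on-prod split are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example: per-product access model with groups, not individual users.
set -eu
APPLY="${APPLY:-0}"          # 0 = print the az commands (dry run); 1 = run them

run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Object id of a group (by display name) or a user (by UPN).
# In dry-run mode a readable placeholder stands in for the real id.
object_id() {
  if [ "$APPLY" = 1 ]; then
    case "$1" in
      group) az ad group show --group "$2" --query id -o tsv ;;
      user)  az ad user show  --id    "$2" --query id -o tsv ;;
    esac
  else printf '<%s-id:%s>' "$1" "$2"; fi
}

# Naming convention from the post: <product>-rg-<environment>.
rg_name()  { printf '%s-rg-%s' "$1" "$2"; }
# Scope at which the role assignment is attached (one assignment covers every resource in the group).
rg_scope() { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

ensure_group()  { run az ad group create --display-name "$1" --mail-nickname "$1"; }
add_member()    { run az ad group member add --group "$1" --member-id "$(object_id user "$2")"; }
# Offboarding: drop the user from the group and every resource-group grant goes with it.
remove_member() { run az ad group member remove --group "$1" --member-id "$(object_id user "$2")"; }
grant_role()    { run az role assignment create --assignee-object-id "$(object_id group "$1")" \
                      --assignee-principal-type Group --role "$2" --scope "$3"; }

# $1 product, $2 subscription id, $3 location, remaining args: team member UPNs
setup_product() {
  local product="$1" sub="$2" loc="$3"; shift 3
  local team="${product}-team" dev_rg prod_rg
  dev_rg="$(rg_name "$product" dev)"; prod_rg="$(rg_name "$product" prod)"
  run az group create --name "$dev_rg"  --location "$loc"
  run az group create --name "$prod_rg" --location "$loc"
  ensure_group "$team"
  for upn in "$@"; do add_member "$team" "$upn"; done
  # The team can change dev/test resources but only read production (assumption).
  grant_role "$team" Contributor "$(rg_scope "$sub" "$dev_rg")"
  grant_role "$team" Reader      "$(rg_scope "$sub" "$prod_rg")"
}

# Placeholder subscription id and UPN (constructed for the example).
setup_product MyAwesomeApp 00000000-0000-0000-0000-000000000000 westeurope erik@example.com
remove_member MyAwesomeApp-team erik@example.com
```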
Fewer accounts, better security
The separation between production and dev/test gives us the possibility to give fewer accounts access to production environments, and the possibility to move production to a separate subscription if we decide to do that later.
- Resource – A manageable item that is available through Azure, for example a web app, a storage account or a SQL database.
- Resource group – A collection of resources that you want to manage as a group. This lets you assign access to many resources in one place.
- Subscription – An agreement between Microsoft and a customer. Usually you pay for Azure services grouped by subscription.
- Security group – A collection of users in Azure Active Directory. This is used to manage access for more than one user at a time.