(Azure) Access Control (IAM) Policy Management


Last updated 4 years ago


Access Control Policy

SpaceONE strongly recommends setting appropriate permissions on resource groups for each purpose.

Please set up a service account and its API access for each use case:

General Collector

The collector requires appropriate permissions to collect cloud resources. We strongly recommend limiting the collector's service account to read-only access.

You can also add further restrictions per resource group or per action. One useful example is to restrict the account's rights to specific resource groups.

Prerequisite

This tutorial assumes that an Azure subscription has already been created.

There are two options for granting permission on the Azure resources that SpaceONE will collect.

  • Grant the Reader role on the resource group where the resources are located. If you assign the role at resource group scope, SpaceONE can only collect resources located in that resource group.

  • Grant the Reader role on the subscription where the resources are located. If you assign the role at subscription scope, SpaceONE can collect resources in all resource groups in that subscription.

If you want to know more about Azure's access control policies, visit the link below.

Grant Roles to resource groups

STEP 1. Log in to the Azure Portal and go to > Resource groups

Select the resource group for which the collector will collect resources.

STEP 2. Click the Access control (IAM) navigation tab, then click the +Add button.

STEP 3. Assign the Reader role to the account. The account then has read access to this resource group.

Troubleshooting

Authorization

Follow the troubleshooting steps below if you encounter any of the following error messages.

1. (AuthorizationFailed) Client does not have authorization

The client client_id with object id object_id does not have authorization to perform action Microsoft.Resources/subscriptions/resourcegroups/read over scope subscription_id or the scope is invalid. If access was recently granted, please refresh your credentials

STEP 1: Log in to the Azure Portal and go to > Subscriptions

STEP 2: Click the subscription name where resources are located.

STEP 3: Click +Add role assignment button.

STEP 4: Add the role assignment with the following settings:

  • Role

    • Reader

  • Assign access to

    • User, group, or service principal

  • Select

    • The app registered in Active Directory (at > Azure Active Directory > Registered App)

Note: the Service Account name and the Registered App name are easy to confuse. Select the Registered App entry (the two have different icons).
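As an added example that is not part of this guide, the following Python script parses an AuthorizationFailed message of the form quoted above and checks whether a Reader assignment at resource group or subscription scope covers the failed scope, and whether any assignment exceeds the read-only access recommended for the collector. The subscription id, resource group names, client name and object id are constructed sample values; the assignment records mirror only the `roleDefinitionName` and `scope` fields of `az role assignment list` output.

```python
import re

# Constructed sample values (not from the guide): a subscription id and two
# resource groups, written the way Azure scopes appear in role assignments.
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"

# Constructed AuthorizationFailed message in the shape quoted in this guide.
ERROR = ("The client 'spaceone-collector' with object id 'ab12' does not have "
         "authorization to perform action "
         "'Microsoft.Resources/subscriptions/resourcegroups/read' over scope "
         f"'{RG_PROD}' or the scope is invalid.")

READ_ONLY_ROLES = {"Reader"}  # the role this guide recommends for the collector

def parse_authorization_failed(message):
    """Pull the (action, scope) pair out of an AuthorizationFailed message;
    the quotes around action and scope are optional."""
    m = re.search(r"perform action '?([^' ]+)'? over scope '?([^' ]+)'?", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group(1), m.group(2)

def scope_covers(assigned_scope, requested_scope):
    """Azure RBAC inherits downward: a Reader assignment at subscription scope
    applies to every resource group in it; a resource-group assignment applies
    only to that group. Scopes compare case-insensitively."""
    a = assigned_scope.lower().rstrip("/")
    r = requested_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def diagnose(message, assignments):
    """assignments: list of {"roleDefinitionName", "scope"} dicts, the fields of
    interest in `az role assignment list --assignee <app-id>` output.
    Reports whether a read-only role covers the failed scope and which
    assignments exceed the read-only access recommended for a collector."""
    action, scope = parse_authorization_failed(message)
    readers = [x for x in assignments
               if x["roleDefinitionName"] in READ_ONLY_ROLES
               and scope_covers(x["scope"], scope)]
    over = [x for x in assignments if x["roleDefinitionName"] not in READ_ONLY_ROLES]
    return {"action": action, "scope": scope,
            "reader_covers_scope": bool(readers), "over_privileged": over}

if __name__ == "__main__":
    # Reader granted only on rg-dev: the collector fails on rg-prod (see STEP 1-4).
    print(diagnose(ERROR, [{"roleDefinitionName": "Reader", "scope": RG_DEV}]))
    # Reader granted at subscription scope: every resource group is covered.
    print(diagnose(ERROR, [{"roleDefinitionName": "Reader", "scope": SUB}]))
```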

Reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal