Azure Sphere pre-built RBAC roles and resource hierarchy
Azure resources are managed in a structured hierarchy, and when you apply an Azure RBAC user role to a given Azure resource, the permissions for the role are granted for the resource itself, as well as for its child resources. For example, if you apply the RBAC Owner role to a product resource, the user has Owner permissions for the product resource, as well as for all its child device groups and devices.
The figure shows the hierarchy of the Azure Sphere resource types. Azure Sphere resources include catalog, product, device group, and device, and you can apply an RBAC role to any of these resources. Note that Azure Sphere images, catalog certificates, and deployments are not stand-alone resources; permissions for those items are governed by the resource that owns them. For example, permissions for deployments are governed by the owning device group.
Azure Sphere built-in RBAC roles
To enable easy RBAC user permissions management, Azure provides pre-configured roles known as built-in roles. There are general Azure pre-built roles that apply to all services, as well as customized built-in roles for specific services that address common user needs of the given service, including Azure Sphere. If your organization has user needs not met by the available built-in roles, you can create custom RBAC roles with granular permissions appropriate to your business needs.
The table below outlines the Azure Sphere built-in RBAC roles.
Role Name | Permissions | Example Usage |
---|---|---|
Azure Sphere Reader | Read-only permissions + download images + download certificate and certificate chain | - Assign to a catalog to allow the user read-only access to all resources in the catalog, and to allow the user to download the catalog certificate and certificate chain.<br>- Assign to a product to allow the user read-only access to that product and its child device groups and devices.<br>- Assign to a device group to allow the user read-only access to that device group and its child devices. |
Azure Sphere Publisher | Azure Sphere Reader permissions + add images + download proof of possession certificate + download device capabilities | - Assign to a catalog to allow a user to add images to the catalog, and to download the catalog certificate, certificate chain, and proof of possession certificate, while also limiting the user to read-only access for the catalog’s child products, device groups, and devices. The read-only access to a given child resource can be overridden by assigning the Azure Sphere Contributor, Azure Sphere Owner, or a higher-permission role to the child resource.<br>- Assign to a resource group if the user needs Azure Sphere Publisher permissions on all Azure Sphere catalogs in the resource group.<br>- When assigned to products, device groups, and devices, the role provides nothing more than read-only permissions; we recommend assigning the Azure Sphere Reader role instead. |
Azure Sphere Contributor | Azure Sphere Publisher permissions + permissions for all Azure Sphere user actions on the resource and its child resources | - Apply to a resource group for high-permission users who need to create new Azure Sphere catalogs within that resource group, or integrate existing Azure Sphere (Legacy) tenants into the resource group.<br>- Apply to a specific catalog for users who need to perform all user actions and view all child resources belonging only to that catalog.<br>- Apply to a product or device group for users who need to perform all user actions and view all child resources belonging only to that product or device group. |
Azure Sphere Owner | Azure Sphere Contributor permissions + Azure RBAC user administration permissions for Azure-Sphere-related user roles only | - Apply to a resource group for the highest-permission Azure Sphere users who need to create and manage all Azure Sphere resources within the group, as well as assign Azure-Sphere-related RBAC user roles to all Azure Sphere resources within the group.<br>- Apply to a specific catalog for users who need to perform all user actions, view all child resources belonging only to that catalog, and assign Azure-Sphere-related RBAC user roles to the catalog or any of its child resources.<br>- Apply to a product or device group for users who need to perform all user actions and view all child resources belonging only to that product or device group, as well as assign Azure-Sphere-related RBAC user roles to the product or device group.<br>Note: The Azure-Sphere-related RBAC user roles are: Azure Sphere Owner, Azure Sphere Contributor, Azure Sphere Publisher, Azure Sphere Reader, Monitoring Contributor, and Monitoring Reader. The latter two roles relate to Azure Monitor. |
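The inheritance rules in the table (a role flows down to child resources, and Azure Sphere Publisher is worth only Reader below the catalog unless a Contributor or Owner assignment on the child overrides it) are easy to get wrong when auditing who can do what. The following is an added example, not Microsoft code, that models those rules to compute the effective built-in role at each scope; the resource names (rg1, cat1, prodA, and so on) are constructed, and it considers only the four Azure Sphere built-in roles, not general Azure roles such as Owner.

```python
# Added example: resolve the effective Azure Sphere built-in role at a scope.
# Models the page's rules only; not Microsoft's implementation.

# Resource hierarchy from the page, outermost first.
LEVELS = ["resourceGroup", "catalog", "product", "deviceGroup", "device"]

# Built-in roles ordered by privilege, as the table lists them.
RANK = {"Azure Sphere Reader": 1, "Azure Sphere Publisher": 2,
        "Azure Sphere Contributor": 3, "Azure Sphere Owner": 4}
BY_RANK = {v: k for k, v in RANK.items()}

def contribution(role, level):
    """Privilege a role assigned at or above `level` contributes there.

    Publisher's extra rights (add images, download certificates) are catalog
    actions, so on products, device groups and devices it is worth only
    Reader, as the table states. Every other role inherits unchanged.
    """
    if role == "Azure Sphere Publisher" and LEVELS.index(level) > LEVELS.index("catalog"):
        return RANK["Azure Sphere Reader"]
    return RANK[role]

def effective_role(assignments, scope):
    """assignments: {scope path tuple: role name}; scope: tuple of path segments.

    Azure RBAC is additive, so the most privileged contribution from the
    scope itself or any ancestor wins. Returns None when nothing applies.
    """
    level = LEVELS[len(scope) - 1]
    best = 0
    for depth in range(1, len(scope) + 1):          # walk root -> scope
        role = assignments.get(scope[:depth])
        if role:
            best = max(best, contribution(role, level))
    return BY_RANK.get(best)

# Constructed scenario from the Publisher row: Publisher on the catalog,
# with Contributor overriding the read-only default on one product.
ASSIGNMENTS = {
    ("rg1", "cat1"): "Azure Sphere Publisher",
    ("rg1", "cat1", "prodA"): "Azure Sphere Contributor",
}

def report(assignments=ASSIGNMENTS):
    """Effective role for a few constructed scopes, keyed by their path."""
    scopes = [("rg1",), ("rg1", "cat1"), ("rg1", "cat1", "prodA"),
              ("rg1", "cat1", "prodA", "dg1"), ("rg1", "cat1", "prodB"),
              ("rg1", "cat1", "prodB", "dg2", "dev1")]
    return {"/".join(s): effective_role(assignments, s) for s in scopes}

if __name__ == "__main__":
    for scope, role in report().items():
        print(f"{scope:<28} {role}")
```

Running it shows prodA and its device group resolve to Contributor while the sibling prodB and its device inherit only Reader from the catalog-level Publisher assignment.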