In the Management Groups episode of AZ900 course RBAC is mentioned as being involved with using management groups to work with subscriptions. How does this work? I watched the rbac episode again, and i don't see how it fits together. I'm having a hard time separating RBAC from security groups in my head. Where is the big difference between them?
RBAC and Management group in AZ900
Role-based Access Control (RBAC) is an authorization system to control access to resources. You create role assignments to enforce permissions. A role assignment has three components: security principal, role definition, and scope.
Security groups are a type of security principal. They are used to gather users that have the same access requirements. You use security groups in your role assignments.
A role definition is a collection of permissions, like read, write and delete.
Scope is the set of resources that the access applies to.
Lets say you have 20 developers that need contributor access to a set of virtual machines.
First, you would create a security group, and add all 20 developers to the group. This way you can assign the permissions to the group instead of each individual user.
Then you would create a role definition that grants the contributor permission.
Lastly you define the scope as a particular set of VMs.
Now, everyone in the security group has contributor permissions over the set of VMs. but only those VMs that are defined by the scope, not all VMs.
This is the same as using groups and NTFS permissions. The security group (security principal) is added to the ACL of a resource (scope) and assigned a permission (role definition).
Hope this helps
Would you use rbac as part of azure ad?