What permissions does Tessell need on customer's Azure subscription?
Written by Bakul Banthia
Updated over a week ago

Default Permissions

With the default permissions, Tessell cannot automatically create or delete networks and encryption keys later on. Instead, customers are prompted to enter the details and run an ARM template that creates the new encryption keys and networks.

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2018-07-01",
  "name": "[variables('roleDefinitionNameTessellApp')]",
  "properties": {
    "roleName": "[concat('Tessell Operator - ', resourceGroup().name)]",
    "description": "Allow deployment and management of resources in an Azure subscription on behalf of Tessell",
    "type": "customRole",
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/diskEncryptionSets/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/runCommand/action",
          "Microsoft.Compute/virtualMachines/runCommands/write",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
          "Microsoft.OperationalInsights/workspaces/sharedkeys/action",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
          "Microsoft.Network/natGateways/write",
          "Microsoft.Network/natGateways/delete",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/delete",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Compute/snapshots/beginGetAccess/action",
          "Microsoft.Compute/snapshots/endGetAccess/action",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.KeyVault/vaults/secrets/write",
          "Microsoft.KeyVault/operations/read",
          "Microsoft.KeyVault/locations/operationResults/read",
          "Microsoft.KeyVault/vaults/keys/read",
          "Microsoft.KeyVault/vaults/keys/versions/read",
          "Microsoft.KeyVault/vaults/deploy/action",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.OperationalInsights/workspaces/datasources/write",
          "Microsoft.Compute/disks/beginGetAccess/action",
          "Microsoft.Compute/disks/endGetAccess/action",
          "Microsoft.Compute/locations/operations/read",
          "Microsoft.Storage/checknameavailability/read",
          "Microsoft.Storage/operations/read",
          "Microsoft.Storage/locations/checknameavailability/read",
          "Microsoft.OperationalInsights/locations/operationstatuses/read",
          "microsoft.operationalinsights/locations/operationStatuses/read",
          "Microsoft.OperationalInsights/workspaces/tables/write",
          "Microsoft.OperationalInsights/workspaces/tables/read",
          "Microsoft.OperationalInsights/workspaces/tables/delete",
          "Microsoft.OperationalInsights/workspaces/tables/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "microsoft.operationalinsights/workspaces/tables/write",
          "microsoft.operationalinsights/workspaces/tables/read",
          "microsoft.operationalinsights/workspaces/tables/delete",
          "Microsoft.Network/natGateways/read",
          "Microsoft.Network/natGateways/join/action",
          "Microsoft.Compute/galleries/images/versions/read",
          "Microsoft.Compute/galleries/images/versions/write",
          "Microsoft.Compute/galleries/images/versions/delete",
          "Microsoft.Network/privateLinkServices/read",
          "Microsoft.Network/privateLinkServices/write",
          "Microsoft.Network/privateLinkServices/delete",
          "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
          "Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
          "Microsoft.Network/locations/autoApprovedPrivateLinkServices/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/loadBalancers/write",
          "Microsoft.Network/loadBalancers/delete",
          "Microsoft.Network/loadBalancers/health/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/queryInboundNatRulePortMapping/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/updateAdminState/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/health/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/write",
          "Microsoft.Network/loadBalancers/backendAddressPools/read",
          "Microsoft.Network/loadBalancers/backendAddressPools/delete",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/read",
          "Microsoft.Network/loadBalancers/inboundNatRules/read",
          "Microsoft.Network/loadBalancers/inboundNatRules/write",
          "Microsoft.Network/loadBalancers/inboundNatRules/delete",
          "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
          "Microsoft.Network/loadBalancers/loadBalancingRules/read",
          "Microsoft.Network/loadBalancers/loadBalancingRules/health/action",
          "Microsoft.Network/loadBalancers/networkInterfaces/read",
          "Microsoft.Network/loadBalancers/outboundRules/read",
          "Microsoft.Network/loadBalancers/probes/read",
          "Microsoft.Network/loadBalancers/probes/join/action",
          "Microsoft.Network/loadBalancers/virtualMachines/read",
          "Microsoft.Network/locations/availablePrivateEndpointTypes/read",
          "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
          "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action",
          "Microsoft.Authorization/locks/read",
          "Microsoft.Authorization/locks/write",
          "Microsoft.Authorization/locks/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/write",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
          "Microsoft.Storage/storageAccounts/read"
        ],
        "notActions": [
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Compute/galleries/share/action"
        ],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.KeyVault/vaults/keys/encrypt/action",
          "Microsoft.KeyVault/vaults/keys/decrypt/action",
          "Microsoft.KeyVault/vaults/secrets/delete",
          "Microsoft.KeyVault/vaults/secrets/getSecret/action",
          "Microsoft.KeyVault/vaults/secrets/update/action",
          "Microsoft.KeyVault/vaults/secrets/purge/action",
          "Microsoft.KeyVault/vaults/secrets/setSecret/action",
          "Microsoft.Compute/snapshots/download/action",
          "Microsoft.Compute/snapshots/upload/action",
          "Microsoft.Compute/disks/download/action",
          "Microsoft.Compute/disks/upload/action"
        ],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "[resourceGroup().Id]"
    ]
  }
}

The table below is a convenient representation of the permissions above.

Resource Type | Permissions to Create New? | Permissions to Manage Tessell-created? | Created in subscription ARM template?
Virtual Machines, Disks, Snapshots | | |
Storage Accounts | | |
Network Security Groups, Network Interfaces, NAT Gateways | | |
Virtual Networks | | |
Key Vaults, Security Keys | | |
Log Analytics Workspace | | |

Additional Permissions

If allowed, Tessell is granted the additional permissions below so that it can create and delete networks and encryption keys in the future automatically, without the customer having to run the ARM template.

{
  "type": "Microsoft.Authorization/roleDefinitions",
  "apiVersion": "2018-07-01",
  "name": "[variables('roleDefinitionNameTessellApp')]",
  "properties": {
    "roleName": "[concat('Tessell Operator - ', resourceGroup().name)]",
    "description": "Allow deployment and management of resources in an Azure subscription on behalf of Tessell",
    "type": "customRole",
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/diskEncryptionSets/read",
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/delete",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/networkInterfaces/write",
          "Microsoft.Network/networkInterfaces/delete",
          "Microsoft.Network/networkInterfaces/join/action",
          "Microsoft.Network/networkSecurityGroups/read",
          "Microsoft.Network/networkSecurityGroups/write",
          "Microsoft.Network/networkSecurityGroups/delete",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/publicIPAddresses/read",
          "Microsoft.Network/publicIPAddresses/write",
          "Microsoft.Network/publicIPAddresses/delete",
          "Microsoft.Network/publicIPAddresses/join/action",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Compute/virtualMachines/write",
          "Microsoft.Compute/virtualMachines/delete",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/powerOff/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Compute/virtualMachines/runCommand/action",
          "Microsoft.Compute/virtualMachines/runCommands/write",
          "Microsoft.Compute/virtualMachines/deallocate/action",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.OperationalInsights/workspaces/read",
          "Microsoft.KeyVault/vaults/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
          "Microsoft.OperationalInsights/workspaces/sharedkeys/action",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
          "Microsoft.Network/natGateways/write",
          "Microsoft.Network/natGateways/delete",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Storage/storageAccounts/write",
          "Microsoft.Storage/storageAccounts/delete",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Compute/snapshots/beginGetAccess/action",
          "Microsoft.Compute/snapshots/endGetAccess/action",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.KeyVault/vaults/secrets/write",
          "Microsoft.KeyVault/operations/read",
          "Microsoft.KeyVault/locations/operationResults/read",
          "Microsoft.KeyVault/vaults/keys/read",
          "Microsoft.KeyVault/vaults/keys/versions/read",
          "Microsoft.KeyVault/vaults/deploy/action",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Authorization/roleAssignments/read",
          "Microsoft.OperationalInsights/workspaces/datasources/write",
          "Microsoft.Compute/disks/beginGetAccess/action",
          "Microsoft.Compute/disks/endGetAccess/action",
          "Microsoft.Compute/locations/operations/read",
          "Microsoft.Storage/checknameavailability/read",
          "Microsoft.Storage/operations/read",
          "Microsoft.Storage/locations/checknameavailability/read",
          "Microsoft.OperationalInsights/locations/operationstatuses/read",
          "microsoft.operationalinsights/locations/operationStatuses/read",
          "Microsoft.OperationalInsights/workspaces/tables/write",
          "Microsoft.OperationalInsights/workspaces/tables/read",
          "Microsoft.OperationalInsights/workspaces/tables/delete",
          "Microsoft.OperationalInsights/workspaces/tables/query/read",
          "Microsoft.OperationalInsights/workspaces/query/*/read",
          "microsoft.operationalinsights/workspaces/tables/write",
          "microsoft.operationalinsights/workspaces/tables/read",
          "microsoft.operationalinsights/workspaces/tables/delete",
          "Microsoft.Network/natGateways/read",
          "Microsoft.Network/natGateways/join/action",
          "Microsoft.Compute/galleries/images/versions/read",
          "Microsoft.Compute/galleries/images/versions/write",
          "Microsoft.Compute/galleries/images/versions/delete",
          "Microsoft.Network/privateLinkServices/read",
          "Microsoft.Network/privateLinkServices/write",
          "Microsoft.Network/privateLinkServices/delete",
          "Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action",
          "Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/delete",
          "Microsoft.Network/locations/autoApprovedPrivateLinkServices/read",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/loadBalancers/write",
          "Microsoft.Network/loadBalancers/delete",
          "Microsoft.Network/loadBalancers/health/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/queryInboundNatRulePortMapping/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/updateAdminState/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/health/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/write",
          "Microsoft.Network/loadBalancers/backendAddressPools/read",
          "Microsoft.Network/loadBalancers/backendAddressPools/delete",
          "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
          "Microsoft.Network/loadBalancers/backendAddressPools/backendPoolAddresses/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/read",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/write",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/delete",
          "Microsoft.Network/loadBalancers/frontendIPConfigurations/loadBalancerPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
          "Microsoft.Network/loadBalancers/inboundNatPools/read",
          "Microsoft.Network/loadBalancers/inboundNatRules/read",
          "Microsoft.Network/loadBalancers/inboundNatRules/write",
          "Microsoft.Network/loadBalancers/inboundNatRules/delete",
          "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
          "Microsoft.Network/loadBalancers/loadBalancingRules/read",
          "Microsoft.Network/loadBalancers/loadBalancingRules/health/action",
          "Microsoft.Network/loadBalancers/networkInterfaces/read",
          "Microsoft.Network/loadBalancers/outboundRules/read",
          "Microsoft.Network/loadBalancers/probes/read",
          "Microsoft.Network/loadBalancers/probes/join/action",
          "Microsoft.Network/loadBalancers/virtualMachines/read",
          "Microsoft.Network/locations/availablePrivateEndpointTypes/read",
          "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
          "Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action",
          "Microsoft.Authorization/locks/read",
          "Microsoft.Authorization/locks/write",
          "Microsoft.Authorization/locks/delete",
          "Microsoft.Network/networkSecurityGroups/securityRules/read",
          "Microsoft.Network/networkSecurityGroups/securityRules/write",
          "Microsoft.Network/networkSecurityGroups/securityRules/delete",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/write",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
          "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.KeyVault/vaults/write",
          "Microsoft.Compute/diskEncryptionSets/write",
          "Microsoft.Compute/diskEncryptionSets/delete",
          "Microsoft.Network/virtualNetworks/delete",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/subnets/delete",
          "Microsoft.OperationalInsights/workspaces/delete",
          "Microsoft.KeyVault/vaults/delete",
          "Microsoft.KeyVault/vaults/keys/write",
          "Microsoft.KeyVault/vaults/accessPolicies/write",
          "Microsoft.Network/virtualNetworks/peer/action"
        ],
        "notActions": [
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Compute/galleries/share/action"
        ],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.KeyVault/vaults/keys/encrypt/action",
          "Microsoft.KeyVault/vaults/keys/decrypt/action",
          "Microsoft.KeyVault/vaults/secrets/delete",
          "Microsoft.KeyVault/vaults/secrets/getSecret/action",
          "Microsoft.KeyVault/vaults/secrets/update/action",
          "Microsoft.KeyVault/vaults/secrets/purge/action",
          "Microsoft.KeyVault/vaults/secrets/setSecret/action",
          "Microsoft.Compute/snapshots/download/action",
          "Microsoft.Compute/snapshots/upload/action",
          "Microsoft.Compute/disks/download/action",
          "Microsoft.Compute/disks/upload/action",
          "Microsoft.KeyVault/vaults/keys/create/action",
          "Microsoft.KeyVault/vaults/keys/update/action",
          "Microsoft.KeyVault/vaults/keys/delete",
          "Microsoft.KeyVault/vaults/keys/purge/action",
          "Microsoft.KeyVault/vaults/keys/import/action"
        ],
        "notDataActions": []
      }
    ],
    "assignableScopes": [
      "[resourceGroup().Id]"
    ]
  }
}

The table below is a convenient representation of the permissions above.

Resource Type | Permissions to Create New? | Permissions to Manage Tessell-created? | Created in subscription ARM template?
Virtual Machines, Disks, Snapshots | | |
Storage Accounts | | |
Network Security Groups, Network Interfaces, NAT Gateways | | |
Virtual Networks | | |
Key Vaults, Security Keys | | |
Log Analytics Workspace | | |
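Before assigning either custom role, a reviewer will want to see exactly which operations the "Additional Permissions" variant adds over the default one, and to check the role against a couple of least-privilege rules (no wildcard grants, assignable scope no wider than one resource group). The script below is an added example, not Tessell's code; it uses constructed, abbreviated excerpts of the two role definitions above (the logic runs unchanged on the full JSON), and the two review rules are the editor's own choices.

```python
import copy

# Constructed, abbreviated excerpt of the "Default Permissions" role above
# (assumption: only a handful of the listed operations are reproduced here).
DEFAULT_ROLE = {"properties": {
    "permissions": [{
        "actions": ["Microsoft.Network/virtualNetworks/read",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.Compute/diskEncryptionSets/read",
                    "Microsoft.Authorization/locks/write"],
        "notActions": ["Microsoft.Authorization/elevateAccess/Action"],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
                        "Microsoft.KeyVault/vaults/keys/decrypt/action"],
        "notDataActions": []}],
    "assignableScopes": ["[resourceGroup().Id]"]}}

# The "Additional Permissions" variant: same base plus a few of the create/delete
# rights for networks, vaults and keys that the second definition above adds.
ADDITIONAL_ROLE = copy.deepcopy(DEFAULT_ROLE)
ADDITIONAL_ROLE["properties"]["permissions"][0]["actions"] += [
    "Microsoft.Network/virtualNetworks/write", "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.KeyVault/vaults/write", "Microsoft.KeyVault/vaults/keys/write",
    "Microsoft.Compute/diskEncryptionSets/write"]
ADDITIONAL_ROLE["properties"]["permissions"][0]["dataActions"] += [
    "Microsoft.KeyVault/vaults/keys/create/action", "Microsoft.KeyVault/vaults/keys/purge/action"]


def permission_sets(role):
    """Control-plane and data-plane operations a role grants, minus its not* lists.
    Exact-string matching only; Azure's own wildcard expansion is not modelled."""
    perms = role["properties"]["permissions"][0]
    actions = set(perms["actions"]) - set(perms.get("notActions", []))
    data = set(perms["dataActions"]) - set(perms.get("notDataActions", []))
    return actions, data


def added_permissions(base, extended):
    """Operations present in `extended` but absent from `base`, sorted for review."""
    base_actions, base_data = permission_sets(base)
    ext_actions, ext_data = permission_sets(extended)
    return {"actions": sorted(ext_actions - base_actions),
            "dataActions": sorted(ext_data - base_data)}


def review_findings(role):
    """Least-privilege checks: wildcard grants, and scopes wider than one resource group."""
    findings = []
    actions, data = permission_sets(role)
    findings += [f"wildcard grant: {op}" for op in sorted(actions | data) if "*" in op]
    for scope in role["properties"]["assignableScopes"]:
        # "[resourceGroup().Id]" is the ARM expression used above; a concrete
        # resource-group scope contains "/resourceGroups/" in its path.
        if scope != "[resourceGroup().Id]" and "/resourcegroups/" not in scope.lower():
            findings.append(f"scope wider than a resource group: {scope}")
    return findings


if __name__ == "__main__":
    for kind, ops in added_permissions(DEFAULT_ROLE, ADDITIONAL_ROLE).items():
        print(kind, *ops, sep="\n  ")
    print(*review_findings(ADDITIONAL_ROLE), sep="\n")
```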
