-1

We are receiving security recommendations for one of our Azure SQL databases. I'm the owner of the subscription and can see those recommendations in the Azure SQL Security Center. I would like to delegate the resolution to one of the resource group contributors, but the same recommendations don't appear to them.

What additional permissions does an Azure resource group contributor need to see/accept/fix alerts from an Azure SQL in that resource group?

lpacheco

1 Answer

2

To be able to see alerts in security centre you want to grant them the "security reader" role. If they need to dismiss alerts then this is a bit trickier as the only roles that have this are "Security Admin" or subscription contributor or owner. You can see the role definitions here. If you don't want to grant those roles you can create a custom role that has the "Microsoft.Security/locations/alerts/dismiss/action" permission.

Fixing the issues in the alerts will come down to what needs to be done. The user fixing them will need the appropriate rights on the SQL Server to apply the fixes, but without knowing what they are it's difficult to say.

Sam Cogan
  • Thank you, @Sam. I gave them the Security Admin role in the resource group and they do see the findings now, but still can't see the recommendations. Is there another role they should have? – lpacheco Apr 15 '21 at 09:25
  • From the page you referred it seems that being Contributor and Security Admin would allow all actions but "Add/Assign initiative", but it didn't show recommendations to them. Could it take a while to take effect or is there something else I should check? – lpacheco Apr 15 '21 at 09:29
  • You mentioned you applied these rights at the resource group level. I am wondering if recommendations are at the subscription level; can you apply the right there? – Sam Cogan Apr 15 '21 at 09:31
  • I will try that, but I can't allow these developers to have contributor/owner at subscription level. – lpacheco Apr 15 '21 at 09:34
  • If it does require subscription level rights I would recommend creating a custom role that only provides the rights needed for security centre and nothing else – Sam Cogan Apr 15 '21 at 09:37
  • You were right, it does require subscription level rights. Thank you! – lpacheco Apr 15 '21 at 18:05
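
The custom role suggested in the answer and comments, sketched as an added example (not code from the original posts): it builds a role definition scoped to the subscription, checks that it grants nothing beyond read and alert dismissal, and shows the Azure CLI calls to create and assign it. The role name, function names and the `Microsoft.Security/*/read` wildcard are assumptions; only the dismiss action is named on this page.

```shell
#!/bin/sh
# Added example. ROLE_NAME and all function names are hypothetical.
ROLE_NAME="Security Alert Handler (custom)"

# Print a role definition for one subscription (pass its ID as $1).
build_security_role() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Read Security Center data and dismiss alerts only.",
  "Actions": [
    "Microsoft.Security/*/read",
    "Microsoft.Security/locations/alerts/dismiss/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/$1"
  ]
}
EOF
}

# Succeed only if every entry under "Actions" is a read action or the
# alert-dismiss action; anything else (write, delete, "*") fails.
only_read_and_dismiss() {
  printf '%s\n' "$1" | sed -n '/"Actions"/,/\]/p' |
    grep -Eo '"[^"]*[/*][^"]*"' | tr -d '"' |
    while read -r action; do
      case "$action" in
        */read|Microsoft.Security/locations/alerts/dismiss/action) ;;
        *) echo "unexpected action: $action" >&2; exit 1 ;;
      esac
    done
}

# Create the role and assign it at subscription scope, where the
# comments above found the rights are required.
# Usage: apply_role <subscription-id> <user-or-group-object-id>
apply_role() {
  role_file=$(mktemp) || return 1
  build_security_role "$1" > "$role_file"
  only_read_and_dismiss "$(cat "$role_file")" || return 1
  az role definition create --role-definition "@${role_file}" &&
    az role assignment create --assignee "$2" \
      --role "$ROLE_NAME" --scope "/subscriptions/$1"
}
```

Because the role carries no write actions, the developers still need their existing resource group Contributor assignment to apply fixes to the SQL server itself.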