0

I want to know if we assign somebody as a contributor role on Azure, then can he or she see the data by default for resources?

Armali
VIshal Tile

2 Answers

1

Of course, the Contributor role can create and manage all types of Azure resources. But you should add the role under the subscription; if you just add it in e.g. storage, then it will not be able to access the other resources.

See: https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-rbac-roles

Update:

If we try to download the blob in the portal with a contributor role, we can download it successfully. But we should note, the permission is not from the contributor directly: because the contributor has the permission to list account keys, the portal will do the operations on behalf of us. So more accurately, the contributor could not access the blob directly.

Joy Wang
  • okay, so if we add user as a contributor to storage , can user see all the blob containers and its data? OR lets assume after adding user to DEV Azure SQL DB resource , can he/she directly login and see the tables data? – VIshal Tile Jan 23 '19 at 03:24
  • 1
    No, you can't use contributor role to access blob containers and their data in a storage account, since it needs other roles (Storage Blob Data Contributor/Reader/Owner). See this doc for more details: https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac – Zhaoxing Lu Jan 23 '19 at 04:21
  • @ZhaoxingLu-Microsoft Are you sure? AFAIK, the permissions of the `contributor` are more than the permissions of the preview roles you mentioned. BTW, I can download the blob via a service principal with a contributor role in the powershell, could you explain for it? – Joy Wang Jan 23 '19 at 05:46
  • Okay, I can elaborate one example here, one of my colleague was having contributor role on all dev resources however he was not able to connect to Azure dev database and see the tables. Later Admin of that database resource has given access to that user's principal account in database by creating login and db_datareader access. It means, even if user has contributor role , it only can manage the resources on portal but can not drill through the data contents. This is what I observed from my experience. – VIshal Tile Jan 23 '19 at 07:02
  • @VIshalTile SQL database is an exception. If you want to access the data, you need to configure the user account with the Azure AD admin: go to your SQL server -> `Active Directory admin` -> `Set admin` -> add your account, then it will work fine. More details see: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication – Joy Wang Jan 23 '19 at 07:39
  • 1
    Yes, once you set yourself as admin then you can see all the data, else only if access permission given to database. That is correct. – VIshal Tile Jan 23 '19 at 09:52
  • @VIshalTile Most of the azure resources are applicable except some one like sql db. If my reply is helpful, you could accept it as the answer. – Joy Wang Jan 23 '19 at 09:55
  • @JoyWang Yes, only the roles mentioned in https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac#rbac-roles-for-blobs-and-queues can access storage blob/queue data. I've double confirmed this with internal team. – Zhaoxing Lu Jan 24 '19 at 03:14
  • @ZhaoxingLu-Microsoft But actually I can download the blob via a service principal only with a `contributor` role in the powershell, if I do something wrong? As you said, even if my account is an owner of the subscription, I could not download the blob? – Joy Wang Jan 24 '19 at 03:21
  • @JoyWang Could you share how your PowerShell commands look like? What's the version of your Azure PowerShell? – Zhaoxing Lu Jan 24 '19 at 05:36
  • @ZhaoxingLu-Microsoft My command: https://i.stack.imgur.com/W2wRc.png It is not related to the powershell version, the easiest way, I use the owner role account, I can download the blob in the portal, so `only the roles mentioned in learn.microsoft.com/en-us/azure/storage/common/… can access storage blob/queue data` is wrong. – Joy Wang Jan 24 '19 at 05:46
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/187224/discussion-between-zhaoxing-lu-microsoft-and-joy-wang). – Zhaoxing Lu Jan 24 '19 at 05:57
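The point of the accepted answer's update is the split between control-plane permissions (Actions, e.g. listing account keys) and data-plane permissions (DataActions, e.g. reading a blob). The following added Python example, which is not code from the answer or from Microsoft, evaluates constructed, simplified copies of three built-in role definitions the way Azure RBAC does (wildcard Actions minus NotActions) and reports whether each role reaches blob data directly, only indirectly through the account keys, or not at all. The role definitions are trimmed subsets and the two operation names are the ones the answer's discussion turns on.

```python
import fnmatch

# Constructed, simplified subsets of built-in role definitions
# (assumption: the real ones carry more NotActions than shown here).
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "DataActions": [],
        "NotDataActions": [],
    },
    "Reader": {
        "Actions": ["*/read"],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
    },
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
    },
}

# Control-plane operation that hands out the shared keys (what the portal uses)
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
# Data-plane operation for reading a blob with an Azure AD identity
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


def _permits(operation, allow, deny):
    """Azure RBAC matching: permitted if some allow pattern matches and no
    deny pattern matches. Matching is case-insensitive and '*' spans '/'."""
    op = operation.lower()
    allowed = any(fnmatch.fnmatchcase(op, p.lower()) for p in allow)
    denied = any(fnmatch.fnmatchcase(op, p.lower()) for p in deny)
    return allowed and not denied


def blob_access(role_name):
    """Return how a role reaches blob data: directly via DataActions,
    or indirectly because it may list the storage account keys."""
    role = ROLES[role_name]
    return {
        "direct": _permits(BLOB_READ, role["DataActions"], role["NotDataActions"]),
        "via_account_keys": _permits(LIST_KEYS, role["Actions"], role["NotActions"]),
    }
```

Contributor comes out with no direct data permission but with key access, which is why the portal download works and why a shared-key-enabled account should be reviewed as if Contributors could read its data.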
0

Generally, a contributor role is like a person who can contribute to the resources on Azure; to contribute he also gets read/write access as well. So if a user is a contributor on a database, he can view everything and modify everything in the database resource on Azure.

Ali Sufyan