Role-based access control

After authenticating and gaining access to the Azure environment, there is an additional layer that checks for access authorization to the resource and resource group. This additional layer is role-based access control (RBAC), which checks whether the user who is trying to access the resource has permissions to access and perform the activity it intends to perform. It is composed of three different components:

• Permissions: Also known as role definition
• Scope: The scope on which the permissions are evaluated. They are resource groups and resources
• Principal: The actor trying to access the resources. It could be a user, group, or a service principle

RBAC assigns permissions to a principle at a given scope. For example, contributor permission is assigned to a service principal for a resource group.

It is also hierarchical and flows down from subscription to the resource group, and finally to the resource level.

Any permissions assigned to a principal at a resource group scope automatically gets the same access for resources contained within that resource group.