Source: Tenable Blog
Author: Lior Zatlavi
URL: https://www.tenable.com/blog/creating-elegant-azure-custom-roles-putting-notactions-into-action
# ONE SENTENCE SUMMARY:
Using Azure’s “NotActions” and “NotDataActions” attributes simplifies custom Role creation, making them more manageable, secure, and efficient.
# MAIN POINTS:
1. Azure RBAC enables assigning permissions via built-in or custom Roles using JSON-based role definitions.
2. “Actions” and “DataActions” define allowed control plane and data plane operations, respectively.
3. “NotActions” and “NotDataActions” exclude specific permissions from those granted in “Actions” and “DataActions.”
4. Wildcards (*) help simplify permission definitions by grouping multiple related actions.
5. “NotActions” is not a deny rule; an operation excluded by “NotActions” in one Role can still be granted to the same principal by a different Role assignment.
6. Tenable Cloud Security analyzes permissions and suggests least-privileged custom Roles based on actual usage.
7. Automatically generated least-privileged Roles reduce security risks by limiting unnecessary permissions.
8. Using “NotActions” significantly reduces Role definition size, improving readability and manageability.
9. Compact, structured Roles make debugging and auditing permissions much easier.
10. Testing in a lower environment before applying custom Roles in production is crucial for security.
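The points above on “Actions,” “NotActions,” wildcards and the non-deny semantics can be made concrete with a small model of how Azure evaluates a custom Role. The following Python is an added example, not code from the Tenable post or from Tenable Cloud Security; the Role definitions, the Role names and the short operation catalogue are constructed for illustration (the operation strings follow Azure's `Provider/resourceType/operation` form, but only a handful of `Microsoft.Compute` operations are listed). It shows that a verbose Role listing every permitted operation and a compact Role built from one wildcard grant plus “NotActions” carve-outs yield the same effective permissions, and that an operation carved out of one Role is still allowed when another assigned Role grants it.

```python
"""Added example: model how Azure RBAC evaluates a custom Role definition.

Effective permissions of one Role assignment = Actions minus NotActions
(and, on the data plane, DataActions minus NotDataActions). Across several
assignments the results are unioned, which is why NotActions is not a deny
rule (Azure deny assignments are a separate mechanism, not modelled here).
Role definitions and the operation catalogue below are constructed.
"""
import re

# Constructed subset of Microsoft.Compute virtual-machine operations.
VM_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/extensions/delete",
]

# Verbose form (constructed): every permitted operation spelled out.
VERBOSE_ROLE = {
    "Name": "VM Operator (verbose, constructed)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
    ],
    "NotActions": [],
}

# Compact form (constructed): one wildcard grant, then carve out with
# NotActions what the role must not be able to do. On a real provider
# namespace with hundreds of operations this is far shorter than the
# verbose form, and the exclusions read as an explicit security decision.
COMPACT_ROLE = {
    "Name": "VM Operator (compact, constructed)",
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/runCommand/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
    ],
    # Data-plane permissions are a separate pair of lists.
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
    "NotDataActions": [],
}

# A second constructed Role granting exactly one operation that the compact
# Role excludes. Assigning both shows NotActions is not a deny.
RUN_COMMAND_ROLE = {
    "Name": "VM Run Command (constructed)",
    "Actions": ["Microsoft.Compute/virtualMachines/runCommand/action"],
    "NotActions": [],
}

_PLANES = {
    "control": ("Actions", "NotActions"),
    "data": ("DataActions", "NotDataActions"),
}


def matches(pattern: str, operation: str) -> bool:
    """Wildcard match as Azure applies it: '*' matches any run of characters,
    including '/', so "Microsoft.Compute/*/read" covers nested resource
    types; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, plane: str = "control") -> bool:
    """One Role permits an operation only if some grant pattern matches it
    and no exclusion pattern on the same plane matches it."""
    grant_key, exclude_key = _PLANES[plane]
    granted = any(matches(p, operation) for p in role.get(grant_key, []))
    excluded = any(matches(p, operation) for p in role.get(exclude_key, []))
    return granted and not excluded


def effective_operations(role: dict, catalogue, plane: str = "control"):
    """Set of catalogue operations the Role actually permits."""
    return frozenset(op for op in catalogue if role_allows(role, op, plane))


def is_allowed(assigned_roles, operation: str, plane: str = "control") -> bool:
    """Across assignments permissions are unioned: an exclusion in one Role
    does not cancel a grant of the same operation in another Role."""
    return any(role_allows(r, operation, plane) for r in assigned_roles)


if __name__ == "__main__":
    for role in (VERBOSE_ROLE, COMPACT_ROLE):
        print(role["Name"], sorted(effective_operations(role, VM_OPERATIONS)))
    op = "Microsoft.Compute/virtualMachines/runCommand/action"
    print("compact alone:", is_allowed([COMPACT_ROLE], op))
    print("compact + run-command role:", is_allowed([COMPACT_ROLE, RUN_COMMAND_ROLE], op))
```

When reviewing a compact Role, the useful check is the one the script performs: compute the effective set against the provider's full operation list rather than reading the wildcard, and remember that any other assignment at the same or a parent scope can hand back what “NotActions” removed.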
# TAKEAWAYS:
1. Leveraging “NotActions” and “NotDataActions” streamlines custom Role creation and enhances security.
2. Wildcards simplify permission management by avoiding lengthy, repetitive role definitions.
3. Least-privileged Roles mitigate security risks by restricting unnecessary access.
4. Tenable Cloud Security automates permission analysis and generates optimized Role suggestions.
5. Properly structured custom Roles improve operational efficiency and ease of maintenance.