Enforcing Permission "Jails" with Role Definitions

Kion enhances your normal ability to grant users access to Azure Resources by effectively allowing you to deny permissions across your role definitions. In doing this, you
can set "permission jails" so your users can't grant themselves too much permission on certain resources in Azure.

When Kion applies your Azure Role Definitions to your Azure Subscriptions, it will merge the contents of all of the role definitions for individual Cloud Access Roles and
their Cloud Rules. This means if you have two Cloud Rules and two Cloud Access Roles on a project in Kion, the first Cloud Access Role's Azure Role Definitions will be merged
together with the roles in the two Cloud Rules but not the roles in the second Cloud Access Role. Likewise, the second Cloud Access Role will have its Azure Role Definitions merged with
the roles in the two Cloud Rules.

How does this benefit us? As an example, suppose we want to prevent the use of Azure Cosmos Database for only certain sets of users. We can't do this with
Azure Policy, because a policy would make it so that either everyone or no one can create Azure Cosmos Databases in a given subscription. However, because of Kion's
Azure Role Definition merging, we can create a definition with the following contents:

{"actions":[],"notActions":["Microsoft.DocumentDb/*"]}

Because of the Role Definition merging, this will prevent access to Azure Cosmos Database only for specific sets of users. When Kion merges the Azure Role Definition with (for example)
the Owner role, it would actually apply this Role Definition:

{"actions":["*"],"notActions":["Microsoft.DocumentDb/*"]}

This new Role Definition will make it so users accessing Azure will be able to perform all of the actions that an Owner can perform, but nothing involving Azure Cosmos Database.

Now, we attach this Azure Role Definition through a Cloud Rule high up in our OU structure so that all the OUs and projects underneath cannot use Azure Cosmos Database. If a team needs to use it, they can
create a Cloud Access Role with an exemption from that Cloud Rule; any users who access Azure through that Cloud Access Role can then perform actions with Azure Cosmos Database, while all other users cannot.
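The merging and evaluation described above, as an added model in Python (not Kion's own code). It assumes a role definition is a dict with "actions" and "notActions" lists, that merging is the union of those lists as the page describes, and that an action is permitted only when it matches an "actions" entry and no "notActions" entry, which is standard Azure RBAC evaluation; the `effective_role`, `merge_role_definitions` and `is_allowed` names are this example's own.

```python
# Added example: model of Kion-style Azure Role Definition merging and the
# resulting "permission jail". Not Kion's implementation; merge semantics
# (union of lists) are an assumption taken from the page's description.
from fnmatch import fnmatchcase


def merge_role_definitions(*definitions):
    """Union the actions and notActions of several role definitions."""
    merged = {"actions": [], "notActions": []}
    for definition in definitions:
        for key in ("actions", "notActions"):
            for entry in definition.get(key, []):
                if entry not in merged[key]:
                    merged[key].append(entry)
    return merged


def _matches(action, patterns):
    # Azure operation names are case-insensitive; '*' matches across '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(action, definition):
    """Allowed only if granted by actions and not withdrawn by notActions."""
    return _matches(action, definition["actions"]) and not _matches(
        action, definition["notActions"]
    )


def effective_role(cloud_access_role_defs, cloud_rule_defs):
    """One Cloud Access Role's definitions merged with the project's Cloud Rules.
    Other Cloud Access Roles on the project are deliberately not merged in."""
    return merge_role_definitions(*cloud_access_role_defs, *cloud_rule_defs)


# Constructed inputs: an Owner-like role on a Cloud Access Role, plus the
# Cloud Rule from the page that jails Azure Cosmos Database.
OWNER = {"actions": ["*"], "notActions": []}
COSMOS_JAIL = {"actions": [], "notActions": ["Microsoft.DocumentDb/*"]}

if __name__ == "__main__":
    jailed = effective_role([OWNER], [COSMOS_JAIL])
    exempt = effective_role([OWNER], [])  # Cloud Access Role exempted from the rule
    print(jailed)
    print(is_allowed("Microsoft.DocumentDb/databaseAccounts/write", jailed))  # False
    print(is_allowed("Microsoft.Compute/virtualMachines/write", jailed))  # True
    print(is_allowed("Microsoft.DocumentDb/databaseAccounts/write", exempt))  # True
```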