Possible unnecessary permission assignments for Policy #952

Open
MikaelJcSoderberg opened this issue Feb 3, 2025 · 3 comments · May be fixed by #957
Labels
Area: Policy 📝 Issues / PR's related to Policy Status: In PR 👉 This is when an issue is due to be fixed in an open PR Type: Bug 🪲 Something isn't working

Comments

@MikaelJcSoderberg

As part of this commit, an additional Management Group, "landingZones", was added for a secondary permission assignment.

301891f

There have been some additions to the ChangeTracking and monitoring policies as well, in these follow-up issues:
#815
#943
#946

I agree that these seven policies that are assigned at the landingZones Management Group also need an assignment at the Platform Management Group scope, to be able to interact with the UAMI and DCR resources:
Deploy-vmArc-ChangeTrack
Deploy-VMSS-ChangeTrack
Deploy-VMSS-ChangeTrack
Deploy-vmHybr-Monitoring
Deploy-VM-Monitor-24
Deploy-VMSS-Monitor-24
Deploy-MDFC-DefSQL-AMA

What I don't agree with is that these seven policies that are assigned at the Platform Management Group also assign permissions at the landingZones Management Group scope:
Deploy-vmArc-ChangeTrack
Deploy-VMSS-ChangeTrack
Deploy-VMSS-ChangeTrack
Deploy-vmHybr-Monitoring
Deploy-VM-Monitor-24
Deploy-VMSS-Monitor-24
Deploy-MDFC-DefSQL-AMA

I just don't see why a policy that is assigned at Platform would need permissions in the landingZones Management Group.
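To make the distinction in the comment above checkable, here is an added audit script (it is not code from the Azure Landing Zones repo). It models a policy assignment as a scope plus the managed identity's principal ID, and an optional list of "dependency scopes" where the remediation must read resources it does not own (the UAMI and DCR in Platform). Every role assignment held by that identity is then classified: at or below the assignment scope is expected, a declared dependency scope is expected, an ancestor scope is broader than needed, and anything else is unrelated. The management group names, principal IDs, role names and sample assignments are constructed for illustration and are not taken from the repo.

```python
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy (child -> parent, None for the root). The names are
# assumptions for this example, not the repo's real management group IDs.
MG_PARENT = {
    "alz": None,
    "alz-platform": "alz",
    "alz-landingzones": "alz",
}


def mg_id(name: str) -> str:
    return MG_PREFIX + name


def mg_name(scope: str) -> str:
    if not scope.startswith(MG_PREFIX):
        raise ValueError(f"not a management group scope: {scope}")
    return scope[len(MG_PREFIX):]


def is_under(name: str, ancestor: str) -> bool:
    """True if management group `name` is `ancestor` or sits below it."""
    cur = name
    while cur is not None:
        if cur == ancestor:
            return True
        cur = MG_PARENT[cur]
    return False


@dataclass(frozen=True)
class PolicyAssignment:
    name: str
    scope: str                  # management group the policy is assigned to
    principal_id: str           # object ID of the assignment's managed identity
    dependency_scopes: tuple = ()  # scopes holding resources the remediation must read


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: str
    scope: str


def classify(pa: PolicyAssignment, ra: RoleAssignment) -> str:
    home, target = mg_name(pa.scope), mg_name(ra.scope)
    if is_under(target, home):
        return "in-scope"       # needed to remediate resources under the assignment
    if ra.scope in pa.dependency_scopes:
        return "dependency"     # e.g. a landingZones policy reading the UAMI/DCR in Platform
    if is_under(home, target):
        return "broader"        # granted at an ancestor: more reach than the policy needs
    return "unrelated"          # a sibling scope the policy never touches


def audit(assignments, role_assignments):
    """Return (policy, assigned at, role, granted at, verdict) for every role
    assignment that is neither in-scope nor a declared dependency."""
    by_principal = {}
    for ra in role_assignments:
        by_principal.setdefault(ra.principal_id, []).append(ra)
    findings = []
    for pa in assignments:
        for ra in by_principal.get(pa.principal_id, []):
            verdict = classify(pa, ra)
            if verdict in ("broader", "unrelated"):
                findings.append((pa.name, mg_name(pa.scope), ra.role, mg_name(ra.scope), verdict))
    return findings


# Constructed sample mirroring the issue: the same policy assigned at both
# landingZones and Platform, plus one assignment granted at the root.
PLATFORM, LANDINGZONES, ROOT = mg_id("alz-platform"), mg_id("alz-landingzones"), mg_id("alz")

SAMPLE_ASSIGNMENTS = [
    PolicyAssignment("Deploy-VM-Monitor-24", LANDINGZONES, "1111", dependency_scopes=(PLATFORM,)),
    PolicyAssignment("Deploy-VM-Monitor-24", PLATFORM, "2222"),
    PolicyAssignment("Deploy-MDFC-DefSQL-AMA", PLATFORM, "3333"),
]
SAMPLE_ROLE_ASSIGNMENTS = [
    RoleAssignment("1111", "Virtual Machine Contributor", LANDINGZONES),  # in-scope
    RoleAssignment("1111", "Managed Identity Operator", PLATFORM),        # declared dependency
    RoleAssignment("2222", "Virtual Machine Contributor", PLATFORM),      # in-scope
    RoleAssignment("2222", "Managed Identity Operator", LANDINGZONES),    # unrelated: the issue's complaint
    RoleAssignment("3333", "Virtual Machine Contributor", ROOT),          # broader than needed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_ASSIGNMENTS):
        print(*finding)
```

Against real data you would build the same two lists from the policy assignments' `identity.principalId` (for example from `az policy assignment list --scope <mg-id>`) and from `az role assignment list --assignee <principalId> --all`, and populate `dependency_scopes` only for the policies the comment above identifies as needing Platform access. The rule is deliberately asymmetric: a landingZones assignment may declare Platform as a dependency, but a Platform assignment has no declared reason to hold anything under landingZones, so that grant is reported.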

@oZakari
Contributor

oZakari commented Feb 4, 2025

Hi @MikaelJcSoderberg, agreed—I’ll include this change in the upcoming PR for the policy refresh. I may have overthought that one a bit! 😄

@oZakari oZakari added Type: Bug 🪲 Something isn't working Area: Policy 📝 Issues / PR's related to Policy labels Feb 4, 2025
@MikaelJcSoderberg
Author

MikaelJcSoderberg commented Feb 10, 2025

Do you know the reasoning behind having duplicate assignments (Platform and landingZones)?
I would assign at the intermediate root and remove the problem from the start.
I assume the reason would be least privilege; I also assume you inherited the assignment scope from Enterprise-Scale, so there is not much to do.

@oZakari
Contributor

oZakari commented Feb 11, 2025

Hey @MikaelJcSoderberg, I believe principle of least privilege is the reasoning, but @arjenhuitema can confirm as he was one of the architects for the overall design.

@oZakari oZakari linked a pull request Feb 13, 2025 that will close this issue
@microsoft-github-policy-service microsoft-github-policy-service bot added the Status: In PR 👉 This is when an issue is due to be fixed in an open PR label Feb 13, 2025