Assign users Azure ML and prevent the deployment of compute other than via TRE API #1204

Closed
marrobi opened this issue Jan 28, 2022 · 1 comment · Fixed by #2539

marrobi commented Jan 28, 2022

Description

As a TRE Administrator
I want Workspace Researchers to be automatically granted access to Azure ML
So that they can access the workspace without configuration in Azure

As a TRE Administrator
I do not want AML Users to be able to create compute outside of that enabled via TRE user resources
So that compute is incorrectly configured allowing data exfiltration

This will likely need a group creating for each application role and that group assigning to an Azure ML RBAC role.

Or alternatively a script as part of the bundle that reads assigned users to the application role and grants them access to Azure ML. This will need to be "refreshed" via a custom action.

marrobi added this to the Release 0.4 milestone Jan 28, 2022
microsoft deleted a comment from CalMac-tns Mar 2, 2022
marrobi modified the milestones: Release 0.4, Backlog Jun 29, 2022
marrobi modified the milestones: Backlog, Release 0.5 Aug 17, 2022

marrobi commented Sep 2, 2022

@LizaShak @anatbal I could do with passing the output of `_get_batch_users_by_role_assignments_body` to the resource processor so the AML bundle can assign AML roles to the principal IDs.

What approach would you take? I know we discussed having APIs returning users for a workspace.

For now I'm going to do it in the bundle with Bash, but that feels messy.

marrobi self-assigned this Sep 3, 2022
marrobi mentioned this issue Sep 3, 2022