Schemas/permissions.schema.json

{
    "$schema": "http://json-schema.org/draft-07/schema",
    "type": "object",
    "title": "Azure Management RBAC Permissions Schema",
    "description": "Declarative list of Azure permissions (RBAC role assignments, SQL database roles and Data Lake ACLs) to be deployed",
    "default": {},
    "examples": [],
    "required": [
        "permissions"
    ],
    "properties": {
        "permissions": {
            "$id": "#/properties/permissions",
            "type": "array",
            "title": "The permissions schema",
            "description": "Each object defines a permission to be deployed",
            "default": [],
            "examples": [],
            "additionalItems": false,
            "items": {
                "$id": "#/properties/permissions/items",
                "anyOf": [
                    {
                        "$id": "#/properties/permissions/items/anyOf/0",
                        "type": "object",
                        "title": "Azure RBAC Permission",
                        "description": "Assign an Azure RBAC role to an AAD principal at the given resource scope",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Security SP Needs to be able to manage lake permissions",
                                "type": "rbac",
                                "scope": "/subscriptions/312312-23123123-23131231/resourceGroups/RGNAME/providers/Microsoft.Storage/storageAccounts/strgAccountName",
                                "principalType": "Application",
                                "principalName": "my-application-name-from-aad",
                                "role": "Storage Blob Data Reader"
                            }
                        ],
                        "required": [
                            "type",
                            "scope",
                            "principalType",
                            "principalName",
                            "role"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the lake"
                                ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/type",
                                "type": "string",
                                "enum": [
                                    "rbac"
                                ],
                                "title": "The type of permissions",
                                "description": "Type of permission (rbac for an Azure RBAC role assignment)",
                                "default": "rbac",
                                "examples": [
                                    "rbac"
                                ]
                            },
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/scope",
                                "type": "string",
                                "title": "The scope schema",
                                "description": "Resource ID of the Azure resource the role is assigned at (see the Properties blade in the portal)",
                                "default": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
                                "examples": [
                                    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalType",
                                "type": "string",
                                "title": "AAD Object Type",
                                "description": "AAD object type of the principal: Application, Group, User or MSI",
                                "default": "Group",
                                "enum": ["Group", "Application", "User", "MSI"],
                                "examples": [
                                    "Application"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "AAD Display Name of the principal - must be exact match",
                                "default": "",
                                "examples": []
                            },
                            "role": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/role",
                                "type": "string",
                                "title": "Azure Role",
                                "description": "The name of the Azure Role - such as Contributor",
                                "default": "Reader",
                                "examples": [
                                    "Storage Blob Data Contributor",
                                    "Owner",
                                    "Contributor",
                                    "Reader"
                                ]
                            }
                        },
                        "additionalProperties": false
                    },
                    {
                        "$id": "#/properties/permissions/items/anyOf/1",
                        "type": "object",
                        "title": "SQL Database Role Permission",
                        "description": "Add an AAD Group, User or Application to a database role",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Reader access for the Developers AD Group",
                                "type": "sql",
                                "scope": "/subscriptions/c56006d3-f9cd-48e8-ad27-a501d64f190c/resourceGroups/rg-nucleus-dev-euw-001/providers/Microsoft.Sql/servers/my-sql-server/databases/my-sql-db",
                                "principalType": "AAD",
                                "principalName": "My AAD Group Name",
                                "databaseRole": "db_datareader"
                            }
                        ],
                        "required": [
                            "type",
                            "scope",
                            "principalType",
                            "principalName",
                            "databaseRole"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the database"
                                ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["sql"],
                                "default": "sql",
                                "examples": [
                                    "sql"
                                ]
                            },
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/scope",
                                "type": "string",
                                "title": "The scope schema",
                                "description": "Resource ID of the Azure SQL database the role is applied in (see the Properties blade in the portal)",
                                "default": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
                                "examples": [
                                    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/databases/{dbName}"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalType",
                                "type": "string",
                                "title": "Principal Type",
                                "description": "Type of SQL principal (AAD account or SQL login)",
                                "default": "AAD",
                                "enum": ["AAD","SQL"],
                                "examples": [
                                    "AAD", "SQL"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the database principal to be created/added to role",
                                "default": "MyUserName",
                                "examples": []
                            },
                            "databaseRole": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/databaseRole",
                                "type": "string",
                                "title": "Database Role",
                                "description": "Role to add the user to - will be created if it does not exist",
                                "default": "",
                                "examples": [
                                    "db_owner",
                                    "db_datareader",
                                    "db_datawriter"
                                ]
                            }
                        },
                        "additionalProperties": false
                    },
                    {
                        "$id": "#/properties/permissions/items/anyOf/datalake",
                        "type": "object",
                        "title": "Data Lake ACL Permission",
                        "description": "Apply a Data Lake ACL to a path; propagation to child folders is controlled by applyToSubFolders",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Example Lake permission for subfolder/AAD Group",
                                "type": "datalake",
                                "path": "LANDED/TEST1/",
                                "principalType": "group",
                                "principalName": "GDAI_Imperial_GDP",
                                "permission": "xrw",
                                "applyMinimumPermissionsToParentFolders": false
                            }
                        ],
                        "required": [
                            "type",
                            "principalType",
                            "principalName",
                            "path",
                            "permission"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [ ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["datalake"],
                                "default": "datalake",
                                "examples": [
                                    "datalake"
                                ]
                            },
                            "path": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/path",
                                "type": "string",
                                "title": "Path",
                                "description": "Folder path from the root (leading and trailing / are ignored). Slashes must be forward slashes. Use a single / for the root.",
                                "default": "",
                                "examples": [
                                    "Sourced/System/Entity",
                                    "/"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalType",
                                "type": "string",
                                "title": "Principal Type",
                                "description": "Type of AAD principal",
                                "default": "Group",
                                "enum": ["Group","User","MSI", "Application"],
                                "examples": [
                                    "Group", "Application"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the principal to be added",
                                "default": "My AAD Group Name",
                                "examples": []
                            },
                            "permission": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/permission",
                                "type": "string",
                                "title": "Permission",
                                "description": "x = execute (required whenever any permission is granted), r = read, w = write; letters must appear in that order. An empty string removes the principal's permissions.",
                                "default": "xrw",
                                "enum": ["xrw",
                                    "xr",
                                    "xw",
                                    "x",
                                    ""],
                                "examples": [
                                    "xrw",
                                    "xr",
                                    "xw",
                                    "x"
                                ]
                            },
                            "aclType": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/aclType",
                                "type": "string",
                                "title": "ACL Type",
                                "description": "Enum for selecting the type of ACL which should be applied. Access applies directly to target directory. Default applies a template for future child objects to inherit from. Both applies both Access and Default.",
                                "default": "Access",
                                "enum": [
                                    "Access",
                                    "Default",
                                    "Both"
                                ],
                                "examples": [
                                    "Access",
                                    "Default",
                                    "Both"
                                ]
                            },
                            "applyMinimumPermissionsToParentFolders": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/applyMinimumPermissionsToParentFolders",
                                "type": "boolean",
                                "title": "Apply Minimum Permissions to Parent Folders",
                                "description": "Boolean value indicating whether or not to apply Read/Execute permissions to Parent objects. These permissions are required from the root directory to the target folder so they can be viewed within Storage Explorer. Set to false if access is already provided by other permissions, or you are assigning access to the root directory.",
                                "default": true,
                                "examples": [true, false]
                            },
                            "applyToSubFolders": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/applyToSubFolders",
                                "type": "boolean",
                                "title": "Apply to Sub Folders",
                                "description": "Boolean value indicating whether or not ACL permissions should be propagated to child folders.",
                                "default": true,
                                "examples": [true, false]
                            }
                        },
                        "additionalProperties": false
                    }
                ]
            }
        }
    },
    "additionalProperties": true
}