src/Schemas/permissions.schema.json

{
    "$schema": "http://json-schema.org/draft-07/schema",
    "type": "object",
    "title": "Azure Management RBAC Permissions Schema",
    "description": "Azure Permissions",
    "default": {},
    "examples": [],
    "required": [
        "permissions"
    ],
    "properties": {
        "permissions": {
            "$id": "#/properties/permissions",
            "type": "array",
            "title": "The permissions schema",
            "description": "Each object defines a permission to be deployed",
            "default": [],
            "examples": [],
            "additionalItems": false,
            "items": {
                "$id": "#/properties/permissions/items",
                "anyOf": [
                    {
                        "$id": "#/properties/permissions/items/anyOf/0",
                        "type": "object",
                        "title": "Azure RBAC Permission",
                        "description": "Apply an AAD Role to any scoped object",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Security SP Needs to be able to manage lake permissions",
                                "type": "rbac",
                                "scope": "/subscriptions/312312-23123123-23131231/resourceGroups/RGNAME/providers/Microsoft.Storage/storageAccounts/strgAccountName",
                                "principalType": "Application",
                                "principalName": "my-application-name-from-aad",
                                "role": "Storage Blob Data Reader"
                            }
                        ],
                        "required": [
                            "type",
                            "scope",
                            "principalType",
                            "principalName",
                            "role"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the lake"
                                ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/type",
                                "type": "string",
                                "enum": [
                                    "rbac"
                                ],
                                "title": "The type of permissions",
                                "description": "An explanation about the purpose of this instance.",
                                "default": "rbac",
                                "examples": [
                                    "rbac"
                                ]
                            },
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/scope",
                                "type": "string",
                                "title": "The scope schema",
                                "description": "Scope to the Azure Resource (See the properties Blade in the portal)",
                                "default": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
                                "examples": [
                                    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalType",
                                "type": "string",
                                "title": "AAD Object Type",
                                "description": "Application/Group/User/MSI",
                                "default": "Group",
                                "enum": ["Group", "Application", "User", "MSI"],
                                "examples": [
                                    "Application"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "AAD Display Name of the principal - must be exact match",
                                "default": "",
                                "examples": []
                            },
                            "role": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/role",
                                "type": "string",
                                "title": "Azure Role",
                                "description": "The name of the Azure Role - such as Contributor",
                                "default": "Reader",
                                "examples": [
                                    "Storage Blob Data Contributor",
                                    "Owner",
                                    "Contributor",
                                    "Reader"
                                ]
                            }
                        },
                        "additionalProperties": false
                    },
                    {
                        "$id": "#/properties/permissions/items/anyOf/1",
                        "type": "object",
                        "title": "SQL Database Role Permission",
                        "description": "Add an AAD Group, User or Application to a database role",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Reader access for the Developers AD Group",
                                "type": "sql",
                                "scope": "Control",
                                "principalType": "AAD",
                                "principalName": "My AAD Group Name",
                                "databaseRole": "db_datareader"
                            }
                        ],
                        "required": [
                            "type",
                            "scope",
                            "principalType",
                            "principalName",
                            "databaseRole"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the database"
                                ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["sql"],
                                "default": "sql",
                                "examples": [
                                    "sql"
                                ]
                            },
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/scope",
                                "type": "string",
                                "title": "Database Name",
                                "description": "Database name",
                                "default": "",
                                "examples": [
                                    "MyDatabase"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalType",
                                "type": "string",
                                "title": "Pprincipal Type",
                                "description": "Type of SQL Prinicpal (AAD Account/SQL Login)",
                                "default": "AAD",
                                "enum": ["AAD","SQL"],
                                "examples": [
                                    "AAD", "SQL"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the database principal to be created/added to role",
                                "default": "MyUserName",
                                "examples": []
                            },
                            "databaseRole": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/databaseRole",
                                "type": "string",
                                "title": "Ddatabase Role",
                                "description": "Role to add the user to - will be created if it does not exist",
                                "default": "",
                                "examples": [
                                    "db_owner",
                                    "db_datareader",
                                    "db_datawriter"
                                ]
                            }
                        },
                        "additionalProperties": false
                    },
                    {
                        "$id": "#/properties/permissions/items/anyOf/datalake",
                        "type": "object",
                        "title": "Data Lake ACL Permission",
                        "description": "Apply data lake ACL - all are recursive",
                        "default": {},
                        "examples": [
                            {
                                "comment": "Example Lake permission for subfolder/AAD Group",
                                "type": "datalake",
                                "path": "LANDED/TEST1/",
                                "principalType": "group",
                                "principalName": "GDAI_Imperial_GDP",
                                "permission": "xrw"
                            }
                        ],
                        "required": [
                            "type",
                            "principalType",
                            "principalName",
                            "path",
                            "permission"
                        ],
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [ ]
                            },
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["datalake"],
                                "default": "datalake",
                                "examples": [
                                    "datalake"
                                ]
                            },
                            "path": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/path",
                                "type": "string",
                                "title": "Path",
                                "description": "Folder path from root (preceeding and trailing / is ignored) Slashes must be forward. Single / for root.",
                                "default": "",
                                "examples": [
                                    "Sourced/System/Entity",
                                    "/"
                                ]
                            },
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalType",
                                "type": "string",
                                "title": "Principal Type",
                                "description": "Type of AAD Prinicpal",
                                "default": "AAD",
                                "enum": ["Group","User","MSI", "Application"],
                                "examples": [
                                    "AAD", "SQL"
                                ]
                            },
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the principal to be added",
                                "default": "My AAD Group Name",
                                "examples": []
                            },
                            "permission": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/databaseRole",
                                "type": "string",
                                "title": "Ddatabase Role",
                                "description": "X = Execute (always required), R = Read, W = Write. Order required. Blank removes permissions.",
                                "default": "xrw",
                                "enum": ["xrw",
                                    "xr",
                                    "xw",
                                    "x",
                                    ""],
                                "examples": [
                                    "xrw",
                                    "xr",
                                    "xw",
                                    "x"
                                ]
                            }
                        },
                        "additionalProperties": false
                    }
                ]
            }
        }
    },
    "additionalProperties": true
}