Permissions for Azure Cloud
When you grant Illumio Cloud read and write permissions, the following role definitions are created in the Azure tenant. Each definition below lists the role's assignable scopes and the exact set of actions it allows, so you can review what the integration can read or change before granting it:
Reader Role - Built In Role { "assignableScopes": [ "/" ], "description": "View all resources, but does not allow you to make any changes.", "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7", "permissions": [ { "actions": [ "*/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ], "roleName": "Reader", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions" } Illumio Network Security Administrator Role - Custom Role { "properties": { "roleName": "Illumio Network Security Administrator", "description": "Illumio Network Administration Role", "assignableScopes": [ "/" ], "permissions": [ { "actions": [ "Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/networkSecurityGroups/write", "Microsoft.Network/networkSecurityGroups/delete", "Microsoft.Network/networkSecurityGroups/join/action", "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read", "Microsoft.Network/networkSecurityGroups/securityRules/write", "Microsoft.Network/networkSecurityGroups/securityRules/delete", "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/read", "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/diagnosticSettings/write", "Microsoft.Network/networksecuritygroups/providers/Microsoft.Insights/logDefinitions/read", "Microsoft.Network/networkWatchers/securityGroupView/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } Illumio Firewall Administrator Role - Custom Role { "properties": { "roleName": "Illumio Firewall Administrator", "description": "Illumio Firewall Administrator role", "assignableScopes": [ "/" ], "permissions": [ { "actions": [ "Microsoft.Network/azurefirewalls/read", "Microsoft.Network/azurefirewalls/learnedIPPrefixes/action", 
"Microsoft.Network/azureFirewalls/applicationRuleCollections/write", "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete", "Microsoft.Network/azureFirewalls/applicationRuleCollections/read", "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/logDefinitions/read", "Microsoft.Network/azureFirewalls/natRuleCollections/write", "Microsoft.Network/azureFirewalls/natRuleCollections/read", "Microsoft.Network/azureFirewalls/natRuleCollections/delete", "Microsoft.Network/azureFirewalls/networkRuleCollections/read", "Microsoft.Network/azureFirewalls/networkRuleCollections/write", "Microsoft.Network/azureFirewalls/networkRuleCollections/delete", "Microsoft.Network/azureFirewallFqdnTags/read", "Microsoft.Network/azurefirewalls/providers/Microsoft.Insights/metricDefinitions/read", "Microsoft.Network/firewallPolicies/read", "Microsoft.Network/firewallPolicies/write", "Microsoft.Network/firewallPolicies/join/action", "Microsoft.Network/firewallPolicies/certificates/action", "Microsoft.Network/firewallPolicies/delete", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/delete", "Microsoft.Network/firewallPolicies/ruleGroups/read", "Microsoft.Network/firewallPolicies/ruleGroups/write", "Microsoft.Network/firewallPolicies/ruleGroups/delete", "Microsoft.Network/ipGroups/read", "Microsoft.Network/ipGroups/write", "Microsoft.Network/ipGroups/validate/action", "Microsoft.Network/ipGroups/updateReferences/action", "Microsoft.Network/ipGroups/join/action", "Microsoft.Network/ipGroups/delete" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } }