src/Schemas/permissions.schema.json
{ "$schema": "http://json-schema.org/draft-07/schema", "type": "object", "title": "Azure Management RBAC Permissions Schema", "description": "Azure Permissions", "default": {}, "examples": [], "required": [ "permissions" ], "properties": { "permissions": { "$id": "#/properties/permissions", "type": "array", "title": "Permissions", "description": "Each object defines one permission to be deployed", "default": [], "examples": [], "additionalItems": false, "items": { "$id": "#/properties/permissions/items", "anyOf": [ { "$id": "#/properties/permissions/items/anyOf/0", "type": "object", "title": "Azure RBAC Permission", "description": "Assign an Azure role to an AAD principal at the given scope", "default": {}, "examples": [ { "comment": "Security SP Needs to be able to manage lake permissions", "type": "rbac", "scope": "/subscriptions/312312-23123123-23131231/resourceGroups/RGNAME/providers/Microsoft.Storage/storageAccounts/strgAccountName", "principalType": "Application", "principalName": "my-application-name-from-aad", "role": "Storage Blob Data Reader" } ], "required": [ "type", "scope", "principalType", "principalName", "role" ], "properties": { "comment": { "$id": "#/properties/permissions/items/anyOf/0/properties/comment", "type": "string", "title": "Comment", "description": "Description or explanation for the permission", "default": "", "examples": [ "Application SP needs to read data in the lake" ] }, "type": { "$id": "#/properties/permissions/items/anyOf/0/properties/type", "type": "string", "enum": [ "rbac" ], "title": "Type", "description": "Permission type discriminator; must be rbac for an Azure RBAC role assignment", "default": "rbac", "examples": [ "rbac" ] }, "scope": { "$id": "#/properties/permissions/items/anyOf/0/properties/scope", "type": "string", "title": "Scope", "description": "Full resource ID of the Azure scope the role is assigned at (shown on the resource's Properties blade in the portal)", "default": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}", "examples": [ 
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}" ] }, "principalType": { "$id": "#/properties/permissions/items/anyOf/0/properties/principalType", "type": "string", "title": "AAD Object Type", "description": "Application/Group/User/MSI", "default": "Group", "enum": ["Group", "Application", "User", "MSI"], "examples": [ "Application" ] }, "principalName": { "$id": "#/properties/permissions/items/anyOf/0/properties/principalName", "type": "string", "title": "Principal Name", "description": "AAD display name of the principal; must be an exact match", "default": "", "examples": [] }, "role": { "$id": "#/properties/permissions/items/anyOf/0/properties/role", "type": "string", "title": "Azure Role", "description": "Name of the Azure role, e.g. Contributor", "default": "Reader", "examples": [ "Storage Blob Data Contributor", "Owner", "Contributor", "Reader" ] } }, "additionalProperties": false }, { "$id": "#/properties/permissions/items/anyOf/1", "type": "object", "title": "SQL Database Role Permission", "description": "Add an AAD Group, User or Application to a database role", "default": {}, "examples": [ { "comment": "Reader access for the Developers AD Group", "type": "sql", "scope": "Control", "principalType": "AAD", "principalName": "My AAD Group Name", "databaseRole": "db_datareader" } ], "required": [ "type", "scope", "principalType", "principalName", "databaseRole" ], "properties": { "comment": { "$id": "#/properties/permissions/items/anyOf/1/properties/comment", "type": "string", "title": "Comment", "description": "Description or explanation for the permission", "default": "", "examples": [ "Application SP needs to read data in the database" ] }, "type": { "$id": "#/properties/permissions/items/anyOf/1/properties/type", "type": "string", "title": "Type", "description": "Permission type discriminator; must be sql for this variant", "enum": ["sql"], "default": "sql", "examples": [ "sql" ] }, "scope": { "$id": 
"#/properties/permissions/items/anyOf/1/properties/scope", "type": "string", "title": "Database Name", "description": "Name of the database the role membership is applied in", "default": "", "examples": [ "MyDatabase" ] }, "principalType": { "$id": "#/properties/permissions/items/anyOf/1/properties/principalType", "type": "string", "title": "Principal Type", "description": "Type of SQL principal (AAD account or SQL login)", "default": "AAD", "enum": ["AAD","SQL"], "examples": [ "AAD", "SQL" ] }, "principalName": { "$id": "#/properties/permissions/items/anyOf/1/properties/principalName", "type": "string", "title": "Principal Name", "description": "Name of the database principal to create and add to the role", "default": "MyUserName", "examples": [] }, "databaseRole": { "$id": "#/properties/permissions/items/anyOf/1/properties/databaseRole", "type": "string", "title": "Database Role", "description": "Database role to add the principal to; it is created if it does not exist", "default": "", "examples": [ "db_owner", "db_datareader", "db_datawriter" ] } }, "additionalProperties": false }, { "$id": "#/properties/permissions/items/anyOf/datalake", "type": "object", "title": "Data Lake ACL Permission", "description": "Apply a Data Lake ACL entry; all entries are applied recursively", "default": {}, "examples": [ { "comment": "Example Lake permission for subfolder/AAD Group", "type": "datalake", "path": "LANDED/TEST1/", "principalType": "group", "principalName": "GDAI_Imperial_GDP", "permission": "xrw" } ], "required": [ "type", "principalType", "principalName", "path", "permission" ], "properties": { "comment": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/comment", "type": "string", "title": "Comment", "description": "Description or explanation for the permission", "default": "", "examples": [ ] }, "type": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/type", "type": "string", "title": "Type", "description": "Permission type discriminator; must be datalake for this variant", "enum": ["datalake"], "default": "datalake", "examples": [ "datalake" ] }, 
"path": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/path", "type": "string", "title": "Path", "description": "Folder path from the root (a leading or trailing / is ignored); slashes must be forward slashes. Use a single / for the root.", "default": "", "examples": [ "Sourced/System/Entity", "/" ] }, "principalType": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalType", "type": "string", "title": "Principal Type", "description": "Type of AAD principal", "default": "AAD", "enum": ["Group","User","MSI", "Application"], "examples": [ "AAD", "SQL" ] }, "principalName": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalName", "type": "string", "title": "Principal Name", "description": "Name of the principal to be added", "default": "My AAD Group Name", "examples": [] }, "permission": { "$id": "#/properties/permissions/items/anyOf/datalake/properties/databaseRole", "type": "string", "title": "Permission", "description": "X = execute (always required), R = read, W = write; the letters must be given in the order x, r, w. An empty string removes the permissions.", "default": "xrw", "enum": ["xrw", "xr", "xw", "x", ""], "examples": [ "xrw", "xr", "xw", "x" ] } }, "additionalProperties": false } ] } } }, "additionalProperties": true } |