Microsoft Azure environments - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.3.2

The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to Microsoft Azure environments.

Before you begin

Ensure that the following requirements are met:
  • You must have an Azure account, with the following permissions set, that CDV can use to retrieve Azure data:
    • Common permissions for virtual networks, load balancers, DNS zones, and private DNS Zones:
      • "Microsoft.Authorization/*/read"
      • "Microsoft.Resources/subscriptions/resourceGroups/read"
      • "Microsoft.Resources/deployments/*"
      • "Microsoft.Compute/*/read"
      • "Microsoft.ClassicCompute/*/read"
      • "Microsoft.Network/*/read"
      • "Microsoft.ClassicNetwork/*/read"
      • "Microsoft.Storage/*/read"
  • Role permissions:
    • Allows for full access to Azure Service Bus resources (BuiltinRole)
      • "Microsoft.ServiceBus/*"
        Attention: You must not set the subscription policy to deny "Microsoft.ServiceBus/namespaces". If the subscription policy to deny "Microsoft.ServiceBus/namespaces" is enabled, the following message might appear in the Cloud Discovery & Visibility Azure UI when using the visibility feature:
        [ERROR] Something wrong when get Service Bus HT-PoC
    • Manage EventGrid event subscription operations (BuiltinRole)
      • "Microsoft.Authorization/*/read"
      • "Microsoft.EventGrid/systemTopics/read"
      • "Microsoft.EventGrid/eventSubscriptions/*"
      • "Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
      • "Microsoft.Insights/AlertRules/*"
      • "Microsoft.Resources/deployments/*"
      • "Microsoft.Resources/subscriptions/resourceGroups/read"
      • "Microsoft.Support/*"
    • Monitoring Reader (BuiltinRole)
      • "Microsoft.OperationalInsights/workspaces/search/action"
      • "Microsoft.Support/*"
    • Discovery permissions:
      • "Microsoft.Authorization/*/read"
      • "Microsoft.Resources/subscriptions/resourceGroups/read"
      • "Microsoft.Compute/*/read"
      • "Microsoft.ClassicCompute/*/read"
      • "Microsoft.Network/*/read"
      • "Microsoft.ClassicNetwork/*/read"
      • "Microsoft.Storage/*/read"
      You can use the following JSON code to add Discovery permissions:
      {
          "id": "/",
          "properties": {
              "roleName": "Discovery",
              "description": "",
              "assignableScopes": [
                  "/subscriptions/<subscription id>"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.Authorization/*/read",
                          "Microsoft.Resources/subscriptions/resourceGroups/read",
                          "Microsoft.Compute/*/read",
                          "Microsoft.ClassicCompute/*/read",
                          "Microsoft.Network/*/read",
                          "Microsoft.ClassicNetwork/*/read",
                          "Microsoft.Storage/*/read"
                      ],
                      "notActions": [],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
          }
      }
    • Visibility permissions:
      • "Microsoft.ServiceBus/*"
      • "Microsoft.EventGrid/systemTopics/read"
      • "Microsoft.EventGrid/eventSubscriptions/*"
      • "Microsoft.EventGrid/topicTypes/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
      • "Microsoft.Insights/alertRules/*"
      You can use the following JSON code to add Visibility permissions:
      {
          "id": "/",
          "properties": {
              "roleName": "Visibility",
              "description": "",
              "assignableScopes": [
                  "/subscriptions/<subscription id>"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.ServiceBus/*",
                          "Microsoft.EventGrid/systemTopics/read",
                          "Microsoft.EventGrid/eventSubscriptions/*",
                          "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                          "Microsoft.EventGrid/locations/eventSubscriptions/read",
                          "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
                          "Microsoft.Insights/alertRules/*"
                      ],
                      "notActions": [],
                      "dataActions": [
                          "Microsoft.ServiceBus/*"
                      ],
                      "notDataActions": []
                  }
              ]
          }
      }
    • Manually-created visibility system permissions:
      • "Microsoft.EventGrid/systemTopics/read"
      • "Microsoft.EventGrid/eventSubscriptions/write"
      • "Microsoft.EventGrid/eventSubscriptions/read"
      • "Microsoft.EventGrid/topictypes/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/eventSubscriptions/read"
      • "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read"
      • "Microsoft.ServiceBus/namespaces/read"
      • "Microsoft.ServiceBus/namespaces/authorizationRules/read"
      • "Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action"
      • "Microsoft.ServiceBus/namespaces/queues/read"
      • "Microsoft.ServiceBus/namespaces/queues/authorizationRules/read"
    • Custom visibility system location permissions:
      • "Microsoft.Resources/subscriptions/resourceGroups/write"
      • "Microsoft.Resources/subscriptions/resourceGroups/read"
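As an added example (not BlueCat's code), the following Python reviews a custom role definition of the shape shown in the Discovery and Visibility JSON above: whether it grants a given operation, which action patterns can grant more than read access, and how a deployed definition differs from the documented list. The make_role helper is constructed for this example, and the wildcard matching assumes that "*" in an Azure action string spans "/" separators and that comparison is case-insensitive.

```python
import re

# Constructed from the Discovery and Visibility role definitions on this page;
# make_role is a helper for this example that builds the same JSON shape.
def make_role(name, actions, data_actions=(), not_actions=()):
    return {"id": "/", "properties": {
        "roleName": name, "description": "",
        "assignableScopes": ["/subscriptions/<subscription id>"],
        "permissions": [{"actions": list(actions), "notActions": list(not_actions),
                         "dataActions": list(data_actions), "notDataActions": []}]}}

DISCOVERY_ACTIONS = ["Microsoft.Authorization/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read",
                     "Microsoft.Compute/*/read", "Microsoft.ClassicCompute/*/read", "Microsoft.Network/*/read",
                     "Microsoft.ClassicNetwork/*/read", "Microsoft.Storage/*/read"]
VISIBILITY_ACTIONS = ["Microsoft.ServiceBus/*", "Microsoft.EventGrid/systemTopics/read",
                      "Microsoft.EventGrid/eventSubscriptions/*", "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
                      "Microsoft.EventGrid/locations/eventSubscriptions/read",
                      "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read", "Microsoft.Insights/alertRules/*"]
DISCOVERY_ROLE = make_role("Discovery", DISCOVERY_ACTIONS)
VISIBILITY_ROLE = make_role("Visibility", VISIBILITY_ACTIONS, data_actions=["Microsoft.ServiceBus/*"])

def _matches(pattern, operation):
    # Assumption: '*' in an Azure action string matches any run of characters,
    # including '/' separators, and the comparison is case-insensitive.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation, data=False):
    """Effective permission: matched by an allow pattern and not by a deny pattern."""
    allow, deny = ("dataActions", "notDataActions") if data else ("actions", "notActions")
    for perm in role["properties"]["permissions"]:
        if any(_matches(p, operation) for p in perm[allow]) and \
                not any(_matches(p, operation) for p in perm[deny]):
            return True
    return False

def non_read_actions(role):
    """Least-privilege review: action patterns that can grant more than read access."""
    return [p for perm in role["properties"]["permissions"]
            for p in perm["actions"] if not p.lower().endswith("/read")]

def diff_against_required(role, required):
    """(missing, extra) versus the documented list, to catch drift in a deployed role."""
    granted = {p for perm in role["properties"]["permissions"] for p in perm["actions"]}
    return sorted(set(required) - granted), sorted(granted - set(required))
```

Running non_read_actions against the Visibility role lists the three wildcard patterns (Service Bus, EventGrid event subscriptions, alert rules) that a reviewer should consciously accept, while the Discovery role returns none.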