Authorizations (Access Control)
This section explains the permission structure within the Azure portal. Here, roles are also discussed; however, these do not refer to roles assigned by the institution's role managers. Information about the roles assigned by the role manager before using Azure can be found in the article "Access for RWTH Institutions".
In the Azure portal, various roles can be assigned for use within the portal. An explanatory video on assigning roles will be provided further down (coming soon). It is recommended to use the following three roles:
- Owner: Grants full access to manage all resources, including the ability to assign roles in the Azure portal.
- Contributor: Grants full access to manage all eligible resources but does not allow assigning roles in the Azure portal.
- Reader: Allows viewing all eligible resources without being able to make changes.
During initial provisioning of a subscription, at least two individuals are designated as "owners." These individuals serve as administrative contacts and are responsible for keeping permissions for all project participants up-to-date.
Individuals with the role "Owner" are also responsible for monitoring costs within their subscription. They can grant additional persons (e.g., from accounting) appropriate permissions for cost control. The institution alone bears responsibility for cost control of its respective subscription; this is not centrally managed by IT Center.
Within project development, roles can be assigned independently by "owners." If an "owner" of a subscription will no longer be involved with RWTH or with the project in the future, it is recommended to proactively add another "owner" to that subscription. If there are no remaining "owners", no further roles (and thus permissions) can be granted on that particular subscription. In this case, please contact IT Center via email at servicedesk@itc.rwth-aachen.de.
Permission Inheritance
The assignment of permissions is only inherited one way. When permissions are granted at a higher level, they automatically cascade downwards to underlying levels; however, this does not apply in reverse. The order of levels is as follows:
- Highest Level: Subscription
- Middle Level: Resource Groups
- Lowest Level: Resources
For example, permissions at a subscription level mean that users also have permissions on all underlying resource groups and their resources. However, if permissions are granted at a resource group level, users do not receive permissions at a subscription level or on other resource groups.
Individuals with the role "Owner" have full permissions and can assign specific permissions at each corresponding level—whether for a resource, a resource group, or the subscription itself. It is possible for an individual to receive specific permissions only on a particular resource without having access to higher-level resource groups or subscriptions. These permissions can be configured individually.
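The following is an added example, not part of the IT Center article: a small Python check that models the one-way inheritance described above over constructed role assignments (the subscription id, principal names and resource names are placeholders) and reports whether a subscription still has the recommended minimum of two "owners." The input shape mirrors the trimmed fields of `az role assignment list` output, which is an assumption about how such data would be fed in.

```python
import json

# Constructed sample data: three assignments at the three levels the article
# names (subscription, resource group, resource). Ids and names are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@example.org", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "bob@example.org", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"},
  {"principalName": "carol@example.org", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stlogs"}
]""")


def ancestor_scopes(scope: str):
    """Yield the scope itself, then each enclosing scope up to the subscription.

    Azure scopes nest as /subscriptions/<id>[/resourceGroups/<rg>[/providers/...]].
    Permissions flow down this chain only, so walking *up* from the scope being
    checked collects every assignment that applies to it.
    """
    parts = scope.strip("/").split("/")
    yield scope
    if len(parts) > 4:  # below a resource group: the resource group also applies
        yield "/" + "/".join(parts[:4])
    if len(parts) > 2:  # below the subscription: the subscription also applies
        yield "/" + "/".join(parts[:2])


def effective_roles(assignments, scope: str) -> dict:
    """Map principal -> set of roles that reach `scope` through downward inheritance."""
    applicable = {s.lower() for s in ancestor_scopes(scope)}  # Azure scopes are case-insensitive
    roles = {}
    for a in assignments:
        if a["scope"].lower() in applicable:
            roles.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    return roles


def subscription_owners(assignments, subscription_scope: str) -> list:
    """Principals holding Owner directly at subscription scope; fewer than two is a gap."""
    return sorted(a["principalName"] for a in assignments
                  if a["scope"].lower() == subscription_scope.lower()
                  and a["roleDefinitionName"] == "Owner")
```

Running `effective_roles` against a second resource group such as `rg-db` shows that the Contributor assignment on `rg-web` does not reach it, matching the rule that a resource-group assignment grants nothing on sibling groups or on the subscription.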
Within each subscription, it is each institution's responsibility to review and ensure that all permissions are correctly assigned across different levels of their Azure subscriptions.
If you have any further questions or concerns, please contact our IT Center.
