New and Improved Guidance: Grant Permission to Lab Resources
We are in the process of making many improvements to the documentation for the Azure Lab Services Update that was released in August 2022. One upcoming improvement is guidance on how to grant administrators and educators permission to lab resources. An early release of this new guidance appears further below; it covers the following topics:
- Resource group and lab plan structure
- Permission to multiple resource groups
- Permission to multiple lab plans
- Roles for common lab activities
- Administrator roles
  - Owner
  - Contributor
  - Lab Services Contributor
- Educator roles
  - Lab Creator
  - Lab Contributor
  - Lab Assistant
  - Lab Services Reader
- Moving role assignments from lab accounts to lab plans
We are interested in your feedback on this content, including any points that may be unclear or where gaps may exist. Please share any feedback you have by adding a comment to this blog post.
Thanks!
Azure Lab Services Team
----------------------------------------------------------------------------------------------------------
Granting users permission to lab resources
To give administrators and educators access to Azure Lab Services, they need to be assigned one of the following roles using Azure’s role-based access control (RBAC).
- Administrator roles
  - Owner
  - Contributor
  - Lab Services Contributor
- Educator roles
  - Lab Creator
  - Lab Contributor
  - Lab Assistant
  - Lab Services Reader
As shown by the arrows in the graphic below, roles can be assigned to users on resource groups, lab plans, and labs:
- Resource groups are logical containers for grouping together resources. Role assignment at the resource group level grants permission to the resource group and all resources within the resource group, such as labs and lab plans.
- Lab plans are used to apply common configuration settings when you create a lab. Role assignment at the lab plan level grants permission only to a specific lab plan.
- Lab role assignment grants permission only to a specific lab.
IMPORTANT – Lab plans and labs are sibling resources to each other. As a result, labs don’t inherit any roles/permissions that are assigned at the lab plan level. However, roles/permissions assigned at the resource group level are inherited by both lab plans and labs.
Resource group and lab plan structure
Your organization should invest time up front to plan the structure of your resource groups and lab plans. This is especially important when users are assigned roles at the resource group level because they automatically will have permission to use all resources within the resource group. To ensure that users are only granted permission to the appropriate resources, we recommend that you:
- Create resource groups that only contain lab-related resources.
- Organize lab plans and labs into separate resource groups according to the users that should have access.
For example, you may want to create separate resource groups for different departments, such as one for Math and another for Engineering, so that each department’s lab resources are isolated from one another. Educators in the Engineering department can then be granted permission at the resource group level, which gives them access only to their department’s labs.
IMPORTANT – You should plan the structure of resource groups and lab plans up front because it’s not possible to move lab plans or labs to a different resource group once they are created.
Permission to multiple resource groups
Administrators and educators can be granted permission to more than one resource group. For example, when an educator is assigned the Lab Contributor role on labs from different resource groups, the educator will be prompted to choose from the list of resource groups to view their labs.
Permission to multiple lab plans
Likewise, administrators and educators can be granted permission to more than one lab plan. For example, when an educator is assigned the Lab Creator role on a resource group that contains more than one lab plan, the educator will be prompted to choose from the list of lab plans during lab creation.
Roles for common lab activities
The following table shows common lab activities and the role that needs to be assigned to an administrator or educator to perform each activity. For more details on all the lab roles available and the permissions that each role grants, see the below sections about administrator roles and educator roles.
IMPORTANT – The Owner/Contributor roles can also be assigned at the subscription level. An organization’s subscription is used to manage billing and security for all Azure resources and services. Typically, only administrators are given subscription level access because this includes full access to all resources in the subscription. Also, when assigned as an Owner, they have the ability to grant access to others.
| Role Type | Activity | Role to Assign | Resource Assignment Level |
| --- | --- | --- | --- |
| Administrator | Grant permission to create a resource group (which needs to exist before a lab plan or lab can be created). | Owner or Contributor | Subscription* |
| Administrator | Grant permission to submit a Microsoft support ticket, including to request capacity. | Owner, Contributor, or Support Request Contributor | Subscription* |
| Administrator | Grant permission to create and manage lab plans and labs within the resource group, and to assign roles to other users. | Owner | Resource Group |
| Administrator | Grant permission to create and manage lab plans and labs within the resource group; however, not the ability to assign roles to other users. | Contributor | Resource Group |
| Educator | Grant permission to create/manage their own labs: create labs, change and delete the labs they create, and assign roles on those labs. | Lab Creator | Resource Group or Lab Plan |
| Educator | Grant permission to co-manage a lab, but not the ability to create labs. | Lab Contributor | Lab |
| Educator | Grant permission to only start/stop/reset VMs, either for all labs within the resource group (resource group level) or for a specific lab (lab level). | Lab Assistant | Resource Group or Lab |
* The specified roles must be assigned at the resource group level.
Administrator roles
To grant users permission to manage Azure Lab Services within your organization’s subscription, you should assign them the Owner, Contributor, or the Lab Services Contributor role. These roles should be assigned at the resource group level.
IMPORTANT - Roles/permissions assigned at the resource group level are inherited by both lab plans and labs that are contained within the resource group.
The following table compares the administrator roles when they are assigned at the resource group level.
| Activity | Owner | Contributor | Lab Services Contributor |
| --- | --- | --- | --- |
| Lab plan activities | | | |
| View all lab plans within the resource group | Yes | Yes | Yes |
| Create, change or delete all lab plans within the resource group | Yes | Yes | Yes |
| Assign roles to lab plans within the resource group | Yes | No | No |
| Lab activities | | | |
| Create labs within the resource group* | Yes | Yes | Yes |
| View other users’ labs within the resource group | Yes | Yes | Yes |
| Change or delete other users’ labs within the resource group | Yes | Yes | No |
| Assign roles to other users’ labs within the resource group | Yes | No | No |
* Users are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.
Owner
You should assign the Owner role to give a user full control to create/manage lab plans and labs, and grant permissions to other users. When a user is assigned the Owner role at the resource group level, they can do the following activities across all resources within the resource group:
- Assign roles to administrators so they can manage lab-related resources.
- Assign roles to educators so they can create and manage labs.
- Create lab plans and labs.
- View, delete, and change settings for all lab plans; this includes attaching/detaching the compute gallery and enabling/disabling marketplace and custom images on lab plans.
- View, delete, and change settings for all labs.
IMPORTANT – Owner/Contributor permissions assigned at the resource group level also apply to non-lab related resources that may exist within the resource group.
Contributor
You should assign the Contributor role to give a user full control to create/manage lab plans and labs within a resource group. The Contributor role is nearly the same as the Owner role, except that a Contributor:
- Can’t assign roles to other administrators or educators.
Lab Services Contributor
The Lab Services Contributor is the most restrictive of the administrator roles. You should assign the Lab Services Contributor role to enable the same activities as the Owner role; however, a Lab Services Contributor:
- Can’t assign roles to other administrators or educators.
- Can’t change or delete other users’ labs.
Educator roles
The following roles should be used to grant educators permission to create and manage labs:
- Lab Creator
- Lab Contributor
- Lab Assistant
- Lab Services Reader
IMPORTANT – The educator roles only grant permission to view lab plans. Users assigned educator roles can’t create, change, delete, or assign roles to lab plans. In addition, they can’t attach/detach a compute gallery or enable/disable images.
Lab Creator
You should assign the Lab Creator role to a user so that they can create labs and have full control over the labs that they create. For example, they can change their labs’ settings, delete their labs, and even grant other users permission to their labs. The Lab Creator role should be assigned at either the resource group or lab plan level.
The following table compares the Lab Creator role when it’s assigned at the resource group level versus the lab plan level.
| Lab Activity | Lab Creator at Resource Group Level | Lab Creator at Lab Plan Level |
| --- | --- | --- |
| Create labs within the resource group* | Yes | Yes |
| View other users’ labs within the resource group | Yes | No |
| Change or delete other users’ labs within the resource group | No | No |
| Assign roles to other users’ labs within the resource group | No | No |
* Lab Creators are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.
When the Lab Creator role is assigned at the resource group level, the user can:
- View all labs within the resource group, including those created by other users.
- Create new labs from all labs plans within the resource group.
- Change and delete labs that they created; they can’t change or delete other users’ labs.
You can also assign the Lab Creator role at the lab plan level. With the Lab Creator role assigned on the lab plan, the user can:
- Create new labs using only that specific lab plan.
- View, change, or delete labs that they created; they can’t view, change, or delete other users’ labs.
Lab Contributor
You should assign the Lab Contributor role to give a user permission to help manage an existing lab. The Lab Contributor role should be assigned at the lab level.
When the Lab Contributor role is assigned at the lab level, the user can manage the assigned lab. Specifically, the user:
- Can view, change all settings, or delete the assigned lab; they can’t view other users’ labs.
- Can’t create new labs.
Lab Assistant
You should assign a user the Lab Assistant role if you only want them to be able to start/stop/reset lab VMs. The Lab Assistant role should be assigned at the resource group or lab level.
When the Lab Assistant role is assigned at the resource group level, the user:
- Can view all labs within the resource group and start/stop/reset student VMs for each lab; otherwise, they can’t delete or make any other changes to the labs.
When the Lab Assistant role is assigned at the lab level, the user:
- Can view the assigned lab and start/stop/reset student VMs; otherwise, they can’t delete or make any other changes to the lab.
- Can’t create new labs.
Lab Services Reader
The Lab Services Reader role enables a user to view existing labs; they can’t make any changes. The Lab Services Reader role should be assigned at the resource group or lab level.
When the Lab Services Reader role is assigned at the resource group level, the user can view all labs within the resource group. Otherwise, when the Lab Services Reader role is assigned at the lab level, the user can only view that specific lab.
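The inheritance rule from the overview (roles assigned on a resource group reach both lab plans and labs, while roles assigned on a lab plan do not reach labs) and the administrator and educator role tables above can be checked before any assignment is made. The following is an added Python model, not Azure’s own authorization code: it encodes this page’s tables together with a constructed sample plan for one department’s resource group, so that intended role assignments can be sanity-checked offline. The role names are the Azure built-in roles named on this page; the user, resource group, lab plan and lab names are invented.

```python
# Added model of the scope and role rules described on this page; it is not Azure's
# authorization code. It encodes the page's tables so that a planned set of role
# assignments can be sanity-checked offline before it is applied with Azure RBAC.
# Scopes: ("rg", rg) | ("labplan", rg, plan) | ("lab", rg, lab). Lab plans and
# labs are siblings: "rg" assignments reach both, "labplan" ones never reach labs.
# Actions each role grants on the labs (or lab plans) its scope reaches.
ROLE_PERMS = {
    "Owner": {"create_lab", "view_lab", "change_lab", "assign_lab_roles"},
    "Contributor": {"create_lab", "view_lab", "change_lab"},
    "Lab Services Contributor": {"create_lab", "view_lab"},
    "Lab Creator": {"create_lab", "view_lab"},  # view_lab reaches other labs only via "rg"
    "Lab Contributor": {"view_lab", "change_lab"},
    "Lab Assistant": {"view_lab", "start_stop_reset"},
    "Lab Services Reader": {"view_lab"},
}
# Whoever creates a lab keeps these on that lab (table footnotes on the page).
CREATOR_PERMS = {"view_lab", "change_lab", "assign_lab_roles"}

# Constructed sample plan for one department's resource group: (user, role, scope).
PLANNED = [
    ("alice", "Lab Creator", ("labplan", "rg-eng", "plan-eng")),
    ("bob", "Lab Creator", ("rg", "rg-eng")),
    ("carol", "Lab Services Contributor", ("rg", "rg-eng")),
    ("dave", "Lab Assistant", ("lab", "rg-eng", "lab-101")),
    ("erin", "Owner", ("rg", "rg-eng")),
]

def reaches_lab(scope, rg, lab):
    """Does an assignment at `scope` apply to lab `lab` in resource group `rg`?"""
    if scope[0] == "rg":
        return scope[1] == rg
    if scope[0] == "lab":
        return scope[1:] == (rg, lab)
    return False  # "labplan": nothing is inherited down to labs

def reaches_plan(scope, rg, plan):
    """Does an assignment at `scope` apply to lab plan `plan` in `rg`?"""
    return scope in (("rg", rg), ("labplan", rg, plan))

def can_create_lab(user, rg, plan, assignments=PLANNED):
    """Can `user` create a lab from lab plan `plan` in resource group `rg`?"""
    return any(u == user and "create_lab" in ROLE_PERMS[r] and reaches_plan(s, rg, plan)
               for u, r, s in assignments)

def can(user, action, rg, lab, creator, assignments=PLANNED):
    """Can `user` do `action` on lab `lab` (created by `creator`) in `rg`?"""
    if user == creator and action in CREATOR_PERMS:
        return True
    return any(u == user and action in ROLE_PERMS[r] and reaches_lab(s, rg, lab)
               for u, r, s in assignments)
```

With the sample plan, `can("alice", "view_lab", "rg-eng", "lab-102", "bob")` is False because alice’s Lab Creator role sits on the lab plan, while `can("bob", "view_lab", "rg-eng", "lab-101", "alice")` is True because bob’s sits on the resource group.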
Moving role assignment from lab accounts to lab plans
If you are moving from lab accounts to lab plans, it’s important to understand differences between lab accounts and lab plans and how this impacts role assignments:
- Lab accounts serve as a parent to labs; as a result, the roles assigned on a lab account are automatically inherited by its child labs.
- Lab plans and labs are siblings to each other; this means that labs don’t inherit roles from lab plans.
For example, if you have users that are assigned the Owner or Contributor role at the lab account level, you should instead assign the Owner and Contributor roles at the resource group level for your lab plans. Roles assigned on a lab plan’s resource group will automatically grant permission to all labs within the resource group.
The table below shows recommendations for mapping roles from the earlier (Classic) version of Azure Lab Services to roles in the August 2022 Update.
| Role Type | Classic Version: Role | Classic Version: Assignment level | August 2022 Update: Role | August 2022 Update: Assignment level |
| --- | --- | --- | --- | --- |
| Administrator | Owner | Lab account | Owner | Resource group |
| Administrator | Contributor | Lab account | Contributor | Resource group |
| Educator | Lab Creator | Lab account | Lab Creator | Lab plan |
| Educator | Owner* | Lab | Owner | Resource group or lab |
| Educator | Contributor* | Lab | Lab Contributor | Lab |
* In the earlier version, the lab’s Contributor and Owner roles required that the Reader role also be assigned on the lab account. In the August 2022 update, you do not need to assign the role at the lab plan or resource group level.