New and Improved Guidance: Grant Permission to Lab Resources

Published Friday, March 17, 2023

We are in progress of making many improvements to the documentation for the Azure Lab Services Update that was released this past August 2022 . One upcoming improvement, is that we're adding guidance on how to grant administrators and educators permission to lab resources. Please see an early release of this new guidance further below - this guidance includes the following topics:

Resource group and lab plan structure
- Permission to multiple resource groups
- Permission to multiple lab plans
Roles for common lab activities
Administrator roles
- Owner
- Contributor
- Lab Services Contributor
Educator roles
- Lab Creator
- Lab Contributor
- Lab Assistant
- Lab Services Reader
Moving role assignments from lab accounts to lab plans

We are interested to get your feedback on this content, including any points that may be unclear or where gaps may exist. Please share any feedback that you have by adding a comment to this blog post.

Thanks!

Azure Lab Services Team

----------------------------------------------------------------------------------------------------------

Granting users permission to lab resources

To give administrators and educators access to Azure Lab Services, they need to be assigned one of the following roles using Azure’s role-based access control (RBAC) .

Administrator roles
- Owner
- Contributor
- Lab Services Contributor
Educator roles
- Lab Creator

As shown by the arrows in the graphic below, roles can be assigned to users on resource groups, lab plans, and labs:

Resource groups are logical containers for grouping together resources. Role assignment at the resource group level grants permission to the resource group and all resources within the resource group, such as labs and lab plans.
Lab plans are used to apply common configuration settings when you create a lab. Role assignment at the lab plan level grants permission only to a specific lab plan.
Lab role assignment grants permission only to a specific lab.

IMPORTANT – Lab plans and labs are sibling resources to each other. As a result, labs don’t inherit any roles/permissions that are assigned at the lab plan level. However, roles/permissions assigned at the resource group level are inherited by both lab plans and labs.

Resource group and lab plan structure

Your organization should invest time up front to plan the structure of your resource groups and lab plans. This is especially important when users are assigned roles at the resource group level because they automatically will have permission to use all resources within the resource group. To ensure that users are only granted permission to the appropriate resources, we recommend that you:

Create resource groups that only contain lab-related resources.
Organize lab plans and labs into separate resource groups according to the users that should have access.

For example, you may want to create separate resource groups for different departments, such as one for Math and another for Engineering, so that each department’s lab resources are isolated from one another. Educators in the Engineering department can then be granted permission at the resource group level, which will only give them access to their department’s lab.

IMPORTANT – You should plan the structure of resource groups and labs plans up front because it’s not possible to move lab plans or labs to a different resource group once they are created.

Permission to multiple resource groups

Administrators and educators can be granted permission to more than one resource group. For example, when an educator is assigned the Lab Contributor role on labs from different resource groups, the educator will be prompted to choose from the list of resource groups to view their labs.

Permission to multiple lab plans

Likewise, administrators and educators can be granted permission to more than one lab plan. For example, when an educator is assigned the Lab Creator role on a resource group that contains more than one lab plan, the educator will be prompted to choose from the list of lab plans during lab creation.

Roles for common lab activities

The following table shows common lab activities and the role that needs to be assigned to an administrator or educator to perform each activity. For more details on all the lab roles available and the permissions that each role grants, see the below sections about administrator roles and educator roles.

IMPORTANT – The Owner/Contributor roles can also be assigned at the subscription level. An organization’s subscription is used to manage billing and security for all Azure resources and services. Typically, only administrators are given subscription level access because this includes full access to all resources in the subscription. Also, when assigned as an Owner, they have the ability to grant access to others.

Role Type	Activity	Role to Assign	Resource Assigment Level
Administrator	Grant permission to create a resource group (which needs to exist before a lab plan or lab can be created).	Owner or Contributor	Subscription*
Administrator	Grant permission to submit a Microsoft support ticket, including to request capacity	Owner, Contributor, Support Request Contributor	Subscription*
Administrator	Grant permission to: Assign roles to other users. Create/manage lab plans, labs, and other resources within the resource group. Enable/disable marketplace and custom images on a lab plan. Attach/detach compute gallery on a lab plan.	Owner	Resource Group
Administrator	Grant permission to: Create/manage lab plans, labs, and other resources within the resource group. Enable/disable marketplace and custom images on a lab plan. Attach/detach compute gallery on a lab plan. However, not the ability to assign roles to other users.	Contributor	Resource Group
Educator	Grant permission to create/manage their own labs: Using all lab plans within a resource group. Or, only for a specific lab plan.	Lab Creator	Resource Group or Lab Plan
Educator	Grant permission to co-manage a lab, but not the ability to create labs.	Lab Contributor	Lab
Educator	Grant permission to only start/stop/reset VMs for: All labs within a resource group. Or, only for a specific lab.	Lab Assistant	Resource Group or Lab

* The specified roles must be assigned at the resource group level.

Administrator roles

To grant users permission to manage Azure Lab Services within your organization’s subscription, you should assign them the Owner, Contributor, or the Lab Services Contributor role. These roles should be assigned at the resource group level.

IMPORTANT - Roles/permissions assigned at the resource group level are inherited by both lab plans and labs that are contained within the resource group.

The following table compares the administrator roles when they are assigned at the resource group level.

	Activity	Resource Group Level
	Activity	Owner	Contributor	Lab Services Contributor
Lab plan activities	View all lab plans within the resource group	Yes	Yes	Yes
	Create, change or delete all lab plans within the resource group	Yes	Yes	Yes
	Assign roles to lab plans within the resource group	Yes	No	No
Lab activities	Create labs within the resource group*	Yes	Yes	Yes
	View other users’ labs within the resource group	Yes	Yes	Yes
	Change or delete other users’ labs within the resource group	Yes	Yes	No
	Assign roles to other users’ labs within the resource group	Yes	No	No

* Users are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

Owner

You should assign the Owner role to give a user full control to create/manage lab plans and labs, and grant permissions to other users. When a user is assigned the Owner role at the resource group level, they can do the following activities across all resources within the resource group:

Assign roles to administrators so they can manage lab-related resources.
Assign roles to educators so they can create and manage labs.
Create lab plans and labs.
View, delete, and change settings for all lab plans; this includes attaching/detaching the compute gallery and enabling/disabling marketplace and custom images on lab plans.
View, delete, and change settings for all labs.

IMPORTANT – Owner/Contributor permissions assigned at the resource group level also applies to non-lab related resources that may exist within a resource group.

Contributor

You should assign the Contributor role to give an user full control to create/manage lab plans and labs within a resource group. The Contributor role is nearly the same as the Owner role, except that a Contributor:

Can’t assign roles to other administrators or educators.

Lab Services Contributor

The Lab Services Contributor is the most restrictive of the administrator roles. You should assign the Lab Services Contributor role to enable the same activities as the Owner role; however, a Lab Services Contributor:

Can’t assign roles to other administrators or educators.
Can’t change or delete other users’ labs.

Educator roles

The following roles should be used to grant educators permission to create and manage labs:

Lab Creator
Lab Contributor
Lab Assistant
Lab Services Reader

IMPORTANT – The educator roles only grant permission to view lab plans. Users assigned educator roles can’t create, change, delete, or assign roles to lab plans. In addition, they can’t attach/detach a compute gallery or enable/disable images.

Lab Creator

You should assign the Lab Creator role to a user so that they can create labs and have full control over the labs that they create. For example, they can change their labs’ settings, delete their labs, and even grant other users permission to their labs. The Lab Creator role should be assigned at either the resource group or lab plan level.

The following table compares the Lab Creator role when it’s assigned at the resource group level versus the lab plan level.

Lab Activity	Resource Group Level	Lab Plan Level
Lab Activity	Lab Creator	Lab Creator
Create labs within the resource group*	Yes	Yes
View other users’ labs within the resource group	Yes	No
Change or delete other users’ labs within the resource group	No	No
Assign roles to other users’ labs within the resource group	No	No

* Lab Creators are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

When the Lab Creator role is assigned at the resource group level, the user can:

View all labs within the resource group, including those created by other users.
Create new labs from all labs plans within the resource group.
Change and delete labs that they created; they can’t change or delete other users’ labs.

You can also assign the Lab Creator role at the lab plan . With the Lab Creator role assigned on the lab plan, the user can:

Create new labs using only that specific lab plan.
View, change, or delete labs that they created; they can’t view, change, or delete other users’ labs.

Lab Contributor

You should assign the Lab Contributor role to give an user permission to help manage an existing lab. The Lab Contributor role should be assigned at the lab level.

When the Lab Contributor role is assigned at the lab level, the user can manage the assigned lab. Specifically, the user:

Can view, change all settings, or delete the assigned lab; they can’t view other users’ labs.
Can’t create new labs.

Lab Assistant

You should assign a user the Lab Assistant role if you only want them to be able to start/stop/reset lab VMs. The Lab Assistant role should be assigned at the resource group or lab level.

When the Lab Assistant role is assigned at the resource group level, the user:

Can view all labs within the resource group and start/stop/reset student VMs for each lab; otherwise, they can’t delete or make any other changes to the labs.

When the Lab Assistant role is assigned at the lab level, the user:

Can view the assigned lab and start/stop/reset student VMs; otherwise, they can’t delete or make any other changes to the lab.
Can’t create new labs.

Lab Services Reader

The Lab Services Reader role enables user to view existing labs; they can’t make any changes. The Lab Services Reader role should be assigned at the resource group or lab level.

When the Lab Services Reader role is assigned at the resource group level, the user can view all labs within the resource group. Otherwise, when the Lab Services Reader role is assigned at the lab level, the user can only view that specific lab.

Moving role assignment from lab accounts to lab plans

If you are moving from lab accounts to lab plans, it’s important to understand differences between lab accounts and lab plans and how this impacts role assignments:

Lab accounts serve as a parent to labs; as a result, the roles assigned on a lab account are automatically inherited by its child labs.
Lab plans and labs are siblings to each other; this means that labs don’t inherit roles from lab plans.

For example, if you have users that are assigned the Owner or Contributor role at the lab account level, you should instead assign the Owner and Contributor roles at the resource group level for your lab plans. Roles assigned on a lab plan’s resource group will automatically grant permission to all labs within the resource group.

The table below shows recommendations to map roles from the earlier version of Azure Lab Services to roles in the August 2022 Update (Classic).

Role Type	Classic Version ---------------------------------->		August 2022 Update
Role Type	Role	Assignment level	Role	Assignment level
Administrator	Owner	Lab account	Owner	Resource group
Administrator	Contributor	Lab account	Contributor	Resource group
Educator	Lab Creator	Lab account	Lab Creator	Lab plan
	Owner*	Lab	Owner	Resource group or lab
	Contributor*	Lab	Lab Contributor	Lab

* In the earlier version, the lab’s Contributor and Owner roles required that the Reader role also be assigned on the lab account. In the August 2022 update, you do not need to assign the role at the lab plan or resource group level.