In certain contexts, e.g. Azure Authoritative DNS Resource, there is no granularity at the RR level.
So given a larger institution has multiple groups using the same Azure Tenant, there is no way to limit who can view/change/add RRs. I.e. using the Azure Dashboard, which has a nice GUI where one can view RRs, all users can see all the records.
Question: Does RBAC help us solve the problem, given we have a one-to-one representation of our data in Integrity?
Answer: To the best of my knowledge, no.
A View combined with RBAC does not allow granularity down to the RR level.
So do others have any solutions to this “problem”?
I’ve used artificial subdomain names to branch out the ownership of different groups.
E.g. in the case of Azure Resource Domain Names:
privatelink.openai.azure.com.345 → Engineering Group
privatelink.mysql.database.azure.com.1123 → Web Development and Operations
One can also put the artificial group names at the other end of the FQDN and use more readable tokens:
eng.privatelink.openai.azure.com
finance.postgres.database.azure.com
etc.
In terms of automation, with other authoritative DNS servers, this requires merging data, or given regular hostname policy, division of data.
Would love to know what others have done, given similar requirements.
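A sketch of the merge step described above, as an added example that is not part of the original post and uses no product API. The token table, the record tuple layout, the function names and the sample records are assumptions constructed for illustration; only the zone tokens come from the post.

```python
from collections import defaultdict

# Assumed token table: artificial label -> owning group (tokens from the post).
TOKENS = {"345": "Engineering", "eng": "Engineering", "finance": "Finance",
          "1123": "Web Development and Operations"}

def split_zone(artificial_zone):
    """Return (real_zone, group) by stripping the artificial label from either end."""
    labels = artificial_zone.rstrip(".").lower().split(".")
    if labels[-1] in TOKENS:
        return ".".join(labels[:-1]), TOKENS[labels[-1]]
    if labels[0] in TOKENS:
        return ".".join(labels[1:]), TOKENS[labels[0]]
    raise ValueError(f"no ownership token in {artificial_zone!r}")

def merge(group_zones):
    """Merge per-group zones into the real zones.

    group_zones: {artificial_zone: [(relative_name, rrtype, rdata), ...]}
    Returns (merged, conflicts). An owner name/type claimed by two groups is
    withheld from merged and reported, so one group cannot overwrite another.
    """
    claims = defaultdict(dict)  # (zone, name, type) -> {group: set(rdata)}
    for art_zone, records in group_zones.items():
        zone, group = split_zone(art_zone)
        for name, rrtype, rdata in records:
            key = (zone, name.lower(), rrtype.upper())
            claims[key].setdefault(group, set()).add(rdata)
    merged, conflicts = defaultdict(list), []
    for (zone, name, rrtype), by_group in sorted(claims.items()):
        if len(by_group) > 1:
            conflicts.append((zone, name, rrtype, sorted(by_group)))
            continue
        (group, rdatas), = by_group.items()
        for rdata in sorted(rdatas):
            merged[zone].append((name, rrtype, rdata, group))
    return dict(merged), conflicts

# Constructed sample data: two groups claim "chat" in the same real zone.
SAMPLE = {
    "privatelink.openai.azure.com.345": [("chat", "A", "10.1.0.4")],
    "eng.privatelink.openai.azure.com": [("embed", "A", "10.1.0.5")],
    "finance.privatelink.openai.azure.com": [("chat", "A", "10.9.0.4")],
    "privatelink.mysql.database.azure.com.1123": [("shop", "A", "10.2.0.7")],
}
```

Each merged record keeps its owning group, so the published zone can still be audited against the per-group source zones.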
Question
Role Based Access Control: Ideas for making this work at the Resource Record level