Manage Access to Microsoft Sentinel Workbooks with Lower Scoped RBAC

Using Microsoft Sentinel workbooks for reporting to leadership is a common use case. A common concern is that the recipients would need access to Microsoft Sentinel, or to every table in the workspace, just to view a report. By combining two RBAC components, the workbook can be shared without granting either.

Components:

  1. Table-level RBAC
  2. Resource-level RBAC

How It Works:

Table-level RBAC: Access to the data the workbook reads is granted at the table level rather than at the workspace level. The user can query only the tables they have been granted, which is enough for the workbook to render, and cannot read data from any other table in the workspace.


Resource-level RBAC: Access is granted on the single resource that is needed, here the workbook itself. Setting access on the workbook rather than on the resource group prevents the user from seeing (and browsing) the other resources in the resource group, including Microsoft Sentinel and the workspace's other content.


Configure:

Table-level RBAC: Table-level RBAC uses two role assignments: a custom role at the workspace scope that lets the user see the workspace and run queries against it, and the Reader role assigned on each table the workbook needs. The custom role decides whether the user can query at all; the table assignments decide which tables those queries may read. The process is described in the documentation here.

Resource-level RBAC: Resource-level RBAC limits the scope of visibility to just the workbook resource. To set this:

  1. Go to the Azure Portal.
  2. Go to the resource group that contains Microsoft Sentinel.
  3. Find the workbook of interest.
  4. Click on Access control (IAM).
  5. Click on Add.
  6. Choose Add role assignment.
  7. Select the Workbook Reader role.
  8. Select the user (or group) that should be able to see the workbook.
  9. Click Review + assign.
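The same two components, applied with the Azure CLI instead of the portal, followed by the check a practitioner wants before handing over the link: as a member of the limited group, a granted table answers and a table that was not granted is refused. This is an added example, not code from the original post; the subscription, resource group, workspace, workbook GUID and group object ID are placeholders, the custom role name is made up, and the two action strings in the custom role are the ones the linked Log Analytics documentation uses for "see the workspace and run a query".

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scope the custom workspace role,
# per-table Reader, and Workbook Reader with the Azure CLI.
# Assumed placeholders: subscription, resource group, workspace, workbook GUID,
# group object ID. Role name "Sentinel Workbook Query Reader" is invented.
set -euo pipefail

# ARM resource ID of a Log Analytics workspace.
workspace_scope() {   # $1 subscription, $2 resource group, $3 workspace name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' "$1" "$2" "$3"
}

# Table scope: the workspace ID followed by /tables/<TableName>.
table_scope() {       # $1 sub, $2 rg, $3 workspace, $4 table name
  printf '%s/tables/%s' "$(workspace_scope "$1" "$2" "$3")" "$4"
}

# Workbook scope: Sentinel workbooks are Microsoft.Insights/workbooks resources
# in the resource group; the resource name is a GUID, not the display name.
workbook_scope() {    # $1 sub, $2 rg, $3 workbook resource name (GUID)
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Insights/workbooks/%s' "$1" "$2" "$3"
}

# Custom role: see the workspace and run queries, nothing else. Which tables a
# query may read is decided separately by the Reader assignments on tables.
limited_query_role_json() {   # $1 subscription used as the assignable scope
  cat <<EOF
{
  "Name": "Sentinel Workbook Query Reader",
  "IsCustom": true,
  "Description": "See the Log Analytics workspace and run queries; table access is granted per table.",
  "Actions": [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1" ]
}
EOF
}

# Apply all three pieces for one group; remaining arguments are table names.
apply() {
  local sub="$1" rg="$2" ws="$3" wb="$4" group="$5"; shift 5
  # 1. Custom role at the workspace scope (definition is created once per tenant).
  az role definition create --role-definition "$(limited_query_role_json "$sub")" >/dev/null
  az role assignment create --role "Sentinel Workbook Query Reader" \
    --assignee-object-id "$group" --assignee-principal-type Group \
    --scope "$(workspace_scope "$sub" "$rg" "$ws")" >/dev/null
  # 2. Reader on each table the workbook queries: one assignment per table.
  local t
  for t in "$@"; do
    az role assignment create --role Reader \
      --assignee-object-id "$group" --assignee-principal-type Group \
      --scope "$(table_scope "$sub" "$rg" "$ws" "$t")" >/dev/null
  done
  # 3. Workbook Reader on the workbook resource only, never on the resource group.
  az role assignment create --role "Workbook Reader" \
    --assignee-object-id "$group" --assignee-principal-type Group \
    --scope "$(workbook_scope "$sub" "$rg" "$wb")" >/dev/null
}

# Check, run after "az login" as a member of the limited group:
# a granted table must answer, a table that was not granted must be refused.
verify_as_limited_user() {    # $1 workspace customer ID (GUID), $2 granted table, $3 other table
  az monitor log-analytics query -w "$1" --analytics-query "$2 | take 1" >/dev/null
  if az monitor log-analytics query -w "$1" --analytics-query "$3 | take 1" >/dev/null 2>&1; then
    echo "FAIL: $3 is readable; table-level RBAC is not in effect" >&2
    return 1
  fi
  echo "OK: $2 readable, $3 denied"
}

if [ "${1:-}" = "apply" ]; then
  # Placeholder IDs (assumed); replace with real ones.
  apply 00000000-0000-0000-0000-000000000000 sentinel-rg sentinel-law \
        11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222 \
        SecurityIncident SecurityAlert
fi
```

Run it with `apply` as someone who can create role definitions and assignments (Owner or User Access Administrator on the subscription), then run `verify_as_limited_user` from a session signed in as a group member, naming one table that was granted and one that was not. Assigning to a group rather than to individual users is what the last anticipated question below recommends; the only per-user step that remains is sharing the workbook link.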

Sharing the Workbook

Since the user cannot see Microsoft Sentinel in the portal, the workbook has to be shared with the user directly through its link. To do so:

  1. Go to the Azure Portal.
  2. Go to Microsoft Sentinel or the resource group.
  3. Find the workbook of interest and open it.
  4. Click on Share and copy the link.
  5. Share the link with the user who should have limited access.

Anticipated Questions:

  1. I don't want the user to see the workspace so that they can't run a query on the data. Can I do that?
    1. No. The permission to see and query the workspace is required because the workbook renders by running queries against the workspace on the user's behalf. What table-level RBAC limits is which tables those queries may read, not whether the user can run queries at all.
  2. How does the user consistently view the workbook without having to use the link?
    1. The user can pin the workbook to an Azure dashboard.
  3. What if the workbook uses several tables?
    1. Table-level RBAC will need to be configured for each one. Queries that reference a table the user has not been granted will not return data in the workbook.
  4. What if I have multiple users who need this type of access?
    1. Consider creating a security group that contains these users and assign the roles to the group instead of to each user.

And that's it. This is a fairly straightforward process that leads to good results. Go ahead and give it a shot and leave comments below if there are any issues.


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.