Azure automation is great but one of the major features it has never had is the ability to give users access only to certain runbooks and not the whole automation account with every single runbook. Microsoft have now released the ability for us to assign permissions to individual runbooks for users or groups. As of writing this article the ability is only provided via powershell but i am sure a GUI version will be made available over the next few months.
In order to get this working there are two RBACs you need to apply, this first is give the users ability to run automation jobs which is set on the automation account (you only need to do this once) and the second is the ability for the users to see the runbook (you need to apply this to every runbook you want the users to see). Please also make sure that the users does not have read permission over the automation account resource group or they will be able to see all runbooks and run them.
Automation Job Operator – this is required once so the users or groups can run the runbooks and is set on automation account level
1
|
New-AzureRmRoleAssignment -ObjectId '<User or group object ID>' -RoleDefinitionName 'Automation Job Operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'
|
Automation Runbook Operator – this is required for every runbook you want the user or group to be able to see
1
|
New-AzureRmRoleAssignment -ObjectId '<User or group object ID'> -RoleDefinitionName 'Automation Runbook Operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>/runbooks/<Runbook Name>'
|
Once you do this the users will be able to see individual runbooks only, i recommend you make a shared dashboard to make the user experience better.
This i what it will look like from a users perspective: