Role-Based Access Control (RBAC)

info

For Role-Based Access Control (RBAC) questions or issues, contact the AI Platform team.

Overview

Our AI Platform uses Role-Based Access Control (RBAC) as the exclusive method for managing access to all resources and assets. Instead of access keys or shared credentials, we enforce secure and scalable permissions through RBAC across the entire platform.

Access is granted by assigning users to Azure security groups, which are then linked to specific roles on each resource. This allows fine-grained control over who can view, modify, or manage assets such as compute, datasets, models, environments, and more.

Every resource on the platform is configured to respect RBAC permissions, enabling teams to define exactly which users or groups can access which components, with no exceptions and no manual key handling.

note

AI Platform's managed Azure ML infrastructure was built upon EurekaML's Archimedes platform. For this reason, you might find some names and IDs with reference to the EurekaML team.

Admin accounts

For privileged administrator roles (Owner and Contributor) on top-level Azure resources, Omnia requires the use of admin accounts of the az_<shortname>@equinor.com type.

To obtain an admin account:

  1. Go to AccessIT and apply for the Application Developer with Admin key (AAD) (MICROSOFT ENTRA ID), which also grants the AZ key for the Application Developer role required to set up Service Principals.
note

Depending on your Equinor account, you might have to navigate to the Citrix Workspace and open the Chrome web browser within it to go to either AccessIT or Access & Network Services (ANS).

  2. After the application has been approved and granted, the admin account can be activated using the ANS tool, available via VPN:
    1. Navigate to the FunctionKeys -> Personal Admin Keys tab.
    2. Click Edit on the AZ key (not to be confused with an A key).
    3. Click Get Temporary Access Pass.
  3. Using this temporary access pass, log in to the Azure portal with the AZ admin user and configure the Microsoft Authenticator sign-in method here. For manual navigation:
    1. Go to Azure portal -> View Account (click your profile picture top right) -> Security Info -> Add sign-in method -> Microsoft Authenticator.
    2. After this sign-in method has been added, go back to the ANS tool and set a permanent password by clicking Edit -> Reset password on the AZ key.
info

Note that without the Microsoft Authenticator sign-in method you will not be allowed to reset the password for the AZ admin user.

Subscriptions

Rights to PIM to Owner and Contributor on subscriptions are governed by membership in AccessIT. As a minimum, the technical owner of a subscription shall be owner of the two AZAPPL groups.

Members of the AZAPPL groups may PIM to become Owner or Contributor on the subscription for a limited time.

More information can be found here

App registrations

Both AI Platform devs and user admin members should be Owners of app registrations for a given instance.

To create a new app registration, or to update an existing one, you need to do the following:

  1. Switch to the correct account.
  2. Then use the automation scripts (equivalent to az ad app create or az ad app update commands).
note
  • Make sure to have applied for Application Developer with Admin key (AAD) (MICROSOFT ENTRA ID) on AccessIT ahead of time. You can read more on Application Management in Azure AD here.
  • For user-assigned managed identities, app registration is created automatically when the UAMI resource is deployed. Make sure to add owners to the app registration after UAMI deployment.

Security groups

Resource access is managed through Security groups in Microsoft Entra ID. These are initially set up upon deployment of an Archimedes instance and are maintained by the teams. EurekaML devs have access to administrate all security groups. Members of a security group are granted the access given to that group; Owners of a security group can in addition manage its members and owners.

Membership in Archimedes - <INSTANCE_NAME> - Admin shall be reserved for AI Platform dev members and the team admins of the instance.

| Security group | Owners | Members | Accesses |
|---|---|---|---|
| Archimedes - <INSTANCE_NAME> - Admin | EurekaML devs | Archimedes Owners, Archimedes user team admins | Grants and revokes access to the Developer, Contributor and Reader groups |
| Archimedes - <INSTANCE_NAME> - Developer | EurekaML devs, Admin members | Archimedes user team members | Contributor-level access to Dev resource groups and PIM contributor-level access to Test and Prod resource groups |
| Archimedes - <INSTANCE_NAME> - Contributor Dev/Test/Prod | EurekaML devs | Managed identities and instance Service principal (if applicable) | Contributor-level access to Dev/Test/Prod |
| Archimedes - <INSTANCE_NAME> - Reader | EurekaML devs, Admin members (when PIMed) | Contributor and Developer members | Reader access to all instance resources |
| Archimedes - <INSTANCE_NAME> - Online Endpoint Consumer | EurekaML devs | Users/Managed Identities consuming online endpoints | Access to consume online endpoints |

Contributor-level access means access to the most relevant roles for using and managing resources, such as Contributor, Storage Blob Data Contributor, and Azure AI Developer.
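The security-group table above, together with the rule that access is granted only through security groups, can be checked against the role assignments actually present on an instance's resource groups. The script below is an added example, not AI Platform tooling: it reads the JSON that `az role assignment list --resource-group <rg> -o json` prints (the field names match that output; the sample records are constructed) and flags direct user assignments, groups that are not the instance's Archimedes groups, a Reader group holding more than Reader, and standing contributor-level roles for the Developer group on Test/Prod resource groups, which per the table should only be PIM-eligible. The set of Test/Prod resource group names is an assumed input, since the page gives no naming convention for them.

```python
"""Audit an Archimedes instance's role assignments against the security-group model.

Added example, not part of the AI Platform docs or tooling. Input: the JSON from
`az role assignment list --resource-group <rg> -o json`; the sample below is constructed.
"""
import json
import re

CONTRIBUTOR_LEVEL_ROLES = {"Contributor", "Storage Blob Data Contributor", "Azure AI Developer"}
# Group naming from the security-groups table: "Archimedes - <INSTANCE_NAME> - <kind>".
GROUP_RE = re.compile(
    r"^Archimedes - (?P<instance>.+?) - "
    r"(?P<kind>Admin|Developer|Contributor (?:Dev|Test|Prod)|Reader|Online Endpoint Consumer)$"
)
RG_RE = re.compile(r"/resourceGroups/([^/]+)", re.IGNORECASE)


def load_assignments(path):
    """Load the JSON array written by `az role assignment list ... -o json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_assignments(assignments, instance, protected_rgs):
    """Return (scope, principalName, reason) for each assignment that breaks the model.

    protected_rgs: names of the Test/Prod resource groups (assumed input, not from the page).
    """
    findings = []
    for a in assignments:
        role, ptype, name, scope = a["roleDefinitionName"], a["principalType"], a.get("principalName", "?"), a["scope"]
        rg_match = RG_RE.search(scope)
        rg = rg_match.group(1) if rg_match else ""
        if ptype == "User":
            # Access is granted only via security groups, so a direct user assignment is a deviation.
            findings.append((scope, name, f"direct user assignment of '{role}'"))
            continue
        if ptype != "Group":
            continue  # managed identities / service principals get access through the Contributor groups
        g = GROUP_RE.match(name)
        if not g or g.group("instance") != instance:
            findings.append((scope, name, "not one of this instance's Archimedes security groups"))
        elif g.group("kind") == "Reader" and role != "Reader":
            findings.append((scope, name, f"Reader group holds '{role}'"))
        elif g.group("kind") == "Developer" and role in CONTRIBUTOR_LEVEL_ROLES and rg in protected_rgs:
            # Developers are only PIM-eligible on Test/Prod; a standing assignment there is a finding.
            findings.append((scope, name, f"standing '{role}' on Test/Prod resource group {rg}"))
    return findings


SUB = "/subscriptions/SUBSCRIPTION_ID_PLACEHOLDER/resourceGroups/"  # constructed sample scopes
SAMPLE_ASSIGNMENTS = [
    {"principalName": "Archimedes - demo - Developer", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": SUB + "rg-demo-dev"},
    {"principalName": "Archimedes - demo - Developer", "principalType": "Group", "roleDefinitionName": "Contributor", "scope": SUB + "rg-demo-prod"},
    {"principalName": "Archimedes - demo - Reader", "principalType": "Group", "roleDefinitionName": "Reader", "scope": SUB + "rg-demo-prod"},
    {"principalName": "alice@example.com", "principalType": "User", "roleDefinitionName": "Storage Blob Data Contributor", "scope": SUB + "rg-demo-prod"},
    {"principalName": "Some Other Team Group", "principalType": "Group", "roleDefinitionName": "Reader", "scope": SUB + "rg-demo-dev"},
]

if __name__ == "__main__":
    for scope, who, why in audit_assignments(SAMPLE_ASSIGNMENTS, "demo", {"rg-demo-test", "rg-demo-prod"}):
        print(f"{who}: {why} ({scope})")
```

Running it on the constructed sample reports three findings: the Developer group's standing Contributor role on the prod resource group, the direct assignment to alice@example.com, and the foreign group.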