AZ-204: Developing Solutions for Microsoft Azure

Exploring Azure Event Grid

Controlling Access to Events

Azure Event Grid uses Azure Role-Based Access Control (RBAC) to decide who can read, create and manage Event Grid resources and who can publish events to them. This article explains how to control access using Event Grid's built-in roles and the permissions Event Grid checks for the various operations. These guidelines let you delegate tasks such as listing event subscriptions, creating subscriptions, managing their lifecycle, or publishing events to a custom topic, each with no more access than the task needs.

Built-in Roles for Event Grid

Azure provides several built-in roles tailored for routine Event Grid tasks:

  • Event Grid Subscription Reader (display name: EventGrid EventSubscription Reader)
    Grants read-only access to event subscriptions. Use it for auditing or monitoring which subscriptions exist and where they deliver; it cannot create, change or delete subscriptions, and it does not grant access to the event payloads themselves.

  • Event Grid Subscription Contributor (display name: EventGrid EventSubscription Contributor)
    Lets users create, modify and delete event subscriptions. This role suits users who manage the lifecycle of subscriptions but should not be able to change topics or other Event Grid resources.

  • Event Grid Contributor (display name: EventGrid Contributor)
    Offers full control over Event Grid resources, including topics as well as event subscriptions. Unlike the two subscription roles, it is not limited to event subscriptions, so assign it only where that broad management access is actually required.

  • Event Grid Data Sender (display name: EventGrid Data Sender)
    Grants only the data-plane permission to publish events to Event Grid topics; it confers no rights to read, create or modify topics or subscriptions. It is the role to give an application (typically through a managed identity) that only needs to publish, in place of handing it a topic access key.

Permissions for Event Subscriptions

When the event handler is not a webhook (for example, an Event Hub or a Queue Storage queue), the caller creating the event subscription must also have write access to that handler resource. Event Grid performs this check so that an unauthorized user cannot create a subscription that routes events into a resource they do not control.

For example, to deliver events to an Azure Queue Storage queue, the identity creating the subscription must have write access on that queue, established through the storage account's access keys or through Microsoft Entra ID authentication. Without that check, anyone able to create an event subscription could direct events into your queue.

Warning

Always ensure that proper access controls are in place on resources like Queue Storage to prevent unauthorized event writing.

Managing Topics and Subscriptions

Creating event subscriptions on system topics and on custom topics requires the Microsoft.EventGrid/EventSubscriptions/Write permission at the right resource scope:

  • For system topics, you need permission to write a new event subscription at the scope of the resource that publishes the events. For instance, subscribing to events from a storage account requires Microsoft.EventGrid/EventSubscriptions/Write on that storage account's resource ID.
  • For custom topics, you need permission to write a new event subscription at the scope of the Event Grid topic itself (the Microsoft.EventGrid/topics/{topic-name} resource). Holding that permission on the topic is what lets you control where its events are delivered.

[Figure: permissions for event subscriptions, showing the write access required for non-webhook event handlers and the permissions required at the scope of system topics and custom topics.]
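The checks described in the two sections above can be written down as a small authorization model. The following is an added example written for this page, not code from the page or from Microsoft's SDKs: it evaluates a caller's Azure RBAC role assignments (with scope inheritance and wildcard actions) against what an event subscription request needs, namely Microsoft.EventGrid/eventSubscriptions/write at the scope of the publishing resource or custom topic, plus write access on the handler resource when the handler is not a webhook. The role action lists are trimmed to what the example needs, and deriving the handler's write action from its resource type is an assumption; the resource IDs are constructed sample values.

```python
"""Model of the Azure RBAC checks Event Grid applies when an event subscription
is created. Added example for this page; not Microsoft's code.

ASSUMPTIONS: role action lists are trimmed to what the example needs, and the
handler "write access" is modelled as the provider write action derived from
the handler's resource type.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    scope: str  # resource ID; Azure RBAC inherits an assignment down to child resources


# ASSUMPTION: simplified action lists for the built-in roles used below.
ROLE_ACTIONS = {
    "EventGrid EventSubscription Reader": ("Microsoft.EventGrid/eventSubscriptions/read",),
    "EventGrid EventSubscription Contributor": ("Microsoft.EventGrid/eventSubscriptions/*",),
    "EventGrid Contributor": ("Microsoft.EventGrid/*",),
    "EventGrid Data Sender": (),  # data-plane publish only; no control-plane actions at all
    "Storage Account Contributor": ("Microsoft.Storage/storageAccounts/*",),
    "Contributor": ("*",),
}

SUBSCRIPTION_WRITE = "Microsoft.EventGrid/eventSubscriptions/write"


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` applies to `resource_id` (itself or a child)."""
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def action_allowed(assignments, action: str, resource_id: str) -> bool:
    """Azure RBAC is additive: any assignment whose scope covers the resource and
    whose role lists a matching action (wildcards allowed) grants the action."""
    for a in assignments:
        if not scope_covers(a.scope, resource_id):
            continue
        for pattern in ROLE_ACTIONS.get(a.role, ()):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def write_action_for(resource_id: str) -> str:
    """ASSUMPTION: map a resource ID to its provider write action, e.g.
    .../providers/Microsoft.Storage/storageAccounts/acct/queueServices/default/queues/q
    -> Microsoft.Storage/storageAccounts/queueServices/queues/write"""
    parts = resource_id.strip("/").split("/")
    i = [p.lower() for p in parts].index("providers")
    namespace, type_segments = parts[i + 1], parts[i + 2::2]
    return "/".join([namespace, *type_segments, "write"])


def topic_kind(source_id: str) -> str:
    """Custom topics live under Microsoft.EventGrid/topics; anything else is a
    system topic on the publishing Azure resource (for example a storage account)."""
    return "custom" if "/providers/microsoft.eventgrid/topics/" in source_id.lower() else "system"


def required_permissions(source_id: str, destination: dict) -> list:
    """(action, scope) pairs the caller must hold to create the subscription."""
    required = [(SUBSCRIPTION_WRITE, source_id)]
    if destination["endpointType"].lower() != "webhook":  # non-webhook handler: write on it too
        handler = destination["resourceId"]
        required.append((write_action_for(handler), handler))
    return required


def check_subscription_request(assignments, source_id: str, destination: dict) -> dict:
    """Return the topic kind and every (action, scope) pair the caller is missing."""
    missing = [(action, scope) for action, scope in required_permissions(source_id, destination)
               if not action_allowed(assignments, action, scope)]
    return {"topicKind": topic_kind(source_id), "missing": missing}


# Constructed sample resource IDs (not real subscriptions or resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-events"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stevents"
QUEUE = STORAGE + "/queueServices/default/queues/orders"
TOPIC = RG + "/providers/Microsoft.EventGrid/topics/orders-topic"

WEBHOOK = {"endpointType": "WebHook", "endpointUrl": "https://example.invalid/events"}
QUEUE_HANDLER = {"endpointType": "StorageQueue", "resourceId": QUEUE}

if __name__ == "__main__":
    sub_contrib = [RoleAssignment("EventGrid EventSubscription Contributor", STORAGE)]
    # System topic -> webhook: only eventSubscriptions/write on the storage account is needed
    print(check_subscription_request(sub_contrib, STORAGE, WEBHOOK))
    # System topic -> queue: the non-webhook check also demands write access on the queue
    print(check_subscription_request(sub_contrib, STORAGE, QUEUE_HANDLER))
    # Custom topic: Data Sender may publish but cannot create subscriptions
    print(check_subscription_request([RoleAssignment("EventGrid Data Sender", TOPIC)], TOPIC, WEBHOOK))
    # Contributor at resource-group scope is inherited by both the source and the queue
    print(check_subscription_request([RoleAssignment("Contributor", RG)], STORAGE, QUEUE_HANDLER))
```

The second scenario is the one the warning above is about: a subscription contributor on the storage account can wire events to a webhook but is stopped from pointing them at a queue it has no write access to. In a real environment the same outcome is produced by scoping assignments tightly, for example with az role assignment create --assignee <object-id> --role "EventGrid EventSubscription Contributor" --scope <storage-account-resource-id>, and by granting publishers EventGrid Data Sender on the topic rather than a topic access key.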

Receiving Events Using Webhooks

Once the roles and permissions above are in place, you can configure a webhook endpoint to receive events. The upcoming sections cover how to set up and use webhooks to process events, including the steps needed to integrate them with your event-driven applications.

Note

Webhooks are a flexible way to process events in near real time, but the endpoint is reachable over the network, so it must be secured and must validate that incoming requests genuinely come from Event Grid before acting on them.

