# RBAC & ABAC roles

Azure RBAC roles, or simply Azure roles, provide access management for Azure resources using the authorization system of ARM (Azure Resource Manager). There are more than 120 built-in roles, and we can define custom roles too.

However, there are five fundamental roles:

<figure><img src="/files/OSpr2gs5RqVRhK0nXOxS" alt=""><figcaption></figcaption></figure>

### RBAC Assignment

Something to remember:

{% hint style="info" %}
Principal HAS role ON scope
{% endhint %}

<figure><img src="/files/6qapdNWXB3mWpkZsO66H" alt=""><figcaption></figcaption></figure>

### ABAC

ABAC builds on RBAC and provides fine-grained access control based on attributes of a resource, security principal and environment. It is implemented using role assignment conditions.

* Only used by storage accounts
* Low-level functionality

<figure><img src="/files/3uREQn1NGtAfVklnEBLZ" alt=""><figcaption></figcaption></figure>
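The following is an added example, not part of the original notes. It renders role assignments in the "principal HAS role ON scope" form, appends "WHEN condition" for an ABAC assignment, and lists which assignments a resource inherits from its parent scopes. The records are shaped like `az role assignment list` JSON output; every name, ID and the condition string is constructed, and management-group scopes are not resolved.

```python
# Constructed sample shaped like `az role assignment list --all` output.
# Every name, ID and the condition string is made up for illustration.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE = SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlogs"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Reader",
     "scope": SUB, "condition": None},
    {"principalName": "ci-pipeline", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app", "condition": None},
    # ABAC: the role assignment itself carries a condition that limits
    # blob reads to a single container.
    {"principalName": "bob@contoso.example",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE,
     "condition": "((!(ActionMatches{'" + BLOB_READ + "'})) OR "
                  "(@Resource[Microsoft.Storage/storageAccounts/blobServices/"
                  "containers:name] StringEquals 'logs'))"},
]


def describe(a):
    """Render one assignment as 'Principal HAS role ON scope [WHEN condition]'."""
    text = f"{a['principalName']} HAS {a['roleDefinitionName']} ON {a['scope']}"
    return text + (f" WHEN {a['condition']}" if a.get("condition") else "")


def applies_to(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`.

    Resource IDs are compared case-insensitively and on a path-segment
    boundary, so 'rg' does not match 'rg-app'. Management-group scopes need
    the group hierarchy, which a resource ID does not contain, so they are
    not resolved here.
    """
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def effective(assignments, resource_id):
    """Assignments whose scope is the resource itself or one of its parents."""
    return [a for a in assignments if applies_to(a["scope"], resource_id)]


if __name__ == "__main__":
    for a in effective(ASSIGNMENTS, STORAGE):
        print(describe(a))
```
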

If these are all RBAC/ABAC managed, who manages them? Well, this is where Entra ID roles come in.


