Check for Required IAM Permissions in Azure
GigaVUE‑FM allows you to validate whether the policy attached to the GigaVUE-FM using "Managed Identity" or "Application ID with client secret" has the required IAM permissions and notifies the users about the missing permissions. You can check permissions while creating a Monitoring Domain and deploying GigaVUE Fabric Components using GigaVUE-FM by clicking the Check Permissions button on the Create Monitoring Domain page and Azure Fabric Launch page. The GigaVUE‑FM displays the minimum required IAM permissions.
IMPORTANT: "Microsoft.Authorization/roleAssignments/read" permission is required for validating the required permissions. Ensure to include "Microsoft.Authorization/roleAssignments/read" permission in your IAM policy.
The following are the prerequisites that are required to deploy GigaVUE Cloud Suite for Azure:
- IAM permissions - Check whether the minimum required permissions are granted for the instance where the GigaVUE‑FM is deployed. Refer to Permissions and Privileges (Azure) for more detailed information on configuring the required permissions in Azure.
- Access to public cloud endpoints - Check for access to the Azure cloud endpoint APIs.
- Subscription to the GigaVUE Cloud Suite for Azure- Before deploying the solution, you must subscribe to the GigaVUE Cloud Suite components from the Azure marketplace. Refer to Enable Subscription for GigaVUE Cloud Suite for Azure for more detailed information on how to subscribe to Gigamon Products.
- Security Group - Checks whether the required ports are configured in the security group. For more information on the security groups, see Network Security Groups
After you press the Check Permissions button, GigaVUE‑FM will verify the minimum required permissions. Any missing permissions will be highlighted with the respective message against the permission in a dialog box. You can use the displayed IAM Policy JSON as a reference and update the policy that is attached to the GigaVUE‑FM.
Points to Note
- When using Managed Identity (MSI), the IAM policy modified in Azure Portal takes a long duration to reflect in GigaVUE-FM. Refer to the Limitation of using managed identities for authorization section in Azure Documentation for more detailed information.
- The Check Permissions feature is not supported when the Traffic Acquisition Method is set to vTAP.
The following table lists the different available status and their descriptions.
|
Access Status |
Description |
|
Allowed |
This status is displayed if permission is configured correctly. |
|
Denied |
This status is displayed if permission is missing. For Example: If a permission is not configured in the IAM policy or if the permission access is explicitly denied in Azure, then the status is displayed as Denied. |
|
Failed |
This status is displayed if GigaVUE-FM fails to validate a permission. The reason and the probable cause are also displayed. |
|
Not Executed |
This status is displayed if a higher level of permission is denied or not configured, then GigaVUE-FM cannot validate a permission. For Example: If a subscription level permission is in denied or failed state then the resource level permission cannot be validated. |
|
Undeterminable |
The "Microsoft.Authorization/roleAssignments/read" permission is required to validate the required permissions. If this permission is not configured, the status of several other permissions cannot be determined. |
Refer to the following section for more detailed information:
- Check Permissions while Creating a Monitoring Domain
- Check Permissions while Configuring GigaVUE Fabric Components using GigaVUE‑FM
- View Permission Status Reports
View Permission Status Reports
The permission status reports consist of previously run Check permissions reports. They are auto purged once every 30 days. You can change the purge interval from the Advanced Settings page. Refer to Configure Azure Settings for more detailed information.
You can view the Permission Status Report in the following two ways:
- In the Monitoring Domain page, click Actions > View Permission Status Report.
- In the Monitoring Domain page, you can navigate to Settings and then click Permission Status Report
On the Permission Status Report page, you can use the Filter button to filter the reports based on File Name, Type, and Date.
To view or delete individual reports, select the report and click Actions button.
