Check for Required IAM Permissions in Azure

GigaVUE‑FM lets you validate that the IAM policy attached to GigaVUE‑FM, whether it authenticates with a Managed Identity or with an Application ID and client secret, grants the permissions GigaVUE‑FM needs, and it reports any permissions that are missing. You can run the check while creating a Monitoring Domain and while deploying GigaVUE Fabric Components from GigaVUE‑FM. To check, click the Check Permissions button on the following:

  • Create Monitoring Domain page

  • Azure Fabric Launch page.

GigaVUE‑FM displays the minimum required IAM permissions.

IMPORTANT: The "Microsoft.Authorization/roleAssignments/read" permission is required to validate the other permissions, because GigaVUE‑FM must be able to read its own role assignments to evaluate them. Make sure your IAM policy includes "Microsoft.Authorization/roleAssignments/read".

Prerequisites to deploy GigaVUE Cloud Suite for Azure:

  • IAM permissions: Check whether the minimum required permissions are granted to the instance where GigaVUE‑FM is deployed. For details, refer to Permissions and Privileges (Azure).
  • Access to public cloud endpoints: Check that GigaVUE‑FM can reach the Azure cloud endpoint APIs.
  • Subscription to the GigaVUE Cloud Suite for Azure: Before deploying the solution, you must subscribe to the GigaVUE Cloud Suite components from the Azure Marketplace. For details, refer to Enable Subscription for GigaVUE Cloud Suite for Azure.
  • Security Group: Check whether the required ports are configured in the security group. For more information, see Network Security Groups.

After you click the Check Permissions button, GigaVUE‑FM verifies the minimum required permissions. Any missing permissions are highlighted in a dialog box, each with a message explaining its status. You can use the displayed IAM Policy JSON as a reference to update the policy attached to GigaVUE‑FM.
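As an added illustration (this is not Gigamon's reference JSON; the policy JSON that GigaVUE‑FM displays is the authoritative list), the following Azure custom role definition carries the one permission the validator itself needs, "Microsoft.Authorization/roleAssignments/read". The role name, description and subscription ID are placeholders; the remaining actions for your deployment come from the JSON GigaVUE‑FM displays and would be added to the same "Actions" array.

```json
{
  "Name": "GigaVUE-FM Permission Check (example)",
  "IsCustom": true,
  "Description": "Example custom role: lets GigaVUE-FM read its own role assignments so that Check Permissions can evaluate the other permissions.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Create the role with `az role definition create --role-definition ./gigavue-fm-check.json` and assign it to the GigaVUE‑FM identity (the VM's managed identity, or the service principal behind the Application ID) with `az role assignment create --assignee <object-id> --role "GigaVUE-FM Permission Check (example)" --scope /subscriptions/<subscription-id>`. Without this permission every other permission in the report shows as Undeterminable rather than Allowed or Denied, so add it first and rerun the check.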

Points to Note

  1. When using a Managed Identity (MSI), changes to the IAM policy made in the Azure Portal can take a long time to be reflected in GigaVUE‑FM. For details, refer to the Limitation of using managed identities for authorization section in the Azure documentation.
  2. The Check Permissions feature is not supported when the Traffic Acquisition Method is set to vTAP.

The following list describes the access statuses that the report can display and what each one means:

  • Allowed: The permission is configured correctly.
  • Denied: The permission is missing. For example, if a permission is not configured in the IAM policy, or if access to it is explicitly denied in Azure, the status is displayed as Denied.
  • Failed: GigaVUE‑FM could not validate the permission. The reason and the probable cause are also displayed.
  • Not Executed: A higher-level permission is denied or not configured, so GigaVUE‑FM cannot validate this permission. For example, if a subscription-level permission is denied or failed, the resource-level permissions that depend on it cannot be validated.
  • Undeterminable: The "Microsoft.Authorization/roleAssignments/read" permission is required to validate the other permissions. If it is not configured, GigaVUE‑FM cannot determine the status of several other permissions.
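To make the status rules concrete, here is an added example (not GigaVUE‑FM's or Azure's own code) that evaluates a list of required actions against an identity's role assignments the way Azure RBAC does: each role grants its Actions minus its own NotActions, roles are unioned, a deny assignment overrides any grant, an assignment applies at its scope and every scope beneath it, and "*" in an action pattern matches any characters including "/". The role definitions, deny assignment, required actions and their prerequisite chain are constructed sample data; the "FabricDeployer" role, the resource group name and the subscription ID are placeholders. The Failed status is not modelled, since it reflects an error in the validator itself rather than a policy outcome.

```python
"""Offline model of the permission check behind the Check Permissions button.

Role definitions and assignments below are constructed sample data in the shape
of `az role definition list` / `az role assignment list` output; nothing here
talks to Azure.
"""
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/gigamon-rg"
ROLE_ASSIGNMENTS_READ = "Microsoft.Authorization/roleAssignments/read"

# Constructed role definitions: each role grants Actions minus its own NotActions.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "FabricDeployer": {  # hypothetical custom role
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*"],
        "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    },
}

# Constructed deny assignment: an explicit deny wins over every role grant.
DENY_ASSIGNMENTS = [
    {"Actions": ["Microsoft.Compute/virtualMachines/powerOff/action"], "scope": SUBSCRIPTION},
]

# Constructed required permissions as (action, scope, prerequisite action).
# A prerequisite that is not Allowed makes the dependent check Not Executed.
RG_READ = "Microsoft.Resources/subscriptions/resourceGroups/read"
NSG_WRITE = "Microsoft.Network/networkSecurityGroups/write"
REQUIRED = [
    (RG_READ, SUBSCRIPTION, None),
    ("Microsoft.Compute/virtualMachines/read", RESOURCE_GROUP, RG_READ),
    ("Microsoft.Compute/virtualMachines/write", RESOURCE_GROUP, RG_READ),
    ("Microsoft.Compute/virtualMachines/delete", RESOURCE_GROUP, RG_READ),
    ("Microsoft.Compute/virtualMachines/powerOff/action", RESOURCE_GROUP, RG_READ),
    ("Microsoft.Network/networkInterfaces/write", SUBSCRIPTION, None),
    (NSG_WRITE, RESOURCE_GROUP, None),
    ("Microsoft.Network/networkSecurityGroups/securityRules/write", RESOURCE_GROUP, NSG_WRITE),
]

# Constructed assignments for the GigaVUE-FM identity (two scenarios below).
FM_ASSIGNMENTS = [
    {"role": "Reader", "scope": SUBSCRIPTION},
    {"role": "FabricDeployer", "scope": RESOURCE_GROUP},
]


def action_matches(pattern, action):
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included.
    Action names are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and at every scope beneath it."""
    base, target = assignment_scope.rstrip("/").lower(), target_scope.lower()
    return target == base or target.startswith(base + "/")


def is_granted(action, scope, assignments):
    """True if no deny assignment matches and some applicable role grants the
    action. NotActions are subtracted per role, not shared across roles, so a
    second role may still grant what the first one excludes."""
    for deny in DENY_ASSIGNMENTS:
        if scope_covers(deny["scope"], scope) and any(action_matches(p, action) for p in deny["Actions"]):
            return False
    for assignment in assignments:
        if not scope_covers(assignment["scope"], scope):
            continue
        role = ROLE_DEFINITIONS[assignment["role"]]
        if any(action_matches(p, action) for p in role["Actions"]) and \
                not any(action_matches(p, action) for p in role["NotActions"]):
            return True
    return False


def check_permissions(assignments, required=REQUIRED):
    """Return {action: status} using the report's Allowed / Denied /
    Not Executed / Undeterminable statuses."""
    # Without roleAssignments/read the checker cannot enumerate its own
    # assignments, so nothing else can be determined.
    if not is_granted(ROLE_ASSIGNMENTS_READ, SUBSCRIPTION, assignments):
        return {ROLE_ASSIGNMENTS_READ: "Denied",
                **{action: "Undeterminable" for action, _, _ in required}}
    report = {ROLE_ASSIGNMENTS_READ: "Allowed"}
    for action, scope, prereq in required:  # prerequisites are listed first
        if prereq is not None and report.get(prereq) != "Allowed":
            report[action] = "Not Executed"
        else:
            report[action] = "Allowed" if is_granted(action, scope, assignments) else "Denied"
    return report


if __name__ == "__main__":
    for action, status in check_permissions(FM_ASSIGNMENTS).items():
        print(f"{status:14} {action}")
    print("--- without Reader ---")
    for action, status in check_permissions(FM_ASSIGNMENTS[1:]).items():
        print(f"{status:14} {action}")
```

With both assignments the report shows virtualMachines/delete as Denied (excluded by the custom role's NotActions and granted by nothing else), powerOff/action as Denied (explicit deny assignment), networkInterfaces/write at subscription scope as Denied (the custom role is assigned only at the resource group, and grants do not flow upward), and securityRules/write as Not Executed because its prerequisite networkSecurityGroups/write is Denied. Dropping the Reader assignment removes "*/read", so roleAssignments/read is Denied and every other entry becomes Undeterminable, which is exactly why the IMPORTANT note above asks for that permission first.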

For more details, refer to the following sections:

View Permission Status Reports

The permission status reports consist of previously run Check Permissions reports. They are automatically purged every 30 days. You can change the purge interval from the Advanced Settings page. For details, refer to Configure Azure Settings.

You can view the Permission Status Report in the following two ways:

  • In the Monitoring Domain page, select Actions > View Permission Status Report.
  • In the Monitoring Domain page, navigate to Settings and select Permission Status Report.

On the Permission Status Report page, you can use the Filter button to sort the reports by File Name, Type, and Date.

To view or delete an individual report, select the report and then select Actions.