...
It is crucial to understand, that most of the landing zone setup itself can and is only done by the client themselves. Learn in https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/434896928436536285/Get+started+with+a+Customer+Managed+Tenant#Responsibilities which tasks these are.
...
More control over incoming changes
Fewer if not minimal lateral movement risks
A tight grip on principle of least privilege as no human needs privileged access anymore except in escalations
An easy to get audit trail
A modern-day approach of collaboration
Gliffy | imageAttachmentId | att436109341|||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Note that the more the client automates, the less of the roles and permissions outlined below are needed. How much of the setup is automated from the client side also has a pricing and timeline impact as human actions always take longer than those of machines.
This automation grade is top-notch and a dream to many 🫧 Unique although works on providing the best risk mitigations possible. The more of this automation is implemented, the securer the solution all-in-all gets.
Once more it is to remember that depending on the https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/434896928436536285/Get+started+with+a+Customer+Managed+Tenant#Responsibilities it is up to one of the parties to mitigate this risk.
...
This separation targets primarily https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436043790436536301/Reference+Architecture+CMT#Risk-based-approach and is not only decoration.
Gliffy | imageAttachmentId | att435617824|||||||
---|---|---|---|---|---|---|---|---|
|
Unique advises to segregate resources at a resource group level using the following groups:
...
The content of the main group, primarily based on https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks-pci/aks-pci-ra-code-assets. Besides the Infrastructure requirements some more resources are recommended to be deployed in order to run .
Gliffy | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Roles
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
To understand the content of this section, https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles must be read and understood. |
Gliffy | imageAttachmentId | att436469781|||||||
---|---|---|---|---|---|---|---|---|
|
Gliffy | |||||||||
---|---|---|---|---|---|---|---|---|---|
|
...
GovernanceOwner | see parentDominik Meyer |
---|