Paul K space : Management Groups & Policy (incomplete - on hold)


The Contino UK Azure tenant has a management group structure that we plan to use in future to apply policy across subscriptions and generally make things easier for us to manage.

Below are some details on how that policy will affect capability should it be enforced.

Basic Info

  • All new subscriptions drop into DefaultManagementGroup until moved

  • All subscriptions will be homed under an appropriate group

  • The DefaultManagementGroup will be restricted so that subscriptions don't just languish there


Policy Design

  • Notes from SMEs and stakeholders as to what the policy for each management group should cover, and how it should be enforced, so that the policy structure, its inheritance and its impact can be reviewed and tweaked so that

  1. it does not restrict the business in any way that is unnecessary

  2. it ensures we comply with any regulation

  3. it ensures we adhere to our internal standards

  • Azure Practice will be responsible for the delivery mechanisms and code as required

  • Security Practice, or its nominees, will provide guidance and/or explicit requirements to their satisfaction

  • Sign-off process to be agreed

Management group hierarchy (Top, then Levels 1 to 4) with the policy summary for each group:

Root
  • Legal Compliance
  • Tag Enforcement
  • Owner Enforcement
  • Periodic Review Enforcement

  Contino
    • Corporate compliance

    Production
      • Corporate Compliance
      • Industry Sub Groups?
      • External Service Role
      • Cost Considerations
      • Capacity Considerations
      • Integration Consideration
      • Automated Scanning

    Platform
      • Internal Systems
      • Internal Service Role
      • Availability Consideration
      • Integration Consideration
      • Automated Scanning

    Non-Prod
      • Resource type restriction
      • Budget allocation
      • Expires tag

      ClientDemo
        (no summary yet)

      Expired
        • No access

      Dev/test
        • Resource type restriction
        • Cost restriction

        AU
          • Regional compliance

        UK
          • Regional compliance

        US
          • Regional compliance

  DefaultManagementGroup
    • Highly Restricted
    • Protect Access
    • Protect Cost

Policy decisions for each group are set out below.

Root Tenant Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Default Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD
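The summary above lists the DefaultManagementGroup as "Highly Restricted", "Protect Access" and "Protect Cost". One way to express the "Highly Restricted" part as an Azure Policy definition, added here as an example and not a definition from the Contino tenant: a quarantine policy assigned at DefaultManagementGroup that denies every create or update request whose resource type is not on an allow list, and that allow list defaults to empty. Mode "All" is deliberate, since "Indexed" would leave resource group creation uncovered. The assumptions (scope, effect, empty default) are recorded in the definition's description, as JSON has no comments.

```json
{
  "properties": {
    "displayName": "Quarantine: deny deployments not on the allow list",
    "mode": "All",
    "description": "Added example, not a Contino definition. Intended for assignment at DefaultManagementGroup, where new subscriptions land until moved. Mode All covers resource groups as well as resources, so with the default empty allow list nothing can be created in a quarantined subscription. Deny acts only on new create/update requests: anything already present when a subscription arrives remains and is reported as non-compliant. Access control itself is an RBAC matter, not a policy one.",
    "metadata": {
      "category": "General"
    },
    "parameters": {
      "allowedResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed resource types",
          "description": "Resource types that may still be deployed while a subscription sits in the quarantine group, e.g. Microsoft.Resources/subscriptions/resourceGroups. Empty by default."
        },
        "defaultValue": []
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "type",
          "in": "[parameters('allowedResourceTypes')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Two caveats a reviewer of this group should keep in mind: the deny does not remove resources that a subscription brings with it, so the "Protect Cost" goal also needs a review of what is already running, and "Protect Access" has to be handled with role assignments at the management group rather than with policy.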

Contino Management Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce):
      • All resource groups must contain an “Environment” tag
      • All resources inherit their Resource Group tags
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD
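The first Enforce bullet for this group maps directly onto an Azure Policy definition. The following is an added example, not a definition from the Contino tenant or one of Microsoft's built-ins: a custom policy, assumed to be assigned at the Contino management group, that blocks creation or update of a resource group lacking the tag named by the tagName parameter (defaulting to Environment, per the bullet). The effect is itself a parameter so the same definition can be assigned as Audit for the "Notify" column and as Deny for the "Enforce" column. Assumptions are recorded in the description and metadata fields, since JSON has no comments. The inheritance bullet needs a separate modify-effect definition and is not shown here.

```json
{
  "properties": {
    "displayName": "Require a named tag on resource groups",
    "mode": "All",
    "description": "Added example, not a Contino definition. Denies a resource group that is created or updated without the tag named by tagName. Existing resource groups without the tag are reported as non-compliant but are not changed. Mode All is required: Indexed mode does not evaluate resource groups.",
    "metadata": {
      "category": "Tags",
      "note": "Assumptions: tag name Environment, effect Deny, assignment scope the Contino management group."
    },
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag every resource group must carry"
        },
        "defaultValue": "Environment"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Assign as Audit first to measure impact (the Notify column), then switch to Deny (the Enforce column)"
        },
        "allowedValues": [
          "Audit",
          "Deny"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Because the definition is parameterised, the same artefact serves the review loop described under Policy Design: assign it with effect Audit, read the compliance results to see which teams would be blocked, and only then move the assignment to Deny.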

Contino/Production Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Platform Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production/ClientPOCDemo Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production/Expired Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production/Engineering DevTest Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce):
      • All Subscriptions must contain an “Owner” tag
      • All resource groups must contain an “expires” tag
      • All resources must inherit resource group tags
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD
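The three Enforce bullets for this group correspond to three Azure Policy definitions, shown together below as an added example (not definitions from the Contino tenant; the surrounding array is only for reading, each element is deployed as its own policyDefinition). The first audits subscriptions without an Owner tag: a subscription already exists by the time it is placed under this group, so a deny cannot stop it, and audit surfaces it as non-compliant instead. The second goes beyond the bullet's wording and requires the expires tag value to look like an ISO date, so an automated expiry sweep can parse it; the YYYY-MM-DD pattern is an assumption. The third is the modify-effect definition that copies a tag from the resource group onto any resource that lacks it, which also implements the "All resources inherit their Resource Group tags" requirement listed under the Contino group; the Contributor role id it grants to the assignment's managed identity is Azure's well-known built-in role, and choosing that role is an assumption. Assumptions are recorded in each definition's description.

```json
[
  {
    "name": "audit-owner-tag-on-subscriptions",
    "properties": {
      "displayName": "Audit subscriptions that lack an Owner tag",
      "mode": "All",
      "description": "Added example, not a Contino definition. Mode All lets the rule evaluate the subscription object itself. Audit rather than deny: the subscription exists before it lands here, so compliance reporting is the only lever. Tag name Owner is taken from the group's Enforce list.",
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
            { "field": "tags['Owner']", "exists": "false" }
          ]
        },
        "then": { "effect": "audit" }
      }
    }
  },
  {
    "name": "require-dated-expires-tag-on-resource-groups",
    "properties": {
      "displayName": "Require an ISO-dated expires tag on resource groups",
      "mode": "All",
      "description": "Added example. Denies a resource group whose expires tag is missing or does not match ####-##-## (# matches one digit in a policy match condition), so the value can be parsed by an expiry sweep. The date format is an assumption.",
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
            {
              "anyOf": [
                { "field": "tags['expires']", "exists": "false" },
                { "field": "tags['expires']", "notMatch": "####-##-##" }
              ]
            }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  },
  {
    "name": "inherit-tag-from-resource-group",
    "properties": {
      "displayName": "Inherit a tag from the resource group when the resource lacks it",
      "mode": "Indexed",
      "description": "Added example. Modify adds the tag at deployment time; a remediation task applies it to existing resources. The assignment's managed identity needs the role in roleDefinitionIds (Contributor, an assumption). Assign once per tag name, e.g. Environment and expires.",
      "parameters": {
        "tagName": {
          "type": "String",
          "metadata": {
            "displayName": "Tag name",
            "description": "Tag to copy from the resource group onto resources that lack it"
          },
          "defaultValue": "expires"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
            { "value": "[resourceGroup().tags[parameters('tagName')]]", "notEquals": "" }
          ]
        },
        "then": {
          "effect": "modify",
          "details": {
            "roleDefinitionIds": [
              "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
              {
                "operation": "add",
                "field": "[concat('tags[', parameters('tagName'), ']')]",
                "value": "[resourceGroup().tags[parameters('tagName')]]"
              }
            ]
          }
        }
      }
    }
  }
]
```

The second definition is the one worth testing against real deployments before enforcing: a team that writes expires tags as free text ("end of Q3") is blocked outright, which is the intended behaviour only if the expiry sweep that consumes the tag actually exists.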

Contino/Non-Production/Engineering DevTest/UK Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production/Engineering DevTest/US Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD

Contino/Non-Production/Engineering DevTest/AU Group

General Guidance: TBD

Requirement and Policies:
  • Essential (Notify): TBD
  • Essential (Enforce): TBD
  • Suggested (Notify): TBD
  • Suggested (Enforce): TBD