To perform SideScanning for your Microsoft Azure accounts, the Orca Enterprise application requires a specific set of Azure Active Directory (AD) and RBAC (Resource Manager) permissions. During account onboarding, when the Orca app is approved, a service principal with the necessary AD permissions is automatically created for the Orca app in the customer's tenant. Then, when Orca's onboarding ARM template is deployed, a custom IAM role definition (Orca Security Side-Scanner Role), in which the RBAC permissions are specified, is created and assigned to the Orca app's service principal at the scope of the onboarded subscription(s).
This applies to the default SaaS deployment mode where permissions and role assignments are handled by the deployment template without any input from the user. For information about limiting Orca to specific resource groups, please see the Azure: Limit Orca to Specific Resource Groups article.
Additionally, a dedicated resource group is created within the target subscription, and the Orca app is assigned the Contributor role on that resource group.
Note: The user approving the Orca app during onboarding must be assigned the Cloud Application Administrator or Application Administrator Azure AD role. Additionally, the user deploying the Orca onboarding template must be assigned an RBAC role (typically Owner) at the scope of the onboarded subscription(s), with sufficient permissions to create resource groups and to create and assign roles. These roles are needed only by the users completing the onboarding process; they are not granted to the Orca app itself.
You can review the Orca role assignments in Azure by navigating to Resource Groups > Orca-Security > Access control (IAM).
Depending on the selected onboarding policy, Orca may ask for the following access permissions at varying levels of scope:
Scope: management group or subscription:
Obtain general control-plane information used to compute security posture.
Obtain access keys to storage accounts in order to scan their content.
Create & delete snapshots.
Obtain credentials to access managed Kubernetes (K8s) clusters, used to access and scan cluster workloads.
Share the created snapshots with Orca's subscription (only used in SaaS mode).
Assign key vault access permissions to the Orca app, used to scan encrypted disks.
Scope: Azure Active Directory:
Directory.Read.All: obtain general control-plane information used to compute security posture.
Scope: Key vaults containing encryption keys for disks:
Secret permissions "Get" and "List"; key permissions "Get", "List" and "UnwrapKey": decrypt scanned disks. Get and List on secrets retrieve the disk encryption key, and UnwrapKey on keys is needed when that key is itself wrapped by a key encryption key held in the vault; nothing beyond these (for example Decrypt or any write permission) is required.
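The onboarding model described above (custom role at subscription or management group scope, Contributor only on the Orca resource group) and the key vault minimum listed in this section are easy to verify after the template has run. The following script is an added example, not Orca's code or part of its template: it consumes the JSON shapes returned by `az role assignment list --assignee <orca-sp-object-id> --all` and `az keyvault show --name <vault>` and reports anything that drifts from what this page documents. The subscription ID, service principal object ID and vault name are hypothetical, and the sample data is constructed (it deliberately includes an extra Owner assignment and an excess Decrypt key permission); feed it real CLI output in practice.

```python
"""Audit what Orca onboarding granted in an Azure subscription (added example, not Orca's code)."""

SIDE_SCANNER_ROLE = "Orca Security Side-Scanner Role"
ORCA_RESOURCE_GROUP = "Orca-Security"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Documented key vault minimum (access-policy permission names, compared case-insensitively).
EXPECTED_SECRET_PERMS = {"get", "list"}
EXPECTED_KEY_PERMS = {"get", "list", "unwrapkey"}

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000001"  # hypothetical
ORCA_OBJECT_ID = "11111111-1111-1111-1111-111111111111"   # hypothetical SP object id

# Constructed sample of `az role assignment list` output; the Owner entry is deliberate drift.
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": SIDE_SCANNER_ROLE,
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{ORCA_RESOURCE_GROUP}"},
    {"roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]

# Constructed sample of `az keyvault show` output; Decrypt on keys exceeds the documented minimum.
SAMPLE_VAULT = {
    "name": "kv-disk-keys",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": ORCA_OBJECT_ID,
             "permissions": {"keys": ["Get", "List", "UnwrapKey", "Decrypt"],
                             "secrets": ["Get", "List"],
                             "certificates": []}},
        ],
    },
}


def audit_assignments(assignments, subscription_id):
    """Flag role assignments that fall outside the documented onboarding model."""
    findings = []
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    rg_scope = f"{sub_scope}/resourcegroups/{ORCA_RESOURCE_GROUP}".lower()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        s = scope.lower()  # ARM scopes are case-insensitive
        if role == SIDE_SCANNER_ROLE:
            # The custom role belongs at the onboarded subscription or a management group above it.
            if s != sub_scope and not s.startswith(MG_PREFIX.lower()):
                findings.append(f"{role} at unexpected scope: {scope}")
        elif role == "Contributor":
            # Contributor is only expected on the dedicated Orca resource group.
            if s != rg_scope:
                findings.append(f"Contributor outside the {ORCA_RESOURCE_GROUP} resource group: {scope}")
        else:
            findings.append(f"Unexpected role '{role}' at {scope}")
    return findings


def audit_vault_policy(vault, object_id):
    """Compare the Orca app's access-policy entry with the documented minimum."""
    name, props = vault["name"], vault["properties"]
    if props.get("enableRbacAuthorization"):
        # RBAC-mode vaults have no access policies; the grant is a role assignment on the vault.
        return [f"{name}: uses RBAC authorization, check role assignments on the vault instead"]
    entries = [p for p in props.get("accessPolicies", []) if p["objectId"].lower() == object_id.lower()]
    if not entries:
        return [f"{name}: no access policy for the Orca app; encrypted disks cannot be scanned"]
    findings = []
    for p in entries:
        perms = p["permissions"]
        keys = {k.lower() for k in perms.get("keys") or []}
        secrets = {s.lower() for s in perms.get("secrets") or []}
        for missing in sorted(EXPECTED_KEY_PERMS - keys):
            findings.append(f"{name}: key permission '{missing}' missing")
        for missing in sorted(EXPECTED_SECRET_PERMS - secrets):
            findings.append(f"{name}: secret permission '{missing}' missing")
        for extra in sorted(keys - EXPECTED_KEY_PERMS):
            findings.append(f"{name}: key permission '{extra}' exceeds documented minimum")
        for extra in sorted(secrets - EXPECTED_SECRET_PERMS):
            findings.append(f"{name}: secret permission '{extra}' exceeds documented minimum")
        if perms.get("certificates"):
            findings.append(f"{name}: certificate permissions granted but not required")
    return findings


if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID) + audit_vault_policy(SAMPLE_VAULT, ORCA_OBJECT_ID):
        print("FINDING:", finding)
```

The assignment check accepts the Side-Scanner role at either the subscription or a management group, since the page says the scope depends on the onboarding policy, and it treats any role other than the custom role and the resource-group Contributor as drift. The vault check only applies to vaults using the access-policy permission model; a vault with `enableRbacAuthorization` set is reported separately, because there the Orca app's grant appears as a role assignment on the vault rather than as an access policy entry.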