'Writer' role in RBAC roles to limit data exfiltration risk for on-premises uploading applications #1255
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We have an on-premises component that uploads DICOM instance to the Azure (and would like to use the DICOM service instead).
In this scenario, we need that component to have the minimum rights possible (certainly not the ability to query, retrieve, or delete any instances, for example). Any of these rights increases the risk that an on-premises breach of escape of the application secret will lead to exfiltration of the customer's data with fully-laden PHI. One the data is in Azure, all our other applications that need to access it are also in Azure and can use RBAC, subnets, etc.
Presumably, the best way to achieve this would be with a 'Writer" role in the RBAC options.
User story
As a user in a lower-security environment, I want my application to only be able to store instances.
Acceptance criteria
The text was updated successfully, but these errors were encountered: