Delegate permission to turn SRE workspace VMs on and off

[martintoreilly]

✅ Checklist

• I have searched open and closed issues for duplicates.
• This is a request for a new feature in the Data Safe Haven or an upgrade to an existing feature.
• The feature is still missing in the latest version.
• I have read through the documentation.
• This isn't an open-ended question (open a discussion if it is).

🍓 Suggested change

Delegation of rights to turn SRE workspace VMs on and off to (a subset of) SRE research users.

For VM types / sizes that do not charge for compute when turned off, this could also be an initial crude method for delegating the ability to change machine type / scale. If we deploy a set of VMs of various types / sizes, these research users can turn on/off the subset they want to use at any point in time.

🚂 How could this be done?

Azure access control

Use Azure role based access control to give these permissions to (a subset of) SRE research users who have accounts on the EntraID instance that owns the subscription the SRE is deployed into. Where this is the same EntraID instance as the DSH uses, all research users can be given this role. Where this is a different EntraID instance, only research users with accounts on the "infrastructure" EntraID instance can be given this role (we think a separate infrastructure EntraID will usually be the organisational one, so this subset of research users will likely be employees / students of the host organisations).

We think the minimal permissions needed are:

• To turn VMs on/off (applied to each VM or a sub-resource group containing the workspace VMs)
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Compute/virtualMachines/restart/action
• Question: Are other permissions / setting changes needed for users with this role to access the Azure portal / view the subscription / resource group (in either the multi EntraID or single EntraID scenario)?

Infrastructure as code deployment / configuration

We propose the research users given this role turn VMs on/off from the Azure portal.

[martintoreilly]

It would be good to be able to add the ability to resize a VM the Microsoft.Compute/virtualMachines RBAC group doesn't have a resize permission (it does have a redeploy permission), but the Microsoft.DevTestLab/labs/virtualMachines RBAC group does have a resize permission. May be worth investigating Dev Test Labs to see if this is something that would play nice with our SRE security / resource model