Dedomena is an all PaaS clean room setup on an Azure, including ML workspaces for quick data room exercises.
A data room is a physical or online space set up by the seller to collate and store information about the target company and its business for the purposes of completing or rather satisfying the buyer's due diligence exercise. Physical data rooms – which are becoming increasingly uncommon – house hard copy documents in a room (normally in the offices of the sellers or their advisers) which is supervised by a representative of the seller (this would often be their solicitor). This contrasts with online data rooms – commonly referred to as virtual data rooms – which are made available through a secure internet site and act as a digital document repository.
Click here for further reading
Data rooms are an essential part of the due diligence process which, if administered correctly, should encourage collaboration and communication between the involved parties by facilitating the exchange of confidential information in a secure manner.
Moderator: This dataroom is setup on Azure, the client who owns the subscription is henceforth refered as the moderator. The moderator is also the one who runs the current automation and create a setup from ground up.
Contributor: Contributors will be given access to the above subscription by the moderator. Contributors can work on the data that is brought into the subscription by the moderator.
This setup includes a bunch of Azure PaaS components, that will be spun by the moderator
Get an Azure subscription created
Create a Service Principal in the customer tenant on Azure Active Directory.
Create the client secret and please note down these values
Add the app role AppRoleAssignment.ReadWrite.All
.
Add the role Global administrator
to the service principal
Search for the corresponding Entra ID
Search for the role Global Administrator
Click on Add Assignments
Add the required assignment
Select the moderator account - the moderator account you have created and make it a
Global Admin
Give the Service Principal owner role to the subscription. (Unconstrained). Need to search by the app-name to find the tenant and assign the role.
Verify and register the following resource providers to the subscription.
microsoft.insights
Microsoft.OperationalInsights
Once you have the above values, fill the same in values.yaml in the moderator client section, along with the desired user ids.
- Create a service principal (Multitenant) as the above, only difference is to select
Multitenant
option. - Create a client secret and note down the values.
- Create a log analytics workspace on Azure
- Give the Multitenant Service Principal role namely – Log analytics contributor access.
-
Register the
microsoft.insights
,Microsoft.OperationalInsights
resource providers for the subscription if not already -
Fill in values.yaml with the details of subscription,Service Principal and log analytics name.
Log Analytics namespace is required by the contributor to have the audit history of the actions performed on the dataroom by the moderator. The intention is to audit these actions for future deliberation should there be any.
Once the setup is done, if you intend to move files from/to SFTP, please follow the below
Run the setup.sh once you have the required values.yaml populated by the moderator.
Note: While populating the user information, please note the primary domain from the
Microsoft Entra ID
. For example if the primary domain name of the account iscontoso.onmicrosoft.com
, the user email should be provided as[email protected]
.
It sets up a dataroom on an azure resource group, with the following components
- Azure entra users with read/contributor access to storage containers
- Storage Account and Containers
- Randomized Passwords for the same
- An ML workspace
- Key Vault and Secret Manager
- Azure Sentinel
- Synapse Spark Tool
- Audit Logs pushed to contributors Log Analytics account.
- Secrets managed in key vault
Run the destroy.sh to destroy the resource group once the dataroom's purpose has been met.
- Debian Based Linux Distributions
Copyright 2023 PhonePe Private Limited
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.