diff --git a/src/pages/en/research_computing/utokyo_azure/faq/addrole.mdx b/src/pages/en/research_computing/utokyo_azure/faq/addrole.mdx index 6886ad45e..1621dfb34 100644 --- a/src/pages/en/research_computing/utokyo_azure/faq/addrole.mdx +++ b/src/pages/en/research_computing/utokyo_azure/faq/addrole.mdx @@ -21,11 +21,11 @@ We will show you how to add **Contributor** permissions as an example, but the s - A list of selectable roles will be displayed at the bottom of the screen, so click `Contributor`. - If the cell background turns grey, it is selected. - + **Important**: Considerations when assigning the Owner role to a subscription If you grant owner privileges to a subscription, **That member will also be able to view Usage and Billing Information on the "Subscription Management" Page of the "UTokyo Azure: New Usage Application" Page**. Make sure the member is someone you really want to give permission to. - + Steps for assigning the Owner role A **Condition** section will be added. Select `Allow user to assign all roles` only if you want to transfer all permissions to that member by taking over, etc. In other cases, select other choices. @@ -36,7 +36,7 @@ We will show you how to add **Contributor** permissions as an example, but the s - **Members**:Click `+ Select Members`, and a search and selection screen for the accounts to which you want to grant permissions will appear on the right side of the screen. Narrow your search criteria to find and select the accounts to which you want to grant permissions. Finally, click `Select` at the bottom of the selection screen, and the selected members will be displayed on the main screen. - **Description**:Please add a description if necessary. - + I can't find the account I want to select The member must have a UTokyo Account. Please make sure that your search string is correct. Alternatively, if the member may not yet have a UTokyo Account, please ask them to check their UTokyo Account registration status. 
diff --git a/src/pages/en/research_computing/utokyo_azure/faq/index.mdx b/src/pages/en/research_computing/utokyo_azure/faq/index.mdx index 52449b2b7..1799e4b51 100644 --- a/src/pages/en/research_computing/utokyo_azure/faq/index.mdx +++ b/src/pages/en/research_computing/utokyo_azure/faq/index.mdx @@ -8,27 +8,27 @@ import HelpItem from "@components/utils/HelpItem.astro"; **General** - + For what purposes can it be used? Can be used for research and education purposes - + In what fields can it be used? It can be used in a variety of fields. We especially welcome initiatives to promote GX, DI, and AI. - + What kind of services can I use? Basically, you can use all the services provided by MS Azure. You can use it in various ways, such as accessing the GPU environment with Jupyter Notebook from a browser, using Open AI chat and API, setting up and using a cluster environment yourself, etc. However, to prevent cost overruns, some services are unavailable by default (opt-in). Also, due to contractual reasons, you cannot use Marketplace services (services provided by third parties). - + How long can I continue to use it? The gift credits can be used up to a maximum of 9/30/2029 (approximately a maximum of 5 years). Because there is a limit to the gift credits available to the university as a whole, they may end a little earlier than this. - + Can I continue using it for free? Everyone can use UTokyo Azure free of charge until the monthly university-wide UTokyo Azure usage fee reaches the planned consumption amount of gift credits for that month. If the university-wide usage fee for that month exceeds the planned consumption amount, the free tier per user for that month will be calculated, and each user will be responsible for any amount exceeding that the Free Tier. 
@@ -38,24 +38,24 @@ Furthermore, even if the usage fee exceeds the Guaranteed Free Tier, there will For more information, see **Free Tier and Guaranteed Free Tier** below. - + What will happen to the environment I created after the service ends? It is undecided. We may continue depending on the utilization status and the effect on costs of the cloud migration, but nothing has been decided yet. For large-scale computational needs, please consider using the supercomputers and mdx service operated by the Information Infrastructure Center. **Users** - + Who can use this service? Member at the University of Tokyo can use it, but those with a UTokyo Account must apply for use through [UTokyo Azure: New Usage Application](https://azure.itc.u-tokyo.ac.jp/) and open a "subscription". For members who wish to use it jointly, it is possible to add other members' permissions to the opened subscription later. - + Can students use it? It is possible to give students user privileges to a virtual machine created on Azure without any problem. It is also possible to give them sharer privileges for subscriptions, etc. later. However, since a usage fee must be paid if the free portion is exceeded, subscription applications are limited to faculty and staff. - + Can it be shared with people outside the university? Logging in to the Azure Portal and the "UTokyo Azure:New user application page" requires authentication via a UTokyo Account, so use of these services is limited to those who already have a UTokyo Account. However, for example, login authentication to the OS running on a virtual machine you have created does not depend on the authority of your UTokyo Account, so it is possible to allow external collaborators to register accounts on the OS and use it. 
@@ -63,55 +63,55 @@ However, for example, login authentication to the OS running on a virtual machin **Subscription** - + What is a subscription? Subscriptions are the unit of contract and billing in Microsoft Azure, and allow users to use a variety of services by using them as a management unit. - + Can I have multiple subscriptions? There is no limit to applying for multiple subscriptions. Please apply as many as necessary. However, please keep in mind that gift credits are assets shared among members of the university. - + What is the difference between the Owner and Contributor in Privileged administrator roles? **Owner** is Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. **Contributor** is Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. - + Can I register a subscription created under a different contract to UTokyo Azure? No. - + I would like to share the subscriptions and resources I applied for with members of my laboratory, etc. If you want to share a subscription or resource with multiple people, you need to grant permission to the UTokyo Account of the members you want to share with as an **Owner** or **Contributor**. This operation must be performed by a member with the **Owner** role. - + I want to know my subscription ID You can check your subscription ID on the subscription details screen. **Free Tier and Guaranteed Free Tier** - + What is the Free Tier? This is the amount of the free portion of the usage fee for a given month. Each user must pay any usage fees that exceed the free portion from their own research funds, etc. In practice, the excess and surplus amounts for each month are tallied for each half-year at the end of March and September, and the total excess amount for each half-year is calculated. This total excess amount will be invoiced by the Information Infrastructure Center. 
The Free Tier is calculated at the end of each month to be fair, taking into account the university's overall usage fee and number of subscriptions for that month. The usage fee for each month can be confirmed on the management page of the [UTokyo Azure : New User Application Page (limited to access from the campus network)](http://azure.itc.u-tokyo.ac.jp/). - + What is the Guaranteed Free Tier? The monthly Free Tier is calculated at the end of the month, so you will not know until the end of the month how much or what percentage of the amount used that month will be free. This may be unsettling for users who want to use UTokyo Azure within the free limits. For this reason, at the beginning of the month, we announce a minimum guaranteed amount that will always be fully free. This is the Guaranteed Free Tier. It is an amount that is less than the Free Tier calculated at the end of the month. You can check the Guaranteed Free Tier on the management page of the [UTokyo Azure : New User Application Page (Limited to access from the campus network)](http://azure.itc.u-tokyo.ac.jp/). - + I want to know how to calculate the Free Tier and Guaranteed Free Tier For details on the calculation method, please refer to the subscriotion management page of the [UTokyo Azure : New User Application Page (access limited to the campus network)] (http://azure.itc.u-tokyo.ac.jp/). - + Why are the amounts shown on the Subscription Management page in USD? Due to the way Microsoft processes gift credits, they are managed in US dollars and therefore displayed in US dollars. If an applicant is billed for an excess amount, the university's financial accounting system will convert the amount at the current conversion rate and bill in Japanese yen. 
diff --git a/src/pages/en/research_computing/utokyo_azure/group/img/01_iam_en.png b/src/pages/en/research_computing/utokyo_azure/group/img/01_iam_en.png new file mode 100644 index 000000000..f56af19b0 Binary files /dev/null and b/src/pages/en/research_computing/utokyo_azure/group/img/01_iam_en.png differ diff --git a/src/pages/en/research_computing/utokyo_azure/group/img/tmp b/src/pages/en/research_computing/utokyo_azure/group/img/tmp new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/src/pages/en/research_computing/utokyo_azure/group/img/tmp @@ -0,0 +1 @@ + diff --git a/src/pages/en/research_computing/utokyo_azure/group/index.mdx b/src/pages/en/research_computing/utokyo_azure/group/index.mdx new file mode 100644 index 000000000..b9ec330e1 --- /dev/null +++ b/src/pages/en/research_computing/utokyo_azure/group/index.mdx 
@@ -0,0 +1,85 @@ +--- +title: "Group Use" +breadcrumb: + title: Group Use +--- +import HelpItem from "@components/utils/HelpItem.astro"; + +If you want to share **subscriptions** or **resources** (scopes) with members of your laboratory or collaborators, the representative can apply for a subscription and add members to that subscription with the appropriate permissions (roles) to make it possible to share. + +Also, what a sharer can do will depend on which resource they are assigned to, who they are assigned to, and what role they are assigned to. + +Please refer to this link for instructions on assigning permissions. +- [Steps to assign an Azure role to subscriptions and resources](/en/research_computing/utokyo_azure/faq/addrole) + +## Roles and Members (Role-Based Access Control: RBAC) + +In Microsoft Azure, you can grant permissions to other accounts to access each scope by setting which permissions (roles) to assign to whom (members). This is called role-based access control (RBAC), and you can use this function to share subscriptions and resources you create. + +## Permission Inheritance + +Microsoft Azure inherits permissions from higher scopes to lower scopes. Specifically, in the diagram below, inner scopes inherit permissions from outer scopes. Permissions are irreversible and are not inherited to outer scopes. The top-level scope is a subscription. + +
+- Deployed services such as virtual machines may be an exception to privilege inheritance. (described later) +- There are cases where permissions are not necessarily inherited. If it is important that permissions are inherited, be sure to check that they are, and if they are not, assign the necessary permissions individually. +
+ +![](img/01_iam_en.png){:.medium.center} + + +## Assign a member with the **Owner** role to the subscription. + +The **Owner** has the authority to assign all roles (with some exceptions) and is assigned to the applicant's UTokyo Account by default. The main privileges are as follows. + +- Assign other members and roles to the subscription. + - However, depending on the conditions when assigning the owner role to a member, that member may not have some privileges. +- View the details of your subscription on the `Subscription Management page` of the **UTokyo Azure:New Application page**. + - The current of limit the Free Tier and Guaranteed Free Tier can only be viewed on the subscription management page of the UTokyo Azure New Application page. + - Billing information will also be displayed, so be careful not to give owner privileges to the wrong member. +- Use that subscription to create resources for the new service. + + +Unless you want to completely transfer the subscription to another member, please do not assign other members the privileges of the **Owner who can assign all roles**. If you want to assign the owner role to that member for sharing purposes, make sure to make a conditional selection. + +## Assign a member with the **Contributor** role to the subscription. + +**Contributor** role has the same permissions as the Owner role, except that permissions cannot be assigned to other members. Normally, if you want to share your subscription with other members, please grant this privileges. + +- **have privileges** + - Use that subscription to create resources for the new service. + - Check resource usage from the Azure Portal. +- **have no privileges** + - Assign roles to other members to each scope. + - View the subscription details on the Subscription Management page of the **UTokyo Azure:New Application page**. + + +## Assign a member with the **Owner** role to a resource or resource group. 
+ +You will be given privileges to assign all roles to that resource. + +- **have privileges** + - Assign other members and roles to the resource or resource groups. + - However, depending on the conditions when assigning the owner role to a member, that member may not have some privileges. + - Create a new resource in the resource group. + - For example, adding a new interface to a virtual machine, adding a new subnetwork resources, etc. +- **have no privileges** + - Create a resource or resource group for the new Azure service. + +## Assign a member with the **Contributor** role to the resource or resource groups. + +Has the same privileges as the Owner, except that the role cannot be granted to other members. + +- **have privileges** + - Create a new resource in the resource group. + - For example, adding a new interface to a virtual machine, adding a new subnetwork resources, etc. +- **have no privileges** + - Assign roles to other members to the resource or resource group. + - Create a resource for the new Azure service. + +## About permissions for deployed services + +Deployed services may not be subject to Azure permission inheritance. + +- For example, when a virtual machine is deployed, the system account and administrative privileges for that OS will not be inherited from the Azure service and will be managed separately. +- For such services, if you want to add members only to the service, set the accounts and permissions only in the deployed service, not in Azure. diff --git a/src/pages/en/research_computing/utokyo_azure/index.mdx b/src/pages/en/research_computing/utokyo_azure/index.mdx index 216491e32..03850e082 100644 --- a/src/pages/en/research_computing/utokyo_azure/index.mdx +++ b/src/pages/en/research_computing/utokyo_azure/index.mdx 
@@ -52,6 +52,12 @@ Operation is performed by the Information Technology Center, the Information Sys * under construction +## Groups Use + +- To share a subscription or resource with a group, grant the required permissions to the subscription or resource in the sharer's UTokyo Account. See below for details: + +- [Groups use](/en/research_computing/utokyo_azure/group/) + ## FAQ & Support #### [FAQ](/en/research_computing/utokyo_azure/faq/) diff --git a/src/pages/research_computing/utokyo_azure/group/index.mdx b/src/pages/research_computing/utokyo_azure/group/index.mdx index 31dca9556..cd7a30db2 100644 --- a/src/pages/research_computing/utokyo_azure/group/index.mdx +++ b/src/pages/research_computing/utokyo_azure/group/index.mdx @@ -37,8 +37,6 @@ Microsoft Azure は上位スコープの権限を下位に継承します.具 - UTokyo Azure 新規申請ページの管理ページで,そのサブスクリプションの詳細を表示する. - 無料分や無料保証枠の現在の上限値は UTokyo Azure 新規申請ページの管理ページでしか確認できません. - 請求情報も表示されるので,誤ったメンバーに所有者権限を与えないようご注意ください. -- Azure Portal からリソースの予算利用状況を確認する. - - Microsoft Azure としての利用状況が確認できますが,UTokyo Azure の無料分や無料保証枠の確認は原則こちらからはできません.UTokyo Azure 新規申請ページの管理ページから確認ください. - そのサブスクリプションを用い新しいサービスのリソースを作成する. @@ -51,8 +49,6 @@ Microsoft Azure は上位スコープの権限を下位に継承します.具 - **権限がある** - そのサブスクリプションによる新しいサービスのリソースを作成する. - - Azure Portal からリソースの予算利用状況を確認する. - - 所有者の場合と同じ機能だが一部権限がない機能あり. - **権限がない** - 他のメンバーを各スコープにロール割り当をする. - UTokyo Azure 新規申請ページの管理ページでそのサブスクリプションの詳細を表示する.
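Review bot: In faq/addrole.mdx, the Owner-role steps end with "In other cases, select other choices", which does not say which condition to pick when the goal is sharing rather than handing the subscription over. This step decides whether the new Owner can delegate every role, so name the intended option next to `Allow user to assign all roles`. The group page added in this patch gives the same advice ("make sure to make a conditional selection") and could link here. Minor: lowercase "That" in "**That member will also be able to view ...**" and add a space after the colon in "**Members**:Click" and "**Description**:Please".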
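Review bot: In faq/index.mdx (hunk at -63,55), the three links to the management page use `http://azure.itc.u-tokyo.ac.jp/`, while the "Who can use this service?" answer links the same host over `https://`. That page shows usage and billing data, so switch all of them to https. The last of the three also has a space between `]` and `(` in "[UTokyo Azure : New User Application Page (access limited to the campus network)] (http://...)", so it will not render as a link, and "subscriotion" in the same sentence should be "subscription". The page name is also spelled four different ways across this patch ("New Usage Application", "New user application page", "New User Application Page", "New Application page"); pick one.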
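Review bot: In faq/index.mdx (hunk at -38,24), the "Can it be shared with people outside the university?" answer says external collaborators can be given OS accounts on a virtual machine, but does not point to where those accounts are managed. The new group page has a section "About permissions for deployed services" that says OS accounts are not inherited from Azure and are managed separately; link to it from this answer so readers know these accounts sit outside the RBAC assignments described elsewhere. Also in this hunk, "Member at the University of Tokyo can use it, but those with a UTokyo Account must apply" reads as a contradiction; reword to state who may apply and who may be added later.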
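Review bot: group/img/tmp is added as a new file containing a single empty line, next to the real image 01_iam_en.png. It looks like a placeholder used to create the directory; drop it from the commit, since the directory now exists through the PNG.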
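Review bot: In the new en/.../group/index.mdx, the Contributor section opens with "has the same permissions as the Owner role, except that permissions cannot be assigned to other members", but the "have no privileges" list directly below also removes access to the Subscription Management page, and the FAQ in this same patch lists further limits (Azure Blueprints assignments, sharing image galleries). Reword the opening sentence so it does not claim role assignment is the only difference. Under "Permission Inheritance", "Permissions are irreversible" is misleading; something like "inheritance is one-way: outer scopes do not inherit from inner scopes" says what the next clause means. Smaller items: "The current of limit the Free Tier" is garbled, "grant this privileges" should be "grant this privilege", and the diagram the text refers to ("in the diagram below") has empty alt text in `![](img/01_iam_en.png)`.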
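Review bot: In en/.../utokyo_azure/index.mdx, the new bullet "grant the required permissions to the subscription or resource in the sharer's UTokyo Account" has the direction reversed: permissions on the subscription or resource are granted to the sharer's UTokyo Account. The heading "## Groups Use" and link text "Groups use" also do not match the target page's title, "Group Use".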
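Review bot: In research_computing/utokyo_azure/group/index.mdx (Japanese), the second hunk removes "Azure Portal からリソースの予算利用状況を確認する." from the Contributor "権限がある" list, but the English page added in this same patch still lists "Check resource usage from the Azure Portal." under Contributor "have privileges". The two language versions now disagree on what a Contributor can see; either remove the line from the English page or keep it in the Japanese one. The commit also gives no reason for the removal, so a short note on why this capability is no longer documented would help reviewers judge which version is correct.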