Compartir a través de

Azure 物联网内置角色

本文列出了“物联网”类别的 Azure 内置角色。

设备预配服务数据参与者

允许对设备预配服务数据平面操作进行完全访问。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/provisioningServices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Device Provisioning Service data-plane operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633",
  "name": "dfce44e4-17b7-4bd1-a6d1-04996ec95633",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/provisioningServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Provisioning Service Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备预配服务数据读取者

允许对设备预配服务数据平面属性进行完全读取访问。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/provisioningServices/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full read access to Device Provisioning Service data-plane properties.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8",
  "name": "10745317-c249-44a1-a5ce-3a4353c0bbd8",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/provisioningServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Provisioning Service Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新管理员

授予你对管理操作和内容操作的完全访问权限

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/updates/write 执行与更新相关的写入操作
Microsoft.DeviceUpdate/accounts/instances/updates/delete 执行与更新相关的删除操作
Microsoft.DeviceUpdate/accounts/instances/management/read 执行与管理相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/management/write 执行与管理相关的写入操作
Microsoft.DeviceUpdate/accounts/instances/management/delete 执行与管理相关的删除操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management and content operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新内容管理员

授予你对内容操作的完全访问权限

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/updates/write 执行与更新相关的写入操作
Microsoft.DeviceUpdate/accounts/instances/updates/delete 执行与更新相关的删除操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to content operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新内容读取者

授予你对内容操作的读取访问权限,但不允许进行更改

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to content operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新部署管理员

授予你对管理操作的完全访问权限

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read 执行与管理相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/management/write 执行与管理相关的写入操作
Microsoft.DeviceUpdate/accounts/instances/management/delete 执行与管理相关的删除操作
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
  "name": "e4237640-0e3d-4a46-8fda-70bc94856432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新部署读取者

授予你对管理操作的读取访问权限,但不允许进行更改

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read 执行与管理相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

设备更新读取者

授予你对管理操作和内容操作的读取访问权限,但不允许进行更改

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
不操作
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read 执行与更新相关的读取操作
Microsoft.DeviceUpdate/accounts/instances/management/read 执行与管理相关的读取操作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

固件分析管理员

在 Defender for IoT 中上传和分析韧体映像

操作 说明
Microsoft.IoTFirmwareDefense/*
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Upload and analyze firmware images in Defender for IoT",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9c1607d1-791d-4c68-885d-c7b7aaff7c8a",
  "name": "9c1607d1-791d-4c68-885d-c7b7aaff7c8a",
  "permissions": [
    {
      "actions": [
        "Microsoft.IoTFirmwareDefense/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Firmware Analysis Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中心数据参与者

具有 IoT 中心数据平面操作的完全访问权限。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/IotHubs/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub data plane operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
  "name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中心数据读取者

具有 IoT 中心数据平面属性的完全读取访问权限

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/IotHubs/*/read
Microsoft.Devices/IotHubs/fileUpload/notifications/action 接收、完成或放弃文件上传通知
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中心注册表参与者

具有 IoT 中心设备注册表的完全访问权限。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/IotHubs/devices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub device registry.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中心孪生参与者

具有所有 IoT 中心设备和模块孪生的读写访问权限。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.Devices/IotHubs/twins/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Twin Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤