Azure built-in roles for Monitor
This article lists the Azure built-in roles in the Monitor category.
Application Insights Component Contributor
Can manage Application Insights components
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic alert rules |
Microsoft.Insights/generateLiveToken/read | Live Metrics get token |
Microsoft.Insights/metricAlerts/* | Create and manage new alert rules |
Microsoft.Insights/components/* | Create and manage Insights components |
Microsoft.Insights/scheduledqueryrules/* | |
Microsoft.Insights/topology/read | Read topology |
Microsoft.Insights/transactions/read | Read transactions |
Microsoft.Insights/webtests/* | Create and manage Insights web tests |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can manage Application Insights components",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
"name": "ae349356-3a1b-4a5e-921d-050484c6347e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/generateLiveToken/read",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/topology/read",
"Microsoft.Insights/transactions/read",
"Microsoft.Insights/webtests/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Component Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
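Application Insights Snapshot Debugger
Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Insights/components/*/read | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |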
{
"assignableScopes": [
"/"
],
"description": "Gives user permission to use Application Insights Snapshot Debugger features",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
"name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Snapshot Debugger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Managed Grafana Workspace Contributor
Can manage Azure Managed Grafana resources, without providing access to the workspaces themselves.
Actions | Description |
---|---|
Microsoft.Dashboard/grafana/write | Write grafana |
Microsoft.Dashboard/grafana/delete | Delete grafana |
Microsoft.Dashboard/grafana/PrivateEndpointConnectionsApproval/action | Approve PrivateEndpointConnection |
Microsoft.Dashboard/grafana/managedPrivateEndpoints/action | Operations on private endpoints |
Microsoft.Dashboard/locations/operationStatuses/write | Write operation statuses |
Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/validate/action | Validate PrivateEndpointConnectionProxy |
Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/write | Create/update PrivateEndpointConnectionProxy |
Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/delete | Delete PrivateEndpointConnectionProxy |
Microsoft.Dashboard/grafana/privateEndpointConnections/write | Update PrivateEndpointConnection |
Microsoft.Dashboard/grafana/privateEndpointConnections/delete | Delete PrivateEndpointConnection |
Microsoft.Dashboard/grafana/managedPrivateEndpoints/write | Write managed private endpoints |
Microsoft.Dashboard/grafana/managedPrivateEndpoints/delete | Delete managed private endpoints |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/deployments/delete | Deletes a deployment. |
Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
Microsoft.Resources/deployments/validate/action | Validates a deployment. |
Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure Managed Grafana resources, without providing access to the workspaces themselves.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5c2d7e57-b7c2-4d8a-be4f-82afa42c6e95",
"name": "5c2d7e57-b7c2-4d8a-be4f-82afa42c6e95",
"permissions": [
{
"actions": [
"Microsoft.Dashboard/grafana/write",
"Microsoft.Dashboard/grafana/delete",
"Microsoft.Dashboard/grafana/PrivateEndpointConnectionsApproval/action",
"Microsoft.Dashboard/grafana/managedPrivateEndpoints/action",
"Microsoft.Dashboard/locations/operationStatuses/write",
"Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/validate/action",
"Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/write",
"Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/delete",
"Microsoft.Dashboard/grafana/privateEndpointConnections/write",
"Microsoft.Dashboard/grafana/privateEndpointConnections/delete",
"Microsoft.Dashboard/grafana/managedPrivateEndpoints/write",
"Microsoft.Dashboard/grafana/managedPrivateEndpoints/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Managed Grafana Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
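Grafana Admin
Manage server-wide settings and manage access to resources such as organizations, users, and licenses.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | Act as Grafana Admin role |
NotDataActions | |
none | |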
{
"assignableScopes": [
"/"
],
"description": "Manage server-wide settings and manage access to resources such as organizations, users, and licenses.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41",
"name": "22926164-76b3-42b3-bc55-97df8dab3e41",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
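Grafana Editor
Create, edit, delete, or view dashboards; create, edit, or delete folders; and edit or view playlists.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | Act as Grafana Editor role |
NotDataActions | |
none | |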
{
"assignableScopes": [
"/"
],
"description": "Create, edit, delete, or view dashboards; create, edit, or delete folders; and edit or view playlists.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f",
"name": "a79a5197-3a5c-4973-a920-486035ffd60f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Grafana Limited Viewer
View home page.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action | Act as Grafana Limited Viewer role |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "View home page.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/41e04612-9dac-4699-a02b-c82ff2cc3fb5",
"name": "41e04612-9dac-4699-a02b-c82ff2cc3fb5",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Limited Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Grafana Viewer
View dashboards, playlists, and query data sources.
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | Act as Grafana Viewer role |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "View dashboards, playlists, and query data sources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769",
"name": "60921a7e-fef1-4a43-9b16-a26c52ad4769",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Contributor
Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.AlertsManagement/alerts/* | |
Microsoft.AlertsManagement/alertsSummary/* | |
Microsoft.Insights/actiongroups/* | |
Microsoft.Insights/activityLogAlerts/* | |
Microsoft.Insights/AlertRules/* | Create and manage classic metric alerts |
Microsoft.Insights/components/* | Create and manage Insights components |
Microsoft.Insights/createNotifications/* | |
Microsoft.Insights/dataCollectionEndpoints/* | |
Microsoft.Insights/dataCollectionRules/* | |
Microsoft.Insights/dataCollectionRuleAssociations/* | |
Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Insights/eventtypes/* | List Activity Log events (management events) in a subscription. This permission applies to both programmatic and portal access to the Activity Log. |
Microsoft.Insights/LogDefinitions/* | This permission is necessary for users who need access to the Activity Log via the portal. List log categories in the Activity Log. |
Microsoft.Insights/metricalerts/* | |
Microsoft.Insights/MetricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
Microsoft.Insights/Metrics/* | Read metrics for a resource. |
Microsoft.Insights/notificationStatus/* | |
Microsoft.Insights/Register/Action | Register the Microsoft Insights provider |
Microsoft.Insights/scheduledqueryrules/* | |
Microsoft.Insights/webtests/* | Create and manage Insights web tests |
Microsoft.Insights/workbooks/* | |
Microsoft.Insights/workbooktemplates/* | |
Microsoft.Insights/privateLinkScopes/* | |
Microsoft.Insights/privateLinkScopeOperationStatuses/* | |
Microsoft.Monitor/accounts/* | |
Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer ID from the existing workspace. |
Microsoft.OperationalInsights/workspaces/intelligencepacks/* | Read/write/delete log analytics solution packs. |
Microsoft.OperationalInsights/workspaces/savedSearches/* | Read/write/delete log analytics saved searches. |
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
Microsoft.OperationalInsights/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* | Read/write/delete log analytics storage insight configurations. |
Microsoft.AlertsManagement/smartDetectorAlertRules/* | |
Microsoft.AlertsManagement/actionRules/* | |
Microsoft.AlertsManagement/smartGroups/* | |
Microsoft.AlertsManagement/migrateFromSmartDetection/* | |
Microsoft.AlertsManagement/investigations/* | |
Microsoft.AlertsManagement/prometheusRuleGroups/* | |
Microsoft.Monitor/investigations/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data and update monitoring settings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.AlertsManagement/alerts/*",
"Microsoft.AlertsManagement/alertsSummary/*",
"Microsoft.Insights/actiongroups/*",
"Microsoft.Insights/activityLogAlerts/*",
"Microsoft.Insights/AlertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/createNotifications/*",
"Microsoft.Insights/dataCollectionEndpoints/*",
"Microsoft.Insights/dataCollectionRules/*",
"Microsoft.Insights/dataCollectionRuleAssociations/*",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/eventtypes/*",
"Microsoft.Insights/LogDefinitions/*",
"Microsoft.Insights/metricalerts/*",
"Microsoft.Insights/MetricDefinitions/*",
"Microsoft.Insights/Metrics/*",
"Microsoft.Insights/notificationStatus/*",
"Microsoft.Insights/Register/Action",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/webtests/*",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/workbooktemplates/*",
"Microsoft.Insights/privateLinkScopes/*",
"Microsoft.Insights/privateLinkScopeOperationStatuses/*",
"Microsoft.Monitor/accounts/*",
"Microsoft.OperationalInsights/workspaces/write",
"Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
"Microsoft.AlertsManagement/smartDetectorAlertRules/*",
"Microsoft.AlertsManagement/actionRules/*",
"Microsoft.AlertsManagement/smartGroups/*",
"Microsoft.AlertsManagement/migrateFromSmartDetection/*",
"Microsoft.AlertsManagement/investigations/*",
"Microsoft.AlertsManagement/prometheusRuleGroups/*",
"Microsoft.Monitor/investigations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Metrics Publisher
Enables publishing metrics against Azure resources
Actions | Description |
---|---|
Microsoft.Insights/Register/Action | Register the Microsoft Insights provider |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.Insights/Metrics/Write | Write metrics |
Microsoft.Insights/Telemetry/Write | Write telemetry |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Enables publishing metrics against Azure resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
"name": "3913510d-42f4-4e42-8a64-420c390055eb",
"permissions": [
{
"actions": [
"Microsoft.Insights/Register/Action",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Insights/Metrics/Write",
"Microsoft.Insights/Telemetry/Write"
],
"notDataActions": []
}
],
"roleName": "Monitoring Metrics Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
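Monitoring Reader
Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |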
{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/search/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Workbook Contributor
Can save shared workbooks.
Actions | Description |
---|---|
Microsoft.Insights/workbooks/write | Create or update a workbook |
Microsoft.Insights/workbooks/delete | Delete a workbook |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/workbooks/revisions/read | Get the workbook revisions |
Microsoft.Insights/workbooktemplates/write | Create or update a workbook template |
Microsoft.Insights/workbooktemplates/delete | Delete a workbook template |
Microsoft.Insights/workbooktemplates/read | Read a workbook template |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can save shared workbooks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
"name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
"permissions": [
{
"actions": [
"Microsoft.Insights/workbooks/write",
"Microsoft.Insights/workbooks/delete",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/workbooks/revisions/read",
"Microsoft.Insights/workbooktemplates/write",
"Microsoft.Insights/workbooktemplates/delete",
"Microsoft.Insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Workbook Reader
Can read workbooks.
Actions | Description |
---|---|
microsoft.insights/workbooks/read | Read a workbook |
microsoft.insights/workbooks/revisions/read | Get the workbook revisions |
microsoft.insights/workbooktemplates/read | Read a workbook template |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can read workbooks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
"name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
"permissions": [
{
"actions": [
"microsoft.insights/workbooks/read",
"microsoft.insights/workbooks/revisions/read",
"microsoft.insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}