用于网络的 Azure 内置角色
本文列出了网络类别的 Azure 内置角色。
Azure Front Door 域参与者
供 Azure 内部使用。 可以管理 Azure Front Door 域,但不能向其他用户授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Cdn/operationresults/profileresults/customdomainresults/read | |
Microsoft.Cdn/profiles/customdomains/read | |
Microsoft.Cdn/profiles/customdomains/write | |
Microsoft.Cdn/profiles/customdomains/delete | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
"name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Cdn/profiles/customdomains/write",
"Microsoft.Cdn/profiles/customdomains/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door 域读取者
供 Azure 内部使用。 可以查看 Azure Front Door 域,但不能进行更改。
操作 | 说明 |
---|---|
Microsoft.Cdn/operationresults/profileresults/customdomainresults/read | |
Microsoft.Cdn/profiles/customdomains/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can view Azure Front Door domains, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f",
"name": "0f99d363-226e-4dca-9920-b807cf8e1a5f",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door 配置文件读取者
可以查看 AFD 标准和高级配置文件及其终结点,但不能进行更改。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/*/read | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action | |
Microsoft.Cdn/profiles/queryloganalyticsmetrics/action | |
Microsoft.Cdn/profiles/queryloganalyticsrankings/action | |
Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action | |
Microsoft.Cdn/profiles/querywafloganalyticsrankings/action | |
Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action | |
Microsoft.Cdn/profiles/Usages/action | |
Microsoft.Cdn/profiles/afdendpoints/Usages/action | |
Microsoft.Cdn/profiles/origingroups/Usages/action | |
Microsoft.Cdn/profiles/rulesets/Usages/action | |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can view AFD standard and premium profiles and their endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-46b0-aed2-e834bacc6d12",
"name": "662802e2-50f6-46b0-aed2-e834bacc6d12",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action",
"Microsoft.Cdn/profiles/queryloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/queryloganalyticsrankings/action",
"Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/querywafloganalyticsrankings/action",
"Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action",
"Microsoft.Cdn/profiles/Usages/action",
"Microsoft.Cdn/profiles/afdendpoints/Usages/action",
"Microsoft.Cdn/profiles/origingroups/Usages/action",
"Microsoft.Cdn/profiles/rulesets/Usages/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door 机密参与者
供 Azure 内部使用。 可以管理 Azure Front Door 机密,但不能向其他用户授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Cdn/operationresults/profileresults/secretresults/read | |
Microsoft.Cdn/profiles/secrets/read | |
Microsoft.Cdn/profiles/secrets/write | |
Microsoft.Cdn/profiles/secrets/delete | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
"name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Cdn/profiles/secrets/write",
"Microsoft.Cdn/profiles/secrets/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door 机密读取者
供 Azure 内部使用。 可以查看 Azure Front Door 机密,但不能进行更改。
操作 | 说明 |
---|---|
Microsoft.Cdn/operationresults/profileresults/secretresults/read | |
Microsoft.Cdn/profiles/secrets/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can view Azure Front Door secrets, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca",
"name": "0db238c4-885e-4c4f-a933-aa2cef684fca",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 终结点参与者
可以管理 CDN 终结点,但不能向其他用户授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/endpoints/* | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN endpoints, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 终结点读者
可以查看 CDN 终结点,但不能进行更改。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/endpoints/*/read | |
Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*/read",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 配置文件参与者
可以管理 CDN 和 Azure Front Door 标准和高级配置文件及其终结点,但不能向其他用户授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/* | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
"name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 配置文件读者
可以查看 CDN 配置文件及其终结点,但不能进行更改。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/*/read | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Cdn/profiles/CheckResourceUsage/action | |
Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action | |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN profiles and their endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
"name": "8f96442b-4075-438f-813d-ad51ab4019af",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Cdn/profiles/CheckResourceUsage/action",
"Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典网络参与者
允许管理经典网络,但不允许访问这些网络。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.ClassicNetwork/* | 创建和管理经典网络 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic networks, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicNetwork/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DNS 区域参与者
允许管理 Azure DNS 中的 DNS 区域和记录集,但不允许控制对其访问的人员。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Network/dnsZones/* | 创建和管理 DNS 区域和记录 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
"name": "befefa01-2a29-4197-83a8-272ff33ce314",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/dnsZones/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
网络参与者
允许管理网络,但不允许访问这些网络。 此角色不授予部署或管理虚拟机的权限。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Network/* | 创建并管理网络 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage networks, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
专用 DNS 区域参与者
允许管理专用 DNS 区域资源,但不允许管理它们所链接到的虚拟网络。
操作 | 描述 |
---|---|
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Network/privateDnsZones/* | |
Microsoft.Network/privateDnsOperationResults/* | |
Microsoft.Network/privateDnsOperationStatuses/* | |
Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
Microsoft.Network/virtualNetworks/join/action | 加入虚拟网络。 不可发出警报。 |
Microsoft.Authorization/*/read | 读取角色和角色分配 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"permissions": [
{
"actions": [
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/privateDnsZones/*",
"Microsoft.Network/privateDnsOperationResults/*",
"Microsoft.Network/privateDnsOperationStatuses/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Private DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
流量管理器参与者
允许管理流量管理器配置文件,但不允许控制谁可以访问它们。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Network/trafficManagerProfiles/* | |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Traffic Manager Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}