Compartir a través de

用于安全性的 Azure 内置角色

本文列出了安全类别的 Azure 内置角色。

应用合规性自动化管理员

创建、读取、下载、修改和删除报表对象及其他相关的资源对象。

了解详细信息

操作 说明
Microsoft.AppComplianceAutomation/*
Microsoft.Storage/storageAccounts/blobServices/write 返回放置 blob 服务属性的结果
Microsoft.Storage/storageAccounts/fileservices/write 放置文件服务属性
Microsoft.Storage/storageAccounts/listKeys/action 返回指定存储帐户的访问密钥。
Microsoft.Storage/storageAccounts/write 使用指定的参数创建存储帐户、更新指定存储帐户的属性或标记,或者为其添加自定义域。
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action 返回 blob 服务的用户委托密钥
Microsoft.Storage/storageAccounts/read 返回存储帐户的列表,或获取指定存储帐户的属性。
Microsoft.Storage/storageAccounts/blobServices/containers/read 返回容器列表
Microsoft.Storage/storageAccounts/blobServices/containers/write 返回放置 blob 容器的结果
Microsoft.Storage/storageAccounts/blobServices/read 返回 blob 服务属性或统计信息
Microsoft.PolicyInsights/policyStates/queryResults/action 查询有关策略状态的信息。
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action 为所选范围触发新的符合性评估。
Microsoft.Resources/resources/read 基于筛选器获取资源的列表。
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/subscriptions/resourceGroups/resources/read 获取资源组的资源。
Microsoft.Resources/subscriptions/resources/read 获取订阅的资源。
Microsoft.Resources/subscriptions/resourceGroups/delete 删除资源组及其所有资源。
Microsoft.Resources/subscriptions/resourceGroups/write 创建或更新资源组。
Microsoft.Resources/tags/read 获取资源上的所有标记。
Microsoft.Resources/deployments/validate/action 验证部署。
Microsoft.Security/automations/read 获取范围的自动化
Microsoft.Resources/deployments/write 创建或更新部署。
Microsoft.Security/automations/delete 删除范围的自动化
Microsoft.Security/automations/write 创建或更新范围的自动化
Microsoft.Security/register/action 注册 Azure 安全中心的订阅
Microsoft.Security/unregister/action 从 Azure 安全中心取消注册订阅
*/read 读取除密码外的所有类型的资源。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, download, modify and delete reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppComplianceAutomation/*",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/fileservices/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.PolicyInsights/policyStates/queryResults/action",
        "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/tags/read",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Security/automations/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Security/automations/delete",
        "Microsoft.Security/automations/write",
        "Microsoft.Security/register/action",
        "Microsoft.Security/unregister/action",
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

应用合规性自动化读取者

读取和下载报表对象及其他相关的资源对象。

了解详细信息

操作 说明
*/read 读取除密码外的所有类型的资源。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, download the reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

证明参与者

可读写或删除证明提供者实例

操作 说明
Microsoft.Attestation/attestationProviders/attestation/read 获取证明服务状态。
Microsoft.Attestation/attestationProviders/attestation/write 添加证明服务。
Microsoft.Attestation/attestationProviders/attestation/delete 删除证明服务。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 管理员

对密钥保管库以及其中的所有对象(包括证书、密钥和机密)执行所有数据平面操作。 无法管理密钥保管库资源或管理角色分配。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.KeyVault/checkNameAvailability/read 检查密钥保管库名称是否有效且未被使用
Microsoft.KeyVault/deletedVaults/read 查看软删除的密钥保管库的属性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出可对 Microsoft.KeyVault 资源提供程序执行的操作
不操作
DataActions
Microsoft.KeyVault/vaults/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

密钥保管库证书用户

读取证书内容。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.KeyVault/vaults/certificates/read 列出指定的 Key Vault 中的证书,或获取有关证书的信息。
Microsoft.KeyVault/vaults/secrets/getSecret/action 获取机密的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或查看机密的属性,但不列出或查看机密的值。
Microsoft.KeyVault/vaults/keys/read 列出指定保管库中的密钥,或读取密钥的属性和公共材料。 对于非对称密钥,此操作会公开公钥,并提供执行公钥算法(例如加密和验证签名)的功能。 永远不会公开私钥和对称密钥。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificates/read",
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        "Microsoft.KeyVault/vaults/keys/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificate User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 证书管理人员

对密钥保管库的证书执行任何操作(管理权限除外)。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.KeyVault/checkNameAvailability/read 检查密钥保管库名称是否有效且未被使用
Microsoft.KeyVault/deletedVaults/read 查看软删除的密钥保管库的属性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出可对 Microsoft.KeyVault 资源提供程序执行的操作
不操作
DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
Microsoft.KeyVault/vaults/certificatecontacts/write 管理证书联系人
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*",
        "Microsoft.KeyVault/vaults/certificatecontacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

密钥保管库参与者

管理密钥保管库,但不允许在 Azure RBAC 中分配角色,也不允许访问机密、密钥或证书。

了解详细信息

重要

使用访问策略权限模型时,拥有 ContributorKey Vault Contributor 或任何其他角色(包括对密钥保管库管理平面的 Microsoft.KeyVault/vaults/write 权限)的用户,可以通过设置密钥保管库访问策略来为自己授予对数据平面的访问权限。 为了防止对密钥保管库、密钥、机密和证书进行未经授权的访问和管理,在访问策略权限模型下,必须限制参与者角色对密钥保管库的访问,这一点至关重要。 为了缓解此风险,我们建议使用基于角色的访问控制 (RBAC) 权限模型,该模型将权限管理限制为“所有者”和“用户访问管理员”角色,从而明确地区分安全运营和管理职责。 有关详细信息,请参阅 Key Vault RBAC 指南什么是 Azure RBAC

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.KeyVault/*
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
Microsoft.KeyVault/locations/deletedVaults/purge/action 清除软删除的密钥保管库
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 加密管理人员

对密钥保管库的密钥执行任何操作(管理权限除外)。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.KeyVault/checkNameAvailability/read 检查密钥保管库名称是否有效且未被使用
Microsoft.KeyVault/deletedVaults/read 查看软删除的密钥保管库的属性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出可对 Microsoft.KeyVault 资源提供程序执行的操作
不操作
DataActions
Microsoft.KeyVault/vaults/keys/*
Microsoft.KeyVault/vaults/keyrotationpolicies/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

密钥保管库加密服务加密用户

读取密钥的元数据并执行包装/展开操作。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.EventGrid/eventSubscriptions/write 创建或更新事件订阅
Microsoft.EventGrid/eventSubscriptions/read 读取事件订阅
Microsoft.EventGrid/eventSubscriptions/delete 删除事件订阅
不操作
DataActions
Microsoft.KeyVault/vaults/keys/read 列出指定保管库中的密钥,或读取密钥的属性和公共材料。 对于非对称密钥,此操作会公开公钥,并提供执行公钥算法(例如加密和验证签名)的功能。 永远不会公开私钥和对称密钥。
Microsoft.KeyVault/vaults/keys/wrap/action 使用 Key Vault 密钥包装对称密钥。 请注意,如果 Key Vault 密钥为非对称密钥,此操作可以由拥有读取访问权限的主体执行。
Microsoft.KeyVault/vaults/keys/unwrap/action 使用 Key Vault 密钥解包对称密钥。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

密钥保管库加密服务发布用户

发布密钥。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.KeyVault/vaults/keys/release/action 使用证明令牌中 KEK 的公共部分来释放密钥。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/release/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Release User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 加密用户

使用密钥执行加密操作。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.KeyVault/vaults/keys/read 列出指定保管库中的密钥,或读取密钥的属性和公共材料。 对于非对称密钥,此操作会公开公钥,并提供执行公钥算法(例如加密和验证签名)的功能。 永远不会公开私钥和对称密钥。
Microsoft.KeyVault/vaults/keys/update/action 更新与给定密钥关联的指定属性。
Microsoft.KeyVault/vaults/keys/backup/action 创建密钥的备份文件。 该文件可用于还原同一订阅的 Key Vault 中的密钥。 可能存在限制。
Microsoft.KeyVault/vaults/keys/encrypt/action 使用密钥加密纯文本。 请注意,如果密钥为非对称密钥,此操作可以由拥有读取访问权限的主体执行。
Microsoft.KeyVault/vaults/keys/decrypt/action 使用密钥解密已加密文本。
Microsoft.KeyVault/vaults/keys/wrap/action 使用 Key Vault 密钥包装对称密钥。 请注意,如果 Key Vault 密钥为非对称密钥,此操作可以由拥有读取访问权限的主体执行。
Microsoft.KeyVault/vaults/keys/unwrap/action 使用 Key Vault 密钥解包对称密钥。
Microsoft.KeyVault/vaults/keys/sign/action 使用密钥为消息摘要(哈希)签名。
Microsoft.KeyVault/vaults/keys/verify/action 使用密钥验证消息摘要(哈希)的签名。 请注意,如果密钥为非对称密钥,此操作可以由拥有读取访问权限的主体执行。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

密钥保管库数据访问管理员

通过添加或删除 Key Vault 管理员、Key Vault 证书主管、Key Vault 加密管理人员、Key Vault 加密服务加密用户、Key Vault 加密用户、Key Vault 加密用户、Key Vault 读取者、Key Vault 机密主管或 Key Vault 机密用户角色来管理对 Azure Key Vault 的访问。 包括用于约束角色分配的 ABAC 条件。

操作 说明
Microsoft.Authorization/roleAssignments/write 创建指定范围的角色分配。
Microsoft.Authorization/roleAssignments/delete 删除指定范围的角色分配。
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.KeyVault/vaults/*/read
不操作
DataActions
NotDataActions
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) 添加或移除以下角色的角色分配:
Key Vault 管理员
Key Vault 证书管理人员
Key Vault 加密管理人员
密钥保管库加密服务加密用户
Key Vault 加密用户
Key Vault 读取者
Key Vault 机密管理人员
Key Vault 机密用户
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.KeyVault/vaults/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Key Vault Data Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 读取者

读取密钥保管库及其证书、密钥和机密的元数据。 无法读取机密内容或密钥材料等敏感值。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.KeyVault/checkNameAvailability/read 检查密钥保管库名称是否有效且未被使用
Microsoft.KeyVault/deletedVaults/read 查看软删除的密钥保管库的属性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出可对 Microsoft.KeyVault 资源提供程序执行的操作
不操作
DataActions
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或查看机密的属性,但不列出或查看机密的值。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 机密管理人员

对密钥保管库的机密执行任何操作(管理权限除外)。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.KeyVault/checkNameAvailability/read 检查密钥保管库名称是否有效且未被使用
Microsoft.KeyVault/deletedVaults/read 查看软删除的密钥保管库的属性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出可对 Microsoft.KeyVault 资源提供程序执行的操作
不操作
DataActions
Microsoft.KeyVault/vaults/secrets/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 机密用户

读取机密内容。 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。

了解详细信息

操作 说明
不操作
DataActions
Microsoft.KeyVault/vaults/secrets/getSecret/action 获取机密的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或查看机密的属性,但不列出或查看机密的值。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

托管 HSM 参与者

允许你管理托管 HSM 池,但不允许访问这些池。

了解详细信息

操作 说明
Microsoft.KeyVault/managedHSMs/*
Microsoft.KeyVault/deletedManagedHsms/read 查看已删除的托管 HSM 的属性
Microsoft.KeyVault/locations/deletedManagedHsms/read 查看已删除的托管 HSM 的属性
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action 清除已软删除的托管 HSM
Microsoft.KeyVault/locations/managedHsmOperationResults/read 检查长时间运行的操作的结果
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 自动化参与者

Microsoft Sentinel 自动化参与者

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Logic/workflows/triggers/read 读取触发器。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action 获取触发器的回调 URL。
Microsoft.Logic/workflows/runs/read 读取工作流运行。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read 列出 Web 应用 Hostruntime 工作流触发器。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action 获取 Web 应用 Hostruntime 工作流触发器 URI。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read 列出 Web 应用 Hostruntime 工作流运行。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 参与者

Microsoft Sentinel 参与者

了解详细信息

操作 说明
Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎进行搜索。
Microsoft.OperationalInsights/workspaces/*/read 查看日志分析数据
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read 获取现有的 OMS 解决方案
Microsoft.OperationalInsights/workspaces/query/read 对工作区中的数据运行查询
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 获取工作区下的数据源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Playbook 操作员

Microsoft Sentinel Playbook 操作员

了解详细信息

操作 说明
Microsoft.Logic/workflows/read 读取工作流。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action 获取触发器的回调 URL。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action 获取 Web 应用 Hostruntime 工作流触发器 URI。
Microsoft.Web/sites/read 获取 Web 应用的属性
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Playbook Operator",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
  "name": "51d6186e-6489-4900-b93f-92e23144cca5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Playbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 读取者

Microsoft Sentinel 读取者

了解详细信息

操作 描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action 检查用户授权和许可证
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action 查询威胁情报指示器
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action 查询威胁情报指示器
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎进行搜索。
Microsoft.OperationalInsights/workspaces/*/read 查看日志分析数据
Microsoft.OperationalInsights/workspaces/LinkedServices/read 获取给定工作区下的链接服务。
Microsoft.OperationalInsights/workspaces/savedSearches/read 获取保存的搜索查询。
Microsoft.OperationsManagement/solutions/read 获取现有的 OMS 解决方案
Microsoft.OperationalInsights/workspaces/query/read 对工作区中的数据运行查询
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 获取工作区下的数据源。
Microsoft.Insights/workbooks/read 读取工作簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/templateSpecs/*/read 获取或列出模板规格和模板规格版本
不操作
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 响应者

Microsoft Sentinel 响应者

了解详细信息

操作 描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action 检查用户授权和许可证
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/entities/runPlaybook/action 在实体上运行剧本
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action 将标记追加到威胁情报指示器
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action 查询威胁情报指示器
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action 批量标记威胁情报
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action 将标记追加到威胁情报指示器
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action 替换威胁情报指示器的标记
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action 查询威胁情报指示器
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action 撤消操作
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎进行搜索。
Microsoft.OperationalInsights/workspaces/*/read 查看日志分析数据
Microsoft.OperationalInsights/workspaces/dataSources/read 获取工作区下的数据源。
Microsoft.OperationalInsights/workspaces/savedSearches/read 获取保存的搜索查询。
Microsoft.OperationsManagement/solutions/read 获取现有的 OMS 解决方案
Microsoft.OperationalInsights/workspaces/query/read 对工作区中的数据运行查询
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 获取工作区下的数据源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/read 读取工作簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Responder",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/entities/runPlaybook/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全管理员

查看和更新 Microsoft Defender for Cloud 的权限。 与安全读取者角色具有相同的权限,还可以更新安全策略并关闭警报和建议。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Authorization/policyAssignments/* 创建和管理策略分配
Microsoft.Authorization/policyDefinitions/* 创建和管理策略定义
Microsoft.Authorization/policyExemptions/* 创建和管理策略豁免
Microsoft.Authorization/policySetDefinitions/* 创建和管理策略集
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.operationalInsights/workspaces/*/read 查看日志分析数据
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Security/* 创建和管理安全组件和策略
Microsoft.IoTSecurity/*
Microsoft.IoTFirmwareDefense/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.IoTFirmwareDefense/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全评估参与者

可将评估推送到 Microsoft Defender for Cloud

操作 描述
Microsoft.Security/assessments/write 创建或更新订阅的安全评估
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全管理器(旧版)

这是旧角色。 请改用安全管理员。

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.ClassicCompute/*/read 读取经典虚拟机的配置信息
Microsoft.ClassicCompute/virtualMachines/*/write 写入经典虚拟机的配置
Microsoft.ClassicNetwork/*/read 读取有关经典网络的配置信息
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Security/* 创建和管理安全组件和策略
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全读取者

查看 Microsoft Defender for Cloud 的权限。 可以查看但不能更改建议、警报、安全策略和安全状态。

了解详细信息

操作 说明
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/read 读取经典指标警报
Microsoft.operationalInsights/workspaces/*/read 查看日志分析数据
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Security/*/read 读取安全组件和策略
Microsoft.IoTSecurity/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action 获取可下载的 IoT Defender 包信息
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action 下载包含订阅配额数据的管理器激活文件
Microsoft.Security/iotSensors/downloadResetPassword/action 下载 IoT 传感器的重置密码文件
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action 获取可下载的 IoT Defender 包信息
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action 下载管理器激活文件
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤