Compartir a través de

列出 Azure 角色定义

角色定义是可执行特权的集合,例如读取、写入和删除。 它通常直接称为“角色”。 Azure 基于角色的访问控制 (Azure RBAC) 具有超过 120 种内置角色,也可以创建自己的自定义角色。 本文介绍如何列出可用于授予 Azure 资源访问权限的内置角色和自定义角色。

若要查看 Microsoft Entra ID 的管理员角色列表,请参阅 Microsoft Entra ID 中的管理员角色权限

先决条件

Azure 门户

列出所有角色

按照以下步骤在 Azure 门户中列出所有角色。

  1. 在 Azure 门户中单击“所有服务”,然后选择任意范围。 例如,可以选择“管理组”、“订阅”、“资源组”或某个资源 。

  2. 单击特定的资源。

  3. 单击“访问控制(IAM)”。

  4. 单击“角色”选项卡以查看包含所有内置角色和自定义角色的列表。

    显示使用新体验的角色列表的屏幕截图。

  5. 若要查看特定角色的权限,请在“详细信息”列中,单击“查看”链接 。

    “权限”窗格随即显示。

  6. 单击“权限”选项卡以查看和搜索所选角色的权限。

    显示使用新体验的角色权限的屏幕截图。

Azure PowerShell

列出所有角色

若要列出 Azure PowerShell 中的所有角色,请使用 Get-AzRoleDefinition

Get-AzRoleDefinition | FT Name, Description
AcrImageSigner                                    acr image signer
AcrQuarantineReader                               acr quarantine data reader
AcrQuarantineWriter                               acr quarantine data writer
API Management Service Contributor                Can manage service and the APIs
API Management Service Operator Role              Can manage service but not the APIs
API Management Service Reader Role                Read-only access to service and APIs
Application Insights Component Contributor        Can manage Application Insights components
Application Insights Snapshot Debugger            Gives user permission to use Application Insights Snapshot Debugge...
Automation Job Operator                           Create and Manage Jobs using Automation Runbooks.
Automation Operator                               Automation Operators are able to start, stop, suspend, and resume ...
...

列出角色定义

若要列出特定角色的详细信息,请使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name>
PS C:\> Get-AzRoleDefinition "Contributor"

Name             : Contributor
Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom         : False
Description      : Lets you manage everything except access to resources.
Actions          : {*}
NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
                  Microsoft.Authorization/elevateAccess/Action}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

以 JSON 格式列出角色定义

若要以 JSON 格式列出角色,请使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name> | ConvertTo-Json
PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

列出角色定义的特权

若要列出特定角色的特权,请使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name> | FL Actions, NotActions
PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions    : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
            Microsoft.Authorization/elevateAccess/Action,
            Microsoft.Blueprint/blueprintAssignments/write...}
(Get-AzRoleDefinition <role_name>).Actions
PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...

Azure CLI

列出所有角色

若要列出 Azure CLI 中的所有角色,请使用 az role definition list

az role definition list

以下示例列出了所有可用的角色定义的名称和说明:

az role definition list --output json --query '[].{roleName:roleName, description:description}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role"
  },

  ...

]

下面的示例列出了所有内置角色。

az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role",
    "roleType": "BuiltInRole"
  },
  
  ...

]

列出角色定义

若要列出角色的详细信息,请使用 az role definition list

az role definition list --name {roleName}

下面的示例列出了“参与者”角色定义:

az role definition list --name "Contributor"
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage everything except access to resources.",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

列出角色定义的特权

以下示例仅列出“参与者”角色的“actions”和“notActions” 。

az role definition list --name "Contributor" --output json --query '[].{actions:permissions[0].actions, notActions:permissions[0].notActions}'
[
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete"
    ]
  }
]

The following example lists just the actions of the Virtual Machine Contributor role.

az role definition list --name "Virtual Machine Contributor" --output json --query '[].permissions[0].actions'
[
  [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

    ...

    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read"
  ]
]

REST API

先决条件

必须使用以下版本:

  • 2015-07-01 或更高版本

有关详细信息,请参阅 Azure RBAC REST API 的 API 版本

列出所有角色定义

若要列出租户中的角色定义,请使用角色定义 - 列出 REST API。

  • 以下示例列出了租户中的所有角色定义:

    请求

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01
    

    响应

    {
        "value": [
            {
                "properties": {
                    "roleName": "Billing Reader Plus",
                    "type": "CustomRole",
                    "description": "Read billing data and download invoices",
                    "assignableScopes": [
                        "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.Authorization/*/read",
                                "Microsoft.Billing/*/read",
                                "Microsoft.Consumption/*/read",
                                "Microsoft.Management/managementGroups/read",
                                "Microsoft.Billing/invoices/download/action"
                            ],
                            "notActions": [
                            ],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2021-05-22T21:57:23.5764138Z",
                    "updatedOn": "2021-05-22T21:57:23.5764138Z",
                    "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                    "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
                },
                "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
            },
            {
                "properties": {
                    "roleName": "AcrPush",
                    "type": "BuiltInRole",
                    "description": "acr push",
                    "assignableScopes": [
                        "/"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.ContainerRegistry/registries/pull/read",
                                "Microsoft.ContainerRegistry/registries/push/write"
                            ],
                            "notActions": [],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2018-10-29T17:52:32.5201177Z",
                    "updatedOn": "2021-11-11T20:13:07.4993029Z",
                    "createdBy": null,
                    "updatedBy": null
                },
                "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "8311e382-0749-4cb8-b61a-304f252e45ec"
            }
        ]
    }
    

列出角色定义

若要列出角色定义,请使用角色定义 - 列出 REST API。 若要优化结果,请指定一个范围和可选的筛选器。

  1. 从下面的请求开始:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2022-04-01
    

    对于租户级范围,可以使用以下请求:

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions?filter={$filter}&api-version=2022-04-01
    
  2. 在 URI 中,将“{scope}”替换为要列出角色定义的范围。

    作用域 类型
    providers/Microsoft.Management/managementGroups/{groupId1} 管理组
    subscriptions/{subscriptionId1} 订阅
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 资源组
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 资源

    在前面的示例中,microsoft.web 是引用应用服务实例的资源提供程序。 同样,可以使用任何其他资源提供程序并指定范围。 有关详细信息,请参阅 Azure 资源提供程序和类型和支持的 Azure 资源提供程序操作

  3. {filter} 替换为筛选角色定义列表时要应用的条件。

    筛选器 说明
    $filter=type+eq+'{type}' 列出指定类型的角色定义。 角色的类型可以是 CustomRoleBuiltInRole

    以下示例列出了租户中的所有自定义角色:

    请求

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01
    

    响应

    {
        "value": [
            {
                "properties": {
                    "roleName": "Billing Reader Plus",
                    "type": "CustomRole",
                    "description": "Read billing data and download invoices",
                    "assignableScopes": [
                        "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.Authorization/*/read",
                                "Microsoft.Billing/*/read",
                                "Microsoft.Consumption/*/read",
                                "Microsoft.Management/managementGroups/read",
                                "Microsoft.Billing/invoices/download/action"
                            ],
                            "notActions": [
                            ],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2021-05-22T21:57:23.5764138Z",
                    "updatedOn": "2021-05-22T21:57:23.5764138Z",
                    "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                    "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
                },
                "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
            }
        ]
    }
    

列出角色定义

若要列出特定角色的详细信息,请使用角色定义 - 获取角色定义 - 按 ID 获取 REST API。

  1. 从下面的请求开始:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    

    对于租户级别的角色定义,可以使用以下请求:

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    
  2. 在 URI 中,将“{scope}”替换为要列出角色定义的范围。

    作用域 类型
    providers/Microsoft.Management/managementGroups/{groupId1} 管理组
    subscriptions/{subscriptionId1} 订阅
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 资源组
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 资源
  3. 将“{roleDefinitionId}”替换为角色定义标识符。

    以下示例列出了读取者角色定义:

Request

GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2022-04-01

Response

{
    "properties": {
        "roleName": "Reader",
        "type": "BuiltInRole",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2021-11-11T20:13:47.8628684Z",
        "createdBy": null,
        "updatedBy": null
    },
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}