Create and manage a catalog of resources in Azure AD entitlement management

Create a catalog

A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. Whoever creates the catalog becomes its first catalog owner, and a catalog owner can add additional catalog owners.

Prerequisite role: Global administrator, User administrator, or Catalog creator

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs.

    (Screenshot: entitlement management catalogs in the Azure portal)

  3. Click New catalog.

  4. Enter a unique name for the catalog and provide a description.

    Users will see this information in an access package's details.

  5. If you want the access packages in this catalog to be available for users to request as soon as they are created, set Enabled to Yes.

  6. If you want users in selected external directories to be able to request access packages in this catalog, set Enabled for external users to Yes.

    (Screenshot: New catalog pane)

  7. Click Create to create the catalog.

Creating a catalog programmatically

You can also create a catalog using Microsoft Graph. A user in an appropriate role, working through an application that has been granted the delegated EntitlementManagement.ReadWrite.All permission, can call the API to create an accessPackageCatalog.

Add resources to a catalog

To include resources in an access package, the resources must first exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. The groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. The applications can be Azure AD enterprise applications, including both SaaS applications and your own applications federated to Azure AD. The sites can be SharePoint Online sites or SharePoint Online site collections.

Prerequisite role: See Required roles to add resources to a catalog

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to add resources to.

  3. In the left menu, click Resources.

  4. Click Add resources.

  5. Click a resource type: Groups and Teams, Applications, or SharePoint sites.

    If you don't see a resource that you want to add, or you are unable to add a resource, make sure you have the required Azure AD directory role and entitlement management role. You might need to have someone with the required roles add the resource to your catalog. For more information, see Required roles to add resources to a catalog.

  6. Select one or more resources of the chosen type that you would like to add to the catalog.

    (Screenshot: Add resources to a catalog)

  7. When finished, click Add.

    These resources can now be included in access packages within the catalog.

Add a Multi-Geo SharePoint site (preview)

  1. If you have Multi-Geo enabled for SharePoint, select the environment you would like to select sites from.

    (Screenshot: Access package, add resource role, select SharePoint Multi-Geo site)

  2. Then select the sites you would like to add to the catalog.

Adding a resource to a catalog programmatically

You can also add a resource to a catalog using Microsoft Graph. A user in an appropriate role, or a user who is both a catalog owner and an owner of the resource, working through an application that has been granted the delegated EntitlementManagement.ReadWrite.All permission, can call the API to create an accessPackageResourceRequest.

Remove resources from a catalog

You can remove resources from a catalog. A resource can only be removed from a catalog if it is not being used in any of the catalog's access packages.

Prerequisite role: See Required roles to add resources to a catalog

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to remove resources from.

  3. In the left menu, click Resources.

  4. Select the resources you want to remove.

  5. Click Remove (or click the ellipsis (...) and then click Remove resource).

Add additional catalog owners

The user who created a catalog becomes its first catalog owner. To delegate management of a catalog, you add users to the catalog owner role. This helps share the catalog management responsibilities.

Follow these steps to assign a user to the catalog owner role:

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to add administrators to.

  3. In the left menu, click Roles and administrators.

    (Screenshot: Catalog roles and administrators)

  4. Click Add owners to select the members for these roles.

  5. Click Select to add these members.

Edit a catalog

You can edit the name and description of a catalog. Users see this information in an access package's details.

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to edit.

  3. On the catalog's Overview page, click Edit.

  4. Edit the catalog's name, description, or enabled settings.

    (Screenshot: Edit catalog settings)

  5. Click Save.

Delete a catalog

You can delete a catalog, but only if it does not contain any access packages.

Prerequisite role: Global administrator, User administrator, or Catalog owner

  1. In the Azure portal, click Azure Active Directory and then click Identity Governance.

  2. In the left menu, click Catalogs and then open the catalog you want to delete.

  3. On the catalog's Overview page, click Delete.

  4. In the message box that appears, click Yes.

Deleting a catalog programmatically

You can also delete a catalog using Microsoft Graph. A user in an appropriate role, working through an application that has been granted the delegated EntitlementManagement.ReadWrite.All permission, can call the API to delete an accessPackageCatalog.
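The three programmatic sections above (creating an accessPackageCatalog, creating an accessPackageResourceRequest, and deleting an accessPackageCatalog) share one flow, so the following added example walks through it end to end. This is example code written for this page, not code from the Microsoft article or from Microsoft Graph's SDKs. It assumes the beta entitlement management endpoints under https://graph.microsoft.com/beta/identityGovernance/entitlementManagement, a delegated access token carrying EntitlementManagement.ReadWrite.All that has already been obtained elsewhere (for example with MSAL), and a minimal accessPackageResource body of originId plus originSystem. The function names, the make_fake_graph stand-in, the group object id and the token string are all constructed here so that the flow runs offline; pass urllib_transport instead of the fake to talk to the real API.

```python
"""Catalog lifecycle through Microsoft Graph: create a catalog, add a group to it,
delete the catalog.  Added example; assumes beta endpoints and a delegated token
with EntitlementManagement.ReadWrite.All obtained outside this snippet."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

BASE = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement"

# originSystem values for the three resource kinds the article lists.
ORIGIN_SYSTEM = {"group": "AadGroup", "application": "AadApplication",
                 "sharepoint": "SharePointOnline"}

Response = Tuple[int, Dict[str, Any]]
Transport = Callable[[str, str, Optional[Dict[str, Any]], str], Response]


class GraphError(RuntimeError):
    """Graph answered with a status other than the one the call expects."""


def catalog_payload(display_name: str, description: str,
                    enabled: bool = True, external: bool = False) -> Dict[str, Any]:
    """Body for POST .../accessPackageCatalogs; `enabled` and `external` mirror the
    portal's "Enabled" and "Enabled for external users" switches."""
    return {"displayName": display_name, "description": description,
            "catalogType": "UserManaged",
            "catalogStatus": "Published" if enabled else "Unpublished",
            "isExternallyVisible": external}


def resource_request_payload(catalog_id: str, origin_id: str, kind: str,
                             justification: str) -> Dict[str, Any]:
    """Body for POST .../accessPackageResourceRequests: an admin adds an existing
    group, application or site (by its object id) to the catalog."""
    return {"catalogId": catalog_id, "requestType": "AdminAdd",
            "justification": justification,
            "accessPackageResource": {"originId": origin_id,
                                      "originSystem": ORIGIN_SYSTEM[kind]}}


def _expect(status: int, body: Dict[str, Any], wanted: int, what: str) -> Dict[str, Any]:
    if status != wanted:
        code = body.get("error", {}).get("code", "unknown")
        raise GraphError(f"{what}: HTTP {status} ({code})")
    return body


def create_catalog(send: Transport, token: str, payload: Dict[str, Any]) -> str:
    status, body = send("POST", f"{BASE}/accessPackageCatalogs", payload, token)
    return _expect(status, body, 201, "create catalog")["id"]


def add_resource(send: Transport, token: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    status, body = send("POST", f"{BASE}/accessPackageResourceRequests", payload, token)
    return _expect(status, body, 201, "add resource")


def delete_catalog(send: Transport, token: str, catalog_id: str) -> None:
    # Graph refuses the delete while the catalog still contains access packages.
    status, body = send("DELETE", f"{BASE}/accessPackageCatalogs/{catalog_id}", None, token)
    _expect(status, body, 204, "delete catalog")


def urllib_transport(method: str, url: str, body: Optional[Dict[str, Any]], token: str) -> Response:
    """Real transport: bearer token, JSON body in, (status, parsed JSON) out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def make_fake_graph() -> Tuple[Transport, Dict[str, Any]]:
    """Constructed in-memory stand-in for Graph: assigns ids, rejects a missing
    token and unknown catalog ids.  Returns the transport and its state."""
    state: Dict[str, Any] = {"catalogs": {}, "resources": []}

    def send(method: str, url: str, body: Optional[Dict[str, Any]], token: str) -> Response:
        if not token:
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        if method == "POST" and url.endswith("/accessPackageCatalogs"):
            cid = f"cat-{len(state['catalogs']) + 1}"
            state["catalogs"][cid] = dict(body or {}, id=cid)
            return 201, state["catalogs"][cid]
        if method == "POST" and url.endswith("/accessPackageResourceRequests"):
            if not body or body.get("catalogId") not in state["catalogs"]:
                return 404, {"error": {"code": "ResourceNotFound"}}
            state["resources"].append(body)
            return 201, dict(body, id=f"req-{len(state['resources'])}")
        if method == "DELETE" and "/accessPackageCatalogs/" in url:
            if state["catalogs"].pop(url.rsplit("/", 1)[1], None) is None:
                return 404, {"error": {"code": "ResourceNotFound"}}
            return 204, {}
        return 400, {"error": {"code": "BadRequest"}}

    return send, state


def demo(send: Transport, token: str = "constructed-token") -> str:
    """Create a catalog, add a (constructed) group id to it, delete it; returns the catalog id."""
    cid = create_catalog(send, token, catalog_payload("Finance resources", "Finance groups and apps"))
    group_id = "11111111-2222-3333-4444-555555555555"  # constructed group object id
    add_resource(send, token, resource_request_payload(cid, group_id, "group", "Needed by finance packages"))
    delete_catalog(send, token, cid)
    return cid
```

Running `demo(make_fake_graph()[0])` exercises the whole sequence offline; with `demo(urllib_transport, token)` the same calls go to Graph, where the delete at the end will fail with a GraphError if access packages were created in the catalog in between, matching the portal rule above. Keeping the transport pluggable also keeps the bearer token out of the payload-building functions, so the request bodies can be reviewed and unit-tested without any credential present.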

Next steps