Delegation and roles in Azure AD entitlement management

By default, Global administrators and User administrators can create and manage all aspects of Azure AD entitlement management. However, the users in these roles rarely know every situation in which an access package is required. Typically it is users within the respective departments, teams, or projects who know whom they are collaborating with, which resources are involved, and for how long. Instead of granting unrestricted permissions to non-administrators, you can grant users the least permissions they need to perform their job, which also avoids creating conflicting or inappropriate access rights.

Delegate example

To understand how you might delegate access governance in entitlement management, it helps to consider an example. Suppose your organization has the following administrator and managers.

Delegate from IT administrator to managers

As the IT administrator, Hana has contacts in each department -- Mamta in Marketing, Mark in Finance, and Joe in Legal -- who are responsible for their department's resources and business-critical content.

With entitlement management, you can delegate access governance to these non-administrators because they are the ones who know which users need access, to which resources, and for how long. This ensures the right people are managing access for their departments, and it keeps the scope of each delegate's authority limited to their own department's catalog.

Here is one way that Hana could delegate access governance to the marketing, finance, and legal departments.

  1. Hana creates a new Azure AD security group and adds Mamta, Mark, and Joe as members of the group.

  2. Hana adds that group to the catalog creator role.

    Mamta, Mark, and Joe can now create catalogs for their departments, add resources that their departments need, and delegate further within their own catalogs.

    Note that Mamta, Mark, and Joe cannot see each other's catalogs: a catalog creator only manages the catalogs they created or were made an owner of.

  3. Mamta creates a Marketing catalog, which is a container of resources.

  4. Mamta adds the resources that her marketing department owns to this catalog.

  5. Mamta can add additional people from her department as catalog owners of this catalog. This shares the catalog management responsibilities.

  6. Mamta can further delegate the creation and management of access packages in the Marketing catalog to project managers in the Marketing department. She does this by assigning them the access package manager role. An access package manager can create and manage access packages, but cannot change the catalog itself or the resources in it.

The following diagram shows catalogs with resources for the marketing, finance, and legal departments. Using these catalogs, project managers can create access packages for their teams or projects.

[Diagram: entitlement management delegate example]

After delegation, the marketing department might have roles similar to the following table.

| User    | Job role                  | Azure AD role                           | Entitlement management role       |
|---------|---------------------------|-----------------------------------------|-----------------------------------|
| Hana    | IT administrator          | Global administrator or User administrator |                                |
| Mamta   | Marketing manager         | User                                    | Catalog creator and Catalog owner |
| Bob     | Marketing lead            | User                                    | Catalog owner                     |
| Jessica | Marketing project manager | User                                    | Access package manager            |

Entitlement management roles

Entitlement management has the following roles specific to it.

| Entitlement management role       | Description |
|-----------------------------------|-------------|
| Catalog creator                   | Create and manage catalogs. Typically an IT administrator who is not a Global administrator, or a resource owner for a collection of resources. The person who creates a catalog automatically becomes that catalog's first catalog owner and can add additional catalog owners. A catalog creator cannot manage or see catalogs they do not own, and cannot add resources they do not own to a catalog. If a catalog creator needs to manage another catalog or add resources they do not own, they can request to be made a co-owner of that catalog or resource. |
| Catalog owner                     | Edit and manage existing catalogs. Typically an IT administrator, a resource owner, or a user whom an existing catalog owner has designated. |
| Access package manager            | Edit and manage all existing access packages within a catalog. |
| Access package assignment manager | Edit and manage the assignments of all existing access packages within a catalog. |

In addition, the designated approvers and the requestors of an access package also have rights, although they are not roles: the rights come from the access package's policy rather than from a role assignment.

| Right     | Description |
|-----------|-------------|
| Approver  | Authorized by a policy to approve or deny requests for an access package, but cannot change the access package definition. |
| Requestor | Authorized by a policy of an access package to request that access package. |

The following table lists the tasks that each entitlement management role can perform.

| Task | Admin | Catalog creator | Catalog owner | Access package manager | Access package assignment manager |
|------|:-----:|:---------------:|:-------------:|:----------------------:|:---------------------------------:|
| Delegate to a catalog creator             | ✔️ |    |    |    |    |
| Add a connected organization              | ✔️ |    |    |    |    |
| Create a new catalog                      | ✔️ | ✔️ |    |    |    |
| Add a resource to a catalog               | ✔️ |    | ✔️ |    |    |
| Add a catalog owner                       | ✔️ |    | ✔️ |    |    |
| Edit a catalog                            | ✔️ |    | ✔️ |    |    |
| Delete a catalog                          | ✔️ |    | ✔️ |    |    |
| Delegate to an access package manager     | ✔️ |    | ✔️ |    |    |
| Remove an access package manager          | ✔️ |    | ✔️ |    |    |
| Create a new access package in a catalog  | ✔️ |    | ✔️ | ✔️ |    |
| Change resource roles in an access package| ✔️ |    | ✔️ | ✔️ |    |
| Create and edit policies                  | ✔️ |    | ✔️ | ✔️ |    |
| Directly assign a user to an access package | ✔️ |  | ✔️ | ✔️ | ✔️ |
| Directly remove a user from an access package | ✔️ | | ✔️ | ✔️ | ✔️ |
| View who has an assignment to an access package | ✔️ | | ✔️ | ✔️ | ✔️ |
| View an access package's requests         | ✔️ |    | ✔️ | ✔️ | ✔️ |
| View a request's delivery errors          | ✔️ |    | ✔️ | ✔️ | ✔️ |
| Reprocess a request                       | ✔️ |    | ✔️ | ✔️ | ✔️ |
| Cancel a pending request                  | ✔️ |    | ✔️ | ✔️ | ✔️ |
| Hide an access package                    | ✔️ |    | ✔️ | ✔️ |    |
| Delete an access package                  | ✔️ |    | ✔️ | ✔️ |    |

Required roles to add resources to a catalog

A Global administrator can add or remove any group (cloud-created security groups or cloud-created Microsoft 365 Groups), application, or SharePoint Online site in a catalog. A User administrator can add or remove any group or application in a catalog, except for a group configured as assignable to a directory role.

For a user who is neither a Global administrator nor a User administrator to add groups, applications, or SharePoint Online sites to a catalog, that user must hold both the required Azure AD directory role and the catalog owner entitlement management role on that catalog. The following table lists the role combinations required to add resources to a catalog. Removing resources from a catalog requires the same roles.

| Azure AD directory role       | Entitlement management role | Can add security group | Can add Microsoft 365 Group | Can add app | Can add SharePoint Online site |
|-------------------------------|-----------------------------|:----------------------:|:---------------------------:|:-----------:|:------------------------------:|
| Global administrator          | n/a                         | ✔️ | ✔️ | ✔️ | ✔️ |
| User administrator            | n/a                         | ✔️ | ✔️ | ✔️ |    |
| Intune administrator          | Catalog owner               | ✔️ | ✔️ |    |    |
| Exchange administrator        | Catalog owner               |    | ✔️ |    |    |
| Teams service administrator   | Catalog owner               |    | ✔️ |    |    |
| SharePoint administrator      | Catalog owner               |    | ✔️ |    | ✔️ |
| Application administrator     | Catalog owner               |    |    | ✔️ |    |
| Cloud application administrator | Catalog owner             |    |    | ✔️ |    |
| User                          | Catalog owner               | Only if group owner | Only if group owner | Only if app owner | |

Note

If a user adds a security group or Microsoft 365 group, the group normally cannot be role-assignable. If the user adds a role-assignable group when creating the access package, they must also be an owner of that role-assignable group. This matters because a role-assignable group carries directory roles with it: anyone who can get a member added to it through an access package effectively gains those roles, so ownership of the group is required rather than just a catalog role.

To determine the least privileged role for a task, you can also reference Administrator roles by admin task in Azure Active Directory.
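The role combinations in the table above, together with the note about role-assignable groups, can be expressed as a single authorization check. The following Python model is an added example, not code from the page or from Microsoft; it encodes the rules as written here so you can test a proposed delegation (which directory role plus which entitlement management role a delegate needs) before granting it. The resource kinds, the role names, the user principal names, and the `Actor`/`Resource` types are constructed for the example. The User administrator row follows the sentence above the table literally (no role-assignable groups, no SharePoint sites) without considering group ownership; the ownership rule from the note is applied to every other non-Global-administrator actor.

```python
from __future__ import annotations

from dataclasses import dataclass

# Resource kinds a catalog can contain, as named on the page.
SECURITY_GROUP = "security_group"
M365_GROUP = "m365_group"
APP = "app"
SHAREPOINT_SITE = "sharepoint_site"
GROUP_KINDS = {SECURITY_GROUP, M365_GROUP}
ALL_KINDS = GROUP_KINDS | {APP, SHAREPOINT_SITE}

# Directory roles that, combined with the Catalog owner role, may add these kinds
# (rows of the "Required roles to add resources to a catalog" table).
SCOPED_DIRECTORY_ROLES = {
    "Intune administrator": {SECURITY_GROUP, M365_GROUP},
    "Exchange administrator": {M365_GROUP},
    "Teams service administrator": {M365_GROUP},
    "SharePoint administrator": {M365_GROUP, SHAREPOINT_SITE},
    "Application administrator": {APP},
    "Cloud application administrator": {APP},
}


@dataclass(frozen=True)
class Resource:
    """A group, app, or site that someone wants to add to a catalog (constructed type)."""
    kind: str
    owners: frozenset = frozenset()   # UPNs of the object's owners
    role_assignable: bool = False     # groups only: configured as assignable to a directory role


@dataclass(frozen=True)
class Actor:
    """The user attempting the change (constructed type)."""
    upn: str
    directory_roles: frozenset = frozenset()  # Azure AD directory roles held
    catalog_owner: bool = False               # holds Catalog owner on the target catalog


def can_add_resource(actor: Actor, resource: Resource) -> tuple[bool, str]:
    """Return (allowed, reason) for adding `resource` to a catalog, per the page's rules."""
    if resource.kind not in ALL_KINDS:
        raise ValueError(f"unknown resource kind: {resource.kind}")
    is_owner = actor.upn in resource.owners

    if "Global administrator" in actor.directory_roles:
        return True, "Global administrator may add any group, app, or SharePoint site"

    if "User administrator" in actor.directory_roles:
        if resource.kind == SHAREPOINT_SITE:
            return False, "User administrator cannot add SharePoint Online sites"
        if resource.kind in GROUP_KINDS and resource.role_assignable:
            return False, "User administrator cannot add a role-assignable group"
        return True, "User administrator may add groups and apps"

    # Note on the page: a role-assignable group may only be added by one of its owners.
    if resource.kind in GROUP_KINDS and resource.role_assignable and not is_owner:
        return False, "role-assignable group: actor is not an owner of the group"

    # Everyone else needs Catalog owner on top of a qualifying directory role or ownership.
    if not actor.catalog_owner:
        return False, "Catalog owner entitlement management role on this catalog is required"

    for role in actor.directory_roles:
        if resource.kind in SCOPED_DIRECTORY_ROLES.get(role, set()):
            return True, f"{role} + Catalog owner may add {resource.kind}"

    # Plain user + Catalog owner: only objects they own, and never SharePoint sites.
    if resource.kind == SHAREPOINT_SITE:
        return False, "only Global or SharePoint administrators can add SharePoint sites"
    if is_owner:
        return True, "Catalog owner who owns the object may add it"
    return False, "Catalog owner without a qualifying directory role must own the object"


if __name__ == "__main__":
    # Constructed sample actors mirroring the delegate example above.
    mamta = Actor("mamta@contoso.example", catalog_owner=True)
    marketing_team = Resource(M365_GROUP, owners=frozenset({"mamta@contoso.example"}))
    priv_group = Resource(SECURITY_GROUP, role_assignable=True)
    for res in (marketing_team, priv_group):
        print(res.kind, can_add_resource(mamta, res))
```

Running the module prints that Mamta can add the Microsoft 365 group she owns but not the role-assignable security group she does not own. When you plan a delegation, run the intended delegate's roles through this check for each resource kind they will manage; if the only way to get a `True` is a Global administrator or User administrator role, the delegation is not least-privilege and the resource should instead be owned by, or co-owned with, the delegate.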

Next steps