Common scenarios in Azure AD entitlement management

There are several ways that you can configure entitlement management for your organization. However, if you're just getting started, it's helpful to understand the common scenarios for administrators, catalog owners, access package managers, approvers, and requestors.

Delegate

Administrator: Delegate management of resources

  1. Delegate users to the catalog creator role

Catalog creator: Delegate management of resources

Catalog owner: Delegate management of resources

  1. Add co-owners to the catalog
  2. Add resources to the catalog

Catalog owner: Delegate management of access packages

  1. Delegate users to the access package manager role

Govern access for users in your organization

Access package manager: Allow employees in your organization to request access to resources

  1. Create a new access package
  2. Add groups, Teams, applications, or SharePoint sites to the access package
  3. Add a request policy to allow users in your directory to request access
  4. Specify expiration settings

Requestor: Request access to resources

  1. Sign in to the My Access portal
  2. Find the access package
  3. Request access

Approver: Approve requests to resources

  1. Open the request in the My Access portal
  2. Approve or deny the access request

Requestor: View the resources you already have access to

  1. Sign in to the My Access portal
  2. View active access packages

Govern access for users outside your organization

Administrator: Collaborate with an external partner organization

  1. Read how access works for external users
  2. Review settings for external users
  3. Add a connection to the external organization

Access package manager: Collaborate with an external partner organization

  1. Create a new access package
  2. Add groups, Teams, applications, or SharePoint sites to the access package
  3. Add a request policy to allow users not in your directory to request access
  4. Specify expiration settings
  5. Copy the link to request the access package
  6. Send the link to your external partner contact to share with their users

Requestor: Request access to resources as an external user

  1. Find the access package link you received from your contact
  2. Sign in to the My Access portal
  3. Request access

Approver: Approve requests to resources

  1. Open the request in the My Access portal
  2. Approve or deny the access request

Requestor: View the resources you already have access to

  1. Sign in to the My Access portal
  2. View active access packages

Day-to-day management

Access package manager: Update the resources for a project

  1. Open the access package
  2. Add or remove groups, Teams, applications, or SharePoint sites

Access package manager: Update the duration for a project

  1. Open the access package
  2. Open the lifecycle settings
  3. Update the expiration settings

Access package manager: Update how access is approved for a project

  1. Open an existing policy of request settings
  2. Update the approval settings

Access package manager: Update the people for a project

  1. Remove users that no longer need access
  2. Open an existing policy of request settings
  3. Add users that need access

Access package manager: Directly assign specific users to an access package

  1. If users need different lifecycle settings, add a new policy to the access package
  2. Directly assign specific users to the access package

Assignments and reports

Administrator: View who has assignments to an access package

  1. Open an access package
  2. View assignments
  3. Archive reports and logs

Administrator: View resources assigned to users

  1. View access packages for a user
  2. View resource assignments for a user

Programmatic administration

You can also manage access packages, catalogs, policies, requests, and assignments using Microsoft Graph. A user in an appropriate role, using an application that has the delegated EntitlementManagement.ReadWrite.All permission, can call the entitlement management API.
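The following is an added example (not Microsoft's code or sample) of the programmatic path described above, also covering the "view who has assignments to an access package" scenario from the Assignments and reports section. It checks, before any network call, that the delegated token actually carries the EntitlementManagement.ReadWrite.All scope, and it builds the Graph v1.0 URLs for listing access packages and the assignments of one package. The /identityGovernance/entitlementManagement path is the real Graph endpoint; the $filter expression, the access package id, and the unsigned demo token are assumptions constructed for offline illustration, and the filter shape should be confirmed against the current Graph reference before relying on it.

```python
"""Guard a Microsoft Graph entitlement-management call behind a scope check.

Added example, not Microsoft's code. The v1.0 path
/identityGovernance/entitlementManagement is the real Graph endpoint; the
token, ids and filter shape used here are constructed for illustration.
"""
import base64
import json
import re
import urllib.parse
import urllib.request

GRAPH_ROOT = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"
REQUIRED_SCOPE = "EntitlementManagement.ReadWrite.All"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token):
    """Return the delegated scopes in a token's 'scp' claim (empty set if unparsable).

    No signature check is done here: the point is to see which permission the
    client is about to present, not to trust the token. Graph verifies the
    signature server-side and returns 403 when the scope is missing."""
    try:
        payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    except (IndexError, ValueError):
        return set()
    if not isinstance(payload, dict):
        return set()
    return set(str(payload.get("scp", "")).split())


def has_entitlement_scope(access_token):
    return REQUIRED_SCOPE in token_scopes(access_token)


def access_packages_url():
    # Lists the access packages the caller is permitted to see.
    return f"{GRAPH_ROOT}/accessPackages"


def assignments_url(access_package_id):
    """URL listing the assignments of one access package, with the assigned target expanded."""
    if not GUID_RE.match(access_package_id):
        # The id is interpolated into an OData $filter; accepting only GUIDs
        # keeps caller-supplied text from altering the filter expression.
        raise ValueError("access package id must be a GUID")
    flt = f"accessPackage/id eq '{access_package_id}'"  # assumed filter shape
    return f"{GRAPH_ROOT}/assignments?$filter={urllib.parse.quote(flt)}&$expand=target"


def graph_get(url, access_token, opener=urllib.request.urlopen):
    """GET a Graph URL, refusing up front if the token lacks the delegated scope."""
    if not has_entitlement_scope(access_token):
        raise PermissionError(f"token does not carry {REQUIRED_SCOPE}; Graph would answer 403")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with opener(req) as resp:
        return json.load(resp)


def make_demo_token(payload):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


if __name__ == "__main__":
    good = make_demo_token({"scp": "EntitlementManagement.ReadWrite.All User.Read"})
    weak = make_demo_token({"scp": "User.Read"})
    print(sorted(token_scopes(good)))
    print(assignments_url("11111111-2222-3333-4444-555555555555"))  # constructed id
    try:
        graph_get(access_packages_url(), weak)
    except PermissionError as exc:
        print("refused:", exc)
```

The scope check is a client-side courtesy, not the security boundary: Graph enforces the permission itself. Its value is operational, since it turns a 403 from a token minted with the wrong consent into an immediate, explicit error, and the GUID check keeps user-supplied ids from reshaping the OData filter.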

Next steps