在 Privileged Identity Management 中延期或续订特权访问组分配(预览版)Extend or renew privileged access group assignments (preview) in Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) 提供相应的控件用于管理特权访问组的访问和分配生命周期。Azure Active Directory (Azure AD) Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for privileged access groups. 管理员可以使用开始和结束日期时间属性分配角色。Administrators can assign roles using start and end date-time properties. 当分配结束时间即将到来时,Privileged Identity Management 会向受影响的用户或组发送电子邮件通知。When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. 此外,它还向资源管理员发送电子邮件通知,确保能够保持相应的访问权限。It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. 即使访问权限未延期,分配也可以续订,并在长达 30 天内以过期状态保持可见。Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

谁可以延期和续订Who can extend and renew

只有资源管理员可以延期或续订特权访问组分配。Only administrators of the resource can extend or renew privileged access group assignments. 受影响的用户或组可以请求延期即将过期的分配,以及请求续订已过期的分配。The affected user or group can request to extend assignments that are about to expire and request to renew assignments that are already expired.

何时发送通知When notifications are sent

Privileged Identity Management 会向管理员以及过期的特权访问组分配中的受影响用户发送电子邮件通知:Privileged Identity Management sends email notifications to administrators and affected users of privileged access group assignments that are expiring:

  • 到期前 14 天内Within 14 days prior to expiration
  • 到期前一天One day prior to expiration
  • 当分配过期时When an assignment expires

当用户或组请求延期或续订即将过期或已过期的分配时,管理员会收到通知。Administrators receive notifications when a user or group requests to extend or renew an expiring or expired assignment. 当管理员解决该请求时,所有管理员和发出请求的用户都会收到批准或拒绝的通知。When an administrator resolves the request, all administrators and the requesting user are notified of the approval or denial.

延期组分配Extend group assignments

以下步骤概述了请求、解决或管理组分配延期或续订的过程。The following steps outline the process for requesting, resolving, or administering an extension or renewal of a group assignment.

自我延期即将过期的分配Self-extend expiring assignments

分配给特权访问组的用户可以直接在该组的“分配”页面上通过“符合条件”或“活动”选项卡,延长到期的组分配的有效期 。Users assigned to a privileged access group can extend expiring group assignments directly from the Eligible or Active tab on the Assignments page for the group. 用户或组可以请求延期在后续 14 天过期的符合条件且处于活动状态的分配。Users or groups can request to extend eligible and active assignments that expire in the next 14 days.

“我的角色”页中列出了带有“操作”列的符合条件的分配

如果分配结束日期-时间在 14 天以内,可使用“延期”命令。When the assignment end date-time is within 14 days, the Extend command is available. 若要请求延期组分配,请选择“延期”以打开请求窗体。To request an extension of a group assignment, select Extend to open the request form.

包含“原因”框和详细信息的“延期组分配”窗格

备注

我们建议详细说明为何有必要延期,以及要同意延期多久(如果知道此信息)。We recommend including the details of why the extension is necessary, and for how long the extension should be granted (if you have this information).

片刻之后,管理员会收到一封电子邮件通知,要求他们审阅延期请求。In a matter of moments, administrators receive an email notification requesting that they review the extension request. 如果已提交延期请求,门户中会显示一条 Azure 通知。If a request to extend has already been submitted, an Azure notification appears in the portal.

要查看请求的状态或取消请求,请打开组分配的“待处理请求”页面。To view the status of or cancel your request, open the Pending requests page for the group assignment.

特权访问组分配 -“待处理请求”页面,显示“取消”链接

管理员批准的延期Admin approved extension

当用户或组提交延期组分配的请求时,管理员会收到一封电子邮件通知,其中包含原始分配的详细信息,以及请求的原因。When a user or group submits a request to extend a group assignment, administrators receive an email notification that contains the details of the original assignment and the reason for the request. 此通知还包含一个直接链接,让管理员批准或拒绝该请求。The notification includes a direct link to the request for the administrator to approve or deny.

除了使用电子邮件中的链接以外,管理员还可以通过转到 Privileged Identity Management 管理门户,并从左窗格中选择“审批请求”来批准或拒绝请求。In addition to using following the link from email, administrators can approve or deny requests by going to the Privileged Identity Management administration portal and selecting Approve requests in the left pane.

“特权访问组分配 - 审批请求”页列出了请求和“批准”或“拒绝”链接

当管理员选择“批准”或“拒绝”时,将显示请求的详细信息,同时会显示一个字段,让管理员提供审核日志的业务理由。 When an Administrator selects Approve or Deny, the details of the request are shown, along with a field to provide a business justification for the audit logs.

使用请求者原因、分配类型、开始时间、结束时间和原因审批组分配请求

批准延期组分配的请求时,资源管理员可以选择新的开始日期、结束日期和分配类型。When approving a request to extend a group assignment, resource administrators can choose a new start date, end date, and assignment type. 如果管理员希望提供受限的访问权限来完成特定的任务(例如,一天的访问权限),则可能需要更改分配类型。Changing assignment type might be necessary if the administrator wants to provide limited access to complete a specific task (one day, for example). 在此示例中,管理员可将分配从“符合条件”更改为“活动”。In this example, the administrator can change the assignment from Eligible to Active. 这意味着,他们可为请求者提供访问权限,而无需让请求者激活。This means they can provide access to the requestor without requiring them to activate.

管理员发起的延期Admin initiated extension

如果分配到某个组的用户未请求组分配延期,管理员可以代表该用户延期分配。If a user assigned to a group doesn't request an extension for the group assignment, an administrator can extend an assignment on behalf of the user. 组分配的管理延期不需要审批,但在完成分配延期后,系统会向其他所有管理员发送通知。Administrative extensions of group assignment do not require approval, but notifications are sent to all other administrators after the assignment has been extended.

若要延期组分配,请浏览 Privileged Identity Management 中的分配视图。To extend a group assignment, browse to the assignment view in Privileged Identity Management. 找到需要延期的分配。Find the assignment that requires an extension. 在操作列中选择“延期”。Then select Extend in the action column.

“分配”页列出了带有“延期”链接的符合条件的组分配

续订组分配Renew group assignments

续订已过期组分配的过程虽然在概念上与请求延期的过程类似,但两者确实存在差异。While conceptually similar to the process for requesting an extension, the process to renew an expired group assignment is different. 分配和管理员可根据需要,使用以下步骤来续订对已过期分配的访问权限。Using the following steps, assignments and administrators can renew access to expired assignments when necessary.

自我续订Self-renew

不再能够访问资源的用户可以访问最长 30 天的已过期分配历史记录。Users who can no longer access resources can access up to 30 days of expired assignment history. 为此,他们可以在左窗格中浏览“我的角色”,并选择“已过期的分配”选项卡。 To do this, they browse to My Roles in the left pane, and then select the Expired assignments tab.

“我的角色”页 -“过期的分配”选项卡

显示的分配列表默认为“符合条件”的分配。The list of assignments shown defaults to Eligible assignments. 使用下拉菜单在“符合条件”与“活动”分配之间切换。Use the drop-down menu to toggle between Eligible and Active assignments.

若要请求续订列表中的任何组分配,请选择“续订”操作。To request renewal for any of the group assignments in the list, select the Renew action. 然后提供请求原因。Then provide a reason for the request. 建议提供持续时间和任何附加的上下文或业务理由,以帮助资源管理员做出批准或拒绝的决定。It's helpful to provide a duration in addition to any additional context or a business justification that can help the resource administrator decide to approve or deny.

“续订组分配”窗格显示了“原因”框

提交请求后,资源管理员会收到一个续订组分配的待定请求的通知。After the request has been submitted, resource administrators are notified of a pending request to renew a group assignment.

管理员审批Admin approves

资源管理员可以通过电子邮件通知中的链接,或者在 Azure 门户中访问 Privileged Identity Management 并从左窗格中选择“审批请求”,来访问续订请求。Resource administrators can access the renewal request from the link in the email notification or by accessing Privileged Identity Management from the Azure portal and selecting Approve requests from the left pane.

当管理员选择“批准”或“拒绝”时,将显示请求的详细信息,同时会显示一个字段,让管理员提供审核日志的业务理由。When an administrator selects Approve or Deny, the details of the request are shown along with a field to provide a business justification for the audit logs.

批准续订组分配的请求时,资源管理员必须输入新的开始日期、结束日期和分配类型。When approving a request to renew a group assignment, resource administrators must enter a new start date, end date, and assignment type.

后续步骤Next steps