Assign Azure resource roles in Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

  • Owner
  • User Access Administrator
  • Contributor
  • Security Admin
  • Security Manager

Note

Users or members of a group assigned to the Owner or User Access Administrator subscription roles, and Azure AD Global administrators that enable subscription management in Azure AD, have Resource administrator permissions by default. These administrators can assign roles, configure role settings, and review access using Privileged Identity Management for Azure resources. A user can't manage Privileged Identity Management for Resources without Resource administrator permissions. View the list of Azure built-in roles.

Assign a role

Follow these steps to make a user eligible for an Azure resource role.

  1. Sign in to the Azure portal with Owner or User Access Administrator role permissions.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure resources.

  4. Use the resource filter to find the managed resources you're looking for.

    (Screenshot: list of Azure resources to manage)

  5. Select the resource that you want to manage to open the resource overview page.

  6. Under Manage, select Roles to see the list of roles for Azure resources.

    (Screenshot: Azure resource roles)

  7. Select Add assignments to open the Add assignments pane.

  8. Select Select a role to open the Select a role page.

    (Screenshot: New assignment pane)

  9. Select a role you want to assign and then click Select.

    The Select a member or group pane opens.

  10. Select a member or group you want to assign to the role and then click Select.

    (Screenshot: Select a member or group pane)

  11. On the Settings tab, in the Assignment type list, select Eligible or Active.

    (Screenshot: Membership settings pane)

    Privileged Identity Management for Azure resources provides two distinct assignment types:

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  12. To specify a specific assignment duration, change the start and end dates and times.

  13. When finished, select Assign.

  14. After the new role assignment is created, a status notification is displayed.

    (Screenshot: New assignment notification)

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure resources.

  3. Select the resource you want to manage to open its overview page.

  4. Under Manage, select Roles to see the list of roles for Azure resources.

    (Screenshot: Azure resource roles, select a role)

  5. Select the role that you want to update or remove.

  6. Find the role assignment on the Eligible roles or Active roles tabs.

    (Screenshot: update or remove a role assignment)

  7. Select Update or Remove to update or remove the role assignment.

    For information about extending a role assignment, see Extend or renew Azure resource roles in Privileged Identity Management.
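The same Eligible assignment (assign procedure, steps 11 to 13) and its removal (the Remove action above) can be scripted with Az PowerShell. This is an added example, not part of this page or of Microsoft's documentation; it assumes the Az.Resources module, an existing Connect-AzAccount session with Owner or User Access Administrator rights, and placeholder subscription and principal ids that you replace.

```powershell
# Added example: Az PowerShell equivalent of the portal steps on this page.
# Assumes Az.Resources is installed and Connect-AzAccount has already been run.
$scope       = '/subscriptions/<subscription-id>'   # placeholder: scope of the managed resource
$principalId = '<user-or-group-object-id>'          # placeholder: Azure AD object id

function Get-PimRoleDefinitionId {
    # PIM requests take the full resource id of the role definition, not its display name.
    param([string]$Scope, [string]$RoleName)
    $roleDef = Get-AzRoleDefinition -Name $RoleName
    return "$Scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"
}

function New-PimEligibleAssignment {
    # Assignment type "Eligible" with a bounded duration: the principal holds no privilege
    # until it activates the role (MFA, justification or approval, per the role settings).
    # $Duration is ISO 8601; the default P90D makes the eligibility expire after 90 days.
    param([string]$Scope, [string]$PrincipalId, [string]$RoleName, [string]$Duration = 'P90D')
    New-AzRoleEligibilityScheduleRequest `
        -Name (New-Guid).Guid `
        -Scope $Scope `
        -PrincipalId $PrincipalId `
        -RoleDefinitionId (Get-PimRoleDefinitionId -Scope $Scope -RoleName $RoleName) `
        -RequestType AdminAssign `
        -ScheduleInfoStartDateTime (Get-Date -Format o) `
        -ExpirationType AfterDuration `
        -ExpirationDuration $Duration `
        -Justification 'Eligible Owner for on-call engineers; reviewed quarterly'  # constructed text
}

function Remove-PimEligibleAssignment {
    # "Remove" on the Eligible roles tab: an AdminRemove request for the same scope and role.
    param([string]$Scope, [string]$PrincipalId, [string]$RoleName)
    New-AzRoleEligibilityScheduleRequest `
        -Name (New-Guid).Guid `
        -Scope $Scope `
        -PrincipalId $PrincipalId `
        -RoleDefinitionId (Get-PimRoleDefinitionId -Scope $Scope -RoleName $RoleName) `
        -RequestType AdminRemove
}

# Make the principal eligible for Owner, then confirm the schedule exists at this scope.
New-PimEligibleAssignment -Scope $scope -PrincipalId $principalId -RoleName 'Owner' |
    Format-List Name, RequestType, Status

Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object PrincipalId -eq $principalId |
    Select-Object RoleDefinitionDisplayName, StartDateTime, EndDateTime
```

Prefer Eligible over Active for high-privilege roles such as Owner; the listing at the end is the check that no permanent assignment slipped in alongside the eligible one.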

Next steps