Use Azure custom roles in Privileged Identity Management

You might need to apply strict Privileged Identity Management (PIM) settings to some users in a privileged role in your Azure Active Directory (Azure AD) organization, while providing greater autonomy for others. Consider, for example, a scenario in which your organization hires several contract associates to assist in the development of an application that will run in an Azure subscription.

As a resource administrator, you want employees to be eligible for access without requiring approval. However, all contract associates must be approved when they request access to the organization's resources.

Follow the steps outlined in the next section to set up targeted Privileged Identity Management settings for Azure resource roles.

Create the custom role

To create a custom role for a resource, follow the steps described in Azure custom roles.

When you create a custom role, give it a descriptive name so you can easily remember which built-in role you intended to duplicate.

Note

Ensure that the custom role is a duplicate of the built-in role you want to duplicate, and that its assignable scope matches the scope at which you intend to use the built-in role.
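The note above is easy to get wrong by hand: a custom role that silently drops a NotAction or is assignable at the wrong scope grants something different from the built-in role it is meant to mirror. The following is an added example (not code from this page or from Microsoft) that builds a custom role definition in the JSON shape accepted by `az role definition create --role-definition @file.json` by copying a built-in role's permissions, and checks the copy against the original before it is submitted. The built-in role data and the subscription ID are constructed sample input; the built-in role's actions are a simplified stand-in, not a full copy of any real role definition.

```python
"""
Duplicate a built-in Azure role into a custom role definition and verify that
the duplicate's permissions and assignable scope match what was intended.

The built-in role below is CONSTRUCTED sample data in the (simplified) shape
returned by `az role definition list`; in practice you would load the real
definition from that command's output.
"""
import json

# Constructed sample: only the fields this example needs are present.
BUILTIN_ROLE_SAMPLE = {
    "roleName": "Sample VM Operator (constructed)",
    "roleType": "BuiltInRole",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"],
        "dataActions": [],
        "notDataActions": [],
    }],
    "assignableScopes": ["/"],
}

# Placeholder scope; replace with the real subscription or resource group.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Mapping from the custom-role JSON keys to the built-in role's permission keys.
PERMISSION_KEYS = (
    ("Actions", "actions"),
    ("NotActions", "notActions"),
    ("DataActions", "dataActions"),
    ("NotDataActions", "notDataActions"),
)


def make_custom_role(builtin, name, description, scope):
    """Return a custom role definition (the JSON shape used by
    `az role definition create`) that copies the built-in role's permissions
    and is assignable only at `scope`."""
    perms = builtin["permissions"][0]
    role = {"Name": name, "IsCustom": True, "Description": description}
    for custom_key, builtin_key in PERMISSION_KEYS:
        role[custom_key] = list(perms[builtin_key])   # copy, never alias
    role["AssignableScopes"] = [scope]
    return role


def verify_duplicate(custom, builtin, scope):
    """Return a list of problems; an empty list means the custom role carries
    exactly the built-in role's permissions and is scoped as intended."""
    problems = []
    perms = builtin["permissions"][0]
    for custom_key, builtin_key in PERMISSION_KEYS:
        if sorted(custom.get(custom_key, [])) != sorted(perms[builtin_key]):
            problems.append(f"{custom_key} differ from the built-in role")
    if custom.get("AssignableScopes") != [scope]:
        problems.append("AssignableScopes do not match the intended scope")
    if custom.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if not custom.get("Name", "").strip():
        problems.append("Name is empty; use a name that recalls the built-in role")
    return problems


def render_role_file(custom):
    """Serialize the definition as the JSON that would be written to a file
    and passed to `az role definition create --role-definition @file.json`."""
    return json.dumps(custom, indent=2)


if __name__ == "__main__":
    custom = make_custom_role(
        BUILTIN_ROLE_SAMPLE,
        "PIM Contractor VM Operator (copy of Sample VM Operator)",
        "Duplicate of the sample built-in role, scoped for targeted PIM settings",
        SCOPE,
    )
    problems = verify_duplicate(custom, BUILTIN_ROLE_SAMPLE, SCOPE)
    print(render_role_file(custom))
    print("OK: custom role matches the built-in role" if not problems else problems)
```

Run the check again after any manual edit to the JSON file; a tampered copy (for example one that drops the `NotActions` entry) is reported rather than created with broader rights than the built-in role.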

Apply PIM settings

After the role is created in your Azure AD organization, go to the Privileged Identity Management - Azure resources page in the Azure portal. Select the resource that the role applies to.

[Screenshot: Privileged Identity Management - Azure resources pane]

Configure the Privileged Identity Management role settings (such as requiring approval) that should apply to the members of the role you want to target.

Finally, assign the role to the distinct group of members that you want to target with these settings.

Next steps