How to Use Role-Based Access Control in Azure API Management

Azure API Management relies on Azure Role-Based Access Control (RBAC) to enable fine-grained access management for API Management services and entities (for example, APIs and policies). This article gives you an overview of the built-in and custom roles in API Management. For more information on access management in the Azure portal, see Get started with access management in the Azure portal.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Built-in roles

API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance. For instance, if you assign the "Azure API Management Service Reader" role to a user at the resource-group level, then the user has read access to all API Management instances inside the resource group.

The following table provides brief descriptions of the built-in roles. You can assign these roles by using the Azure portal or other tools, including Azure PowerShell, Azure CLI, and the REST API. For details about how to assign built-in roles, see Use role assignments to manage access to your Azure subscription resources.

Columns: Role | Read access [1] | Write access [2] | Service creation, deletion, scaling, VPN, and custom domain configuration | Access to the legacy publisher portal | Description

Azure API Management Service Contributor: Super user. Has full CRUD access to API Management services and entities (for example, APIs and policies). Has access to the legacy publisher portal.

Azure API Management Service Reader: Has read-only access to API Management services and entities.

Azure API Management Service Operator: Can manage API Management services, but not entities.

Azure API Management Service Editor*: Can manage API Management entities, but not services.

Azure API Management Content Manager*: Can manage the developer portal. Read-only access to services and entities.

[1] Read access to API Management services and entities (for example, APIs and policies).

[2] Write access to API Management services and entities except the following operations: instance creation, deletion, and scaling; VPN configuration; and custom domain setup.

* The Service Editor role will be available after we migrate all the admin UI from the existing publisher portal to the Azure portal. The Content Manager role will be available after the publisher portal is refactored to only contain functionality related to managing the developer portal.

Custom roles

If none of the built-in roles meet your specific needs, custom roles can be created to provide more granular access management for API Management entities. For example, you can create a custom role that has read-only access to an API Management service, but only has write access to one specific API. To learn more about custom roles, see Custom roles in Azure RBAC.

Note

To be able to see an API Management instance in the Azure portal, a custom role must include the Microsoft.ApiManagement/service/read action.

When you create a custom role, it's easier to start with one of the built-in roles. Edit the attributes to add Actions, NotActions, or AssignableScopes, and then save the changes as a new role. The following example begins with the "Azure API Management Service Reader" role and creates a custom role called "Calculator API Editor." You can assign the custom role to a specific API. Consequently, this role only has access to that API.

# Start from the built-in reader role so the new role inherits its read actions.
$role = Get-AzRoleDefinition "API Management Service Reader Role"
# Clear the Id so New-AzRoleDefinition creates a new role instead of updating the built-in one.
$role.Id = $null
$role.Name = 'Calculator API Contributor'
$role.Description = 'Has read access to Contoso APIM instance and write access to the Calculator API.'
# Grant write on the API itself and on everything beneath it (operations, policies, and so on).
$role.Actions.Add('Microsoft.ApiManagement/service/apis/write')
$role.Actions.Add('Microsoft.ApiManagement/service/apis/*/write')
# Restrict where the role can be assigned to the single API's resource ID.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add('/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.ApiManagement/service/<service name>/apis/<api ID>')
New-AzRoleDefinition -Role $role
# Assign the new role to a user at the same API scope.
New-AzRoleAssignment -ObjectId <object ID of the user account> -RoleDefinitionName 'Calculator API Contributor' -Scope '/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.ApiManagement/service/<service name>/apis/<api ID>'
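The script above builds the role with live Az cmdlets. The following script is an added example, not code from the article or from Azure, that shows what the resulting definition permits before it is created: it evaluates an action against the role's Actions and NotActions using the same wildcard semantics Azure RBAC applies, checks the portal-visibility requirement from the note above (Microsoft.ApiManagement/service/read), and writes the definition in the JSON shape accepted by New-AzRoleDefinition -InputFile. The role name, description, the NotActions entry, and the scope placeholders are constructed for illustration; the action strings are assumed to match the resource provider operations list referenced below.

```powershell
# Added example (not part of the original article): evaluate a custom role
# definition offline before creating it with New-AzRoleDefinition.

function Test-RbacActionMatch {
    param([string]$Pattern, [string]$Action)
    # Azure RBAC treats '*' in an action string as a wildcard for any characters,
    # including '/' segments, so escape the pattern and turn '*' into '.*'.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Action -match $regex
}

function Test-RbacActionAllowed {
    param([System.Collections.IDictionary]$Role, [string]$Action)
    # An action is permitted when at least one Actions entry matches it and no
    # NotActions entry matches it (NotActions subtracts from Actions).
    $allowed = @($Role.Actions    | Where-Object { Test-RbacActionMatch $_ $Action }).Count -gt 0
    $denied  = @($Role.NotActions | Where-Object { Test-RbacActionMatch $_ $Action }).Count -gt 0
    return ($allowed -and -not $denied)
}

function Test-ApimRoleVisibleInPortal {
    param([System.Collections.IDictionary]$Role)
    # Without Microsoft.ApiManagement/service/read the instance is not listed in the portal.
    return Test-RbacActionAllowed -Role $Role -Action 'Microsoft.ApiManagement/service/read'
}

# Constructed scope: one API inside one API Management instance (placeholders as in the article).
$apiScope = '/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.ApiManagement/service/<service name>/apis/<api ID>'

# Constructed role definition: read on the whole instance, write only under apis/.
$role = [ordered]@{
    Name             = 'Calculator API Contributor'
    IsCustom         = $true
    Description      = 'Read access to the APIM instance, write access to the Calculator API.'
    Actions          = @(
        'Microsoft.ApiManagement/service/read',
        'Microsoft.ApiManagement/service/*/read',
        'Microsoft.ApiManagement/service/apis/write',
        'Microsoft.ApiManagement/service/apis/*/write'
    )
    # Constructed: explicitly keep API deletion out of the role even though apis/* is writable.
    NotActions       = @('Microsoft.ApiManagement/service/apis/delete')
    AssignableScopes = @($apiScope)
}

# Show the access decision for a handful of operations.
$sampleActions = @(
    'Microsoft.ApiManagement/service/read',                # allowed: explicit
    'Microsoft.ApiManagement/service/apis/write',          # allowed: explicit
    'Microsoft.ApiManagement/service/apis/operations/write', # allowed: apis/*/write
    'Microsoft.ApiManagement/service/apis/delete',         # denied: NotActions
    'Microsoft.ApiManagement/service/write'                # denied: no matching Actions entry
)
foreach ($action in $sampleActions) {
    '{0,-58} allowed={1}' -f $action, (Test-RbacActionAllowed -Role $role -Action $action)
}
"Visible in portal: $(Test-ApimRoleVisibleInPortal -Role $role)"

# Persist the definition; create it later with:
#   New-AzRoleDefinition -InputFile .\calculator-api-contributor.json
$role | ConvertTo-Json -Depth 3 | Set-Content -Path .\calculator-api-contributor.json
```

Keeping the evaluation offline lets you review the exact action set a role grants (and what NotActions removes) before it exists in the tenant, which is cheaper than discovering an over-broad wildcard after an assignment has been made.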

The Azure Resource Manager resource provider operations article contains the list of permissions that can be granted at the API Management level.

Next steps

To learn more about Role-Based Access Control in Azure, see the following articles: