Manage role permissions and security

Role-based access control (RBAC) enables access management for Azure resources. Using RBAC, you can segregate duties within your team and grant users, groups, and applications only the amount of access they need to perform their jobs. You can grant role-based access using the Azure portal, the Azure command-line tools, or the Azure management APIs.

Roles in Automation accounts

In Azure Automation, access is granted by assigning the appropriate Azure role to users, groups, and applications at the Automation account scope. The following built-in roles are supported by an Automation account:

Owner: The Owner role allows access to all resources and actions within an Automation account, including granting other users, groups, and applications access to manage the Automation account.
Contributor: The Contributor role allows you to manage everything except modifying other users' access permissions to an Automation account.
Reader: The Reader role allows you to view all the resources in an Automation account but not make any changes.
Automation Operator: The Automation Operator role allows you to view runbook names and properties and to create and manage jobs for all runbooks in an Automation account. This role is useful if you want to protect Automation account resources such as credential assets and runbooks from being viewed or modified while still allowing members of your organization to execute those runbooks. Note that the role can read job streams and output, so a runbook that writes a secret value to its output still exposes it to operators.
Automation Job Operator: The Automation Job Operator role allows you to create and manage jobs for all runbooks in an Automation account.
Automation Runbook Operator: The Automation Runbook Operator role allows you to view a runbook's name and properties.
Log Analytics Contributor: The Log Analytics Contributor role allows you to read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs, reading storage account keys to be able to configure collection of logs from Azure Storage, creating and configuring Automation accounts, adding Azure Automation features, and configuring Azure diagnostics on all Azure resources.
Log Analytics Reader: The Log Analytics Reader role allows you to view and search all monitoring data and to view monitoring settings, including the configuration of Azure diagnostics on all Azure resources.
Monitoring Contributor: The Monitoring Contributor role allows you to read all monitoring data and update monitoring settings.
Monitoring Reader: The Monitoring Reader role allows you to read all monitoring data.
User Access Administrator: The User Access Administrator role allows you to manage user access to Azure Automation accounts.

Role permissions

The following tables describe the specific permissions granted to each role. A role definition lists Actions, which grant permissions, and may list NotActions, which are subtracted from that role's Actions. NotActions are not deny rules: Azure role assignments are additive, so if a principal also holds a second role whose Actions include an operation, the operation is allowed even though the first role lists it under NotActions.

Owner

An Owner can manage everything, including access. The following table shows the permissions granted to the role:

Actions:
  Microsoft.Automation/automationAccounts/: Create and manage resources of all types.

Contributor

A Contributor can manage everything except access. The following table shows the permissions granted and denied for the role:

Actions:
  Microsoft.Automation/automationAccounts/: Create and manage resources of all types.

NotActions:
  Microsoft.Authorization/*/Delete: Delete roles and role assignments.
  Microsoft.Authorization/*/Write: Create roles and role assignments.
  Microsoft.Authorization/elevateAccess/Action: Denies the ability to create a User Access Administrator.
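The following script is an added example, not code from the original page: it evaluates Actions and NotActions the way Azure RBAC does (wildcard matching, NotActions subtracted per role, role assignments additive across roles). The role definitions are constructed here from the tables on this page so the script runs offline; Contributor is written with Actions "*" (which is what the live built-in definition contains; the page's table shows only the Automation-relevant entry) and Automation Operator is abbreviated to a few entries. Check live definitions with Get-AzRoleDefinition before relying on them.

```powershell
# Constructed, simplified role definitions (see Get-AzRoleDefinition for the real ones).
$Roles = @{
    'Contributor' = @{
        Actions    = @('*')
        NotActions = @('Microsoft.Authorization/*/Delete',
                       'Microsoft.Authorization/*/Write',
                       'Microsoft.Authorization/elevateAccess/Action')
    }
    'Automation Operator' = @{
        Actions    = @('Microsoft.Authorization/*/read',
                       'Microsoft.Automation/automationAccounts/read',
                       'Microsoft.Automation/automationAccounts/runbooks/read',
                       'Microsoft.Automation/automationAccounts/jobs/read',
                       'Microsoft.Automation/automationAccounts/jobs/write')
        NotActions = @()
    }
    'User Access Administrator' = @{
        Actions    = @('*/read', 'Microsoft.Authorization/*', 'Microsoft.Support/*')
        NotActions = @()
    }
}

# "*" in an Azure action string matches any run of characters, including "/".
function Test-ActionMatch {
    param([string]$Pattern, [string]$Action)
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return [bool]($Action -match $regex)   # -match is case-insensitive by default
}

# One role allows an action if some Actions entry matches and no NotActions entry does.
function Test-RoleAllowsAction {
    param([hashtable]$Role, [string]$Action)
    $granted  = @($Role.Actions    | Where-Object { Test-ActionMatch $_ $Action }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { Test-ActionMatch $_ $Action }).Count -gt 0
    return ($granted -and -not $excluded)
}

# Assignments are additive: any assigned role that allows the action is enough.
function Test-EffectiveAccess {
    param([string[]]$AssignedRoles, [string]$Action)
    foreach ($name in $AssignedRoles) {
        if (Test-RoleAllowsAction -Role $Roles[$name] -Action $Action) { return $true }
    }
    return $false
}

$cases = @(
    @{ Roles = 'Contributor';         Action = 'Microsoft.Automation/automationAccounts/runbooks/write' }  # True
    @{ Roles = 'Contributor';         Action = 'Microsoft.Authorization/roleAssignments/write' }           # False: NotActions
    @{ Roles = 'Automation Operator'; Action = 'Microsoft.Automation/automationAccounts/runbooks/write' }  # False: not granted
    @{ Roles = 'Automation Operator'; Action = 'Microsoft.Automation/automationAccounts/jobs/write' }      # True
    # Contributor alone is blocked, but adding User Access Administrator grants it:
    @{ Roles = 'Contributor', 'User Access Administrator'; Action = 'Microsoft.Authorization/roleAssignments/write' }  # True
)
foreach ($c in $cases) {
    $result = Test-EffectiveAccess -AssignedRoles $c.Roles -Action $c.Action
    '{0,-40} {1,-60} {2}' -f ($c.Roles -join ' + '), $c.Action, $result
}
```

The last case is the one to remember when reviewing assignments: a NotActions entry in Contributor does not protect the account if the same principal also holds a role, at the account scope or inherited from the resource group or subscription, whose Actions cover the operation.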

Reader

A Reader can view all the resources in an Automation account but cannot make any changes.

Actions:
  Microsoft.Automation/automationAccounts/read: View all resources in an Automation account.

Automation Operator

An Automation Operator can create and manage jobs, and read runbook names and properties, for all runbooks in an Automation account.

Note

If you want to control operator access to individual runbooks, don't assign this role. Instead, use the Automation Job Operator and Automation Runbook Operator roles in combination.

The following table shows the permissions granted to the role:

Actions:
  Microsoft.Authorization/*/read: Read authorization.
  Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read: Read Hybrid Runbook Worker resources.
  Microsoft.Automation/automationAccounts/jobs/read: List jobs of the runbook.
  Microsoft.Automation/automationAccounts/jobs/resume/action: Resume a paused job.
  Microsoft.Automation/automationAccounts/jobs/stop/action: Cancel a job in progress.
  Microsoft.Automation/automationAccounts/jobs/streams/read: Read the job streams and output.
  Microsoft.Automation/automationAccounts/jobs/output/read: Get the output of a job.
  Microsoft.Automation/automationAccounts/jobs/suspend/action: Pause a job in progress.
  Microsoft.Automation/automationAccounts/jobs/write: Create jobs.
  Microsoft.Automation/automationAccounts/jobSchedules/read: Get an Azure Automation job schedule.
  Microsoft.Automation/automationAccounts/jobSchedules/write: Create an Azure Automation job schedule.
  Microsoft.Automation/automationAccounts/linkedWorkspace/read: Get the workspace linked to the Automation account.
  Microsoft.Automation/automationAccounts/read: Get an Azure Automation account.
  Microsoft.Automation/automationAccounts/runbooks/read: Get an Azure Automation runbook.
  Microsoft.Automation/automationAccounts/schedules/read: Get an Azure Automation schedule asset.
  Microsoft.Automation/automationAccounts/schedules/write: Create or update an Azure Automation schedule asset.
  Microsoft.Resources/subscriptions/resourceGroups/read: Read resource groups.
  Microsoft.Resources/deployments/*: Create and manage resource group deployments.
  Microsoft.Insights/alertRules/*: Create and manage alert rules.
  Microsoft.Support/*: Create and manage support tickets.

Automation Job Operator

The Automation Job Operator role is granted at the Automation account scope. It gives the operator permission to create and manage jobs for all runbooks in the account. If the Job Operator role is combined with read permission on the resource group containing the Automation account, members of the role can start runbooks. However, they cannot create, edit, or delete them.

The following table shows the permissions granted to the role:

Actions:
  Microsoft.Authorization/*/read: Read authorization.
  Microsoft.Automation/automationAccounts/jobs/read: List jobs of the runbook.
  Microsoft.Automation/automationAccounts/jobs/resume/action: Resume a paused job.
  Microsoft.Automation/automationAccounts/jobs/stop/action: Cancel a job in progress.
  Microsoft.Automation/automationAccounts/jobs/streams/read: Read the job streams and output.
  Microsoft.Automation/automationAccounts/jobs/suspend/action: Pause a job in progress.
  Microsoft.Automation/automationAccounts/jobs/write: Create jobs.
  Microsoft.Resources/subscriptions/resourceGroups/read: Read resource groups.
  Microsoft.Resources/deployments/*: Create and manage resource group deployments.
  Microsoft.Insights/alertRules/*: Create and manage alert rules.
  Microsoft.Support/*: Create and manage support tickets.

Automation Runbook Operator

The Automation Runbook Operator role is granted at the runbook scope. An Automation Runbook Operator can view the runbook's name and properties. Combined with the Automation Job Operator role, it also lets the operator create and manage jobs for that runbook. The following table shows the permissions granted to the role:

Actions:
  Microsoft.Automation/automationAccounts/runbooks/read: List the runbooks.
  Microsoft.Authorization/*/read: Read authorization.
  Microsoft.Resources/subscriptions/resourceGroups/read: Read resource groups.
  Microsoft.Resources/deployments/*: Create and manage resource group deployments.
  Microsoft.Insights/alertRules/*: Create and manage alert rules.
  Microsoft.Support/*: Create and manage support tickets.

Log Analytics Contributor

A Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding features; and configuring Azure diagnostics on all Azure resources. Because the role can list storage account keys, which grant full data-plane access to those storage accounts, treat it as a privileged role. The following table shows the permissions granted to the role:

Actions:
  */read: Read resources of all types, except secrets.
  Microsoft.Automation/automationAccounts/*: Manage Automation accounts.
  Microsoft.ClassicCompute/virtualMachines/extensions/*: Create and manage classic virtual machine extensions.
  Microsoft.ClassicStorage/storageAccounts/listKeys/action: List classic storage account keys.
  Microsoft.Compute/virtualMachines/extensions/*: Create and manage virtual machine extensions.
  Microsoft.Insights/alertRules/*: Read/write/delete alert rules.
  Microsoft.Insights/diagnosticSettings/*: Read/write/delete diagnostic settings.
  Microsoft.OperationalInsights/*: Manage Azure Monitor logs.
  Microsoft.OperationsManagement/*: Manage Azure Automation features in workspaces.
  Microsoft.Resources/deployments/*: Create and manage resource group deployments.
  Microsoft.Resources/subscriptions/resourcegroups/deployments/*: Create and manage resource group deployments.
  Microsoft.Storage/storageAccounts/listKeys/action: List storage account keys.
  Microsoft.Support/*: Create and manage support tickets.

Log Analytics Reader

A Log Analytics Reader can view and search all monitoring data and view monitoring settings, including the configuration of Azure diagnostics on all Azure resources. The following table shows the permissions granted or denied for the role:

Actions:
  */read: Read resources of all types, except secrets.
  Microsoft.OperationalInsights/workspaces/analytics/query/action: Run analytics queries against Azure Monitor logs.
  Microsoft.OperationalInsights/workspaces/search/action: Search Azure Monitor log data.
  Microsoft.Support/*: Create and manage support tickets.

NotActions:
  Microsoft.OperationalInsights/workspaces/sharedKeys/read: Not able to read the workspace shared access keys.

Monitoring Contributor

A Monitoring Contributor can read all monitoring data and update monitoring settings. The following table shows the permissions granted to the role:

Actions:
  */read: Read resources of all types, except secrets.
  Microsoft.AlertsManagement/alerts/*: Manage alerts.
  Microsoft.AlertsManagement/alertsSummary/*: Manage the alert dashboard.
  Microsoft.Insights/AlertRules/*: Manage alert rules.
  Microsoft.Insights/components/*: Manage Application Insights components.
  Microsoft.Insights/DiagnosticSettings/*: Manage diagnostic settings.
  Microsoft.Insights/eventtypes/*: List Activity Log events (management events) in a subscription. This permission applies to both programmatic and portal access to the Activity Log.
  Microsoft.Insights/LogDefinitions/*: List log categories in the Activity Log. This permission is necessary for users who need access to Activity Logs via the portal.
  Microsoft.Insights/MetricDefinitions/*: Read metric definitions (the list of available metric types for a resource).
  Microsoft.Insights/Metrics/*: Read metrics for a resource.
  Microsoft.Insights/Register/Action: Register the Microsoft.Insights provider.
  Microsoft.Insights/webtests/*: Manage Application Insights web tests.
  Microsoft.OperationalInsights/workspaces/intelligencepacks/*: Manage Azure Monitor logs solution packs.
  Microsoft.OperationalInsights/workspaces/savedSearches/*: Manage Azure Monitor logs saved searches.
  Microsoft.OperationalInsights/workspaces/search/action: Search Log Analytics workspaces.
  Microsoft.OperationalInsights/workspaces/sharedKeys/action: List keys for a Log Analytics workspace. These are the shared keys agents use to send data, so a holder of this role can also write data into the workspace.
  Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*: Manage Azure Monitor logs storage insight configurations.
  Microsoft.Support/*: Create and manage support tickets.
  Microsoft.WorkloadMonitor/workloads/*: Manage workloads.

Monitoring Reader

A Monitoring Reader can read all monitoring data. The following table shows the permissions granted to the role:

Actions:
  */read: Read resources of all types, except secrets.
  Microsoft.OperationalInsights/workspaces/search/action: Search Log Analytics workspaces.
  Microsoft.Support/*: Create and manage support tickets.

User Access Administrator

A User Access Administrator can manage user access to Azure resources. The following table shows the permissions granted to the role:

Actions:
  */read: Read all resources.
  Microsoft.Authorization/*: Manage authorization.
  Microsoft.Support/*: Create and manage support tickets.

Feature setup permissions

The following sections describe the minimum permissions required to enable the Update Management feature.

Permissions for enabling Update Management from a VM

Each row gives the action, the permission it needs, and the minimum scope at which that permission must be held:

  Write new deployment: Microsoft.Resources/deployments/* (minimum scope: Subscription)
  Write new resource group: Microsoft.Resources/subscriptions/resourceGroups/write (minimum scope: Subscription)
  Create new default workspace: Microsoft.OperationalInsights/workspaces/write (minimum scope: Resource group)
  Create new account: Microsoft.Automation/automationAccounts/write (minimum scope: Resource group)
  Link workspace and account: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace) and Microsoft.Automation/automationAccounts/read (minimum scope: Automation account)
  Create MMA extension: Microsoft.Compute/virtualMachines/write (minimum scope: Virtual machine)
  Create saved search: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Create scope config: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Onboarding state check - read workspace: Microsoft.OperationalInsights/workspaces/read (minimum scope: Workspace)
  Onboarding state check - read linked workspace property of account: Microsoft.Automation/automationAccounts/read (minimum scope: Automation account)
  Onboarding state check - read solution: Microsoft.OperationalInsights/workspaces/intelligencepacks/read (minimum scope: Solution)
  Onboarding state check - read VM: Microsoft.Compute/virtualMachines/read (minimum scope: Virtual machine)
  Onboarding state check - read account: Microsoft.Automation/automationAccounts/read (minimum scope: Automation account)
  Onboarding workspace check for VM [1]: Microsoft.OperationalInsights/workspaces/read (minimum scope: Subscription)
  Register the Log Analytics provider: Microsoft.Insights/register/action (minimum scope: Subscription)

[1] This permission is needed to enable features through the VM portal experience.
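As an added example (not from the original page), the following script turns the table above into a custom role that carries exactly those permissions, so the person enabling Update Management does not need Contributor on the subscription. It clones the shape of a built-in role definition object, which is the documented way to build a PSRoleDefinition with Az PowerShell. The role name and the placeholders in angle brackets are assumptions, and the script assumes an Az PowerShell session (Connect-AzAccount) with rights to create role definitions and assignments (Owner or User Access Administrator at the subscription).

```powershell
$subscriptionId = '<SubscriptionID>'

# Borrow the PSRoleDefinition object shape from a built-in role, then overwrite it.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null      # a null Id makes New-AzRoleDefinition create a new role
$role.IsCustom    = $true
$role.Name        = 'Update Management Onboarding (VM)'   # placeholder name
$role.Description = 'Minimum permissions to enable Update Management from a VM.'

# Distinct permissions from the "from a VM" table; comments give the rows they cover.
$role.Actions.Clear()
@(
    'Microsoft.Resources/deployments/*',                                # write new deployment
    'Microsoft.Resources/subscriptions/resourceGroups/write',           # write new resource group
    'Microsoft.OperationalInsights/workspaces/write',                   # workspace, link, saved search, scope config
    'Microsoft.OperationalInsights/workspaces/read',                    # onboarding state / workspace checks
    'Microsoft.OperationalInsights/workspaces/intelligencepacks/read',  # read solution
    'Microsoft.Automation/automationAccounts/write',                    # create new account
    'Microsoft.Automation/automationAccounts/read',                     # read account, linked workspace
    'Microsoft.Compute/virtualMachines/write',                          # create MMA extension
    'Microsoft.Compute/virtualMachines/read',                           # read VM
    'Microsoft.Insights/register/action'                                # register the Log Analytics provider
) | ForEach-Object { $role.Actions.Add($_) }
$role.NotActions.Clear()

# resourceGroups/write and register/action need subscription scope, so the role
# must be assignable at, and assigned at, the subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$created = New-AzRoleDefinition -Role $role
$created | Select-Object Name, Id, Actions | Format-List

# Assign it to the onboarding operator (user, group, or service principal ObjectId).
New-AzRoleAssignment -ObjectId '<Operator ObjectId>' `
    -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/$subscriptionId"
```

Assigned at the subscription, this role still grants Microsoft.Compute/virtualMachines/write on every VM in the subscription. If that is too broad, split the VM, workspace, and Automation account permissions into a second custom role assigned at the resource group, and leave only the two subscription-scoped actions in the subscription-level role.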

Permissions for enabling Update Management from an Automation account

Each row gives the action, the permission it needs, and the minimum scope at which that permission must be held:

  Create new deployment: Microsoft.Resources/deployments/* (minimum scope: Subscription)
  Create new resource group: Microsoft.Resources/subscriptions/resourceGroups/write (minimum scope: Subscription)
  AutomationOnboarding blade - create new workspace: Microsoft.OperationalInsights/workspaces/write (minimum scope: Resource group)
  AutomationOnboarding blade - read linked workspace: Microsoft.Automation/automationAccounts/read (minimum scope: Automation account)
  AutomationOnboarding blade - read solution: Microsoft.OperationalInsights/workspaces/intelligencepacks/read (minimum scope: Solution)
  AutomationOnboarding blade - read workspace: Microsoft.OperationalInsights/workspaces/intelligencepacks/read (minimum scope: Workspace)
  Create link for workspace and account: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Write account for shoebox: Microsoft.Automation/automationAccounts/write (minimum scope: Account)
  Create/edit saved search: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Create/edit scope config: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Register the Log Analytics provider: Microsoft.Insights/register/action (minimum scope: Subscription)

Step 2 - Enable multiple VMs

  VMOnboarding blade - create MMA extension: Microsoft.Compute/virtualMachines/write (minimum scope: Virtual machine)
  Create/edit saved search: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)
  Create/edit scope config: Microsoft.OperationalInsights/workspaces/write (minimum scope: Workspace)

Update Management permissions

Update Management spans multiple services to provide its functionality. The following table shows the roles, and the scope of each, needed to manage Update Management deployments:

  Automation account: Log Analytics Contributor (scope: Automation account)
  Automation account: Virtual Machine Contributor (scope: resource group for the account)
  Log Analytics workspace: Log Analytics Contributor (scope: Log Analytics workspace)
  Log Analytics workspace: Log Analytics Reader (scope: Subscription)
  Solution: Log Analytics Contributor (scope: Solution)
  Virtual machine: Virtual Machine Contributor (scope: Virtual machine)

Configure RBAC for your Automation account

The following sections show how to configure RBAC on your Automation account through the Azure portal and through PowerShell.

Configure RBAC using the Azure portal

  1. Sign in to the Azure portal and open your Automation account from the Automation Accounts page.

  2. Click Access control (IAM) to open the Access control (IAM) page. You can use this page to add new users, groups, and applications to manage your Automation account, and to view the existing roles that can be configured for the Automation account.

  3. Click the Role assignments tab.

    (Figure: Access control (IAM) button)

Add a new user and assign a role

  1. From the Access control (IAM) page, click + Add role assignment. This opens the Add role assignment page, where you can add a user, group, or application and assign the corresponding role.

  2. Select a role from the list of available roles. You can choose any of the built-in roles that an Automation account supports, or any custom role you have defined.

  3. Type the name of the user you want to give permissions to in the Select field. Choose the user from the list and click Save.

    (Figure: Add user)

    You should now see the user added to the Users page, with the selected role assigned.

    (Figure: List users)

    You can also assign a role to the user from the Roles page.

  4. Click Roles on the Access control (IAM) page to open the Roles page. You can view the name of each role and the number of users and groups assigned to it.

    (Figure: Assign a role from the Users page)

    Note

    In the portal, role assignments for an Automation account can only be made at the Automation account scope, not on any resource below the Automation account. Runbook-scoped assignments (Automation Runbook Operator on a single runbook) are made with PowerShell, as described under "Configure RBAC for runbooks" below.

Remove a user

You can remove the access permission of a user who no longer manages the Automation account, or who no longer works for the organization. The steps to remove a user are:

  1. From the Access control (IAM) page, select the user to remove and click Remove.

  2. Click the Remove button in the assignment details pane.

  3. Click Yes to confirm the removal.

    (Figure: Remove user)

Configure RBAC using PowerShell

You can also configure role-based access to an Automation account using the following Azure PowerShell cmdlets:

Get-AzRoleDefinition lists all Azure RBAC role definitions (built-in and custom) available in the current subscription. Use it with the Name parameter to list all the actions that a specific role can perform.

Get-AzRoleDefinition -Name 'Automation Operator'

Example output:

Name             : Automation Operator
Id               : d3881f73-407a-4167-8283-e981cbba0404
IsCustom         : False
Description      : Automation Operators are able to start, stop, suspend, and resume jobs
Actions          : {Microsoft.Authorization/*/read, Microsoft.Automation/automationAccounts/jobs/read, Microsoft.Automation/automationAccounts/jobs/resume/action,
                   Microsoft.Automation/automationAccounts/jobs/stop/action...}
NotActions       : {}
AssignableScopes : {/}

Get-AzRoleAssignment lists Azure role assignments at the specified scope. Without any parameters, the cmdlet returns all the role assignments made under the subscription. Use the ExpandPrincipalGroups parameter to list access assignments for the specified user, including those it receives through the groups the user belongs to.

Example: Use the following cmdlet to list all the users and their roles within an Automation account.

Get-AzRoleAssignment -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

Example output:

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid
                     ers/Microsoft.Authorization/roleAssignments/cc594d39-ac10-46c4-9505-f182a355c41f
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Automation/automationAccounts/myAutomationAccount
DisplayName        : admin@contoso.com
SignInName         : admin@contoso.com
RoleDefinitionName : Automation Operator
RoleDefinitionId   : d3881f73-407a-4167-8283-e981cbba0404
ObjectId           : 15f26a47-812d-489a-8197-3d4853558347
ObjectType         : User

Use New-AzRoleAssignment to assign access to users, groups, and applications at a particular scope.

Example: Use the following command to assign the Automation Operator role to a user at the Automation account scope.

New-AzRoleAssignment -SignInName <sign-in ID of the user you wish to grant access> -RoleDefinitionName 'Automation Operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

Example output:

RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount/provid
                     ers/Microsoft.Authorization/roleAssignments/25377770-561e-4496-8b4f-7cba1d6fa346
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/Providers/Microsoft.Automation/automationAccounts/myAutomationAccount
DisplayName        : admin@contoso.com
SignInName         : admin@contoso.com
RoleDefinitionName : Automation Operator
RoleDefinitionId   : d3881f73-407a-4167-8283-e981cbba0404
ObjectId           : f5ecbe87-1181-43d2-88d5-a8f5e9d8014e
ObjectType         : User

Use Remove-AzRoleAssignment to remove the access of a specified user, group, or application from a particular scope.

Example: Use the following command to remove the user from the Automation Operator role at the Automation account scope.

Remove-AzRoleAssignment -SignInName <sign-in ID of the user you wish to remove> -RoleDefinitionName 'Automation Operator' -Scope '/subscriptions/<SubscriptionID>/resourcegroups/<Resource Group Name>/Providers/Microsoft.Automation/automationAccounts/<Automation account name>'

In the preceding example, replace sign-in ID of the user you wish to remove, SubscriptionID, Resource Group Name, and Automation account name with your account details. Choose Yes when prompted to confirm before the user's role assignment is removed.

User experience for the Automation Operator role - Automation account

When a user assigned the Automation Operator role at the Automation account scope views that Automation account, they can only view the list of runbooks, runbook jobs, and schedules created in the account. They cannot view the definitions of these items. They can start, stop, suspend, resume, or schedule a runbook job. However, they have no access to other Automation resources, such as configurations, Hybrid Worker groups, or DSC nodes.

(Figure: No access to other resources)

Configure RBAC for runbooks

Azure Automation allows you to assign roles on specific runbooks. To do this, run the following script to add a user to a specific runbook. The script requires permission to create role assignments (Microsoft.Authorization/roleAssignments/write) at the Automation account scope, which the Owner and User Access Administrator roles on the account provide.

$rgName = "<Resource Group Name>" # Resource group name for the Automation account
$automationAccountName ="<Automation account name>" # Name of the Automation account
$rbName = "<Name of Runbook>" # Name of the runbook
$userId = "<User ObjectId>" # Azure Active Directory (AAD) user's ObjectId from the directory

# Get the Automation account resource
$aa = Get-AzResource -ResourceGroupName $rgName -ResourceType "Microsoft.Automation/automationAccounts" -ResourceName $automationAccountName

# Get the runbook resource. Runbooks are child resources of the account, so
# Get-AzResource needs the "<account>/<runbook>" form of the name.
$rb = Get-AzResource -ResourceGroupName $rgName -ResourceType "Microsoft.Automation/automationAccounts/runbooks" -ResourceName "$automationAccountName/$rbName"

# The Automation Job Operator role is assigned once per user, at the account scope.
New-AzRoleAssignment -ObjectId $userId -RoleDefinitionName "Automation Job Operator" -Scope $aa.ResourceId

# Add the user to the Automation Runbook Operator role at the runbook scope
New-AzRoleAssignment -ObjectId $userId -RoleDefinitionName "Automation Runbook Operator" -Scope $rb.ResourceId

Once the script has run, have the user sign in to the Azure portal and select All resources. In the list, the user can see the runbook for which they have been added as an Automation Runbook Operator.

(Figure: Runbook RBAC in the portal)
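The following audit script is an added example, not code from the original page. It reports who can run runbooks in an Automation account: broad roles that can read credential assets or change access, principals that can create jobs for every runbook, and runbook-scoped Automation Runbook Operator assignments, flagging any that lack the account-scope Automation Job Operator assignment the section above requires for starting the runbook. It assumes an Az PowerShell session (Connect-AzAccount) with read access to the account, its runbooks, and its role assignments; the names in angle brackets are placeholders.

```powershell
$rgName = '<Resource Group Name>'
$automationAccountName = '<Automation account name>'

$aa = Get-AzResource -ResourceGroupName $rgName `
    -ResourceType 'Microsoft.Automation/automationAccounts' -ResourceName $automationAccountName

# Assignments that apply at the account scope, including ones inherited from the
# resource group, subscription, and management group.
$accountAssignments = Get-AzRoleAssignment -Scope $aa.ResourceId

# 1. Broad roles: can read credential assets, edit runbooks, or change access.
$broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
Write-Host "Broad roles applying to $($aa.ResourceId):"
$accountAssignments |
    Where-Object { $_.RoleDefinitionName -in $broadRoles } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 2. Principals that can create jobs for every runbook in the account.
$jobRoles = 'Automation Operator', 'Automation Job Operator'
$canRunAll = $accountAssignments | Where-Object { $_.RoleDefinitionName -in $jobRoles }
Write-Host 'Can create jobs for all runbooks:'
$canRunAll | Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize
$jobCreatorIds = @($canRunAll | Select-Object -ExpandProperty ObjectId)

# 3. Runbook-scoped Runbook Operator assignments. Keep only assignments made on
#    the runbook itself (Get-AzRoleAssignment also returns inherited ones). A
#    Runbook Operator without a job-creating role at the account scope can see
#    the runbook but cannot start it.
$runbooks = Get-AzAutomationRunbook -ResourceGroupName $rgName -AutomationAccountName $automationAccountName
$report = foreach ($rb in $runbooks) {
    $rbScope = "$($aa.ResourceId)/runbooks/$($rb.Name)"
    Get-AzRoleAssignment -Scope $rbScope |
        Where-Object { $_.Scope -eq $rbScope -and $_.RoleDefinitionName -eq 'Automation Runbook Operator' } |
        ForEach-Object {
            [pscustomobject]@{
                Runbook   = $rb.Name
                Principal = $_.DisplayName
                ObjectId  = $_.ObjectId
                CanStart  = ($jobCreatorIds -contains $_.ObjectId)
            }
        }
}
Write-Host 'Runbook-scoped operators:'
$report | Format-Table -AutoSize
```

The report correlates on ObjectId, so it does not expand group membership: a user who gets Automation Job Operator through a group shows as CanStart = False here even though they can start the runbook. For a per-user view, run Get-AzRoleAssignment with -ObjectId and -ExpandPrincipalGroups for that user instead.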

User experience for the Automation Operator role - Runbook

When a user assigned the Automation Runbook Operator role at the runbook scope, together with the Automation Job Operator role at the account scope, views the assigned runbook, they can only start the runbook and view its jobs.

(Figure: Only start permission)

Next steps