Resources, roles, and access control in Application Insights

You can control who has read and update access to your data in Azure Application Insights by using role-based access control (RBAC) in Azure.

Important

Assign access to users in the resource group or subscription to which your application resource belongs, not in the resource itself. Assign the Application Insights Component Contributor role. This ensures uniform control of access to web tests and alerts along with your application resource. Learn more.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Resources, groups, and subscriptions

First, some definitions:

  • Resource - An instance of an Azure service. Your Application Insights resource collects, analyzes, and displays the telemetry data sent from your application. Other types of Azure resources include web apps, databases, and VMs.

    To see your resources, open the Azure portal, sign in, and click All Resources. To find a resource, type part of its name in the filter field.

    (Screenshot: list of Azure resources)

  • Resource group - Every resource belongs to one group. A group is a convenient way to manage related resources, particularly for access control. For example, into one resource group you could put a Web App, an Application Insights resource to monitor the app, and a Storage resource to keep exported data.

  • Subscription - To use Application Insights or other Azure resources, you sign in to an Azure subscription. Every resource group belongs to one Azure subscription, where you choose your price package and, if it's an organization subscription, choose the members and their access permissions.

  • Microsoft account - The username and password that you use to sign in to Azure subscriptions, XBox Live, Outlook.com, and other Microsoft services.

Control access in the resource group

It's important to understand that in addition to the resource you created for your application, there are also separate hidden resources for alerts and web tests. They are attached to the same resource group as your Application Insights resource. You might also have put other Azure services in there, such as websites or storage.

To provide access to another user

You must have Owner rights to the subscription or the resource group.

The user must have a Microsoft account, or access to their organizational Microsoft account. You can provide access to individuals, and also to user groups defined in Azure Active Directory.

Choose Access control (IAM) from the left-hand menu.

(Screenshot: the Access control button in the Azure portal)

Select Add role assignment.

(Screenshot: the Access control menu with the Add button highlighted in red)

The Add permissions view below is primarily specific to Application Insights resources. If you were viewing the access control permissions from a higher level, such as a resource group, you would see additional roles that are not Application Insights-centric.

To view information on all Azure role-based access control built-in roles, use the official reference content.

(Screenshot: list of access control user roles)

Select a role

Where applicable, we link to the associated official reference documentation.

Role | In the resource group
Owner | Can change anything, including user access.
Contributor | Can edit anything, including all resources.
Application Insights Component Contributor | Can edit Application Insights resources.
Reader | Can view but not change anything.
Application Insights Snapshot Debugger | Gives the user permission to use Application Insights Snapshot Debugger features. Note that this role is included in neither the Owner nor the Contributor role.
Azure Service Deploy Release Management Contributor | Contributor role for services deploying through Azure Service Deploy.
Data Purger | Special role for purging personal data. See our guidance for personal data for more information.
ExpressRoute Administrator | Can create, delete, and manage express routes.
Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources.
Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.
master reader | Allows a user to view everything but not make changes.
Monitoring Contributor | Can read all monitoring data and update monitoring settings.
Monitoring Metrics Publisher | Enables publishing metrics against Azure resources.
Monitoring Reader | Can read all monitoring data.
Resource Policy Contributor (Preview) | Backfilled users from EA, with rights to create/modify resource policy, create support tickets, and read resources/hierarchy.
User Access Administrator | Allows a user to manage access for other users to Azure resources.
Website Contributor | Lets you manage websites (not web plans), but not access to them.

'Editing' includes creating, deleting, and updating:

  • Resources
  • Web tests
  • Alerts
  • Continuous export

Select the user

If the user you want isn't in the directory, you can invite anyone with an Azure account. (If they use services like Outlook.com, OneDrive, Windows Phone, or XBox Live, they have an Azure account.)
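The same grant done from Az PowerShell, as an added example that is not from the original article: it assigns the Application Insights Component Contributor role at the resource group scope, as the note at the top recommends, and then checks that the component and the hidden web-test and alert-rule resources in that group all inherit it. The resource group name and user sign-in name are placeholders.

```powershell
# Added example (not from the original page): grant Application Insights Component
# Contributor at the resource group, then verify the hidden resources inherit it.
$resourceGroup = "RGNAME"            # placeholder resource group name
$userSignIn    = "user@contoso.com"  # placeholder user; use -ObjectId instead for an AAD group
$roleName      = "Application Insights Component Contributor"

# The scope is the resource group, not the individual component resource.
$rgScope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId

# Idempotent grant: only create the assignment if the user does not already hold it there.
$existing = Get-AzRoleAssignment -Scope $rgScope -SignInName $userSignIn -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -SignInName $userSignIn -RoleDefinitionName $roleName -Scope $rgScope | Out-Null
}

# Verify inheritance: Get-AzRoleAssignment at a resource scope also returns assignments
# inherited from the resource group and subscription, so each hidden resource should
# report HasRole = True with Scope equal to the resource group.
$types = @("microsoft.insights/components",   # the Application Insights resource itself
           "microsoft.insights/webtests",     # hidden web-test resources
           "microsoft.insights/alertrules")   # hidden (classic) alert-rule resources
foreach ($t in $types) {
    Get-AzResource -ResourceGroupName $resourceGroup -ResourceType $t | ForEach-Object {
        $inherited = Get-AzRoleAssignment -Scope $_.ResourceId -SignInName $userSignIn -RoleDefinitionName $roleName
        [pscustomobject]@{
            Resource = $_.Name
            Type     = $t
            HasRole  = [bool]$inherited
            Scope    = ($inherited | Select-Object -First 1 -ExpandProperty Scope)
        }
    }
}
```

A row with HasRole = False, or a Scope equal to the resource's own ID, means the access was granted on the resource rather than the group and will not cover the web tests and alerts uniformly.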

PowerShell query to determine role membership

Since certain roles can be linked to notifications and e-mail alerts, it can be helpful to be able to generate a list of users who belong to a given role. To help with generating these types of lists, we offer the following sample queries that can be adjusted to fit your specific needs:

Query entire subscription for Admin roles + Contributor roles

# Classic administrators are included so Service Administrator and Co-Administrator show up alongside RBAC roles.
(Get-AzRoleAssignment -IncludeClassicAdministrators | Where-Object { $_.RoleDefinitionName -in @('ServiceAdministrator', 'CoAdministrator', 'Owner', 'Contributor') } | Select-Object -ExpandProperty SignInName | Sort-Object -Unique) -join ", "

Query within the context of a specific Application Insights resource for owners and contributors

$resourceGroup = "RGNAME"
$resourceName = "AppInsightsName"
$resourceType = "microsoft.insights/components"
# Assignments inherited from the resource group and subscription are returned as well, so this is the effective set of owners and contributors.
(Get-AzRoleAssignment -ResourceGroupName $resourceGroup -ResourceType $resourceType -ResourceName $resourceName | Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor') } | Select-Object -ExpandProperty SignInName | Sort-Object -Unique) -join ", "

Query within the context of a specific resource group for owners and contributors

$resourceGroup = "RGNAME"
(Get-AzRoleAssignment -ResourceGroupName $resourceGroup | Where-Object { $_.RoleDefinitionName -in @('Owner', 'Contributor') } | Select-Object -ExpandProperty SignInName | Sort-Object -Unique) -join ", "
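An added audit script that goes beyond the sample queries above (it is not part of the original article): it walks every Application Insights component in the current subscription, reports who effectively holds a privileged role on it, keeps the principal type so that group assignments are visible, and flags assignments made directly on the component rather than at resource group or subscription scope. The role names are the built-in ones from the table above; the subscription is assumed to be already selected with Connect-AzAccount / Set-AzContext.

```powershell
# Added example (not from the original page): effective privileged access per
# Application Insights component, with direct-on-resource assignments flagged.
$privileged = @('Owner', 'Contributor', 'User Access Administrator',
                'Application Insights Component Contributor',
                'Application Insights Snapshot Debugger')   # not covered by Owner/Contributor

# All components in the current subscription (no -ResourceGroupName, so it spans groups).
$components = Get-AzResource -ResourceType "microsoft.insights/components"

$report = foreach ($c in $components) {
    # At resource scope the cmdlet also returns assignments inherited from the
    # resource group and the subscription, so this is the effective access to $c.
    Get-AzRoleAssignment -Scope $c.ResourceId |
        Where-Object { $_.RoleDefinitionName -in $privileged } |
        ForEach-Object {
            [pscustomobject]@{
                Component        = $c.Name
                ResourceGroup    = $c.ResourceGroupName
                Role             = $_.RoleDefinitionName
                # Groups and service principals have no SignInName; fall back to DisplayName.
                Principal        = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                PrincipalType    = $_.ObjectType          # User, Group, or ServicePrincipal
                AssignedAt       = $_.Scope
                # True when the role was granted on the component itself, which is the
                # pattern the Important note above warns against.
                DirectOnResource = ($_.Scope -eq $c.ResourceId)
            }
        }
}

# Per-role membership lists, in the same comma-joined form as the queries above.
$report | Group-Object Role | ForEach-Object {
    "{0}: {1}" -f $_.Name, (($_.Group.Principal | Sort-Object -Unique) -join ", ")
}

# Assignments that should be re-created at the resource group so web tests and
# alerts are covered uniformly.
$report | Where-Object DirectOnResource |
    Format-Table Component, ResourceGroup, Role, Principal, PrincipalType -AutoSize
```

Group principals appear once under their group name; expand them separately if you need the individual members who will receive alert e-mails.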