Create a registration role for Azure Stack

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

For scenarios where you don't want to give owner permissions in the Azure subscription, you can create a custom role to assign permissions to a user account to register your Azure Stack.

Warning

This is not a security posture feature. Use it in scenarios where you want constraints to prevent accidental changes to the Azure subscription. When a user is delegated rights to this custom role, the user has rights to edit permissions and elevate rights. Only assign users you trust to the custom role.

When registering Azure Stack, the registration account requires the following Azure Active Directory permissions and Azure subscription permissions:

  • Application registration permissions in your Azure Active Directory tenant: Administrators have application registration permissions. The permission for users is a global setting for all users in the tenant. To view or change the setting, see create an Azure AD application and service principal that can access resources.

    The "Users can register applications" setting must be set to Yes for you to enable a user account to register Azure Stack. If the app registrations setting is set to No, you can't use a user account and must use a global administrator account to register Azure Stack.

  • A set of sufficient Azure subscription permissions: Users in the Owners group have sufficient permissions. For other accounts, you can assign the permission set by assigning a custom role as outlined in the following sections.

Create a custom role using PowerShell

To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all AssignableScopes, such as Owner or User Access Administrator. Use the following JSON template to simplify defining the custom role. The template creates a custom role that allows the required read and write access for Azure Stack registration.

  1. Create a JSON file. For example, C:\CustomRoles\registrationrole.json

  2. Add the following JSON to the file. Replace <SubscriptionID> with your Azure subscription ID.

    {
      "Name": "Azure Stack registration role",
      "Id": null,
      "IsCustom": true,
      "Description": "Allows access to register Azure Stack",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStack/registrations/*",
        "Microsoft.AzureStack/register/action",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/permissions/read"
      ],
      "NotActions": [
      ],
      "AssignableScopes": [
        "/subscriptions/<SubscriptionID>"
      ]
    }
    
  3. In PowerShell, connect to Azure to use Azure Resource Manager. When prompted, authenticate using an account with sufficient permissions, such as Owner or User Access Administrator.

    Connect-AzureRmAccount -EnvironmentName AzureChinaCloud
    
  4. To add the role to the subscription, use New-AzureRmRoleDefinition, specifying the JSON template file.

    New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\registrationrole.json"
    

Assign a user to the registration role

After the registration custom role is created, assign the role to the users who will register Azure Stack.

  1. Sign in with an account that has sufficient permission on the Azure subscription to delegate rights, such as Owner or User Access Administrator.

  2. In Subscriptions, select Access control (IAM) > Add role assignment.

  3. In Role, choose the custom role you created, Azure Stack registration role.

  4. Select the users you want to assign to the role.

  5. Select Save to assign the selected users to the role.

    [Screenshot: Select the users to assign to the role]
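The following script is an added example, not code from the Azure Stack documentation. It carries out the PowerShell steps from the previous section and the assignment steps above in one pass using the same AzureRM cmdlets, and adds a verification step that prints what the stored role actually grants before it is handed out. It assumes the JSON template from step 2 is saved at C:\CustomRoles\registrationrole.json with the <SubscriptionID> placeholder still in it; the subscription ID, the sign-in name, the resolved file path and the AzureChinaCloud environment name are placeholders to replace.

```powershell
# Added example, not from the Azure Stack documentation. Runs the steps from the two
# sections above with the AzureRM cmdlets the page uses, then verifies the result.
# Placeholder values to replace: subscription ID, sign-in name, file paths, environment.

$subscriptionId = "00000000-0000-0000-0000-000000000000"     # placeholder: your Azure subscription ID
$templateFile   = "C:\CustomRoles\registrationrole.json"     # JSON from step 2, <SubscriptionID> not yet replaced
$roleFile       = "C:\CustomRoles\registrationrole.resolved.json"  # placeholder output path
$roleName       = "Azure Stack registration role"            # must match "Name" in the template
$userSignIn     = "registrar@contoso.onmicrosoft.com"        # placeholder: account that will register Azure Stack
$scope          = "/subscriptions/$subscriptionId"

# Resolve the <SubscriptionID> placeholder so AssignableScopes points at the intended subscription.
(Get-Content -Path $templateFile -Raw) -replace '<SubscriptionID>', $subscriptionId |
    Set-Content -Path $roleFile -Encoding UTF8

# Sign in as Owner or User Access Administrator; roleDefinitions/write on the scope is required.
Connect-AzureRmAccount -EnvironmentName AzureChinaCloud | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# Create the role, or leave an existing one alone so a re-run does not fail.
$role = Get-AzureRmRoleDefinition -Name $roleName
if ($null -eq $role) {
    $role = New-AzureRmRoleDefinition -InputFile $roleFile
    Write-Host "Created role '$roleName' with Id $($role.Id)"
} else {
    Write-Host "Role '$roleName' already exists (Id $($role.Id)); not recreated"
}

# Verify what the stored definition grants before handing it out. The page warns that the
# Microsoft.Authorization/roleAssignments/* actions let the holder change permissions, so
# they are called out explicitly here instead of being discovered later.
foreach ($action in $role.Actions) {
    $note = if ($action -like "Microsoft.Authorization/roleAssignments/*") { "   # can change role assignments" } else { "" }
    Write-Host "  $action$note"
}
if ($role.AssignableScopes -notcontains $scope) {
    throw "Role is not assignable at $scope; check AssignableScopes in $roleFile"
}

# Assign the role at subscription scope (the PowerShell equivalent of the portal steps),
# skipping the assignment if the user already holds it.
$held = Get-AzureRmRoleAssignment -SignInName $userSignIn -RoleDefinitionName $roleName -Scope $scope
if (-not $held) {
    New-AzureRmRoleAssignment -SignInName $userSignIn -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $userSignIn at $scope"
}

# List everyone holding the role at this scope, for the change record.
Get-AzureRmRoleAssignment -RoleDefinitionName $roleName -Scope $scope |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize
```

Run the script from a session that already has the AzureRM.Resources module loaded; the final table is the list to keep with the change record, since the warning above applies to every account it shows.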

For more information on using custom roles, see manage access using RBAC and the Azure portal.

Next steps

Register Azure Stack with Azure