Create a custom role for Azure Stack Hub registration

Warning

This is not a security posture feature. Use it in scenarios where you want constraints to prevent accidental changes to the Azure subscription. When a user is delegated rights to this custom role, the user has rights to edit permissions and elevate rights: the role includes Microsoft.Authorization/roleAssignments/write, so a holder can grant any role, Owner included, to themselves or to others within the assignable scope. Only assign users you trust to the custom role.

During Azure Stack Hub registration, you must sign in with an Azure Active Directory (Azure AD) account. The account requires the following Azure AD permissions and Azure subscription permissions:

  • App registration permissions in your Azure AD tenant: Admins have app registration permissions. The permission for users is a global setting for all users in the tenant. To view or change the setting, see create an Azure AD app and service principal that can access resources.

    The "Users can register applications" setting must be set to Yes for a user account to be able to register Azure Stack Hub. If the setting is No, you can't use a user account to register Azure Stack Hub; you have to use a global admin account.

  • A sufficient set of Azure subscription permissions: Users that belong to the Owner role have sufficient permissions. For other accounts, you can assign the permission set through a custom role, as outlined in the following sections.

Rather than using an account that has Owner permissions in the Azure subscription, you can create a custom role that grants a less-privileged user account only the permissions registration needs. That account can then be used to register your Azure Stack Hub.

Create a custom role using PowerShell

To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all of the role's AssignableScopes; the built-in Owner and User Access Administrator roles include it. Use the following JSON template to simplify creation of the custom role. The template creates a custom role that allows the read and write access required for Azure Stack Hub registration.

  1. Create a JSON file. For example, C:\CustomRoles\registrationrole.json.

  2. Add the following JSON to the file. Replace <SubscriptionID> with your Azure subscription ID.

    {
      "Name": "Azure Stack Hub registration role",
      "Id": null,
      "IsCustom": true,
      "Description": "Allows access to register Azure Stack Hub",
      "Actions": [
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStack/registrations/*",
        "Microsoft.AzureStack/register/action",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/permissions/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write"
      ],
      "NotActions": [
      ],
      "AssignableScopes": [
        "/subscriptions/<SubscriptionID>"
      ]
    }
    
  3. In PowerShell, connect to Azure to use Azure Resource Manager. When prompted, authenticate using an account with sufficient permissions, such as Owner or User Access Administrator.

    Connect-AzureRmAccount -EnvironmentName AzureChinaCloud
    
  4. To create the custom role, use New-AzureRmRoleDefinition, specifying the JSON template file.

    New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\registrationrole.json"
    
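The four steps above, carried through end to end as an added example (not code from the original page): the script resolves the <SubscriptionID> placeholder from the signed-in context instead of editing the template by hand, creates the role only if a role of that name does not already exist, and then reads the definition back to check that the required actions are present and that AssignableScopes is limited to the current subscription. It assumes the AzureRM module and the template path used in the steps above.

```powershell
# Added example, not part of the original page: resolve the <SubscriptionID>
# placeholder in the JSON template, create the role, and verify the result.
# Assumes the AzureRM module and the template path used in the steps above.
$templatePath = 'C:\CustomRoles\registrationrole.json'
$roleName     = 'Azure Stack Hub registration role'

Connect-AzureRmAccount -EnvironmentName AzureChinaCloud | Out-Null
$subscriptionId = (Get-AzureRmContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# Substitute the placeholder so AssignableScopes names the subscription we are
# signed in to, and write the resolved template next to the original.
$resolvedPath = [System.IO.Path]::ChangeExtension($templatePath, '.resolved.json')
(Get-Content -Path $templatePath -Raw) -replace '<SubscriptionID>', $subscriptionId |
    Set-Content -Path $resolvedPath -Encoding UTF8

# Custom role names are unique per tenant; creating a second one with the same
# name fails, so only create when the role is absent.
if (Get-AzureRmRoleDefinition -Name $roleName) {
    Write-Warning "Role '$roleName' already exists; leaving it unchanged."
} else {
    New-AzureRmRoleDefinition -InputFile $resolvedPath | Out-Null
}

# Read the definition back and verify it before handing it to anyone.
$role = Get-AzureRmRoleDefinition -Name $roleName
if (-not $role) { throw "Role '$roleName' was not created." }

$requiredActions = @(
    'Microsoft.AzureStack/registrations/*',
    'Microsoft.AzureStack/register/action',
    'Microsoft.Resources/subscriptions/resourceGroups/write',
    'Microsoft.Resources/subscriptions/resourceGroups/read'
)
$missing = $requiredActions | Where-Object { $role.Actions -notcontains $_ }
if ($missing) { throw "Role is missing required actions: $($missing -join ', ')" }

# The role must not be assignable anywhere but this subscription.
if ($role.AssignableScopes.Count -ne 1 -or $role.AssignableScopes[0] -ne $scope) {
    throw "Unexpected AssignableScopes: $($role.AssignableScopes -join ', ')"
}

# Make the escalation path visible to whoever runs this.
if ($role.Actions -contains 'Microsoft.Authorization/roleAssignments/write') {
    Write-Warning "Role '$roleName' can write role assignments; holders can elevate rights."
}
Write-Host "Role '$roleName' ($($role.Id)) is ready for $scope"
```

The AssignableScopes check matters because a role that is assignable at a management group or second subscription would let the registering account be granted rights there too; the template restricts it to one subscription, and the script fails loudly if the definition that exists in the tenant no longer matches that.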

Assign a user to the registration role

After the registration custom role is created, assign the role to the user account that will be used to register Azure Stack Hub.

  1. Sign in with an account that has sufficient permission on the Azure subscription to delegate rights, such as Owner or User Access Administrator.

  2. In Subscriptions, select Access control (IAM) > Add role assignment.

  3. In Role, choose the custom role you created: Azure Stack Hub registration role.

  4. Select the users you want to assign to the role.

  5. Select Save to assign the selected users to the role.

    [Screenshot: selecting the users to assign to the custom role in the Azure portal]
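The same assignment done from PowerShell, as an added example that is not part of the original page, followed by the check the warning at the top of this page calls for: because the role can write role assignments, every account holding it is effectively able to elevate itself, so the script lists all holders and flags any that are not a plain user account. It assumes the AzureRM module, an existing sign-in from the previous section, and a placeholder user principal name (registrant@contoso.com) that you replace with the registering account.

```powershell
# Added example, not part of the original page: assign the registration role to
# one user with PowerShell instead of the portal, then audit who holds the role.
# $userUpn is a placeholder sign-in name; replace it with the registering account.
$roleName = 'Azure Stack Hub registration role'
$userUpn  = 'registrant@contoso.com'
$scope    = "/subscriptions/$((Get-AzureRmContext).Subscription.Id)"

# New-AzureRmRoleAssignment errors if the assignment already exists, so check first.
$existing = Get-AzureRmRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $scope
if ($existing) {
    Write-Host "$userUpn already holds '$roleName' at $scope"
} else {
    New-AzureRmRoleAssignment -SignInName $userUpn -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $userUpn at $scope"
}

# Audit: the role carries Microsoft.Authorization/roleAssignments/write, so each
# holder can grant further roles. Enumerate every holder and flag anything that is
# not a user (groups and service principals widen who can elevate).
$holders = @(Get-AzureRmRoleAssignment -RoleDefinitionName $roleName)
Write-Host "`nPrincipals holding '$roleName':"
foreach ($h in $holders) {
    $flag = if ($h.ObjectType -ne 'User') { '  <-- review: not a user account' } else { '' }
    '{0,-40} {1,-18} {2}{3}' -f $h.SignInName, $h.ObjectType, $h.Scope, $flag
}

# Anything beyond the single account that performs registration is worth a question.
if ($holders.Count -gt 1) {
    Write-Warning "$($holders.Count) principals hold '$roleName'; expected one."
}
```

Run the audit part again after registration is complete. The role is only needed while the registration runs, so removing the assignment afterwards with Remove-AzureRmRoleAssignment closes the elevation path the warning describes.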

For more information on using custom roles, see manage access using RBAC and the Azure portal.

Next steps

Register Azure Stack Hub with Azure