Manage access to resources in Azure Stack Hub with role-based access control

Azure Stack Hub supports role-based access control (RBAC), the same security model for access management that Azure uses. You can use RBAC to manage user, group, or app access to subscriptions, resources, and services.

Basics of access management

Role-based access control (RBAC) provides fine-grained access control that you can use to secure your environment. You give users exactly the permissions they need by assigning an RBAC role at a specific scope. The scope of a role assignment can be a subscription, a resource group, or a single resource. For more detailed information about access management, see the Role-Based Access Control in the Azure portal article.

Note

When Azure Stack Hub is deployed using Active Directory Federation Services as the identity provider, only Universal Groups are supported for RBAC scenarios.

Built-in roles

Azure Stack Hub has three basic roles that you can apply to all resource types:

  • Owner: can manage everything, including access to resources.
  • Contributor: can manage everything except access to resources.
  • Reader: can view everything, but can't make any changes.

Resource hierarchy and inheritance

Azure Stack Hub has the following resource hierarchy:

  • Each subscription belongs to one directory.
  • Each resource group belongs to one subscription.
  • Each resource belongs to one resource group.

Access that you grant at a parent scope is inherited at its child scopes. For example:

  • You assign the Reader role to an Azure AD group at the subscription scope. The members of that group can view every resource group and resource in the subscription.
  • You assign the Contributor role to an app at the resource group scope. The app can manage resources of all types in that resource group, but not other resource groups in the subscription.

Assigning roles

You can assign more than one role to a user, and each role can be associated with a different scope. For example:

  • You assign TestUser-A the Reader role on Subscription-1.
  • You assign TestUser-A the Owner role on TestVM-1.

The Azure role assignments article provides detailed information about viewing, assigning, and deleting roles.
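The inheritance and multiple-role rules from the two sections above, worked through in code. This is an added example and not code from the Azure Stack Hub documentation or product: it models scopes as ARM-style resource IDs, treats an assignment at a parent scope as covering every child scope, and computes a principal's effective permissions as the union of all roles it holds there. The subscription ID, resource names, principals, the `manage_access` permission class, and the `assign_role` check (which mirrors the owner-permission precondition in the portal steps of the next section) are all constructed for this example.

```python
"""Scope inheritance for Azure Stack Hub RBAC, as a small model.

Added example, not code from the Azure Stack Hub documentation. Scopes use
the ARM resource-ID layout (subscription -> resource group -> resource); all
IDs, principals and assignments below are constructed sample data.
"""
from dataclasses import dataclass

# Built-in roles described on the page, mapped to permission classes.
ROLE_PERMISSIONS = {
    "Owner": {"read", "write", "manage_access"},   # everything, incl. access
    "Contributor": {"read", "write"},              # everything except access
    "Reader": {"read"},                            # view only
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # object ID or name of a user, group or app
    role: str       # key of ROLE_PERMISSIONS
    scope: str      # resource ID of a subscription, resource group or resource


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True if target_scope equals assigned_scope or is nested beneath it.

    Resource IDs are compared case-insensitively, and the trailing "/" stops
    "/resourceGroups/rg1" from matching "/resourceGroups/rg10".
    """
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal, target_scope):
    """Roles a principal holds at target_scope, inherited from any ancestor."""
    return sorted({
        a.role for a in assignments
        if a.principal == principal and scope_covers(a.scope, target_scope)
    })


def effective_permissions(assignments, principal, target_scope):
    """Union of the permission classes of every effective role."""
    perms = set()
    for role in effective_roles(assignments, principal, target_scope):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def can_manage_access(assignments, principal, target_scope):
    """Only Owner carries the right to change role assignments."""
    return "manage_access" in effective_permissions(assignments, principal, target_scope)


def assign_role(assignments, caller, principal, role, scope):
    """Return a new assignment list with one more assignment.

    Refuses unknown roles and, like the portal procedure, requires the caller
    to hold owner permissions at the scope (directly or by inheritance).
    """
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if not can_manage_access(assignments, caller, scope):
        raise PermissionError(f"{caller} cannot manage access at {scope}")
    return assignments + [RoleAssignment(principal, role, scope)]


# Constructed sample hierarchy (the subscription ID is a placeholder GUID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/TestRG"
OTHER_RG = SUB + "/resourceGroups/TestRG2"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/TestVM-1"

# Constructed assignments following the page's examples.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("TestUser-A", "Reader", SUB),   # Reader on the subscription
    RoleAssignment("TestUser-A", "Owner", VM),     # Owner on a single VM
    RoleAssignment("App-1", "Contributor", RG),    # Contributor on one resource group
    RoleAssignment("Admin-1", "Owner", SUB),       # subscription owner
]


if __name__ == "__main__":
    for who, where in [("TestUser-A", VM), ("TestUser-A", OTHER_RG),
                       ("App-1", RG), ("App-1", OTHER_RG)]:
        print(f"{who} at {where.rsplit('/', 1)[-1]}: "
              f"{effective_roles(SAMPLE_ASSIGNMENTS, who, where)}")
    try:
        assign_role(SAMPLE_ASSIGNMENTS, "App-1", "TestUser-B", "Reader", RG)
    except PermissionError as exc:
        print("denied:", exc)
```

Two details in `scope_covers` matter when you reason about assignments in a real deployment: resource IDs are compared without regard to case, and the ancestor test must stop at a path boundary, otherwise a role granted on `TestRG` would leak onto `TestRG2`. The `assign_role` check also shows why the page's Contributor role is the safer default for automation: it can change resources but cannot widen anyone's access.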

Set access permissions for a user

The following steps describe how to configure permissions for a user.

  1. Sign in with an account that has owner permissions on the resource you want to manage.

  2. In the left navigation pane, choose Resource groups.

  3. Choose the name of the resource group that you want to set permissions on.

  4. In the resource group navigation pane, choose Access control (IAM).
    The Role Assignments view lists the items that have access to the resource group. You can filter and group the results.

  5. On the Access control menu bar, choose Add.

  6. On the Add permissions pane:

    • Choose the role you want to assign from the Role drop-down list.
    • Choose the type of principal you want to assign from the Assign access to drop-down list.
    • Select the user, group, or app in your directory that you want to grant access to. You can search the directory by display name, email address, or object identifier.
  7. Select Save.

Next steps

Create service principals