Roles and permissions for Azure Data Factory

Applies to: Azure Data Factory and Azure Synapse Analytics

This article describes the roles required to create and manage Azure Data Factory resources, and the permissions granted by those roles.

Roles and requirements

To create Data Factory instances, the user account that you use to sign in to Azure must be a member of the Contributor role, the Owner role, or an administrator of the Azure subscription. To view the permissions that you have in the subscription, in the Azure portal, select your username in the upper-right corner, and then select Permissions. If you have access to multiple subscriptions, select the appropriate subscription.

To create and manage child resources for Data Factory (datasets, linked services, pipelines, triggers, and integration runtimes), the following requirements apply:

  • To create and manage child resources in the Azure portal, you must belong to the Data Factory Contributor role at the resource group level or above.
  • To create and manage child resources with PowerShell or the SDK, the Contributor role at the resource level or above is sufficient.

Set up permissions

After you create a data factory, you may want to let other users work with it. To give this access to other users, you have to add them to the built-in Data Factory Contributor role on the resource group that contains the data factory.
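The role assignment described above, as an added example written with the Az PowerShell module (it is not a script from the article). The subscription id, resource group name and principal object id are placeholders; the script assigns the built-in Data Factory Contributor role at resource group scope only if the principal does not already hold it, then lists what the principal holds at that scope so you can confirm the result.

```powershell
# Added example (not the article's own script): grant a user or group the
# built-in Data Factory Contributor role on the resource group that holds the
# factory, then list what that principal holds there. Requires the Az module.
# All ids and names below are placeholders.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"  # placeholder
$resourceGroupName = "rg-adf-example"                        # assumed name
$principalObjectId = "11111111-1111-1111-1111-111111111111"  # placeholder Microsoft Entra object id (user or group)
$roleName          = "Data Factory Contributor"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

# Assign only if not already present, so the script can be re-run safely.
$existing = Get-AzRoleAssignment -ObjectId $principalObjectId `
                                 -RoleDefinitionName $roleName `
                                 -Scope $rgScope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalObjectId `
                         -RoleDefinitionName $roleName `
                         -Scope $rgScope | Out-Null
    Write-Host "Assigned '$roleName' at $rgScope"
} else {
    Write-Host "'$roleName' is already assigned at $rgScope"
}

# Check: everything the principal holds at this scope, including assignments
# inherited from the subscription.
Get-AzRoleAssignment -ObjectId $principalObjectId -Scope $rgScope |
    Select-Object RoleDefinitionName, Scope
```

Assigning to a group object id rather than to individual users keeps the number of assignments small and makes later review easier; the final Get-AzRoleAssignment call is the check to run after any change, because assignments inherited from the subscription also count at the resource group.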

Scope of the Data Factory Contributor role

Membership of the Data Factory Contributor role lets users do the following things:

  • Create, edit, and delete data factories and child resources, including datasets, linked services, pipelines, triggers, and integration runtimes.
  • Deploy Resource Manager templates. Resource Manager deployment is the deployment method used by Data Factory in the Azure portal.
  • Manage App Insights alerts for a data factory.
  • Create support tickets.

For more information about this role, see Data Factory Contributor role.

Resource Manager template deployment

The Data Factory Contributor role, at the resource group level or above, lets users deploy Resource Manager templates. As a result, members of the role can use Resource Manager templates to deploy both data factories and their child resources, including datasets, linked services, pipelines, triggers, and integration runtimes. Membership in this role does not let the user create other resources.

Resource Manager template deployment with the Data Factory Contributor role does not elevate your permissions. For example, if you deploy a template that creates an Azure virtual machine, and you don't have permission to create virtual machines, the deployment fails with an authorization error.

Custom scenarios and custom roles

Sometimes you may need to grant different access levels to different data factory users. For example:

  • You may need a group whose users only have permissions on a specific data factory.
  • Or you may need a group whose users can only monitor a data factory (or factories) but can't modify it.

You can achieve these custom scenarios by creating custom roles and assigning users to those roles. For more information about custom roles, see Custom roles in Azure.

Here are a few examples that demonstrate what you can achieve with custom roles:

  • Let a user create, edit, or delete any data factory in a resource group from the Azure portal.

    Assign the built-in Data Factory Contributor role at the resource group level for the user. If you want to allow access to any data factory in a subscription, assign the role at the subscription level.

  • Let a user view (read) and monitor a data factory, but not edit or change it.

    Assign the built-in Reader role on the data factory resource for the user.

  • Let a user edit a single data factory in the Azure portal.

    This scenario requires two role assignments.

    1. Assign the built-in Contributor role at the data factory level.
    2. Create a custom role with the permission Microsoft.Resources/deployments/. Assign this custom role to the user at the resource group level.

  • Let a user test the connection in a linked service or preview data in a dataset.

    Create a custom role with permissions for the following actions: Microsoft.DataFactory/factories/getFeatureValue/read and Microsoft.DataFactory/factories/getDataPlaneAccess/action. Assign this custom role on the data factory resource for the user.

  • Let a user update a data factory from PowerShell or the SDK, but not in the Azure portal.

    Assign the built-in Contributor role on the data factory resource for the user. This role lets the user see the resources in the Azure portal, but the user can't access the Publish and Publish All buttons.
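The two custom-role scenarios in the list above (editing a single factory from the portal, and testing a linked-service connection or previewing a dataset), carried through with the Az PowerShell module. This is an added example, not a script from the article. The subscription id, resource group, factory name, user object id and the custom role names are placeholders; for the first scenario the custom role uses the wildcard action Microsoft.Resources/deployments/* as the concrete form of the Microsoft.Resources/deployments/ permission the article names, and both custom roles are made assignable at resource group scope.

```powershell
# Added example (not the article's own script): the two custom-role scenarios
# above, using the Az PowerShell module. All names and ids are placeholders.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"  # placeholder
$resourceGroupName = "rg-adf-example"                        # assumed
$factoryName       = "adf-example"                           # assumed
$userObjectId      = "11111111-1111-1111-1111-111111111111"  # placeholder

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$rgScope      = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
$factoryScope = "$rgScope/providers/Microsoft.DataFactory/factories/$factoryName"

# Create a custom role from a list of control-plane actions, or return it if
# it already exists. The built-in Reader definition is cloned as a template
# and its contents replaced, which is the usual Az pattern for custom roles.
function New-CustomRoleIfMissing {
    param(
        [string]$Name,
        [string[]]$Actions,
        [string]$AssignableScope,
        [string]$Description
    )
    $role = Get-AzRoleDefinition -Name $Name -ErrorAction SilentlyContinue
    if ($role) { return $role }

    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $Name
    $role.Description = $Description
    $role.Actions.Clear()
    foreach ($action in $Actions) { $role.Actions.Add($action) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($AssignableScope)
    return New-AzRoleDefinition -Role $role
}

# Assign a role only if the principal does not already hold it at that scope.
function Grant-RoleOnce {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    }
}

# Scenario: edit a single data factory in the Azure portal.
#   1. built-in Contributor on the factory itself
#   2. a custom role that can submit Resource Manager deployments, assigned on
#      the resource group (wildcard form of Microsoft.Resources/deployments/ assumed)
Grant-RoleOnce -ObjectId $userObjectId -RoleName "Contributor" -Scope $factoryScope

$deployRole = New-CustomRoleIfMissing -Name "ADF Deployment Submitter (custom)" `
    -Actions @("Microsoft.Resources/deployments/*") `
    -AssignableScope $rgScope `
    -Description "Lets the portal publish a single factory via Resource Manager deployments"
Grant-RoleOnce -ObjectId $userObjectId -RoleName $deployRole.Name -Scope $rgScope

# Scenario: test a linked-service connection or preview data in a dataset,
# without the ability to edit the factory.
$testRole = New-CustomRoleIfMissing -Name "ADF Connection Tester (custom)" `
    -Actions @(
        "Microsoft.DataFactory/factories/getFeatureValue/read",
        "Microsoft.DataFactory/factories/getDataPlaneAccess/action"
    ) `
    -AssignableScope $rgScope `
    -Description "Test connections and preview data without editing the factory"
Grant-RoleOnce -ObjectId $userObjectId -RoleName $testRole.Name -Scope $factoryScope

# Check: what the user now holds on or above the factory.
Get-AzRoleAssignment -ObjectId $userObjectId -Scope $factoryScope |
    Select-Object RoleDefinitionName, Scope
```

The deployment role is deliberately scoped to the resource group because that is the level at which the portal submits its Resource Manager deployment, while Contributor stays on the single factory, so the user cannot edit other factories in the group. A freshly created custom role can take a few minutes to propagate; if New-AzRoleAssignment reports that the role definition cannot be found, wait and re-run the script, which is safe because both helpers are idempotent.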

Next steps