Custom roles for SQL Server to Azure SQL Managed Instance online migrations

Azure Database Migration Service uses an APP ID to interact with Azure services. The APP ID requires either the Contributor role at the subscription level (which many corporate security departments won't allow) or the creation of custom roles that grant only the specific permissions that Azure Database Migration Service requires. Since there's a limit of 2,000 custom roles in Azure Active Directory, you may want to combine all permissions required specifically by the APP ID into one or two custom roles, and then grant the APP ID the custom role on specific objects or resource groups (rather than at the subscription level). If the number of custom roles isn't a concern, you can split the custom roles by resource type, creating three custom roles in total as described below.

The AssignableScopes section of the role definition JSON string allows you to control where the permissions appear in the Add Role Assignment UI in the portal. You'll likely want to define the role at the resource group or even resource level to avoid cluttering the UI with extra roles. Note that this doesn't perform the actual role assignment.

Minimum number of roles

We currently recommend creating a minimum of two custom roles for the APP ID, one at the resource level and the other at the subscription level.

Note

The last custom role requirement may eventually be removed, as new SQL Managed Instance code is deployed to Azure.

Custom role for the APP ID. This role is required for Azure Database Migration Service migration at the resource or resource group level (for more information about the APP ID, see the article Use the portal to create an Azure AD application and service principal that can access resources).

{
  "Name": "DMS Role - App ID",
  "IsCustom": true,
  "Description": "DMS App ID access to complete MI migrations",
  "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageaccounts/blobservices/read",
        "Microsoft.Storage/storageaccounts/blobservices/write",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/write",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/metrics/read",
        "Microsoft.DataMigration/locations/*",
        "Microsoft.DataMigration/services/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription_id>/ResourceGroups/<StorageAccount_rg_name>",
    "/subscriptions/<subscription_id>/ResourceGroups/<ManagedInstance_rg_name>",
    "/subscriptions/<subscription_id>/ResourceGroups/<DMS_rg_name>"
  ]
}

Custom role for the APP ID - subscription. This role is required for Azure Database Migration Service migration at the subscription level.

{
  "Name": "DMS Role - App ID - Sub",
  "IsCustom": true,
  "Description": "DMS App ID access at subscription level to complete MI migrations",
  "Actions": [
        "Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation/*"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription_id>"
  ]
}

The JSON above must be stored in three text files, and you can use either the AzureRM or Az PowerShell cmdlets, or the Azure CLI, to create the roles, using either New-AzureRmRoleDefinition (AzureRM) or New-AzRoleDefinition (Az).

For more information, see the article Custom roles for Azure resources.

After you create these custom roles, you must add role assignments for users and APP ID(s) to the appropriate resources or resource groups:

  • The “DMS Role - App ID” role must be granted to the APP ID that will be used for the migrations, at the Storage Account, Azure Database Migration Service instance, and SQL Managed Instance resource levels.
  • The “DMS Role - App ID - Sub” role must be granted to the APP ID at the subscription level (granting it at the resource or resource group level will fail). This requirement is temporary until a code update is deployed.
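The role creation and assignment steps above, scripted with the Az PowerShell module, as an added example that is not part of the original article. It assumes the two role definitions were saved to the files `dms-role-appid.json` and `dms-role-appid-sub.json` with the `<subscription_id>` and resource group placeholders already filled in; every `<...>` value and the resource names are placeholders for your environment.

```powershell
# Added example, not from the article. Fill in every placeholder before running.
$subscriptionId = "<subscription_id>"
$appId          = "<app_id>"                   # Application (client) ID of the DMS service principal
$storageRg      = "<StorageAccount_rg_name>"
$miRg           = "<ManagedInstance_rg_name>"
$dmsRg          = "<DMS_rg_name>"
$storageAccount = "<storage_account_name>"
$managedInst    = "<managed_instance_name>"
$dmsService     = "<dms_service_name>"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Create the role definitions from the saved JSON files (skip any that already exist).
foreach ($file in @("dms-role-appid.json", "dms-role-appid-sub.json")) {
    $def = Get-Content -Path $file -Raw | ConvertFrom-Json
    if (-not (Get-AzRoleDefinition -Name $def.Name)) {
        New-AzRoleDefinition -InputFile $file | Out-Null
    }
}

# 2. The resource-level role is assigned on the individual resources, not the resource groups,
#    which is the narrowest scope the article describes.
$resourceScopes = @(
    "/subscriptions/$subscriptionId/resourceGroups/$storageRg/providers/Microsoft.Storage/storageAccounts/$storageAccount",
    "/subscriptions/$subscriptionId/resourceGroups/$miRg/providers/Microsoft.Sql/managedInstances/$managedInst",
    "/subscriptions/$subscriptionId/resourceGroups/$dmsRg/providers/Microsoft.DataMigration/services/$dmsService"
)

$sp = Get-AzADServicePrincipal -ApplicationId $appId

# Assign a role at exactly one scope, unless an identical assignment already exists there.
function Grant-IfMissing([string]$roleName, [string]$scope) {
    $existing = Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    }
}

foreach ($scope in $resourceScopes) { Grant-IfMissing "DMS Role - App ID" $scope }

# 3. The restore-operation role is only accepted at subscription scope (see the note above).
Grant-IfMissing "DMS Role - App ID - Sub" "/subscriptions/$subscriptionId"

# 4. Review what the APP ID ended up with; nothing here should be Contributor or subscription-wide
#    except the single "DMS Role - App ID - Sub" assignment.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```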

Expanded number of roles

If the number of custom roles in your Azure Active Directory isn't a concern, we recommend you create a total of three roles. You'll still need the “DMS Role - App ID - Sub” role, but the “DMS Role - App ID” role above is split by resource type into two different roles.

Custom role for the APP ID for SQL Managed Instance

{
  "Name": "DMS Role - App ID - SQL MI",
  "IsCustom": true,
  "Description": "DMS App ID access to complete MI migrations",
  "Actions": [
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/write",
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
        "Microsoft.Sql/managedInstances/databases/delete",
        "Microsoft.Sql/managedInstances/metrics/read"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription_id>/resourceGroups/<ManagedInstance_rg_name>"
  ]
}

Custom role for the APP ID for Storage

{
  "Name": "DMS Role - App ID - Storage",
  "IsCustom": true,
  "Description": "DMS App ID storage access to complete MI migrations",
  "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageaccounts/blobservices/read",
        "Microsoft.Storage/storageaccounts/blobservices/write"
  ],
  "NotActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription_id>/resourceGroups/<StorageAccount_rg_name>"
  ]
}

Role assignment

To assign a role to users or the APP ID, open the Azure portal and perform the following steps:

  1. Navigate to the resource group or resource (except for the role that needs to be granted on the subscription), go to Access Control, and then scroll to find the custom roles you just created.

  2. Select the appropriate role, select the APP ID, and then save the changes.

Your APP ID(s) now appear on the Role assignments tab.

Next steps