Azure Policy exemption structure

The Azure Policy exemptions (preview) feature is used to exempt a resource hierarchy or an individual resource from evaluation of initiatives or definitions. Resources that are exempt count toward overall compliance, but can't be evaluated or have a temporary waiver. For more information, see Understand scope in Azure Policy. Azure Policy exemptions only work with Resource Manager modes and don't work with Resource Provider modes.

Important

This feature is free during preview. For pricing details, see Azure Policy pricing.

You use JSON to create a policy exemption. The policy exemption contains elements for:

  • display name
  • description
  • metadata
  • policy assignment
  • policy definitions within an initiative
  • exemption category
  • expiration

Note

A policy exemption is created as a child object on the resource hierarchy or the individual resource granted the exemption, so the target isn't included in the exemption definition.

For example, the following JSON shows a policy exemption in the waiver category of a resource to an initiative assignment named resourceShouldBeCompliantInit. The resource is exempt from only two of the policy definitions in the initiative: the customOrgPolicy custom policy definition (reference requiredTags) and the 'Allowed locations' built-in policy definition (ID: e56962a6-4747-49cd-b67b-bf8b01975c4c, reference allowedLocations):

{
    "id": "/subscriptions/{subId}/resourceGroups/ExemptRG/providers/Microsoft.Authorization/policyExemptions/resourceIsNotApplicable",
    "name": "resourceIsNotApplicable",
    "type": "Microsoft.Authorization/policyExemptions",
    "properties": {
        "displayName": "This resource is scheduled for deletion",
        "description": "This resource is planned to be deleted by end of quarter and has been granted a waiver to the policy.",
        "metadata": {
            "requestedBy": "Storage team",
            "approvedBy": "IA",
            "approvedOn": "2020-07-26T08:02:32.0000000Z",
            "ticketRef": "4baf214c-8d54-4646-be3f-eb6ec7b9bc4f"
        },
        "policyAssignmentId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",
        "policyDefinitionReferenceIds": [
            "requiredTags",
            "allowedLocations"
        ],
        "exemptionCategory": "waiver",
        "expiresOn": "2020-12-31T23:59:00.0000000Z"
    }
}

Snippet of the related initiative with the matching policyDefinitionReferenceIds used by the policy exemption:

"policyDefinitions": [
    {
        "policyDefinitionId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyDefinitions/customOrgPolicy",
        "policyDefinitionReferenceId": "requiredTags",
        "parameters": {
            "reqTags": {
                "value": "[parameters('init_reqTags')]"
            }
        }
    },
    {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
        "policyDefinitionReferenceId": "allowedLocations",
        "parameters": {
            "listOfAllowedLocations": {
                "value": "[parameters('init_listOfAllowedLocations')]"
            }
        }
    }
]

Display name and description

You use displayName and description to identify the policy exemption and provide context for its use with the specific resource. displayName has a maximum length of 128 characters and description a maximum length of 512 characters.

Metadata

The metadata property allows creating any child property needed for storing relevant information. In the example above, the properties requestedBy, approvedBy, approvedOn, and ticketRef contain customer values that record who requested the exemption, who approved it and when, and the internal tracking ticket for the request. These metadata properties are examples, but they aren't required, and metadata isn't limited to these child properties.

Policy assignment ID

This field must be the full path name of either a policy assignment or an initiative assignment. policyAssignmentId is a string and not an array. This property defines which assignment the parent resource hierarchy or individual resource is exempt from.

Policy definition IDs

If the policyAssignmentId is for an initiative assignment, the policyDefinitionReferenceIds property may be used to specify which policy definition(s) in the initiative the subject resource has an exemption to. As the resource may be exempted from one or more included policy definitions, this property is an array. The values must match the values in the initiative definition in the policyDefinitions.policyDefinitionReferenceId fields.

Exemption category

Two exemption categories exist and are used to group exemptions:

  • Mitigated: The exemption is granted because the policy intent is met through another method.
  • Waiver: The exemption is granted because the non-compliance state of the resource is temporarily accepted. Another reason to use this category is for a resource or resource hierarchy that should be excluded from one or more definitions in an initiative, but shouldn't be excluded from the entire initiative.

Expiration

To set when a resource hierarchy or an individual resource is no longer exempt from an assignment, set the expiresOn property. This optional property must be in the Universal ISO 8601 DateTime format yyyy-MM-ddTHH:mm:ss.fffffffZ.

Note

The policy exemption isn't deleted when the expiresOn date is reached. The object is preserved for record-keeping, but the exemption is no longer honored.
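The structural rules from the sections above (field length limits, a single assignment path, reference IDs that must exist in the initiative, the two categories, and the expiresOn format and its effect once reached) can be checked before an exemption is submitted or when auditing existing ones. The following Python checker is an added example, not code from the page or from Microsoft; the SAMPLE object is constructed to mirror the page's example and {mySubscriptionID} is a placeholder.

```python
import re
from datetime import datetime

# Limits and values stated on the page; expiresOn must be yyyy-MM-ddTHH:mm:ss.fffffffZ.
CATEGORIES = {"waiver", "mitigated"}
EXPIRES_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{7}Z$")

# Constructed sample mirroring the page's example ({mySubscriptionID} is a placeholder).
SAMPLE = {"properties": {
    "displayName": "This resource is scheduled for deletion",
    "description": "Waiver granted until the resource is deleted at end of quarter.",
    "policyAssignmentId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",
    "policyDefinitionReferenceIds": ["requiredTags", "allowedLocations"],
    "exemptionCategory": "waiver",
    "expiresOn": "2020-12-31T23:59:00.0000000Z"}}
INITIATIVE_REFERENCE_IDS = {"requiredTags", "allowedLocations"}  # from the initiative's policyDefinitions


def parse_expires_on(value):
    """Parse the 7-digit-fraction UTC timestamp as a naive datetime (%f takes 6 digits, so drop the fraction)."""
    if not EXPIRES_RE.match(value):
        raise ValueError("expiresOn must be yyyy-MM-ddTHH:mm:ss.fffffffZ")
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")


def validate_exemption(exemption, initiative_reference_ids):
    """Return the structural problems found; an empty list means the object is well formed."""
    p = exemption.get("properties", {})
    problems = []
    if len(p.get("displayName", "")) > 128:
        problems.append("displayName longer than 128 characters")
    if len(p.get("description", "")) > 512:
        problems.append("description longer than 512 characters")
    aid = p.get("policyAssignmentId")  # one full assignment path string, not an array
    if not isinstance(aid, str) or "/providers/Microsoft.Authorization/policyAssignments/" not in aid:
        problems.append("policyAssignmentId must be a single full assignment path")
    refs = p.get("policyDefinitionReferenceIds", [])  # array; each entry must exist in the initiative
    if not isinstance(refs, list):
        problems.append("policyDefinitionReferenceIds must be an array")
    else:
        problems += [f"unknown policyDefinitionReferenceId: {r}" for r in refs if r not in initiative_reference_ids]
    if str(p.get("exemptionCategory", "")).lower() not in CATEGORIES:
        problems.append("exemptionCategory must be Waiver or Mitigated")
    if "expiresOn" in p and not EXPIRES_RE.match(str(p["expiresOn"])):
        problems.append("expiresOn must be yyyy-MM-ddTHH:mm:ss.fffffffZ")
    return problems


def is_exemption_honored(exemption, now_utc):
    """Past expiresOn the object is kept for record-keeping but no longer exempts the resource."""
    expires = exemption.get("properties", {}).get("expiresOn")
    return expires is None or now_utc < parse_expires_on(expires)
```

Running validate_exemption over exported exemption objects and is_exemption_honored with the current UTC time gives a quick list of malformed or already-expired waivers that still sit in the subscription.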

Required permissions

The Azure RBAC permissions needed to manage Policy exemption objects are in the Microsoft.Authorization/policyExemptions operation group. The built-in roles Resource Policy Contributor and Security Admin both have the read and write permissions, and Policy Insights Data Writer (Preview) has the read permission.

Exemptions have additional security measures because of the impact of granting an exemption. Beyond requiring the Microsoft.Authorization/policyExemptions/write operation on the resource hierarchy or individual resource, the creator of an exemption must have the exempt/Action verb on the target assignment.

Next steps