Understand scope in Azure Policy

There are many settings that determine which resources are capable of being evaluated and which resources are evaluated by Azure Policy. The primary concept for these controls is scope. Scope in Azure Policy is based on how scope works in Azure Resource Manager. For a high-level overview, see Scope in Azure Resource Manager. This article explains the importance of scope in Azure Policy and its related objects and properties.

Definition location

The first instance of scope used by Azure Policy is when a policy definition is created. The definition may be saved in either a management group or a subscription. The location determines the scope to which the initiative or policy can be assigned. Resources must be within the resource hierarchy of the definition location to be targeted for assignment.

If the definition location is a:

  • Subscription - Only resources within that subscription can be assigned the policy definition.
  • Management group - Only resources within child management groups and child subscriptions can be assigned the policy definition. If you plan to apply the policy definition to several subscriptions, the location must be a management group that contains each subscription.

The location should be the resource container shared by all resources on which you want to use the policy definition. This resource container is typically a management group near the root management group.

Assignment scopes

An assignment has several properties that set a scope. The use of these properties determines which resources Azure Policy evaluates and which resources count toward compliance. These properties map to the following concepts:

  • Inclusion - A resource hierarchy or individual resource should be evaluated for compliance by the definition. The properties.scope property on an assignment object determines what to include and evaluate for compliance. For more information, see Assignment definition.

  • Exclusion - A resource hierarchy or individual resource shouldn't be evaluated for compliance by the definition. The properties.notScopes array property on an assignment object determines what to exclude. Resources within these scopes aren't evaluated or included in the compliance count. For more information, see Assignment definition - excluded scopes.

In addition to the properties on the policy assignment, there is the policy exemption object. Exemptions enhance the scope story by providing a method to identify a portion of an assignment that is not to be evaluated.

  • Exemption (free in preview feature) - A resource hierarchy or individual resource should be evaluated for compliance by the definition, but won't be evaluated for a reason such as having a waiver or being mitigated through another method. Resources in this state show as Exempted in compliance reports so that they can be tracked. The exemption object is created on the resource hierarchy or individual resource as a child object, which determines the scope of the exemption. A resource hierarchy or individual resource can be exempt from multiple assignments. The exemption may be configured to expire on a schedule by using the expiresOn property. For more information, see Exemption definition.

    Note

    Due to the impact of granting an exemption for a resource hierarchy or individual resource, exemptions have additional security measures. In addition to requiring the Microsoft.Authorization/policyExemptions/write operation on the resource hierarchy or individual resource, the creator of an exemption must have the exempt/Action verb on the target assignment.
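The definition-location rule and the inclusion / exclusion / exemption concepts above, as an added runnable model (example code, not Azure's own implementation). The management-group tree, subscription names, resource IDs and the evaluation time are constructed; management groups are not encoded in Resource Manager IDs, so the parent map has to be supplied.

```python
from datetime import datetime, timezone
MG = "/providers/Microsoft.Management/managementGroups/"
# Constructed hierarchy (child scope -> parent); management groups are not encoded in resource IDs
PARENT = {MG + "landing-zones": MG + "contoso-root", MG + "sandbox": MG + "contoso-root",
          "/subscriptions/sub-prod": MG + "landing-zones", "/subscriptions/sub-dev": MG + "sandbox"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed evaluation time

def parent_of(scope):
    """Next enclosing scope, or None at the root management group."""
    if scope.startswith(MG):
        return PARENT.get(scope)
    parts = scope.strip("/").split("/")  # subscriptions/<sub>[/resourceGroups/<rg>[/providers/...]]
    if len(parts) > 4 and parts[2].lower() == "resourcegroups":
        return "/" + "/".join(parts[:4])  # resource -> its resource group
    if len(parts) > 2:
        return "/" + "/".join(parts[:2])  # resource group or subscription-level resource -> subscription
    return PARENT.get(scope)              # subscription -> management group

def within(resource_id, container):
    scope = resource_id                   # walk up: resource, group, subscription, management groups
    while scope:
        if scope.lower() == container.lower():
            return True
        scope = parent_of(scope)
    return False

def can_assign(definition_location, assignment_scope):
    return within(assignment_scope, definition_location)  # definition location bounds assignments

def scope_state(resource_id, assignment, exemptions, now=NOW):
    """'not in scope', 'excluded' (notScopes), 'exempted' (active exemption) or 'evaluated'."""
    if not within(resource_id, assignment["scope"]):
        return "not in scope"
    if any(within(resource_id, ns) for ns in assignment.get("notScopes", [])):
        return "excluded"               # not evaluated, not counted for compliance
    for ex in exemptions:
        if ex["policyAssignmentId"] != assignment["id"]:
            continue                    # an exemption targets one assignment
        if ex.get("expiresOn") and ex["expiresOn"] <= now:
            continue                    # expired exemptions stop applying
        if within(resource_id, ex["scope"]):
            return "exempted"           # shown as Exempted in compliance reports
    return "evaluated"

# Constructed assignment at a management group with one excluded resource group and a waiver exemption
ASSIGNMENT = {"id": MG + "landing-zones/providers/Microsoft.Authorization/policyAssignments/require-tags",
              "scope": MG + "landing-zones", "notScopes": ["/subscriptions/sub-prod/resourceGroups/rg-legacy"]}
EXEMPTIONS = [{"scope": "/subscriptions/sub-prod/resourceGroups/rg-app", "policyAssignmentId": ASSIGNMENT["id"],
               "expiresOn": datetime(2026, 1, 1, tzinfo=timezone.utc)}]
```

Passing a later `now` shows the exemption lapsing once `expiresOn` has passed, at which point the resource is evaluated again.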

Scope comparison

The following table is a comparison of the scope options:

|                                             | Inclusion | Exclusion (notScopes) | Exemption |
|---------------------------------------------|-----------|-----------------------|-----------|
| Resources are evaluated                     | ✔         | -                     | -         |
| Resource Manager object                     | -         | -                     | ✔         |
| Requires modifying policy assignment object | ✔         | ✔                     | -         |

Next steps