Manage access to an Azure Machine Learning workspace

APPLIES TO: Basic edition, Enterprise edition (Upgrade to Enterprise edition)

In this article, you learn how to manage access to an Azure Machine Learning workspace. Role-based access control (RBAC) is used to manage access to Azure resources. Users in your Azure Active Directory are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles.

Default roles

An Azure Machine Learning workspace is an Azure resource. Like other Azure resources, a new Azure Machine Learning workspace comes with three default roles. You can add users to the workspace and assign them to one of these built-in roles.

Role: Access level

Reader: Read-only actions in the workspace. Readers can list and view assets, including datastore credentials, in a workspace. Readers can't create or update these assets. Because datastore credentials are readable, Reader is not a harmless role.
Contributor: View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service.
Owner: Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, an Owner can change role assignments.
Custom Role: Allows you to customize access to specific control plane or data plane operations within a workspace. For example, submitting a run, creating a compute, deploying a model, or registering a dataset.

Important

Role access can be scoped to multiple levels in Azure. For example, someone with Owner access to a workspace may not have Owner access to the resource group that contains the workspace. For more information, see How RBAC works.

For more information on specific built-in roles, see Built-in roles for Azure.

Manage workspace access

If you're an Owner of a workspace, you can add and remove roles for the workspace. You can also assign roles to users. Use the following links to discover how to manage access:

If you have installed the Azure Machine Learning CLI, you can use CLI commands to assign roles to users:

az ml workspace share -w <workspace_name> -g <resource_group_name> --role <role_name> --user <user_corp_email_address>

The user field is the email address of an existing user in the instance of Azure Active Directory where the workspace's parent subscription lives. Here is an example of how to use this command:

az ml workspace share -w my_workspace -g my_resource_group --role Contributor --user jdoe@contoson.com

Note

The az ml workspace share command does not work for accounts federated through Azure Active Directory B2B. Use the Azure portal instead.

Azure Machine Learning operations

Azure Machine Learning provides built-in actions for many operations and tasks. For a complete list, see Azure resource provider operations.

Create custom role

If the built-in roles are insufficient, you can create custom roles. Custom roles can carry read, write, delete, and compute resource permissions in that workspace. You can make the role available at a specific workspace level, a specific resource group level, or a specific subscription level.

Note

You must be an Owner of the resource at that level to create custom roles within that resource.

To create a custom role, first construct a role definition JSON file that specifies the permissions and scope for the role. The following example defines a custom role named "Data Scientist Custom" scoped to a specific workspace:

data_scientist_custom_role.json:

{
    "Name": "Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete", 
        "Microsoft.Authorization/*/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace_name>"
    ]
}

Tip

You can change the AssignableScopes field to set the scope of this custom role at the subscription level, the resource group level, or a specific workspace level. The custom role above is only an example; see the suggested custom roles for the Azure Machine Learning service in the FAQ below.

Because Actions is "*", this custom role can do everything in its assignable scope that the NotActions entries do not subtract. Within the workspace it cannot:

  • Create or update a compute resource.
  • Delete a compute resource, or any other child resource of the workspace (the workspaces/*/delete entry covers experiments, models and every other child resource, not only computes).
  • Add, delete, or alter role assignments.
  • Update the workspace itself (the workspaces/write entry; see the FAQ on preventing Edition updates) or delete it.

Keep in mind that "*" is not limited to Azure Machine Learning operations: if you widen AssignableScopes to a resource group or subscription, the same definition grants every operation of every resource provider in that scope, minus only the listed NotActions.

To deploy this custom role, use the following Azure CLI command (the file name must match the JSON file you created above):

az role definition create --role-definition data_scientist_custom_role.json

After deployment, this role becomes available in the specified workspace. Now you can add and assign this role in the Azure portal. Or, you can assign this role to a user by using the az ml workspace share CLI command, passing the Name from the role definition:

az ml workspace share -w my_workspace -g my_resource_group --role "Data Scientist Custom" --user jdoe@contoson.com

For more information on custom roles, see Azure custom roles. For more information on the operations (Actions and NotActions) usable with custom roles, see Resource provider operations.
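A role definition is easy to get subtly wrong: "*" in Actions grants far more than Azure Machine Learning operations, NotActions only subtract from the role that contains them, and several Azure ML actions return keys or credentials. The following linter is an added example written for this page, not code from the original article or from Azure; it applies the Actions/NotActions semantics described above ('*' matching any run of characters, case-insensitively, which is our reading of Azure's documented wildcard rule) to the "Data Scientist Custom" definition shown above and to a hardened variant we constructed. SENSITIVE_ACTIONS is our own list of credential-bearing operations, drawn from actions named on this page, not an Azure-maintained list.

```python
"""Lint an Azure custom role definition before `az role definition create`.

Added example, not code from the original page or from Azure. ROLE is the
"Data Scientist Custom" JSON shown above; HARDENED is our own variant;
SENSITIVE_ACTIONS and the wildcard semantics are assumptions stated here.
"""
import json
import re

# Operations that hand out credentials or keys (assumption: chosen by us from
# the actions named on this page, not an Azure-maintained list).
SENSITIVE_ACTIONS = [
    "Microsoft.MachineLearningServices/workspaces/listKeys/action",
    "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
    "Microsoft.MachineLearningServices/workspaces/environments/readSecrets/action",
    "Microsoft.MachineLearningServices/workspaces/metadata/secrets/read",
    "Microsoft.MachineLearningServices/workspaces/datastores/read",  # exposes datastore credentials
    "Microsoft.Authorization/roleAssignments/write",
]

# A scope string that names exactly one Azure ML workspace.
WORKSPACE_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.MachineLearningServices/workspaces/[^/]+$",
    re.IGNORECASE,
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC style match: '*' in PATTERN matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role: dict, action: str) -> bool:
    """One role's effective permission: matched by Actions and not by NotActions."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    withheld = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not withheld


def lint_role(role: dict) -> list:
    """Return human-readable findings; an empty list means nothing to review."""
    findings = []
    for key in ("Name", "IsCustom", "Actions", "AssignableScopes"):
        if key not in role:
            findings.append(f"missing required field {key}")
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    actions = role.get("Actions", [])
    if "*" in actions:
        findings.append("Actions contains '*': every operation of every provider in scope")
    # NotActions never deny; an entry for a provider the role never grants does nothing.
    granted_providers = {a.split("/")[0].lower() for a in actions}
    for pattern in role.get("NotActions", []):
        provider = pattern.split("/")[0].lower()
        if "*" not in granted_providers and provider not in granted_providers:
            findings.append(f"NotActions entry {pattern} subtracts nothing: no Actions entry grants that provider")
    for scope in role.get("AssignableScopes", []):
        if not WORKSPACE_SCOPE.match(scope):
            findings.append(f"AssignableScope {scope} is broader than a single workspace")
    for action in SENSITIVE_ACTIONS:
        if role_allows(role, action):
            findings.append(f"role allows sensitive action {action}")
    return findings


# The "Data Scientist Custom" definition from this page, verbatim.
ROLE = json.loads("""
{
    "Name": "Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace_name>"
    ]
}
""")

# Our variant (assumption): Azure ML operations only, key listing withheld.
HARDENED = {
    "Name": "Data Scientist Custom (hardened)",
    "IsCustom": True,
    "Description": "Azure ML operations only; no key listing, no compute writes.",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/write",
        "Microsoft.MachineLearningServices/workspaces/*/action",
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.Authorization/*/write",  # carried over from ROLE; the linter shows it is dead here
    ],
    "AssignableScopes": [ROLE["AssignableScopes"][0]],
}

if __name__ == "__main__":
    for role in (ROLE, HARDENED):
        print(role["Name"])
        for finding in lint_role(role):
            print("  -", finding)
```

Run against the page's definition, the linter reports the "*" grant plus five credential-bearing actions the role still allows (both listKeys actions, readSecrets, metadata/secrets/read and datastores/read); role assignment writes are correctly withheld by Microsoft.Authorization/*/write. The hardened variant drops to four review items, one of which is that the Microsoft.Authorization entry now subtracts nothing, because the role never grants that provider in the first place.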

Frequently asked questions

Q. What are the permissions needed to perform some common scenarios in the Azure Machine Learning service?

The following table summarizes Azure Machine Learning activities and the permissions required to perform them at the least scope. For example, if an activity can be performed with a workspace scope (the last column), then any higher scope that carries the same permission also works:

Important

All paths in this table that start with / are relative to Microsoft.MachineLearningServices/:

Activity: Create new workspace
  Subscription-level scope: Not required
  Resource group-level scope: Owner or Contributor
  Workspace-level scope: N/A (becomes Owner or inherits the higher-scope role after creation)

Activity: Update the Edition of the workspace
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing /workspaces/write

Activity: Request subscription-level Amlcompute quota or set workspace-level quota
  Subscription-level scope: Owner, Contributor, or custom role allowing /locations/updateQuotas/action at subscription scope
  Resource group-level scope: Not authorized
  Workspace-level scope: Not authorized

Activity: Create new compute cluster
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing /workspaces/computes/write

Activity: Create new compute instance
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing /workspaces/computes/write

Activity: Submitting any type of run
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing: "/workspaces/*/read", "/workspaces/environments/write", "/workspaces/experiments/runs/write", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/snapshots/write", "/workspaces/environments/build/action", "/workspaces/experiments/runs/submit/action", "/workspaces/environments/readSecrets/action"

Activity: Publishing a pipeline endpoint
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing: "/workspaces/pipelines/write", "/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/modules/*"

Activity: Deploying a registered model on an AKS/ACI resource
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing: "/workspaces/services/aks/write", "/workspaces/services/aci/write"

Activity: Scoring against a deployed AKS endpoint
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing: "/workspaces/services/aks/score/action" and "/workspaces/services/aks/listkeys/action" (when you are not using AAD auth), or "/workspaces/read" (when you are using token auth)

Activity: Accessing storage using interactive notebooks
  Subscription-level scope: Not required
  Resource group-level scope: Not required
  Workspace-level scope: Owner, Contributor, or custom role allowing: "/workspaces/computes/read", "/workspaces/notebooks/samples/read", "/workspaces/notebooks/storage/*"

Activity: Create new custom role
  Subscription-level scope: Owner, or custom role allowing Microsoft.Authorization/roleDefinitions/write (the built-in Contributor role withholds Microsoft.Authorization writes)
  Resource group-level scope: Not required
  Workspace-level scope: Owner, or custom role allowing Microsoft.Authorization/roleDefinitions/write at the scope named in the definition's AssignableScopes (a full path, not relative to Microsoft.MachineLearningServices/)

Tip

If you receive a failure when trying to create a workspace for the first time, make sure that your role allows Microsoft.MachineLearningServices/register/action. This action allows you to register the Azure Machine Learning resource provider with your Azure subscription.

Q. Are you publishing Azure built-in roles for the Machine Learning service?

We are currently not publishing Azure built-in roles for the Machine Learning service. A built-in role, once published, cannot be updated, and we are still firming up the role definitions based on customer scenarios and feedback.

Q. Are there some custom-role templates for the most common scenarios in the Machine Learning service?

Yes. Here are some common scenarios with proposed custom role definitions that you can use as a base to define your own custom roles:

  • Data Scientist Custom: Allows a data scientist to perform all operations inside a workspace except:

    • Creation of compute
    • Deploying models to a production AKS cluster
    • Deploying a pipeline endpoint in production

    The NotActions list also withholds workspace deletion, the workspace and compute listKeys actions, and every Microsoft.Authorization operation, so the role cannot read keys or change role assignments.

    data_scientist_custom_role.json:

    {
        "Name": "Data Scientist Custom",
        "IsCustom": true,
        "Description": "Can run experiment but can't create or delete compute or deploy production endpoints.",
        "Actions": [
            "Microsoft.MachineLearningServices/workspaces/*/read",
            "Microsoft.MachineLearningServices/workspaces/*/action",
            "Microsoft.MachineLearningServices/workspaces/*/delete",
            "Microsoft.MachineLearningServices/workspaces/*/write"
        ],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/delete",
            "Microsoft.MachineLearningServices/workspaces/write",
            "Microsoft.MachineLearningServices/workspaces/computes/*/write",
            "Microsoft.MachineLearningServices/workspaces/computes/*/delete", 
            "Microsoft.Authorization/*",
            "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
            "Microsoft.MachineLearningServices/workspaces/listKeys/action",
            "Microsoft.MachineLearningServices/workspaces/services/aks/write",
            "Microsoft.MachineLearningServices/workspaces/services/aks/delete",
            "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
    }
    
  • Data Scientist Restricted Custom: A more restricted role definition that lists the permitted write actions explicitly; the only wildcard in Actions is workspaces/*/read, and the NotActions list removes dataset preview, profile and schema reads, datastore writes and deletes, and the listKeys actions from it. Like the role above, it cannot do the following inside the workspace:

    • Creation of compute
    • Deploying models to a production AKS cluster
    • Deploying a pipeline endpoint in production

    data_scientist_restricted_custom_role.json:

    {
        "Name": "Data Scientist Restricted Custom",
        "IsCustom": true,
        "Description": "Can run experiment but can't create or delete compute or deploy production endpoints",
        "Actions": [
            "Microsoft.MachineLearningServices/workspaces/*/read",
            "Microsoft.MachineLearningServices/workspaces/computes/start/action",
            "Microsoft.MachineLearningServices/workspaces/computes/stop/action",
            "Microsoft.MachineLearningServices/workspaces/computes/restart/action",
            "Microsoft.MachineLearningServices/workspaces/computes/applicationaccess/action",
            "Microsoft.MachineLearningServices/workspaces/notebooks/storage/read",
            "Microsoft.MachineLearningServices/workspaces/notebooks/storage/write",
            "Microsoft.MachineLearningServices/workspaces/notebooks/storage/delete",
            "Microsoft.MachineLearningServices/workspaces/notebooks/samples/read",
            "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
            "Microsoft.MachineLearningServices/workspaces/experiments/write",
            "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action",
            "Microsoft.MachineLearningServices/workspaces/pipelinedrafts/write",
            "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/write",
            "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write",
            "Microsoft.MachineLearningServices/workspaces/environments/write",
            "Microsoft.MachineLearningServices/workspaces/models/write",
            "Microsoft.MachineLearningServices/workspaces/modules/write",
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/write", 
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/delete",
            "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/write",
            "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/delete",
            "Microsoft.MachineLearningServices/workspaces/computes/listNodes/action",
            "Microsoft.MachineLearningServices/workspaces/environments/build/action"
        ],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/computes/write",
            "Microsoft.MachineLearningServices/workspaces/write",
            "Microsoft.MachineLearningServices/workspaces/computes/delete",
            "Microsoft.MachineLearningServices/workspaces/delete",
            "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
            "Microsoft.MachineLearningServices/workspaces/listKeys/action",
            "Microsoft.Authorization/*",
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/profile/read",
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/preview/read",
            "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/profile/read",
            "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/preview/read",
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/schema/read",    
            "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/schema/read",
            "Microsoft.MachineLearningServices/workspaces/datastores/write",
            "Microsoft.MachineLearningServices/workspaces/datastores/delete"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
    }
    
  • MLOps Custom: Allows you to assign a role to a service principal and use that to automate your MLOps pipelines, for example to submit runs against an already published pipeline. Note that its Actions include Microsoft.MachineLearningServices/workspaces/metadata/secrets/read, so protect the service principal's credential accordingly:

    mlops_custom_role.json:

    {
        "Name": "MLOps Custom",
        "IsCustom": true,
        "Description": "Can run pipelines against a published pipeline endpoint",
        "Actions": [
            "Microsoft.MachineLearningServices/workspaces/read",
            "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/read",
            "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/read",
            "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/read",
            "Microsoft.MachineLearningServices/workspaces/environments/read",    
            "Microsoft.MachineLearningServices/workspaces/metadata/secrets/read",
            "Microsoft.MachineLearningServices/workspaces/modules/read",
            "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",
            "Microsoft.MachineLearningServices/workspaces/datasets/registered/read",
            "Microsoft.MachineLearningServices/workspaces/datastores/read",
            "Microsoft.MachineLearningServices/workspaces/environments/write",
            "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
            "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write",
            "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/write",
            "Microsoft.MachineLearningServices/workspaces/environments/build/action",
            "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action"
        ],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/computes/write",
            "Microsoft.MachineLearningServices/workspaces/write",
            "Microsoft.MachineLearningServices/workspaces/computes/delete",
            "Microsoft.MachineLearningServices/workspaces/delete",
            "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
            "Microsoft.MachineLearningServices/workspaces/listKeys/action",
            "Microsoft.Authorization/*"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
    }
    
  • Workspace Admin: Allows you to perform all operations within the scope of a workspace, except:

    • Creating a new workspace
    • Assigning subscription or workspace level quotas
    • Upgrading the Edition of the workspace

    The workspace admin also cannot create a new role. It can only assign existing built-in or custom roles within the scope of its workspace. Because the role carries Microsoft.Authorization/roleAssignments/*, a holder can assign any role, including Owner, to any principal at the workspace scope, so treat it as full control of the workspace:

    workspace_admin_custom_role.json:

    {
        "Name": "Workspace Admin Custom",
        "IsCustom": true,
        "Description": "Can perform all operations except quota management and upgrades",
        "Actions": [
            "Microsoft.MachineLearningServices/workspaces/*/read",
            "Microsoft.MachineLearningServices/workspaces/*/action",
            "Microsoft.MachineLearningServices/workspaces/*/write",
            "Microsoft.MachineLearningServices/workspaces/*/delete",
            "Microsoft.Authorization/roleAssignments/*"
        ],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/write"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
    }
    

  • Labeler Custom: Allows you to define a role scoped only to labeling data:

    labeler_custom_role.json:

    {
        "Name": "Labeler Custom",
        "IsCustom": true,
        "Description": "Can label data for Labeling",
        "Actions": [
            "Microsoft.MachineLearningServices/workspaces/read",
            "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",
            "Microsoft.MachineLearningServices/workspaces/labeling/labels/write"
        ],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>"
        ]
    }
    

Q. How do I list all the custom roles in my subscription?

In the Azure CLI, run the following command.

az role definition list --subscription <sub-id> --custom-role-only true

Q. How do I find the operations supported by the Machine Learning service?

In the Azure CLI, run the following command.

az provider operation show -n Microsoft.MachineLearningServices

They can also be found in the list of Resource provider operations.

Q. What are some common gotchas when using Azure RBAC?

Here are a few things to be aware of while you use Azure role-based access control (Azure RBAC):

  • When you create a resource in Azure, say a workspace, you are not directly the Owner of the workspace. Your role is inherited from the highest-scope role you hold in that subscription. For example, if you are a Network Administrator with permission to create a Machine Learning workspace, you are a Network Administrator on that workspace, not its Owner.

  • Azure RBAC is additive: a principal's permissions are the union of all of its role assignments. When two roles assigned to the same Azure Active Directory user have conflicting Actions and NotActions sections, an operation listed in the NotActions of one role still takes effect if the other role lists it under Actions. NotActions only narrows the role that contains it; it is not a deny. To learn more about how Azure evaluates role assignments, read How Azure RBAC determines if a user has access to a resource.

  • To deploy your compute resources inside a VNet, you need to explicitly have permissions for the following actions:

    • "Microsoft.Network/virtualNetworks/join/action" on the VNet resource.
    • "Microsoft.Network/virtualNetworks/subnets/join/action" on the subnet resource.

    For more information on RBAC with networking, see the Networking built-in roles.

  • It can sometimes take up to 1 hour for new role assignments to take effect, because permissions are cached across the stack.
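The first two points above (inheritance from higher scopes, and the additive evaluation that makes NotActions a subtraction rather than a deny) are easiest to see by computing effective permissions from a set of assignments. The following Python is an added example written for this page, not code from the original article or from Azure. The subscription, resource group and workspace identifiers, the principals, and the "Compute Operator Custom" role are constructed sample data; "Data Scientist Custom" is condensed from the definition of that name in the FAQ above; "Contributor" is the built-in role abridged to the NotActions that matter here; SUBMIT_RUN_ACTIONS is the list the permissions table gives for submitting a run. The wildcard semantics ('*' matching any run of characters, case-insensitively) are our reading of Azure's documented rule.

```python
"""Effective Azure RBAC permissions on a workspace from several role assignments.

Added example, not code from the original page or from Azure. Scopes,
principals and the Compute Operator role are constructed; Contributor is
abridged; wildcard semantics are an assumption (see the lead-in).
"""
import re

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"                 # constructed
RG = SUB + "/resourceGroups/ml-rg"                                          # constructed
WS = RG + "/providers/Microsoft.MachineLearningServices/workspaces/ml-ws"   # constructed
ML = "Microsoft.MachineLearningServices/workspaces/"

ROLES = {
    "Data Scientist Custom": {   # condensed from the page's definition of that name
        "Actions": [ML + "*/read", ML + "*/write", ML + "*/action"],
        "NotActions": [ML + "write", ML + "delete", ML + "computes/write", ML + "computes/delete",
                       ML + "listKeys/action", ML + "computes/listKeys/action",
                       "Microsoft.Authorization/*"],
    },
    "Compute Operator Custom": {  # constructed for this example
        "Actions": [ML + "computes/read", ML + "computes/write"],
        "NotActions": [],
    },
    "Contributor": {  # built-in role, abridged to the relevant NotActions
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
}

ASSIGNMENTS = [  # constructed
    {"principal": "jdoe@example.com", "role": "Data Scientist Custom", "scope": WS},
    {"principal": "jdoe@example.com", "role": "Compute Operator Custom", "scope": RG},
    {"principal": "ops@example.com", "role": "Contributor", "scope": SUB},
]

# Actions the FAQ table lists for "Submitting any type of run".
SUBMIT_RUN_ACTIONS = [ML + p for p in (
    "*/read", "environments/write", "experiments/runs/write", "metadata/artifacts/write",
    "metadata/snapshots/write", "environments/build/action",
    "experiments/runs/submit/action", "environments/readSecrets/action")]


def action_matches(pattern, action):
    """'*' in PATTERN matches any run of characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role, action):
    """One role's own result: granted by Actions and not subtracted by NotActions."""
    granted = any(action_matches(p, action) for p in role["Actions"])
    withheld = any(action_matches(p, action) for p in role["NotActions"])
    return granted and not withheld


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def grants(assignments, roles, principal, resource_scope, action):
    """Names of the roles whose assignment grants ACTION to PRINCIPAL on RESOURCE_SCOPE."""
    return [asg["role"] for asg in assignments
            if asg["principal"] == principal
            and scope_covers(asg["scope"], resource_scope)
            and role_allows(roles[asg["role"]], action)]


def effective_allow(assignments, roles, principal, resource_scope, action):
    """Additive evaluation: one granting assignment suffices, NotActions elsewhere notwithstanding."""
    return bool(grants(assignments, roles, principal, resource_scope, action))


def missing_actions(required, assignments, roles, principal, resource_scope):
    """Which of REQUIRED the principal still lacks (empty list: the activity is possible)."""
    return [a for a in required
            if not effective_allow(assignments, roles, principal, resource_scope, a)]


if __name__ == "__main__":
    compute_write = ML + "computes/write"
    print("jdoe computes/write on ml-ws granted by:",
          grants(ASSIGNMENTS, ROLES, "jdoe@example.com", WS, compute_write))
    print("jdoe missing for run submission:",
          missing_actions(SUBMIT_RUN_ACTIONS, ASSIGNMENTS, ROLES, "jdoe@example.com", WS))
    print("ops can change role assignments:",
          effective_allow(ASSIGNMENTS, ROLES, "ops@example.com", WS,
                          "Microsoft.Authorization/roleAssignments/write"))
```

In this data, jdoe's Data Scientist Custom assignment withholds computes/write, yet jdoe can still create compute on ml-ws because the Compute Operator assignment at the resource group is inherited by the workspace and grants it; the NotActions entry changes nothing. The ops principal inherits Contributor from the subscription and can create compute, but cannot write role assignments, because Contributor itself withholds Microsoft.Authorization writes. If you need an actual deny, Azure deny assignments are the mechanism, not NotActions.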

Q. What permissions do I need to use a user-assigned managed identity with my Amlcompute clusters?

To assign a user-assigned identity to Amlcompute clusters, you must have the write permissions needed to create compute and hold the Managed Identity Operator role. For more information on RBAC with managed identities, read How to manage user-assigned identity.

Q. Is role-based access control supported on the Studio portal?

Azure Machine Learning Studio supports Azure role-based access control (Azure RBAC).

Important

Once you have assigned a custom role with specific permissions to a data scientist in your workspace, the corresponding controls (such as the button for adding compute) are automatically hidden from that user. Hiding these items prevents the confusion of seeing controls that return an Unauthorized Access notification from the service when used. Hiding a control is a usability measure; the service-side permission check is what enforces the role.

Q. How do I find the role definition for a role in my subscription?

In the Azure CLI, run the following command. The <role-name> should be in the same format returned by az role definition list (see the earlier question on listing custom roles).

az role definition list -n <role-name> --subscription <sub-id>

Q. How do I update a role definition?

In the Azure CLI, run the following command.

az role definition update --role-definition update_def.json --subscription <sub-id>

You need to have permissions on the entire scope of your new role definition. For example, if this new role has a scope across three subscriptions, you need to have permissions on all three subscriptions.

Note

Role updates can take 15 minutes to an hour to apply across all role assignments in that scope.

Q. Can I define a role that prevents updating the workspace Edition?

Yes. Since the workspace update is a PATCH call on the workspace object, you prevent it by putting the following action in the "NotActions" array of your JSON definition (remember that this only narrows the role containing it; another assignment that grants the action still wins):

"Microsoft.MachineLearningServices/workspaces/write"

Q. What permissions are needed to perform quota operations in a workspace?

You need subscription-level permissions to perform any quota-related operation in the workspace. This means that setting either subscription-level quota or workspace-level quota for your managed compute resources is only possible if you have write permissions at the subscription scope.

Next steps