# Manage access to an Azure Machine Learning workspace

In this article, you learn how to manage access (authorization) to an Azure Machine Learning workspace. Azure role-based access control (Azure RBAC) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Users in your Azure Active Directory (Azure AD) are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles.

**Tip:** While this article focuses on Azure Machine Learning, individual services that Azure ML relies on provide their own RBAC settings. For example, using the information in this article, you can configure who can submit scoring requests to a model deployed as a web service on Azure Kubernetes Service. But Azure Kubernetes Service provides its own set of Azure roles. For service-specific RBAC information that may be useful with Azure Machine Learning, see the following links:

**Warning:** Applying some roles may limit UI functionality in Azure Machine Learning studio for other users. For example, if a user's role does not have the ability to create a compute instance, the option to create a compute instance will not be available in studio. This behavior is expected, and prevents the user from attempting operations that would return an access denied error.

## Default roles

An Azure Machine Learning workspace is an Azure resource. Like other Azure resources, when a new Azure Machine Learning workspace is created, it comes with three default roles. You can add users to the workspace and assign them to one of these built-in roles.

| Role | Access level |
|---|---|
| Reader | Read-only actions in the workspace. Readers can list and view assets, including datastore credentials, in a workspace. Readers can't create or update these assets. |
| Contributor | View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service. |
| Owner | Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, you can change role assignments. |
| Custom Role | Allows you to customize access to specific control or data plane operations within a workspace. For example, submitting a run, creating a compute, deploying a model, or registering a dataset. |

**Important:** Role access can be scoped to multiple levels in Azure. For example, someone with owner access to a workspace may not have owner access to the resource group that contains the workspace. For more information, see How Azure RBAC works.

Currently there are no additional built-in roles that are specific to Azure Machine Learning. For more information on built-in roles, see Azure built-in roles.

## Manage workspace access

If you're an owner of a workspace, you can add and remove roles for the workspace. You can also assign roles to users. Use the following links to discover how to manage access:

If you have installed the Azure Machine Learning CLI, you can use CLI commands to assign roles to users:

```azurecli
az ml workspace share -w <workspace_name> -g <resource_group_name> --role <role_name> --user <user_corp_email_address>
```

The `user` field is the email address of an existing user in the instance of Azure Active Directory where the workspace's parent subscription lives. Here is an example of how to use this command:

```azurecli
az ml workspace share -w my_workspace -g my_resource_group --role Contributor --user jdoe@contoson.com
```

**Note:** The `az ml workspace share` command does not work for federated accounts from Azure Active Directory B2B. Use the Azure portal instead of the command.

## Create custom role

If the built-in roles are insufficient, you can create custom roles. Custom roles might have read, write, delete, and compute resource permissions in that workspace. You can make the role available at a specific workspace level, a specific resource group level, or a specific subscription level.

**Note:** You must be an owner of the resource at that level to create custom roles within that resource.

To create a custom role, first construct a role definition JSON file that specifies the permissions and scope for the role. The following example defines a custom role named "Data Scientist Custom" scoped at a specific workspace level:

`data_scientist_custom_role.json`:

```json
{
    "Name": "Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute.",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.MachineLearningServices/workspaces/<workspace_name>"
    ]
}
```

**Tip:** You can change the `AssignableScopes` field to set the scope of this custom role at the subscription level, the resource group level, or a specific workspace level. The above custom role is just an example; see some suggested custom roles for the Azure Machine Learning service.

This custom role can do everything in the workspace except for the following actions:

- It can't create or update a compute resource.
- It can't delete a compute resource.
- It can't add, delete, or alter role assignments.
- It can't delete the workspace.

To deploy this custom role, use the following Azure CLI command (the file name matches the role definition shown above):

```azurecli
az role definition create --role-definition data_scientist_custom_role.json
```

After deployment, this role becomes available in the specified workspace. Now you can add and assign this role in the Azure portal. Or, you can assign this role to a user by using the `az ml workspace share` CLI command, passing the role's `Name` from the definition file:

```azurecli
az ml workspace share -w my_workspace -g my_resource_group --role "Data Scientist Custom" --user jdoe@contoson.com
```

For more information on custom roles, see Azure custom roles.

## Azure Machine Learning operations

For more information on the operations (`Actions` and `NotActions`) usable with custom roles, see Resource provider operations. You can also use the following Azure CLI command to list operations:

```azurecli
az provider operation show -n Microsoft.MachineLearningServices
```

## List custom roles

In the Azure CLI, run the following command:

```azurecli
az role definition list --subscription <sub-id> --custom-role-only true
```

To view the role definition for a specific custom role, use the following Azure CLI command. The `<role-name>` should be in the same format returned by the command above:

```azurecli
az role definition list -n <role-name> --subscription <sub-id>
```

## Update a custom role

In the Azure CLI, run the following command:

```azurecli
az role definition update --role-definition update_def.json --subscription <sub-id>
```

You need to have permissions on the entire scope of your new role definition. For example, if this new role has a scope across three subscriptions, you need to have permissions on all three subscriptions.

**Note:** Role updates can take 15 minutes to an hour to apply across all role assignments in that scope.

## Use Azure Resource Manager templates for repeatability

If you anticipate that you will need to recreate complex role assignments, an Azure Resource Manager template can be a big help. The 201-machine-learning-dependencies-role-assignment template shows how role assignments can be specified in source code for reuse.

## Common scenarios

The following table is a summary of Azure Machine Learning activities and the permissions required to perform them at the least scope. For example, if an activity can be performed with a workspace scope (column 4), then all higher scopes with that permission will also work automatically:

**Important:** All paths in this table that start with `/` are relative paths to `Microsoft.MachineLearningServices/`:

| Activity | Subscription-level scope | Resource group-level scope | Workspace-level scope |
|---|---|---|---|
| Create new workspace | Not required | Owner or contributor | N/A (becomes Owner or inherits higher scope role after creation) |
| Request subscription level Amlcompute quota or set workspace level quota | Owner, or contributor, or custom role allowing `/locations/updateQuotas/action` at subscription scope | Not Authorized | Not Authorized |
| Create new compute cluster | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` |
| Create new compute instance | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` |
| Submitting any type of run | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/*/read`, `/workspaces/environments/write`, `/workspaces/experiments/runs/write`, `/workspaces/metadata/artifacts/write`, `/workspaces/metadata/snapshots/write`, `/workspaces/environments/build/action`, `/workspaces/experiments/runs/submit/action`, `/workspaces/environments/readSecrets/action` |
| Publishing pipelines and endpoints | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/endpoints/pipelines/*`, `/workspaces/pipelinedrafts/*`, `/workspaces/modules/*` |
| Deploying a registered model on an AKS/ACI resource | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/services/aks/write`, `/workspaces/services/aci/write` |
| Scoring against a deployed AKS endpoint | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/services/aks/score/action`, `/workspaces/services/aks/listkeys/action` (when you are not using Azure Active Directory auth) OR `/workspaces/read` (when you are using token auth) |
| Accessing storage using interactive notebooks | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/read`, `/workspaces/notebooks/samples/read`, `/workspaces/notebooks/storage/*`, `/workspaces/listKeys/action` |
| Create new custom role | Owner, contributor, or custom role allowing `Microsoft.Authorization/roleDefinitions/write` | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` |

**Tip:** If you receive a failure when trying to create a workspace for the first time, make sure that your role allows `Microsoft.MachineLearningServices/register/action`. This action allows you to register the Azure Machine Learning resource provider with your Azure subscription.

### User-assigned managed identity with Azure ML compute cluster

To assign a user-assigned identity to an Azure Machine Learning compute cluster, you need write permissions to create the compute and the Managed Identity Operator role. For more information on Azure RBAC with managed identities, read How to manage user-assigned identity.

### MLflow operations

To perform MLflow operations with your Azure Machine Learning workspace, use the following scopes in your custom role:

| MLflow operation | Scope |
|---|---|
| List all experiments in the workspace tracking store, get an experiment by id, get an experiment by name | `Microsoft.MachineLearningServices/workspaces/experiments/read` |
| Create an experiment with a name, set a tag on an experiment, restore an experiment marked for deletion | `Microsoft.MachineLearningServices/workspaces/experiments/write` |
| Delete an experiment | `Microsoft.MachineLearningServices/workspaces/experiments/delete` |
| Get a run and related data and metadata, get a list of all values for the specified metric for a given run, list artifacts for a run | `Microsoft.MachineLearningServices/workspaces/experiments/runs/read` |
| Create a new run within an experiment, delete runs, restore deleted runs, log metrics under the current run, set tags on a run, delete tags on a run, log params (key-value pairs) used for a run, log a batch of metrics, params, and tags for a run, update run status | `Microsoft.MachineLearningServices/workspaces/experiments/runs/write` |
| Get a registered model by name, fetch a list of all registered models in the registry, search for registered models, get the latest version of a model for each requested stage, get a registered model's version, search model versions, get the URI where a model version's artifacts are stored, search for runs by experiment ids | `Microsoft.MachineLearningServices/workspaces/models/read` |
| Create a new registered model, update a registered model's name/description, rename an existing registered model, create a new version of the model, update a model version's description, transition a registered model to one of the stages | `Microsoft.MachineLearningServices/workspaces/models/write` |
| Delete a registered model along with all its versions, delete specific versions of a registered model | `Microsoft.MachineLearningServices/workspaces/models/delete` |

## Example custom roles

### Data scientist

Allows a data scientist to perform all operations inside a workspace **except**:

* Creation of compute
* Deploying models to a production AKS cluster
* Deploying a pipeline endpoint in production

`data_scientist_custom_role.json`:

```json
{
    "Name": "Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute or deploy production endpoints.",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/services/aks/write",
        "Microsoft.MachineLearningServices/workspaces/services/aks/delete",
        "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```

### Data scientist restricted

A more restricted role definition without wildcards in the allowed actions. It can perform all operations inside a workspace **except**:

* Creation of compute
* Deploying models to a production AKS cluster
* Deploying a pipeline endpoint in production

`data_scientist_restricted_custom_role.json`:

```json
{
    "Name": "Data Scientist Restricted Custom",
    "IsCustom": true,
    "Description": "Can run experiment but can't create or delete compute or deploy production endpoints",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/computes/start/action",
        "Microsoft.MachineLearningServices/workspaces/computes/stop/action",
        "Microsoft.MachineLearningServices/workspaces/computes/restart/action",
        "Microsoft.MachineLearningServices/workspaces/computes/applicationaccess/action",
        "Microsoft.MachineLearningServices/workspaces/notebooks/storage/read",
        "Microsoft.MachineLearningServices/workspaces/notebooks/storage/write",
        "Microsoft.MachineLearningServices/workspaces/notebooks/storage/delete",
        "Microsoft.MachineLearningServices/workspaces/notebooks/samples/read",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
        "Microsoft.MachineLearningServices/workspaces/experiments/write",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action",
        "Microsoft.MachineLearningServices/workspaces/pipelinedrafts/write",
        "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/write",
        "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write",
        "Microsoft.MachineLearningServices/workspaces/environments/write",
        "Microsoft.MachineLearningServices/workspaces/models/write",
        "Microsoft.MachineLearningServices/workspaces/modules/write",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/write",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/delete",
        "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/write",
        "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listNodes/action",
        "Microsoft.MachineLearningServices/workspaces/environments/build/action"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/computes/write",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/delete",
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.Authorization/*",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/profile/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/preview/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/profile/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/preview/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/schema/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/unregistered/schema/read",
        "Microsoft.MachineLearningServices/workspaces/datastores/write",
        "Microsoft.MachineLearningServices/workspaces/datastores/delete"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```
 

### MLflow data scientist

Allows a data scientist to perform all MLflow operations supported by Azure ML **except**:

* Creation of compute
* Deploying models to a production AKS cluster
* Deploying a pipeline endpoint in production

`mlflow_data_scientist_custom_role.json`:

```json
{
    "Name": "MLFlow Data Scientist Custom",
    "IsCustom": true,
    "Description": "Can perform azureml mlflow integrated functionalities that includes mlflow tracking, projects, model registry",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/experiments/read",
        "Microsoft.MachineLearningServices/workspaces/experiments/write",
        "Microsoft.MachineLearningServices/workspaces/experiments/delete",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
        "Microsoft.MachineLearningServices/workspaces/models/read",
        "Microsoft.MachineLearningServices/workspaces/models/write",
        "Microsoft.MachineLearningServices/workspaces/models/delete"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/services/aks/write",
        "Microsoft.MachineLearningServices/workspaces/services/aks/delete",
        "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```

### <a name="mlops"></a>MLOps

Allows you to assign a role to a service principal and use that to automate your MLOps pipelines. For example, to submit runs against an already published pipeline:

`mlops_custom_role.json`:

```json
{
    "Name": "MLOps Custom",
    "IsCustom": true,
    "Description": "Can run pipelines against a published pipeline endpoint",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/read",
        "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/read",
        "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/read",
        "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/read",
        "Microsoft.MachineLearningServices/workspaces/environments/read",
        "Microsoft.MachineLearningServices/workspaces/metadata/secrets/read",
        "Microsoft.MachineLearningServices/workspaces/modules/read",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",
        "Microsoft.MachineLearningServices/workspaces/datasets/registered/read",
        "Microsoft.MachineLearningServices/workspaces/datastores/read",
        "Microsoft.MachineLearningServices/workspaces/environments/write",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/write",
        "Microsoft.MachineLearningServices/workspaces/metadata/artifacts/write",
        "Microsoft.MachineLearningServices/workspaces/metadata/snapshots/write",
        "Microsoft.MachineLearningServices/workspaces/environments/build/action",
        "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/computes/write",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/delete",
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.Authorization/*"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```

### <a name="workspace-admin"></a>Workspace Admin

Allows you to perform all operations within the scope of a workspace, **except**:

* Creating a new workspace
* Assigning subscription or workspace level quotas

The workspace admin also cannot create a new role. It can only assign existing built-in or custom roles within the scope of their workspace:

`workspace_admin_custom_role.json`:

```json
{
    "Name": "Workspace Admin Custom",
    "IsCustom": true,
    "Description": "Can perform all operations except quota management and upgrades",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/write",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.Authorization/roleAssignments/*"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/write"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```

<a name="labeler"></a>
### <a name="data-labeler"></a>Data labeler

Allows you to define a role scoped only to labeling data:

`labeler_custom_role.json`:

```json
{
    "Name": "Labeler Custom",
    "IsCustom": true,
    "Description": "Can label data for Labeling",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/read",
        "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",
        "Microsoft.MachineLearningServices/workspaces/labeling/labels/write"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read"
    ],
    "AssignableScopes": [
        "/subscriptions/<subscription_id>"
    ]
}
```

## <a name="troubleshooting"></a>Troubleshooting

Here are a few things to be aware of while you use Azure role-based access control (Azure RBAC):

- When you create a resource in Azure, such as a workspace, you are not directly the owner of the resource. Your role is inherited from the highest scope role that you are authorized against in that subscription. As an example, if you are a Network Administrator and have the permissions to create a Machine Learning workspace, you would be assigned the Network Administrator role against that workspace, and not the Owner role.

- To perform quota operations in a workspace, you need subscription level permissions. This means setting either subscription level quota or workspace level quota for your managed compute resources can only happen if you have write permissions at the subscription scope.

- When there are two role assignments to the same Azure Active Directory user with conflicting sections of `Actions`/`NotActions`, operations listed in `NotActions` of one role might not take effect if they are also listed as `Actions` in another role. To learn more about how Azure parses role assignments, read [How Azure RBAC determines if a user has access to a resource](../role-based-access-control/overview.md#how-azure-rbac-determines-if-a-user-has-access-to-a-resource).

- To deploy your compute resources inside a VNet, you need to explicitly have permissions for the following actions:
  - `Microsoft.Network/virtualNetworks/join/action` on the VNet resource.
  - `Microsoft.Network/virtualNetworks/subnet/join/action` on the subnet resource.

  For more information on Azure RBAC with networking, see the [Networking built-in roles](../role-based-access-control/built-in-roles.md#networking).

- It can sometimes take up to 1 hour for your new role assignments to take effect over cached permissions across the stack.
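As an added example (not part of this page or of Azure Machine Learning itself), the following Python models how a custom role's `Actions` and `NotActions` lists are evaluated, and why, as the troubleshooting note above says, a `NotActions` entry in one role cannot block an operation that a second assigned role grants. The wildcard matcher and the second "Compute Operator" role are assumptions constructed for the demonstration; Azure's own access check remains the authority for a real assignment.

```python
import json
import re

# Role definition copied from this page's "Data scientist" example
# (Description and AssignableScopes omitted; they do not affect evaluation).
DATA_SCIENTIST_ROLE = json.loads("""
{
    "Name": "Data Scientist Custom",
    "Actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write"
    ],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/services/aks/write",
        "Microsoft.MachineLearningServices/workspaces/services/aks/delete",
        "Microsoft.MachineLearningServices/workspaces/endpoints/pipelines/write"
    ]
}
""")

# Constructed for this example (not from the page): a second, narrow role
# that grants every compute operation and excludes nothing.
COMPUTE_OPERATOR_ROLE = {
    "Name": "Compute Operator (constructed)",
    "Actions": ["Microsoft.MachineLearningServices/workspaces/computes/*"],
    "NotActions": [],
}

ML = "Microsoft.MachineLearningServices/workspaces/"


def pattern_matches(pattern, operation):
    """Wildcard match modelled on Azure RBAC action strings (assumption):
    '*' stands for any run of characters, including '/', and the
    comparison ignores case."""
    regex = ".*".join(re.escape(piece) for piece in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None


def role_allows(role, operation):
    """A single role grants an operation when an Actions entry matches it and
    no NotActions entry matches it. NotActions only subtracts from the same
    role's Actions; it is not a deny rule."""
    granted = any(pattern_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(pattern_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def effective_allows(assigned_roles, operation):
    """With several role assignments the effective permission is the union:
    the operation is allowed if ANY assigned role allows it. This is why a
    NotActions entry in one role does not block what another role grants."""
    return any(role_allows(r, operation) for r in assigned_roles)


def granting_roles(assigned_roles, operation):
    """Names of the assigned roles that grant the operation (audit helper)."""
    return [r["Name"] for r in assigned_roles if role_allows(r, operation)]


def missing_actions(role, required_operations):
    """Required operations (for example one row of the 'Common scenarios'
    table) that the role does not grant on its own."""
    return [op for op in required_operations if not role_allows(role, op)]


if __name__ == "__main__":
    submit = ML + "experiments/runs/submit/action"
    keys = ML + "computes/listKeys/action"
    both = [DATA_SCIENTIST_ROLE, COMPUTE_OPERATOR_ROLE]
    print("Data scientist can submit a run:", role_allows(DATA_SCIENTIST_ROLE, submit))
    print("Data scientist alone can list compute keys:", role_allows(DATA_SCIENTIST_ROLE, keys))
    print("With the extra role assigned too:", effective_allows(both, keys), granting_roles(both, keys))
    print("Missing for AKS/ACI deployment:",
          missing_actions(DATA_SCIENTIST_ROLE, [ML + "services/aks/write", ML + "services/aci/write"]))
```

Running the script shows the data scientist role granting run submission, refusing `computes/listKeys/action` on its own, and that refusal disappearing once the constructed compute role is also assigned.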

## <a name="next-steps"></a>Next steps

- [Enterprise security overview](concept-enterprise-security.md)
- [Tutorial: Train models](tutorial-train-models-with-aml.md)
- [Resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftmachinelearningservices)