Role-based access control (RBAC) for Media Services accounts

Currently, Azure Media Services does not define any custom roles specific to the service. To get full access to the Media Services account, customers can use the built-in Owner or Contributor roles. The main difference between these roles is that the Owner can control who has access to a resource and the Contributor cannot. The built-in Reader role can also be used, but the user or application will then only have read access to the Media Services APIs.

Design principles

One of the key design principles of the v3 API is to make the API more secure. v3 APIs do not return secrets or credentials on Get or List operations. The keys are always null, empty, or sanitized in the response. The user needs to call a separate action method to get secrets or credentials. The Reader role cannot call operations like Asset.ListContainerSas, StreamingLocator.ListContentKeys, or ContentKeyPolicies.GetPolicyPropertiesWithSecrets. Having separate actions enables you to set more granular RBAC security permissions in a custom role if desired.

To list the operations Media Services supports, do:

// client is an authenticated IAzureMediaServicesClient; each Operation is a
// resource-provider action that can be allowed or denied in a role definition.
foreach (Microsoft.Azure.Management.Media.Models.Operation a in client.Operations.List())
{
    Console.WriteLine($"{a.Name} - {a.Display.Operation} - {a.Display.Description}");
}
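The following added example (not code from the original article) shows the Get-versus-separate-action split described above with the .NET SDK: a plain Get of a content key policy comes back sanitized, while the secrets require the separate GetPolicyPropertiesWithSecrets action, which a Reader-only principal is denied. It assumes an already authenticated `IAzureMediaServicesClient`; the resource group, account, and policy names are placeholders.

```csharp
using System;
using System.Net;
using Microsoft.Azure.Management.Media;
using Microsoft.Azure.Management.Media.Models;
using Microsoft.Rest.Azure;

// Added example, not part of the original article. Assumes an authenticated
// IAzureMediaServicesClient; all resource names below are placeholders.
public static class SecretAccessDemo
{
    public static void ShowSanitizedVersusSecretCalls(IAzureMediaServicesClient client)
    {
        const string resourceGroup = "<resource-group>";
        const string account = "<media-services-account>";
        const string policyName = "<content-key-policy-name>";

        // Plain Get: permitted to the Reader role. Any verification key inside the
        // returned restrictions is sanitized, so this call cannot leak a secret.
        ContentKeyPolicy policy = client.ContentKeyPolicies.Get(resourceGroup, account, policyName);
        foreach (ContentKeyPolicyOption option in policy.Options)
        {
            Console.WriteLine($"Get -> option '{option.Name}', restriction {option.Restriction.GetType().Name} (secrets sanitized)");
        }

        // Separate action: only a role that explicitly includes it (Owner, Contributor,
        // or a custom role granting this action) can retrieve the actual secrets.
        try
        {
            ContentKeyPolicyProperties withSecrets =
                client.ContentKeyPolicies.GetPolicyPropertiesWithSecrets(resourceGroup, account, policyName);
            Console.WriteLine($"GetPolicyPropertiesWithSecrets -> {withSecrets.Options.Count} option(s) returned with secrets");
        }
        catch (CloudException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // Expected outcome for a principal holding only the Reader role.
            Console.WriteLine($"Denied: {ex.Body?.Code} - the caller's role does not include this action");
        }
    }
}
```

The same pattern applies to Asset.ListContainerSas and StreamingLocator.ListContentKeys: check the corresponding entries in the `client.Operations.List()` output when deciding which actions a custom role should leave out.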

The built-in role definitions article tells you exactly what each role grants.

See the following articles for more information:

Next steps