Azure 内置角色Azure built-in roles
Azure 基于角色的访问控制 (Azure RBAC) 拥有多个 Azure 内置角色,可将其分配给用户、组、服务主体和托管标识。Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. 角色分配是控制对 Azure 资源的访问的方式。Role assignments are the way you control access to Azure resources. 如果内置角色不能满足组织的特定需求,你可以创建自己的 Azure 自定义角色。If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.
本文列出了 Azure 内置角色,这些角色总是在不断发展。This article lists the Azure built-in roles, which are always evolving. 若要获取最新角色,请使用 Get-AzRoleDefinition 或 az role definition list。To get the latest roles, use Get-AzRoleDefinition or az role definition list. 如果你正在查找 Azure Active Directory (Azure AD) 的管理员角色,请参阅 Azure Active Directory 中的管理员角色权限。If you are looking for administrator roles for Azure Active Directory (Azure AD), see Administrator role permissions in Azure Active Directory.
下表提供了每个内置角色的简短说明和唯一 ID。The following table provides a brief description and the unique ID of each built-in role. 单击角色名称,查看每个角色的 Actions、NotActions、DataActions 和 NotDataActions 列表。Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. 有关这些操作的含义以及它们如何应用于管理和数据平面的信息,请参阅了解 Azure 角色定义。For information about what these actions mean and how they apply to the management and data planes, see Understand Azure role definitions.
全部All
| 内置角色Built-in role | 说明Description | IDID |
|---|---|---|
| 常规General | ||
| 参与者Contributor | 授予完全访问权限来管理所有资源,但不允许在 Azure RBAC 中分配角色或在 Azure 蓝图中管理分配,也不允许共享映像库。Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24cb24988ac-6180-42a0-ab88-20f7382dd24c |
| 所有者Owner | 授予管理所有资源的完全访问权限,包括允许在 Azure RBAC 中分配角色。Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb6358e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
| 读者Reader | 查看所有资源,但不允许进行任何更改。View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7acdd72a7-3385-48ef-bd42-f606fba81ae7 |
| 用户访问管理员User Access Administrator | 允许管理用户对 Azure 资源的访问权限。Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d918d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
| 计算Compute | ||
| 经典虚拟机参与者Classic Virtual Machine Contributor | 允许管理经典虚拟机,但不允许访问这些虚拟机及其连接到的虚拟网络或存储帐户。Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccbd73bb868-a0df-4d4d-bd69-98a00b01fccb |
| 虚拟机管理员登录Virtual Machine Administrator Login | 在门户中查看虚拟机并以管理员身份登录View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e41c0163c0-47e6-4577-8991-ea5c82e286e4 |
| 虚拟机参与者Virtual Machine Contributor | 允许管理虚拟机,但不允许访问这些虚拟机及其连接到的虚拟网络或存储帐户。Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
| 虚拟机用户登录Virtual Machine User Login | 在门户中查看虚拟机并以普通用户身份登录。View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52fb879df8-f326-4884-b1cf-06f3ad86be52 |
| 网络Networking | ||
| CDN 终结点参与者CDN Endpoint Contributor | 可以管理 CDN 终结点,但不能向其他用户授予访问权限。Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45426e0c7f-0c7e-4658-b36f-ff54d6c29b45 |
| CDN 终结点读者CDN Endpoint Reader | 可以查看 CDN 终结点,但不能进行更改。Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd871e35f6-b5c1-49cc-a043-bde969a0f2cd |
| CDN 配置文件参与者CDN Profile Contributor | 可以管理 CDN 配置文件及其终结点,但不能向其他用户授予访问权限。Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432ec156ff8-a8d1-4d15-830c-5b80698ca432 |
| CDN 配置文件读者CDN Profile Reader | 可以查看 CDN 配置文件及其终结点,但不能进行更改。Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af8f96442b-4075-438f-813d-ad51ab4019af |
| 经典网络参与者Classic Network Contributor | 允许管理经典网络,但不允许访问这些网络。Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90fb34d265f-36f7-4a0d-a4d4-e158ca92e90f |
| DNS 区域参与者DNS Zone Contributor | 允许管理 Azure DNS 中的 DNS 区域和记录集,但不允许控制对其访问的人员。Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314befefa01-2a29-4197-83a8-272ff33ce314 |
| 网络参与者Network Contributor | 允许管理网络,但不允许访问这些网络。Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e74d97b98b-1d4f-4787-a291-c67834d212e7 |
| 专用 DNS 区域参与者Private DNS Zone Contributor | 允许管理专用 DNS 区域资源,但不允许管理它们所链接到的虚拟网络。Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7fb12aa53e-6015-4669-85d0-8515ebb3ae7f |
| 流量管理器参与者Traffic Manager Contributor | 允许管理流量管理器配置文件,但不允许控制谁可以访问它们。Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 |
| 存储Storage | ||
| Avere 参与者Avere Contributor | 可以创建和管理 Avere vFXT 群集。Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a4f8fab4f-1852-4a58-a46a-8eaf358af14a |
| Avere 操作员Avere Operator | Avere vFXT 群集用来管理群集Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
| 备份参与者Backup Contributor | 允许管理备份服务,但不允许创建保管库以及授予其他人访问权限Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b5e467623-bb1f-42f4-a55d-6e525e11384b |
| 备份操作员Backup Operator | 允许管理备份服务,但删除备份、创建保管库以及授予其他人访问权限除外Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb932400c29273-979b-4161-815c-10b084fb9324 |
| 备份读者Backup Reader | 可以查看备份服务,但是不能进行更改Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912a795c7a0-d4a2-40c1-ae25-d81f01202912 |
| 经典存储帐户参与者Classic Storage Account Contributor | 允许管理经典存储帐户,但不允许对其进行访问。Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac2586e8f5dc-a6e9-4c67-9d15-de283e8eac25 |
| 经典存储帐户密钥操作员服务角色Classic Storage Account Key Operator Service Role | 允许经典存储帐户密钥操作员在经典存储帐户上列出和再生成密钥Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d985d6b00-f706-48f5-a6fe-d0ca12fb668d |
| Data Box 参与者Data Box Contributor | 可让你管理 Data Box 服务下的所有内容,但不能向其他人授予访问权限。Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5add466c9-e687-43fc-8d98-dfcf8d720be5 |
| Data Box 读者Data Box Reader | 可让你管理 Data Box 服务,但不能创建订单或编辑订单详细信息,以及向其他人授予访问权限。Lets you manage Data Box Service except creating order or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 |
| Data Lake Analytics 开发人员Data Lake Analytics Developer | 允许提交、监视和管理自己的作业,但是不允许创建或删除 Data Lake Analytics 帐户。Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c8847b7735b-770e-4598-a7da-8b91488b4c88 |
| 读取器和数据访问Reader and Data Access | 允许查看所有内容,但不允许删除或创建存储帐户或包含的资源。Lets you view everything but will not let you delete or create a storage account or contained resource. 它还允许使用存储帐户密钥对存储帐户中包含的所有数据进行读/写访问。It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349c12c1c16-33a1-487b-954d-41c89c60f349 |
| 存储帐户参与者Storage Account Contributor | 允许管理存储帐户。Permits management of storage accounts. 提供对帐户密钥的访问权限,而帐户密钥可以用来通过共享密钥授权对数据进行访问。Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab17d1049b-9a84-46fb-8f53-869881c3d3ab |
| 存储帐户密钥操作员服务角色Storage Account Key Operator Service Role | 允许列出和重新生成存储帐户访问密钥。Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f1281a9662b-bebf-436f-a333-f67b29880f12 |
| 存储 Blob 数据参与者Storage Blob Data Contributor | 读取、写入和删除 Azure 存储容器和 Blob。Read, write, and delete Azure Storage containers and blobs. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | ba92f5b4-2d11-453d-a403-e96b0029c9feba92f5b4-2d11-453d-a403-e96b0029c9fe |
| 存储 Blob 数据所有者Storage Blob Data Owner | 提供对 Azure 存储 Blob 容器和数据的完全访问权限,包括分配 POSIX 访问控制。Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | b7e6dc6d-f1e8-4753-8033-0f276bb0955bb7e6dc6d-f1e8-4753-8033-0f276bb0955b |
| 存储 Blob 数据读者Storage Blob Data Reader | 读取和列出 Azure 存储容器和 Blob。Read and list Azure Storage containers and blobs. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d12a2b9908-6ea1-4ae2-8e65-a410df84e7d1 |
| 存储 Blob 委托者Storage Blob Delegator | 获取用户委托密钥,该密钥随后可用于为使用 Azure AD 凭据签名的容器或 Blob 创建共享访问签名。Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. 有关详细信息,请参阅创建用户委托 SAS。For more information, see Create a user delegation SAS. | db58b8e5-c6ad-4a2a-8342-4190687cbf4adb58b8e5-c6ad-4a2a-8342-4190687cbf4a |
| 存储文件数据 SMB 共享参与者Storage File Data SMB Share Contributor | 允许针对 Azure 文件共享中的文件/目录的读取、写入和删除权限。Allows for read, write, and delete access on files/directories in Azure file shares. 在 Windows 文件服务器上,此角色没有内置的等效角色。This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb |
| 存储文件数据 SMB 共享提升参与者Storage File Data SMB Share Elevated Contributor | 允许读取、写入、删除和修改 Azure 文件共享中文件/目录上的 ACL。Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. 此角色等效于 Windows 文件服务器上更改的文件共享 ACL。This role is equivalent to a file share ACL of change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7a7264617-510b-434b-a828-9731dc254ea7 |
| 存储文件数据 SMB 共享读取者Storage File Data SMB Share Reader | 允许针对 Azure 文件共享中的文件/目录的读取权限。Allows for read access on files/directories in Azure file shares. 此角色等效于 Windows 文件服务器上读取的文件共享 ACL。This role is equivalent to a file share ACL of read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314aba4ae5f-2193-4029-9191-0cb91df5e314 |
| 存储队列数据参与者Storage Queue Data Contributor | 读取、写入和删除 Azure 存储队列和队列消息。Read, write, and delete Azure Storage queues and queue messages. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88974c5e8b-45b9-4653-ba55-5f855dd0fb88 |
| 存储队列数据消息处理器Storage Queue Data Message Processor | 速览、检索和删除 Azure 存储队列中的消息。Peek, retrieve, and delete a message from an Azure Storage queue. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 8a0f0c08-91a1-4084-bc3d-661d67233fed8a0f0c08-91a1-4084-bc3d-661d67233fed |
| 存储队列数据消息发送方Storage Queue Data Message Sender | 将消息添加到 Azure 存储队列。Add messages to an Azure Storage queue. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | c6a89b2d-59bc-44d0-9896-0f6e12d7b80ac6a89b2d-59bc-44d0-9896-0f6e12d7b80a |
| 存储队列数据读取者Storage Queue Data Reader | 读取并列出 Azure 存储队列和队列消息。Read and list Azure Storage queues and queue messages. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 19e7f393-937e-4f77-808e-94535e29792519e7f393-937e-4f77-808e-94535e297925 |
| WebWeb | ||
| Azure Maps 数据参与者Azure Maps Data Contributor | 从 Azure Maps 帐户中授予地图相关数据的读取、写入和删除权限。Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a2048f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
| Azure Maps 数据读取器Azure Maps Data Reader | 授予从 Azure Maps 帐户中读取地图相关数据的权限。Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |
| 搜索服务参与者Search Service Contributor | 允许管理搜索服务,但不允许访问这些服务。Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba07ca78c08-252a-4471-8644-bb5ff32d4ba0 |
| SignalR AccessKey 读取者SignalR AccessKey Reader | 读取 SignalR 服务访问密钥Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e04165923-9d83-45d5-8227-78b77b0a687e |
| SignalR 应用服务器(预览版)SignalR App Server (Preview) | 允许应用服务器使用 AAD 身份验证选项访问 SignalR 服务。Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7420fcaa2-552c-430f-98ca-3264be4806c7 |
| SignalR 参与者SignalR Contributor | 创建、读取、更新和删除 SignalR 服务资源Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c27618cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 |
| SignalR 无服务器参与者(预览版)SignalR Serverless Contributor (Preview) | 允许应用在无服务器模式下使用 AAD 身份验证选项来访问服务。Lets your app access service in serverless mode with AAD auth options. | fd53cd77-2268-407a-8f46-7e7863d0f521fd53cd77-2268-407a-8f46-7e7863d0f521 |
| SignalR 服务所有者(预览版)SignalR Service Owner (Preview) | 完全访问 Azure Signal 服务 REST APIFull access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce37e4f1700-ea5a-4f59-8f37-079cfe29dce3 |
| SignalR 服务读取者(预览版)SignalR Service Reader (Preview) | 以只读方式访问 Azure Signal 服务 REST APIRead-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035ddde6b66-c0df-4114-a159-3618637b3035 |
| Web 计划参与者Web Plan Contributor | 允许管理网站的 Web 计划,但不允许访问这些计划。Lets you manage the web plans for websites, but not access to them. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
| 网站参与者Website Contributor | 允许管理网站(而非 Web 计划),但不允许访问这些网站。Lets you manage websites (not web plans), but not access to them. | de139f84-1756-47ae-9be6-808fbbe84772de139f84-1756-47ae-9be6-808fbbe84772 |
| 容器Containers | ||
| AcrDeleteAcrDelete | acr 删除acr delete | c2f4ef07-c644-48eb-af81-4b1b4947fb11c2f4ef07-c644-48eb-af81-4b1b4947fb11 |
| AcrImageSignerAcrImageSigner | ACR 映像签名程序acr image signer | 6cef56e8-d556-48e5-a04f-b8e64114680f6cef56e8-d556-48e5-a04f-b8e64114680f |
| AcrPullAcrPull | acr 拉取acr pull | 7f951dda-4ed3-4680-a7ca-43fe172d538d7f951dda-4ed3-4680-a7ca-43fe172d538d |
| AcrPushAcrPush | acr 推送acr push | 8311e382-0749-4cb8-b61a-304f252e45ec8311e382-0749-4cb8-b61a-304f252e45ec |
| AcrQuarantineReaderAcrQuarantineReader | ACR 隔离数据读取器acr quarantine data reader | cdda3590-29a3-44f6-95f2-9f980659eb04cdda3590-29a3-44f6-95f2-9f980659eb04 |
| AcrQuarantineWriterAcrQuarantineWriter | ACR 隔离数据编写器acr quarantine data writer | c8d4ff99-41c3-41a8-9f60-21dfdad59608c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
| Azure Kubernetes 服务群集管理员角色Azure Kubernetes Service Cluster Admin Role | 列出群集管理员凭据操作。List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be80ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
| Azure Kubernetes 服务群集用户角色Azure Kubernetes Service Cluster User Role | 列出群集用户凭据操作。List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
| Azure Kubernetes 服务参与者角色Azure Kubernetes Service Contributor Role | 授予对 Azure Kubernetes 服务群集的读写访问权限Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
| Azure Kubernetes 服务 RBAC 管理员Azure Kubernetes Service RBAC Admin | 允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f73498e952-d568-435e-9b2c-8d77e338d7f7 |
| Azure Kubernetes 服务 RBAC 群集管理员Azure Kubernetes Service RBAC Cluster Admin | 允许管理群集中的所有资源。Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19bb1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
| Azure Kubernetes 服务 RBAC 读取者Azure Kubernetes Service RBAC Reader | 允许进行只读访问并查看命名空间中的大多数对象。Allows read-only access to see most objects in a namespace. 不允许查看角色或角色绑定。It does not allow viewing roles or role bindings. 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 在群集范围内应用此角色将提供对所有命名空间的访问权限。Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db7f6c6a51-bcf8-42ba-9220-52d62157d7db |
| Azure Kubernetes 服务 RBAC 写入者Azure Kubernetes Service RBAC Writer | 允许对命名空间中的大多数对象进行读取/写入访问。不允许此角色查看或修改角色或角色绑定。Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密和运行 Pod,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. 在群集范围内应用此角色将提供对所有命名空间的访问权限。Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eba7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
| 数据库Databases | ||
| Cosmos DB 帐户读者角色Cosmos DB Account Reader Role | 可以读取 Azure Cosmos DB 帐户数据。Can read Azure Cosmos DB account data. 请参阅 Cosmos DB 帐户参与者,了解如何管理 Azure Cosmos DB 帐户。See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
| Cosmos DB 操作员Cosmos DB Operator | 允许管理 Azure Cosmos DB 帐户,但不能访问其中的数据。Lets you manage Azure Cosmos DB accounts, but not access data in them. 阻止访问帐户密钥和连接字符串。Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa230815da-be43-4aae-9cb4-875f7bd000aa |
| CosmosBackupOperatorCosmosBackupOperator | 可以为帐户提交 Cosmos DB 数据库或容器的还原请求Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cbdb7b14f2-5adf-42da-9f96-f2ee17bab5cb |
| CosmosRestoreOperatorCosmosRestoreOperator | 可以对连续备份模式下的 Cosmos DB 数据库帐户执行还原操作Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f5432c526-bc82-444a-b7ba-57c5b0b5b34f |
| DocumentDB 帐户参与者DocumentDB Account Contributor | 可管理 Azure Cosmos DB 帐户。Can manage Azure Cosmos DB accounts. Azure Cosmos DB 以前称为 DocumentDB。Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e154505bd9cd88-fe45-4216-938b-f97437e15450 |
| Redis 缓存参与者Redis Cache Contributor | 允许管理 Redis 缓存,但不允许访问这些缓存。Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17e0f68234-74aa-48ed-b826-c38b57376e17 |
| SQL DB 参与者SQL DB Contributor | 允许管理 SQL 数据库,但不允许访问这些数据库。Lets you manage SQL databases, but not access to them. 此外,不允许管理其安全相关的策略或其父 SQL 服务器。Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
| SQL 托管实例参与者SQL Managed Instance Contributor | 允许你管理 SQL 托管实例和必需的网络配置,但无法向其他人授予访问权限。Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
| SQL 安全管理器SQL Security Manager | 允许管理 SQL 服务器和数据库的安全相关策略,但不允许访问它们。Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
| SQL Server 参与者SQL Server Contributor | 允许管理 SQL Server 和数据库,但不允许访问它们及其安全相关策略。Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b4376d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
| 分析Analytics | ||
| Azure 事件中心数据所有者Azure Event Hubs Data Owner | 允许完全访问 Azure 事件中心资源。Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2decf526a384-b230-433a-b45c-95f59c4a2dec |
| Azure 事件中心数据接收方Azure Event Hubs Data Receiver | 允许接收对 Azure 事件中心资源的访问权限。Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fdea638d3c7-ab3a-418d-83e6-5f17a39d4fde |
| Azure 事件中心数据发送方Azure Event Hubs Data Sender | 允许以发送方式访问 Azure 事件中心资源。Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f9752b629674-e913-4c01-ae53-ef4638d8f975 |
| 数据工厂参与者Data Factory Contributor | 创建和管理数据工厂,以及其中的子资源。Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5673868aa-7521-48a0-acc6-0f60742d39f5 |
| 数据清除程序Data Purger | 从 Log Analytics 工作区中删除专用数据。Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
| HDInsight 群集操作员HDInsight Cluster Operator | 允许你读取和修改 HDInsight 群集配置。Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a61ed4efc-fab3-44fd-b111-e24485cc132a |
| HDInsight 域服务参与者HDInsight Domain Services Contributor | 可以读取、创建、修改和删除 HDInsight 企业安全性套餐所需的域服务相关操作Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c8d8d5a11-05d3-4bda-a417-a08778121c7c |
| Log Analytics 参与者Log Analytics Contributor | Log Analytics 参与者可以读取所有监视数据并编辑监视设置。Log Analytics Contributor can read all monitoring data and edit monitoring settings. 编辑监视设置包括向 VM 添加 VM 扩展、读取存储帐户密钥以便能够从 Azure 存储配置日志收集、创建和配置自动化帐户、添加解决方案以及配置所有 Azure 资源上的 Azure 诊断。Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d1629392aaf0da-9dab-42b6-94a3-d43ce8d16293 |
| Log Analytics 读者Log Analytics Reader | Log Analytics 读者可以查看和搜索所有监视数据并查看监视设置,其中包括查看所有 Azure 资源上的 Azure 诊断的配置。Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a89373c42c96-874c-492b-b04d-ab87d138a893 |
| Purview 数据管护者Purview Data Curator | Microsoft.Purview 数据管护者可以创建、读取、修改和删除目录数据对象,并可以建立对象之间的关系。The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change. | 8a3c2885-9b38-4fd2-9d99-91af537c13478a3c2885-9b38-4fd2-9d99-91af537c1347 |
| Purview 数据读取者Purview Data Reader | Microsoft.Purview 数据读取者可以读取目录数据对象。The Microsoft.Purview data reader can read catalog data objects. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change. | ff100721-1b9d-43d8-af52-42b69c1272dbff100721-1b9d-43d8-af52-42b69c1272db |
| Purview 数据源管理员Purview Data Source Administrator | Microsoft.Purview 数据源管理员可以管理数据源和数据扫描。The Microsoft.Purview data source administrator can manage data sources and data scans. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change. | 200bba9e-f0c8-430f-892b-6f0794863803200bba9e-f0c8-430f-892b-6f0794863803 |
| 架构注册表参与者(预览)Schema Registry Contributor (Preview) | 读取、写入和删除架构注册表组和架构。Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb255dffeca3-4936-4216-b2bc-10343a5abb25 |
| 架构注册表读取器(预览版)Schema Registry Reader (Preview) | 读取和列出架构注册表组和架构。Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d22c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
| 区块链Blockchain | ||
| 区块链成员节点访问(预览版)Blockchain Member Node Access (Preview) | 允许对区块链成员节点的访问Allows for access to Blockchain Member nodes | 31a002a1-acaf-453e-8a5b-297c9ca1ea2431a002a1-acaf-453e-8a5b-297c9ca1ea24 |
| AI + 机器学习AI + machine learning | ||
| 认知服务参与者Cognitive Services Contributor | 允许创建、读取、更新、删除和管理认知服务的密钥。Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee6825fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
| 认知服务自定义视觉参与者Cognitive Services Custom Vision Contributor | 对项目的完全访问权限,包括可以查看、创建、编辑或删除项目。Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
| 认知服务自定义视觉部署Cognitive Services Custom Vision Deployment | 发布、取消发布或导出模型。Publish, unpublish or export models. 部署可以查看项目,但不能更新项目。Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f5c4089e1-6d96-4d2f-b296-c1bc7137275f |
| 认知服务自定义视觉标记者Cognitive Services Custom Vision Labeler | 查看、编辑训练图像,创建、添加、移除或删除图像标记。View, edit training images and create, add, remove, or delete the image tags. 标记者可以查看项目,但不能更新除训练图像和标记以外的任何内容。Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c88424f51-ebe7-446f-bc41-7fa16989e96c |
| 认知服务自定义视觉读取者Cognitive Services Custom Vision Reader | 只读项目中的操作。Read-only actions in the project. 读取者不能创建或更新项目。Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d7393586559-c37d-4a6b-ba08-b9f0940c2d73 |
| 认知服务自定义视觉训练者Cognitive Services Custom Vision Trainer | 查看、编辑项目和训练模型,包括可以发布、取消发布、导出模型。View, edit projects and train the models, including the ability to publish, unpublish, export the models. 训练者不能创建或删除项目。Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
| 认知服务数据读取者(预览版)Cognitive Services Data Reader (Preview) | 允许读取认知服务数据。Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1cb59867f0-fa02-499b-be73-45a86b5b3e1c |
| 认知服务指标顾问管理员Cognitive Services Metrics Advisor Administrator | 拥有对项目的完全访问权限,包括系统级配置。Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34acb43c632-a144-4ec5-977c-e80c4affc34a |
| 认知服务 QnA Maker 编辑者Cognitive Services QnA Maker Editor | 允许你创建、编辑、导入和导出知识库。Let's you create, edit, import and export a KB. 但不能发布或删除知识库。You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
| 认知服务 QnA Maker 读取者Cognitive Services QnA Maker Reader | 只能读取和测试知识库。Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126466ccd10-b268-4a11-b098-b4849f024126 |
| 认知服务用户Cognitive Services User | 允许读取和列出认知服务的密钥。Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908a97b65f3-24c7-4388-baec-2e87135dc908 |
| 混合现实Mixed reality | ||
| 远程渲染管理员Remote Rendering Administrator | 为用户提供 Azure 远程渲染的转换、管理会话、渲染和诊断功能Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
| 远程渲染客户端Remote Rendering Client | 为用户提供 Azure 远程渲染的管理会话、渲染和诊断功能。Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0ad39065c4-c120-43c9-ab0a-63eed9795f0a |
| 空间定位点帐户参与者Spatial Anchors Account Contributor | 允许管理帐户中的空间定位点,但不能删除它们Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c8278bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
| 空间定位点帐户所有者Spatial Anchors Account Owner | 允许管理帐户中的空间定位点,包括删除它们Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c70bbe301-9835-447d-afdd-19eb3167307c |
| 空间定位点帐户读取者Spatial Anchors Account Reader | 允许查找并读取帐户中的空间定位点的属性Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c494135d51204f-eb77-4b1c-b86a-2ec626c49413 |
| 集成Integration | ||
| API 管理服务参与者API Management Service Contributor | 可以管理服务和 APICan manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c312a565d-c81f-4fd8-895a-4e21e48d571c |
| API 管理服务操作员角色API Management Service Operator Role | 可以管理服务,但不可管理 APICan manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
| API 管理服务读者角色API Management Service Reader Role | 对服务和 API 的只读访问权限Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d71522526-b88f-4d52-b57f-d31fc3546d0d |
| 应用程序配置数据所有者App Configuration Data Owner | 允许对应用程序配置数据进行完全访问。Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
| 应用程序配置数据读取者App Configuration Data Reader | 允许对应用程序配置数据进行读取访问。Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071516239f1-63e1-4d78-a4de-a74fb236a071 |
| Azure 服务总线数据所有者Azure Service Bus Data Owner | 允许完全访问 Azure 服务总线资源。Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419090c5cfd-751d-490a-894a-3ce6f1109419 |
| Azure 服务总线数据接收方Azure Service Bus Data Receiver | 允许对 Azure 服务总线资源进行接收访问。Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e04f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
| Azure 服务总线数据发送方Azure Service Bus Data Sender | 允许对 Azure 服务总线资源进行发送访问。Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a3969a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
| Azure Stack 注册所有者Azure Stack Registration Owner | 允许管理 Azure Stack 注册。Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
| EventGrid EventSubscription 参与者EventGrid EventSubscription Contributor | 可以管理 EventGrid 事件订阅操作。Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
| EventGrid EventSubscription 读者EventGrid EventSubscription Reader | 可以读取 EventGrid 事件订阅。Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-0454607484052414bbcf-6497-4faf-8c65-045460748405 |
| FHIR 数据参与者FHIR Data Contributor | 角色允许用户或主体完全访问 FHIR 数据Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd5a1fc7df-4bf1-4951-a576-89034ee01acd |
| FHIR 数据导出者FHIR Data Exporter | 角色允许用户或主体读取和导出 FHIR 数据Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e8433db33094-8700-4567-8da5-1501d4e7e843 |
| FHIR 数据读取者FHIR Data Reader | 角色允许用户或主体读取 FHIR 数据Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d815084c8d0bbc-75d3-4935-991f-5f3c56d81508 |
| FHIR 数据写入者FHIR Data Writer | 角色允许用户或主体读取和写入 FHIR 数据Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba52945599133f88fce4-5892-4214-ae73-ba5294559913 |
| 集成服务环境参与者Integration Service Environment Contributor | 允许管理集成服务环境,但不允许访问这些环境。Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
| 集成服务环境开发人员Integration Service Environment Developer | 允许开发人员在集成服务环境中创建和更新工作流、集成帐户与 API 连接。Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ecc7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
| Intelligent Systems 帐户参与者Intelligent Systems Account Contributor | 允许管理智能系统帐户,但不允许访问这些帐户。Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e03a6d094-3444-4b3d-88af-7477090a9e5e |
| 逻辑应用参与者Logic App Contributor | 允许管理逻辑应用,但不允许更改其访问权限。Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e87a39d53-fc1b-424a-814c-f7e04687dc9e |
| 逻辑应用操作员Logic App Operator | 允许读取、启用和禁用逻辑应用,但不允许编辑或更新它们。Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |
| 标识Identity | ||
| 托管的标识参与者Managed Identity Contributor | 创建、读取、更新和删除用户分配的标识Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
| 托管的标识操作员Managed Identity Operator | 读取和分配用户分配的标识Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830f1a07417-d97a-45cb-824c-7a7467783830 |
| 安全性Security | ||
| 证明参与者Attestation Contributor | 可读写或删除证明提供者实例Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86ebbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
| 证明读取者Attestation Reader | 可以读取证明提供程序属性Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
| Azure Sentinel 参与者Azure Sentinel Contributor | Azure Sentinel 参与者Azure Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addadeab8e14d6-4a74-4a29-9ba8-549422addade |
| Azure Sentinel 读取者Azure Sentinel Reader | Azure Sentinel 读取者Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb8d289c81-5878-46d4-8554-54e1e3d8b5cb |
| Azure Sentinel 响应方Azure Sentinel Responder | Azure Sentinel 响应方Azure Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd0563e150937-b8fe-4cfb-8069-0eaf05ecd056 |
| Key Vault 管理员Key Vault Administrator | 对密钥保管库以及其中的所有对象(包括证书、密钥和机密)执行所有数据平面操作。Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. 无法管理密钥保管库资源或管理角色分配。Cannot manage key vault resources or manage role assignments. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e7448300482a5a-887f-4fb3-b363-3b7fe8e74483 |
| Key Vault 证书管理人员Key Vault Certificates Officer | 对密钥保管库的证书执行任何操作(管理权限除外)。Perform any action on the certificates of a key vault, except manage permissions. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985a4417e6f-fecd-4de8-b567-7b0420556985 |
| 密钥保管库参与者Key Vault Contributor | 管理密钥保管库,但不允许在 Azure RBAC 中分配角色,也不允许访问机密、密钥或证书。Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395f25e0fa2-a7c8-4377-a976-54943a77a395 |
| Key Vault 加密管理人员Key Vault Crypto Officer | 对密钥保管库的密钥执行任何操作(管理权限除外)。Perform any action on the keys of a key vault, except manage permissions. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf6060314b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| 密钥保管库加密服务加密用户Key Vault Crypto Service Encryption User | 读取密钥的元数据并执行包装/展开操作。Read metadata of keys and perform wrap/unwrap operations. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| Key Vault 加密用户Key Vault Crypto User | 使用密钥执行加密操作。Perform cryptographic operations using keys. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d29742412338af0-0e69-4776-bea7-57ae8d297424 |
| Key Vault 读取者Key Vault Reader | 读取密钥保管库及其证书、密钥和机密的元数据。Read metadata of key vaults and its certificates, keys, and secrets. 无法读取机密内容或密钥材料等敏感值。Cannot read sensitive values such as secret contents or key material. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d221090545-7ca7-4776-b22c-e363652d74d2 |
| Key Vault 机密管理人员Key Vault Secrets Officer | 对密钥保管库的机密执行任何操作(管理权限除外)。Perform any action on the secrets of a key vault, except manage permissions. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| Key Vault 机密用户Key Vault Secrets User | 读取机密内容。Read secret contents. 仅适用于使用“Azure 基于角色的访问控制”权限模型的密钥保管库。Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e64633458b-17de-408a-b874-0445c86b69e6 |
| 安全管理员Security Admin | 查看和更新安全中心的权限。View and update permissions for Security Center. 与安全读取者角色具有相同的权限,还可以更新安全策略并关闭警报和建议。Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. | fb1c8493-542b-48eb-b624-b4c8fea62acdfb1c8493-542b-48eb-b624-b4c8fea62acd |
| 安全评估参与者Security Assessment Contributor | 允许你将评估推送到安全中心Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
| 安全管理器(旧版)Security Manager (Legacy) | 这是旧角色。This is a legacy role. 请改用安全管理员。Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
| 安全读取者Security Reader | 查看安全中心的权限。View permissions for Security Center. 可以查看但不能更改建议、警报、安全策略和安全状态。Can view recommendations, alerts, a security policy, and security states, but cannot make changes. | 39bc4728-0917-49c7-9d2c-d95423bc2eb439bc4728-0917-49c7-9d2c-d95423bc2eb4 |
| DevOpsDevOps | ||
| DevTest 实验室用户DevTest Labs User | 允许连接、启动、重启和关闭 Azure 开发测试实验室中的虚拟机。Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c6476283e04-6283-4c54-8f91-bcf1374a3c64 |
| 实验室创建者Lab Creator | 允许在 Azure 实验室帐户下新建实验室。Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65eadb97fb8bc-a8b2-4522-a38b-dd33c7e65ead |
| 监视Monitor | ||
| Application Insights 组件参与者Application Insights Component Contributor | 可管理 Application Insights 组件Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347eae349356-3a1b-4a5e-921d-050484c6347e |
| Application Insights 快照调试器Application Insights Snapshot Debugger | 授予用户查看和下载使用 Application Insights Snapshot Debugger 收集的调试快照的权限。Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. 请注意,所有者或参与者角色不包括这些权限。Note that these permissions are not included in the Owner or Contributor roles. 在向用户授予 Application Insights Snapshot Debugger 角色时,必须将该角色直接授予用户。When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. 将角色添加到自定义角色时,无法识别该角色。The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b08954f03-6346-4c2e-81c0-ec3a5cfae23b |
| 监视参与者Monitoring Contributor | 可以读取所有监视数据和编辑监视设置。Can read all monitoring data and edit monitoring settings. 另请参阅 Azure Monitor 的角色、权限和安全入门。See also Get started with roles, permissions, and security with Azure Monitor. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa749f88d5-cbae-40b8-bcfc-e573ddc772fa |
| 监视指标发布者Monitoring Metrics Publisher | 允许针对 Azure 资源发布指标Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb3913510d-42f4-4e42-8a64-420c390055eb |
| 监视读取者Monitoring Reader | 可以读取所有监视数据(指标、日志等)。Can read all monitoring data (metrics, logs, etc.). 另请参阅 Azure Monitor 的角色、权限和安全入门。See also Get started with roles, permissions, and security with Azure Monitor. | 43d0d8ad-25c7-4714-9337-8ba259a9fe0543d0d8ad-25c7-4714-9337-8ba259a9fe05 |
| 工作簿参与者Workbook Contributor | 可以保存共享的工作簿。Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ade8ddcd69-c73f-4f9f-9844-4100522f16ad |
| 工作簿读者Workbook Reader | 可以读取工作簿。Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4db279062a-9be3-42a0-92ae-8b3cf002ec4d |
| 管理 + 治理Management + governance | ||
| 自动化作业操作员Automation Job Operator | 使用自动化 Runbook 创建和管理作业。Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f4fe576fe-1146-4730-92eb-48519fa6bf9f |
| 自动化运算符Automation Operator | 自动化操作员能够启动、停止、暂停和恢复作业Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404d3881f73-407a-4167-8283-e981cbba0404 |
| 自动化 Runbook 操作员Automation Runbook Operator | 读取 Runbook 属性 - 以能够创建 runbook 的作业。Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab55fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |
| Azure Connected Machine 加入Azure Connected Machine Onboarding | 可以加入 Azure Connected Machine。Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 |
| Azure Connected Machine 资源管理员Azure Connected Machine Resource Administrator | 可以读取、写入、删除和重新加入 Azure Connected Machine。Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302cd570a14-e51a-42ad-bac8-bafd67325302 |
| 计费读者Billing Reader | 允许对帐单数据进行读取访问Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |
| 蓝图参与者Blueprint Contributor | 可以管理蓝图定义,但不能对其进行分配。Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b441077137-e803-4205-871c-5a86e6a753b4 |
| 蓝图操作员Blueprint Operator | 可以指定现有已发布的蓝图,但不能创建新的蓝图。Can assign existing published blueprints, but cannot create new blueprints. 请注意:仅当使用用户分配的托管标识完成分配时,此分配才有效。Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090437d2ced-4a38-4302-8479-ed2bcb43d090 |
| 成本管理参与者Cost Management Contributor | 可以查看成本和管理成本配置(例如预算、导出)Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430434105ed-43f6-45c7-a02f-909b2ba83430 |
| 成本管理读者Cost Management Reader | 可以查看成本数据和配置(例如预算、导出)Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a372fafb9e-0641-4937-9268-a91bfd8191a3 |
| 层次结构设置管理员Hierarchy Settings Administrator | 允许用户编辑和删除层次结构设置Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d350f8d15-c687-4448-8ae1-157740a3936d |
| Kubernetes 群集 - Azure Arc 载入Kubernetes Cluster - Azure Arc Onboarding | 授权任何用户/服务创建 connectedClusters 资源的角色定义Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d4134e09817-6cbe-4d01-b1a2-e0eac5743d41 |
| 托管应用程序参与者角色Managed Application Contributor Role | 允许创建托管应用程序资源。Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e641177b8-a67a-45b9-a033-47bc880bb21e |
| 托管应用程序操作员角色Managed Application Operator Role | 可让你在托管应用程序资源上读取和执行操作Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6aec7393b34-138c-406f-901b-d8cf2b17e6ae |
| 托管应用程序读者Managed Applications Reader | 允许读取托管应用中的资源并请求 JIT 访问。Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44b9331d33-8a36-4f8c-b097-4f54124fdb44 |
| 托管服务注册分配删除角色Managed Services Registration assignment Delete Role | 托管服务注册分配删除角色允许管理租户用户删除分配给其租户的注册分配。Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e4691c1777a-f3dc-4fae-b103-61d183457e46 |
| 管理组参与者Management Group Contributor | 管理组参与者角色Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c |
| 管理组读取者Management Group Reader | 管理组读取者角色Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939dac63b705-f282-497d-ac71-919bf39d939d |
| New elic APM 帐户参与者New Relic APM Account Contributor | 允许管理 New Relic 应用程序性能管理帐户和应用程序,但不允许访问它们。Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df2375d28c62d-5b37-4476-8438-e587778df237 |
| 策略见解数据编写者(预览)Policy Insights Data Writer (Preview) | 允许对资源策略进行读取访问,并允许对资源组件策略事件进行写入访问。Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be8466bb4e9e-b016-4a94-8249-4c0511c2be84 |
| 预留买方Reservation Purchaser | 允许你购买预留Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689f7b75c60-3036-4b75-91c3-6b41c27c1689 |
| 资源策略参与者Resource Policy Contributor | 有权创建/修改资源策略、创建支持票证和读取资源/层次结构的用户。Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d2860836243c78-bf99-498c-9df9-86d9f8d28608 |
| Site Recovery 参与者Site Recovery Contributor | 允许管理除保管库创建和角色分配外的 Site Recovery 服务Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be45676670b86e-a3f7-4917-ac9b-5d6ab1be4567 |
| Site Recovery 操作员Site Recovery Operator | 允许进行故障转移和故障回复,但不允许执行其他 Site Recovery 管理操作Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca494ae006-db33-4328-bf46-533a6560a3ca |
| Site Recovery 读取者Site Recovery Reader | 允许查看 Site Recovery 状态,但不允许执行其他管理操作Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149dbaa88c4-0c30-4179-9fb3-46319faa6149 |
| 支持请求参与者Support Request Contributor | 允许创建和管理支持请求Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24ecfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
| 标记参与者Tag Contributor | 允许你管理实体上的标记,而无需提供对实体本身的访问权限。Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
| 其他Other | ||
| Azure 数字孪生数据所有者Azure Digital Twins Data Owner | 对数字孪生数据平面具有完全访问权限的角色Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffebcd981a7-7f74-457b-83e1-cceb9e632ffe |
| Azure 数字孪生数据读者Azure Digital Twins Data Reader | 对数字孪生数据平面具有只读权限的角色Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3d57506d4-4c8d-48b1-8587-93c323f6a5a3 |
| BizTalk 参与者BizTalk Contributor | 允许管理 BizTalk 服务,但不允许访问这些服务。Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac733425e3c6656-6cfa-4708-81fe-0de47ac73342 |
| 桌面虚拟化应用程序组参与者Desktop Virtualization Application Group Contributor | 桌面虚拟化应用程序组参与者。Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba886240b0e-9422-4c43-887b-b61143f32ba8 |
| 桌面虚拟化应用程序组读取者Desktop Virtualization Application Group Reader | 桌面虚拟化应用程序组读取者。Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
| 桌面虚拟化参与者Desktop Virtualization Contributor | 桌面虚拟化参与者。Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387082f0a83-3be5-4ba1-904c-961cca79b387 |
| 桌面虚拟化主机池参与者Desktop Virtualization Host Pool Contributor | 桌面虚拟化主机池参与者。Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bce307426c-f9b6-4e81-87de-d99efb3c32bc |
| 桌面虚拟化主机池读取者Desktop Virtualization Host Pool Reader | 桌面虚拟化主机池读取者。Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822ceadfde2-b300-400a-ab7b-6143895aa822 |
| 桌面虚拟化读取者Desktop Virtualization Reader | 桌面虚拟化读取者。Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b64920386849a72310-ab8d-41df-bbb0-79b649203868 |
| 桌面虚拟化会话主机操作员Desktop Virtualization Session Host Operator | 桌面虚拟化会话主机操作员。Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f5624082ad6aaab-ead9-4eaa-8ac5-da422f562408 |
| 桌面虚拟化用户Desktop Virtualization User | 允许用户使用应用程序组中的应用程序。Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e631d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 |
| 桌面虚拟化用户会话操作员Desktop Virtualization User Session Operator | 桌面虚拟化用户会话操作员。Operator of the Desktop Virtualization Uesr Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |
| 桌面虚拟化工作区参与者Desktop Virtualization Workspace Contributor | 桌面虚拟化工作区参与者。Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b21efdde3-836f-432b-bf3d-3e8e734d4b2b |
| 桌面虚拟化工作区读取者Desktop Virtualization Workspace Reader | 桌面虚拟化工作区读取者。Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d0fa44ee9-7a7d-466b-9bb2-2bf446b1204d |
| 磁盘备份读取者Disk Backup Reader | 向备份保管库提供执行磁盘备份的权限。Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f243e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| 磁盘还原操作员Disk Restore Operator | 向备份保管库提供执行磁盘还原的权限。Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13b50d9833-a0cb-478e-945f-707fcc997c13 |
| 磁盘快照参与者Disk Snapshot Contributor | 向备份保管库提供管理磁盘快照的权限。Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce7efff54f-a5b4-42b5-a1c5-5411624893ce |
| 计划程序作业集合参与者Scheduler Job Collections Contributor | 允许管理计划程序作业集合,但不允许访问这些集合。Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
| 服务中心操作员Services Hub Operator | “服务中心操作员”允许你执行与服务中心连接器相关的所有读取、写入和删除操作。Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b82200a5b-e217-47a5-b665-6d8765ee745b |
常规General
参与者Contributor
授予完全访问权限来管理所有资源,但不允许在 Azure RBAC 中分配角色或在 Azure 蓝图中管理分配,也不允许共享映像库。Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| * | 创建和管理所有类型的资源Create and manage resources of all types |
| 不操作NotActions | |
| Microsoft.Authorization/*/DeleteMicrosoft.Authorization/*/Delete | 删除角色、策略分配、策略定义和策略集定义Delete roles, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/*/WriteMicrosoft.Authorization/*/Write | 创建角色、角色分配、策略分配、策略定义和策略集定义Create roles, role assignments, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/elevateAccess/ActionMicrosoft.Authorization/elevateAccess/Action | 向调用方授予租户范围的“用户访问管理员”访问权限Grants the caller User Access Administrator access at the tenant scope |
| Microsoft.Blueprint/blueprintAssignments/writeMicrosoft.Blueprint/blueprintAssignments/write | 创建或更新任何蓝图分配Create or update any blueprint assignments |
| Microsoft.Blueprint/blueprintAssignments/deleteMicrosoft.Blueprint/blueprintAssignments/delete | 删除任何蓝图分配Delete any blueprint assignments |
| Microsoft.Compute/galleries/share/actionMicrosoft.Compute/galleries/share/action | 将库共享到不同的范围Shares a Gallery to different scopes |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
所有者Owner
授予管理所有资源的完全访问权限,包括允许在 Azure RBAC 中分配角色。Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| * | 创建和管理所有类型的资源Create and manage resources of all types |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"permissions": [
{
"actions": [
"*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
读取器Reader
查看所有资源,但不允许进行任何更改。View all resources, but does not allow you to make any changes. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| */read*/read | 读取除密码外的所有类型的资源。Read resources of all types, except secrets. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "View all resources, but does not allow you to make any changes.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
用户访问管理员User Access Administrator
允许管理用户对 Azure 资源的访问权限。Lets you manage user access to Azure resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| */read*/read | 读取除密码外的所有类型的资源。Read resources of all types, except secrets. |
| Microsoft.Authorization/*Microsoft.Authorization/* | 管理授权Manage authorization |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage user access to Azure resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "User Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
计算Compute
经典虚拟机参与者Classic Virtual Machine Contributor
允许管理经典虚拟机,但不允许访问这些虚拟机及其连接到的虚拟网络或存储帐户。Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.ClassicCompute/domainNames/*Microsoft.ClassicCompute/domainNames/* | 创建和管理经典计算域名Create and manage classic compute domain names |
| Microsoft.ClassicCompute/virtualMachines/*Microsoft.ClassicCompute/virtualMachines/* | 创建和管理虚拟机Create and manage virtual machines |
| Microsoft.ClassicNetwork/networkSecurityGroups/join/actionMicrosoft.ClassicNetwork/networkSecurityGroups/join/action | |
| Microsoft.ClassicNetwork/reservedIps/link/actionMicrosoft.ClassicNetwork/reservedIps/link/action | 链接保留 IPLink a reserved Ip |
| Microsoft.ClassicNetwork/reservedIps/readMicrosoft.ClassicNetwork/reservedIps/read | 获取保留 IPGets the reserved Ips |
| Microsoft.ClassicNetwork/virtualNetworks/join/actionMicrosoft.ClassicNetwork/virtualNetworks/join/action | 加入虚拟网络。Joins the virtual network. |
| Microsoft.ClassicNetwork/virtualNetworks/readMicrosoft.ClassicNetwork/virtualNetworks/read | 获取虚拟网络。Get the virtual network. |
| Microsoft.ClassicStorage/storageAccounts/disks/readMicrosoft.ClassicStorage/storageAccounts/disks/read | 返回存储帐户磁盘。Returns the storage account disk. |
| Microsoft.ClassicStorage/storageAccounts/images/readMicrosoft.ClassicStorage/storageAccounts/images/read | 返回存储帐户映像。Returns the storage account image. (已弃用。(Deprecated. 请使用“Microsoft.ClassicStorage/storageAccounts/vmImages”)Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') |
| Microsoft.ClassicStorage/storageAccounts/listKeys/actionMicrosoft.ClassicStorage/storageAccounts/listKeys/action | 列出存储帐户的访问密钥。Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/readMicrosoft.ClassicStorage/storageAccounts/read | 返回包含给定帐户的存储帐户。Return the storage account with the given account. |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机管理员登录Virtual Machine Administrator Login
在门户中查看虚拟机并以管理员身份登录 了解详细信息View Virtual Machines in the portal and login as administrator Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Network/publicIPAddresses/readMicrosoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/loadBalancers/readMicrosoft.Network/loadBalancers/read | 获取负载均衡器定义Gets a load balancer definition |
| Microsoft.Network/networkInterfaces/readMicrosoft.Network/networkInterfaces/read | 获取网络接口定义。Gets a network interface definition. |
| Microsoft.Compute/virtualMachines/*/readMicrosoft.Compute/virtualMachines/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Compute/virtualMachines/login/actionMicrosoft.Compute/virtualMachines/login/action | 以普通用户身份登录虚拟机Log in to a virtual machine as a regular user |
| Microsoft.Compute/virtualMachines/loginAsAdmin/actionMicrosoft.Compute/virtualMachines/loginAsAdmin/action | 以 Windows 管理员身份或 Linux 根用户权限登录虚拟机Log in to a virtual machine with Windows administrator or Linux root user privileges |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as administrator",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机参与者Virtual Machine Contributor
允许管理虚拟机,但不允许访问这些虚拟机及其连接到的虚拟网络或存储帐户。Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Compute/availabilitySets/*Microsoft.Compute/availabilitySets/* | 创建和管理计算可用性集Create and manage compute availability sets |
| Microsoft.Compute/locations/*Microsoft.Compute/locations/* | 创建和管理计算位置Create and manage compute locations |
| Microsoft.Compute/virtualMachines/*Microsoft.Compute/virtualMachines/* | 执行所有虚拟机操作,包括创建、更新、删除、启动、重新启动和关闭虚拟机。Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. 在虚拟机上执行预定义的脚本。Execute predefined scripts on virtual machines. |
| Microsoft.Compute/virtualMachineScaleSets/*Microsoft.Compute/virtualMachineScaleSets/* | 创建和管理虚拟机规模集Create and manage virtual machine scale sets |
| Microsoft.Compute/disks/writeMicrosoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/readMicrosoft.Compute/disks/read | 获取磁盘的属性Get the properties of a Disk |
| Microsoft.Compute/disks/deleteMicrosoft.Compute/disks/delete | 删除磁盘Deletes the Disk |
| Microsoft.DevTestLab/schedules/*Microsoft.DevTestLab/schedules/* | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Network/applicationGateways/backendAddressPools/join/actionMicrosoft.Network/applicationGateways/backendAddressPools/join/action | 加入应用程序网关后端地址池。Joins an application gateway backend address pool. 不可发出警报。Not Alertable. |
| Microsoft.Network/loadBalancers/backendAddressPools/join/actionMicrosoft.Network/loadBalancers/backendAddressPools/join/action | 加入负载均衡器后端地址池。Joins a load balancer backend address pool. 不可发出警报。Not Alertable. |
| Microsoft.Network/loadBalancers/inboundNatPools/join/actionMicrosoft.Network/loadBalancers/inboundNatPools/join/action | 加入负载均衡器入站 NAT 池。Joins a load balancer inbound NAT pool. 不可发出警报。Not alertable. |
| Microsoft.Network/loadBalancers/inboundNatRules/join/actionMicrosoft.Network/loadBalancers/inboundNatRules/join/action | 加入负载均衡器入站 NAT 规则。Joins a load balancer inbound nat rule. 不可发出警报。Not Alertable. |
| Microsoft.Network/loadBalancers/probes/join/actionMicrosoft.Network/loadBalancers/probes/join/action | 允许使用负载均衡器的探测。Allows using probes of a load balancer. 例如,使用此权限,VM 规模集的 healthProbe 属性可以引用探测。For example, with this permission healthProbe property of VM scale set can reference the probe. 不可发出警报。Not alertable. |
| Microsoft.Network/loadBalancers/readMicrosoft.Network/loadBalancers/read | 获取负载均衡器定义Gets a load balancer definition |
| Microsoft.Network/locations/*Microsoft.Network/locations/* | 创建和管理网络位置Create and manage network locations |
| Microsoft.Network/networkInterfaces/*Microsoft.Network/networkInterfaces/* | 创建和管理网络接口Create and manage network interfaces |
| Microsoft.Network/networkSecurityGroups/join/actionMicrosoft.Network/networkSecurityGroups/join/action | 加入网络安全组。Joins a network security group. 不可发出警报。Not Alertable. |
| Microsoft.Network/networkSecurityGroups/readMicrosoft.Network/networkSecurityGroups/read | 获取网络安全组定义Gets a network security group definition |
| Microsoft.Network/publicIPAddresses/join/actionMicrosoft.Network/publicIPAddresses/join/action | 加入公共 IP 地址。Joins a public ip address. 不可发出警报。Not Alertable. |
| Microsoft.Network/publicIPAddresses/readMicrosoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。Joins a virtual network. 不可发出警报。Not Alertable. |
| Microsoft.RecoveryServices/locations/*Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | 创建备份保护意向Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | 创建备份受保护项Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupPolicies/writeMicrosoft.RecoveryServices/Vaults/backupPolicies/write | 创建保护策略Creates Protection Policy |
| Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/writeMicrosoft.RecoveryServices/Vaults/write | “创建保管库”操作创建“vault”类型的 Azure 资源Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.SqlVirtualMachine/*Microsoft.SqlVirtualMachine/* | |
| Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机用户登录Virtual Machine User Login
在门户中查看虚拟机并以普通用户身份登录。View Virtual Machines in the portal and login as a regular user. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Network/publicIPAddresses/readMicrosoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/loadBalancers/readMicrosoft.Network/loadBalancers/read | 获取负载均衡器定义Gets a load balancer definition |
| Microsoft.Network/networkInterfaces/readMicrosoft.Network/networkInterfaces/read | 获取网络接口定义。Gets a network interface definition. |
| Microsoft.Compute/virtualMachines/*/readMicrosoft.Compute/virtualMachines/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Compute/virtualMachines/login/actionMicrosoft.Compute/virtualMachines/login/action | 以普通用户身份登录虚拟机Log in to a virtual machine as a regular user |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular user.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
网络Networking
CDN 终结点参与者CDN Endpoint Contributor
可以管理 CDN 终结点,但不能向其他用户授予访问权限。Can manage CDN endpoints, but can't grant access to other users.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Cdn/edgenodes/readMicrosoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/*Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/endpoints/*Microsoft.Cdn/profiles/endpoints/* | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN endpoints, but can't grant access to other users.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 终结点读者CDN Endpoint Reader
可以查看 CDN 终结点,但不能进行更改。Can view CDN endpoints, but can't make changes.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Cdn/edgenodes/readMicrosoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/*Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/endpoints/*/readMicrosoft.Cdn/profiles/endpoints/*/read | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN endpoints, but can't make changes.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 配置文件参与者CDN Profile Contributor
可以管理 CDN 配置文件及其终结点,但不能向其他用户授予访问权限。Can manage CDN profiles and their endpoints, but can't grant access to other users.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Cdn/edgenodes/readMicrosoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/*Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/*Microsoft.Cdn/profiles/* | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
"name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN 配置文件读者CDN Profile Reader
可以查看 CDN 配置文件及其终结点,但不能进行更改。Can view CDN profiles and their endpoints, but can't make changes.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Cdn/edgenodes/readMicrosoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/*Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/*/readMicrosoft.Cdn/profiles/*/read | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN profiles and their endpoints, but can't make changes.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
"name": "8f96442b-4075-438f-813d-ad51ab4019af",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典网络参与者Classic Network Contributor
允许管理经典网络,但不允许访问这些网络。Lets you manage classic networks, but not access to them. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.ClassicNetwork/*Microsoft.ClassicNetwork/* | 创建和管理经典网络Create and manage classic networks |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic networks, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicNetwork/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DNS 区域参与者DNS Zone Contributor
允许管理 Azure DNS 中的 DNS 区域和记录集,但不允许控制对其访问的人员。Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Network/dnsZones/*Microsoft.Network/dnsZones/* | 创建和管理 DNS 区域和记录Create and manage DNS zones and records |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
"name": "befefa01-2a29-4197-83a8-272ff33ce314",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/dnsZones/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
网络参与者Network Contributor
允许管理网络,但不允许访问这些网络。Lets you manage networks, but not access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Network/*Microsoft.Network/* | 创建并管理网络Create and manage networks |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage networks, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
专用 DNS 区域参与者Private DNS Zone Contributor
允许管理专用 DNS 区域资源,但不允许管理它们所链接到的虚拟网络。Lets you manage private DNS zone resources, but not the virtual networks they are linked to. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Network/privateDnsZones/*Microsoft.Network/privateDnsZones/* | |
| Microsoft.Network/privateDnsOperationResults/*Microsoft.Network/privateDnsOperationResults/* | |
| Microsoft.Network/privateDnsOperationStatuses/*Microsoft.Network/privateDnsOperationStatuses/* | |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/virtualNetworks/join/actionMicrosoft.Network/virtualNetworks/join/action | 加入虚拟网络。Joins a virtual network. 不可发出警报。Not Alertable. |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"permissions": [
{
"actions": [
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/privateDnsZones/*",
"Microsoft.Network/privateDnsOperationResults/*",
"Microsoft.Network/privateDnsOperationStatuses/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Private DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
流量管理器参与者Traffic Manager Contributor
允许管理流量管理器配置文件,但不允许控制谁可以访问它们。Lets you manage Traffic Manager profiles, but does not let you control who has access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Network/trafficManagerProfiles/*Microsoft.Network/trafficManagerProfiles/* | |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Traffic Manager Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储Storage
Avere 参与者Avere Contributor
可以创建和管理 Avere vFXT 群集。Can create and manage an Avere vFXT cluster.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Compute/*/readMicrosoft.Compute/*/read | |
| Microsoft.Compute/availabilitySets/*Microsoft.Compute/availabilitySets/* | |
| Microsoft.Compute/proximityPlacementGroups/*Microsoft.Compute/proximityPlacementGroups/* | |
| Microsoft.Compute/virtualMachines/*Microsoft.Compute/virtualMachines/* | |
| Microsoft.Compute/disks/*Microsoft.Compute/disks/* | |
| Microsoft.Network/*/readMicrosoft.Network/*/read | |
| Microsoft.Network/networkInterfaces/*Microsoft.Network/networkInterfaces/* | |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/readMicrosoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。Joins a virtual network. 不可发出警报。Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。Joins resource such as storage account or SQL database to a subnet. 不可发出警报。Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/actionMicrosoft.Network/networkSecurityGroups/join/action | 加入网络安全组。Joins a network security group. 不可发出警报。Not Alertable. |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Storage/*/readMicrosoft.Storage/*/read | |
| Microsoft.Storage/storageAccounts/*Microsoft.Storage/storageAccounts/* | 创建和管理存储帐户Create and manage storage accounts |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Resources/subscriptions/resourceGroups/resources/readMicrosoft.Resources/subscriptions/resourceGroups/resources/read | 获取资源组的资源。Gets the resources for the resource group. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 返回删除 blob 的结果Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 blob 或 blob 列表Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/writeMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/write | 返回写入 blob 的结果Returns the result of writing a blob |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Avere 操作员Avere Operator
由 Avere vFXT 群集用来管理群集。Used by the Avere vFXT cluster to manage the cluster.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Compute/virtualMachines/readMicrosoft.Compute/virtualMachines/read | 获取虚拟机的属性Get the properties of a virtual machine |
| Microsoft.Network/networkInterfaces/readMicrosoft.Network/networkInterfaces/read | 获取网络接口定义。Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/writeMicrosoft.Network/networkInterfaces/write | 创建网络接口,或更新现有的网络接口。Creates a network interface or updates an existing network interface. |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/readMicrosoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/actionMicrosoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。Joins a virtual network. 不可发出警报。Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/actionMicrosoft.Network/networkSecurityGroups/join/action | 加入网络安全组。Joins a network security group. 不可发出警报。Not Alertable. |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/blobServices/containers/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/delete | 返回删除容器的结果Returns the result of deleting a container |
| Microsoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/containers/read | 返回容器列表Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/writeMicrosoft.Storage/storageAccounts/blobServices/containers/write | 返回放置 blob 容器的结果Returns the result of put blob container |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 返回删除 blob 的结果Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 blob 或 blob 列表Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/writeMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/write | 返回写入 blob 的结果Returns the result of writing a blob |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份参与者Backup Contributor
允许管理备份服务,但不允许创建保管库及授予他人访问权限 了解详细信息Lets you manage backup service, but can't create vaults and give access to others Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.RecoveryServices/locations/*Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | 管理备份管理操作的结果Manage results of operation on backup management |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | 在恢复服务保管库的备份结构内创建和管理备份容器Create and manage backup containers inside backup fabrics of Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | 刷新容器列表Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/*Microsoft.RecoveryServices/Vaults/backupJobs/* | 创建和管理备份作业Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/*Microsoft.RecoveryServices/Vaults/backupOperationResults/* | 创建和管理备份管理操作的结果Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/*Microsoft.RecoveryServices/Vaults/backupPolicies/* | 创建和管理备份策略Create and manage backup policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/*Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | 创建和管理可以备份的项Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/*Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | 创建和管理备份项Create and manage backed up items |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | 创建和管理保存备份项的容器Create and manage containers holding backup items |
| Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/*Microsoft.RecoveryServices/Vaults/certificates/* | 创建和管理与恢复服务保管库中的备份相关的证书Create and manage certificates related to backup in Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/extendedInformation/*Microsoft.RecoveryServices/Vaults/extendedInformation/* | 创建和管理与保管库相关的扩展信息Create and manage extended info related to vault |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/*Microsoft.RecoveryServices/Vaults/registeredIdentities/* | 创建和管理已注册标识Create and manage registered identities |
| Microsoft.RecoveryServices/Vaults/usages/*Microsoft.RecoveryServices/Vaults/usages/* | 创建和管理恢复服务保管库的使用情况Create and manage usage of Recovery Services vault |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/*Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupconfig/*Microsoft.RecoveryServices/Vaults/backupconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/actionMicrosoft.RecoveryServices/Vaults/backupValidateOperation/action | 验证对受保护项的操作Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/writeMicrosoft.RecoveryServices/Vaults/write | “创建保管库”操作创建“vault”类型的 Azure 资源Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | 获取所有可保护的容器Get all protectable containers |
| Microsoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/actionMicrosoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能Validate Features |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。Resolves the alert. |
| Microsoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向List all backup Protection Intents |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup service,but can't create vaults and give access to others",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份操作员Backup Operator
允许管理备份服务,但删除备份、创建保管库及授予他人访问权限除外 了解详细信息Lets you manage backup services, except removal of backup, vault creation and giving access to others Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Network/virtualNetworks/readMicrosoft.Network/virtualNetworks/read | 获取虚拟网络定义Get the virtual network definition |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | 返回操作状态Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | 获取对保护容器执行的操作的结果。Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | 对受保护的项执行备份。Performs Backup for Protected Item. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | 获取对受保护项执行的操作的结果。Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | 返回对受保护项执行的操作的状态。Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | 预配受保护项的即时项恢复Provision Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/actionMicrosoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | 获取跨区域还原所需的 AccessToken。Get AccessToken for Cross Region Restore. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | 获取受保护项的恢复点。Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | 还原受保护项的恢复点。Restore Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | 吊销受保护项的即时项恢复Revoke Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | 创建备份受保护项Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | 返回所有已注册的容器Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | 刷新容器列表Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/*Microsoft.RecoveryServices/Vaults/backupJobs/* | 创建和管理备份作业Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/*Microsoft.RecoveryServices/Vaults/backupOperationResults/* | 创建和管理备份管理操作的结果Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | 获取策略操作的结果。Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/*Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | 创建和管理可以备份的项Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/readMicrosoft.RecoveryServices/Vaults/backupProtectedItems/read | 返回所有受保护项的列表。Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/readMicrosoft.RecoveryServices/Vaults/backupProtectionContainers/read | 返回属于订阅的所有容器Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/writeMicrosoft.RecoveryServices/Vaults/certificates/write | “更新资源证书”操作更新资源/保管库凭据证书。The Update Resource Certificate operation updates the resource/vault credential certificate. |
| Microsoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/extendedInformation/read | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/extendedInformation/writeMicrosoft.RecoveryServices/Vaults/extendedInformation/write | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/read | “获取容器”操作可用于获取针对资源注册的容器。The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/writeMicrosoft.RecoveryServices/Vaults/registeredIdentities/write | “注册服务容器”操作可用于向恢复服务注册容器。The Register Service Container operation can be used to register a container with Recovery Service. |
| Microsoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。Returns usage details for a Recovery Services Vault. |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/*Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/actionMicrosoft.RecoveryServices/Vaults/backupValidateOperation/action | 验证对受保护项的操作Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operations/read | 获取策略操作的状态。Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | 创建已注册的容器Creates a registered container |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/actionMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | 在容器内进行工作负载的查询Do inquiry for workloads within a container |
| Microsoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writeMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | 创建备份保护意向Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/readMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | 获取备份保护意向Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | 获取所有可保护的容器Get all protectable containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | 获取容器中的所有项Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/actionMicrosoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能Validate Features |
| Microsoft.RecoveryServices/locations/backupAadProperties/readMicrosoft.RecoveryServices/locations/backupAadProperties/read | 获取用于在第三区域进行身份验证的 AAD 属性,以便进行跨区域还原。Get AAD Properties for authentication in the third region for Cross Region Restore. |
| Microsoft.RecoveryServices/locations/backupCrrJobs/actionMicrosoft.RecoveryServices/locations/backupCrrJobs/action | 列出恢复服务保管库的次要区域中的跨区域还原作业。List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/actionMicrosoft.RecoveryServices/locations/backupCrrJob/action | 获取恢复服务保管库的次要区域中的跨区域还原作业详细信息。Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrossRegionRestore/actionMicrosoft.RecoveryServices/locations/backupCrossRegionRestore/action | 触发跨区域还原。Trigger Cross region restore. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/readMicrosoft.RecoveryServices/locations/backupCrrOperationResults/read | 返回恢复服务保管库的 CRR 操作结果。Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/readMicrosoft.RecoveryServices/locations/backupCrrOperationsStatus/read | 返回恢复服务保管库的 CRR 操作状态。Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。Resolves the alert. |
| Microsoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向List all backup Protection Intents |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份读取器Backup Reader
可以查看备份服务,但不能进行更改 了解详细信息Can view backup services, but can't make changes Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.RecoveryServices/locations/allocatedStamp/readMicrosoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp 是服务使用的内部操作GetAllocatedStamp is internal operation used by service |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | 返回操作状态Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | 获取对保护容器执行的操作的结果。Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | 获取对受保护项执行的操作的结果。Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | 返回对受保护项执行的操作的状态。Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | 获取受保护项的恢复点。Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | 返回所有已注册的容器Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/readMicrosoft.RecoveryServices/Vaults/backupJobs/operationResults/read | 返回作业操作的结果。Returns the Result of Job Operation. |
| Microsoft.RecoveryServices/Vaults/backupJobs/readMicrosoft.RecoveryServices/Vaults/backupJobs/read | 返回所有作业对象Returns all Job Objects |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/actionMicrosoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/readMicrosoft.RecoveryServices/Vaults/backupOperationResults/read | 返回恢复服务保管库的备份操作结果。Returns Backup Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | 获取策略操作的结果。Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/readMicrosoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/readMicrosoft.RecoveryServices/Vaults/backupProtectedItems/read | 返回所有受保护项的列表。Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/readMicrosoft.RecoveryServices/Vaults/backupProtectionContainers/read | 返回属于订阅的所有容器Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/readMicrosoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/extendedInformation/readMicrosoft.RecoveryServices/Vaults/extendedInformation/read | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/readMicrosoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/readMicrosoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/readMicrosoft.RecoveryServices/Vaults/registeredIdentities/read | “获取容器”操作可用于获取针对资源注册的容器。The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/readMicrosoft.RecoveryServices/Vaults/backupstorageconfig/read | 返回恢复服务保管库的存储配置。Returns Storage Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupconfig/readMicrosoft.RecoveryServices/Vaults/backupconfig/read | 返回恢复服务保管库的配置。Returns Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupOperations/readMicrosoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/readMicrosoft.RecoveryServices/Vaults/backupPolicies/operations/read | 获取策略操作的状态。Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupEngines/readMicrosoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/readMicrosoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | 获取备份保护意向Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/readMicrosoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | 获取容器中的所有项Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/actionMicrosoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/writeMicrosoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。Resolves the alert. |
| Microsoft.RecoveryServices/operations/readMicrosoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/readMicrosoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/readMicrosoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向List all backup Protection Intents |
| Microsoft.RecoveryServices/Vaults/usages/readMicrosoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/actionMicrosoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能Validate Features |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典存储帐户参与者Classic Storage Account Contributor
允许管理经典存储帐户,但不允许对其进行访问。Lets you manage classic storage accounts, but not access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.ClassicStorage/storageAccounts/*Microsoft.ClassicStorage/storageAccounts/* | 创建和管理存储帐户Create and manage storage accounts |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典存储帐户密钥操作员服务角色Classic Storage Account Key Operator Service Role
允许经典存储帐户密钥操作员在经典存储帐户上列出和再生成密钥 了解详细信息Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ClassicStorage/storageAccounts/listkeys/actionMicrosoft.ClassicStorage/storageAccounts/listkeys/action | 列出存储帐户的访问密钥。Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/regeneratekey/actionMicrosoft.ClassicStorage/storageAccounts/regeneratekey/action | 再生成存储帐户的现有访问密钥。Regenerates the existing access keys for the storage account. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box 参与者Data Box Contributor
可让你管理 Data Box 服务下的所有内容,但不能向其他人授予访问权限。Lets you manage everything under Data Box Service except giving access to others.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Databox/*Microsoft.Databox/* | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box 读者Data Box Reader
可让你管理 Data Box 服务,但不能创建订单或编辑订单详细信息,以及向其他人授予访问权限。Lets you manage Data Box Service except creating order or editing order details and giving access to others.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Databox/*/readMicrosoft.Databox/*/read | |
| Microsoft.Databox/jobs/listsecrets/actionMicrosoft.Databox/jobs/listsecrets/action | |
| Microsoft.Databox/jobs/listcredentials/actionMicrosoft.Databox/jobs/listcredentials/action | 列出与订单相关的未加密凭据。Lists the unencrypted credentials related to the order. |
| Microsoft.Databox/locations/availableSkus/actionMicrosoft.Databox/locations/availableSkus/action | 此方法返回可用 SKU 列表。This method returns the list of available skus. |
| Microsoft.Databox/locations/validateInputs/actionMicrosoft.Databox/locations/validateInputs/action | 此方法执行所有类型的验证。This method does all type of validations. |
| Microsoft.Databox/locations/regionConfiguration/actionMicrosoft.Databox/locations/regionConfiguration/action | 此方法返回区域的配置。This method returns the configurations for the region. |
| Microsoft.Databox/locations/validateAddress/actionMicrosoft.Databox/locations/validateAddress/action | 验证送货地址,并提供备用地址(如有)。Validates the shipping address and provides alternate addresses if any. |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Lake Analytics 开发人员Data Lake Analytics Developer
允许提交、监视和管理自己的作业,但是不允许创建或删除 Data Lake Analytics 帐户。Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.BigAnalytics/accounts/*Microsoft.BigAnalytics/accounts/* | |
| Microsoft.DataLakeAnalytics/accounts/*Microsoft.DataLakeAnalytics/accounts/* | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| Microsoft.BigAnalytics/accounts/DeleteMicrosoft.BigAnalytics/accounts/Delete | |
| Microsoft.BigAnalytics/accounts/TakeOwnership/actionMicrosoft.BigAnalytics/accounts/TakeOwnership/action | |
| Microsoft.BigAnalytics/accounts/WriteMicrosoft.BigAnalytics/accounts/Write | |
| Microsoft.DataLakeAnalytics/accounts/DeleteMicrosoft.DataLakeAnalytics/accounts/Delete | 删除 DataLakeAnalytics 帐户。Delete a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/TakeOwnership/actionMicrosoft.DataLakeAnalytics/accounts/TakeOwnership/action | 授予取消由其他用户提交的作业的权限。Grant permissions to cancel jobs submitted by other users. |
| Microsoft.DataLakeAnalytics/accounts/WriteMicrosoft.DataLakeAnalytics/accounts/Write | 创建或更新 DataLakeAnalytics 帐户。Create or update a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/WriteMicrosoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | 获取或更新 DataLakeAnalytics 帐户的链接 DataLakeStore 帐户。Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/DeleteMicrosoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | 从 DataLakeAnalytics 帐户取消链接 DataLakeStore 帐户。Unlink a DataLakeStore account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/WriteMicrosoft.DataLakeAnalytics/accounts/storageAccounts/Write | 创建或更新 DataLakeAnalytics 帐户的链接存储帐户。Create or update a linked Storage account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/DeleteMicrosoft.DataLakeAnalytics/accounts/storageAccounts/Delete | 从 DataLakeAnalytics 帐户取消链接存储帐户。Unlink a Storage account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/WriteMicrosoft.DataLakeAnalytics/accounts/firewallRules/Write | 创建或更新防火墙规则。Create or update a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/DeleteMicrosoft.DataLakeAnalytics/accounts/firewallRules/Delete | 删除防火墙规则。Delete a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/WriteMicrosoft.DataLakeAnalytics/accounts/computePolicies/Write | 创建或更新计算策略。Create or update a compute policy. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/DeleteMicrosoft.DataLakeAnalytics/accounts/computePolicies/Delete | 删除计算策略。Delete a compute policy. |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
读取器和数据访问Reader and Data Access
允许查看所有内容,但不允许删除或创建存储帐户或包含的资源。Lets you view everything but will not let you delete or create a storage account or contained resource. 它还允许使用存储帐户密钥对存储帐户中包含的所有数据进行读/写访问。It will also allow read/write access to all data contained in a storage account via access to storage account keys.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/ListAccountSas/actionMicrosoft.Storage/storageAccounts/ListAccountSas/action | 返回指定存储帐户的帐户 SAS 令牌。Returns the Account SAS token for the specified storage account. |
| Microsoft.Storage/storageAccounts/readMicrosoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。Returns the list of storage accounts or gets the properties for the specified storage account. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储帐户参与者Storage Account Contributor
允许管理存储帐户。Permits management of storage accounts. 提供对帐户密钥的访问权限,而帐户密钥可以用来通过共享密钥授权对数据进行访问。Provides access to the account key, which can be used to access data via Shared Key authorization. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/*Microsoft.Insights/diagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。Joins resource such as storage account or SQL database to a subnet. 不可发出警报。Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/*Microsoft.Storage/storageAccounts/* | 创建和管理存储帐户Create and manage storage accounts |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储帐户密钥操作员服务角色Storage Account Key Operator Service Role
允许列出和重新生成存储帐户访问密钥。Permits listing and regenerating storage account access keys. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/listkeys/actionMicrosoft.Storage/storageAccounts/listkeys/action | 返回指定存储帐户的访问密钥。Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/regeneratekey/actionMicrosoft.Storage/storageAccounts/regeneratekey/action | 再生成指定存储帐户的访问密钥。Regenerates the access keys for the specified storage account. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据参与者Storage Blob Data Contributor
读取、写入和删除 Azure 存储容器和 Blob。Read, write, and delete Azure Storage containers and blobs. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/delete | 删除容器。Delete a container. |
| Microsoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/containers/read | 返回容器或容器列表。Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/containers/writeMicrosoft.Storage/storageAccounts/blobServices/containers/write | 修改容器的元数据或属性。Modify a container's metadata or properties. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/actionMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。Returns a user delegation key for the Blob service. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 删除 Blob。Delete a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 Blob 或 Blob 列表。Return a blob or a list of blobs. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/writeMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/write | 写入到 Blob。Write to a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/actionMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | 将 Blob 从一个路径移到另一个路径Moves the blob from one path to another |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/actionMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | 返回添加 blob 内容的结果Returns the result of adding blob content |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据所有者Storage Blob Data Owner
提供对 Azure 存储 Blob 容器和数据的完全访问权限,包括分配 POSIX 访问控制。Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/*Microsoft.Storage/storageAccounts/blobServices/containers/* | 对容器的完全权限。Full permissions on containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/actionMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。Returns a user delegation key for the Blob service. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | 对 Blob 的完全权限。Full permissions on blobs. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据读取者Storage Blob Data Reader
读取和列出 Azure 存储容器和 Blob。Read and list Azure Storage containers and blobs. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/readMicrosoft.Storage/storageAccounts/blobServices/containers/read | 返回容器或容器列表。Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/actionMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。Returns a user delegation key for the Blob service. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/readMicrosoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 Blob 或 Blob 列表。Return a blob or a list of blobs. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 委托者Storage Blob Delegator
获取用户委托密钥,该密钥随后可用于为使用 Azure AD 凭据签名的容器或 Blob 创建共享访问签名。Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. 有关详细信息,请参阅创建用户委托 SAS。For more information, see Create a user delegation SAS. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/actionMicrosoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。Returns a user delegation key for the Blob service. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享参与者Storage File Data SMB Share Contributor
允许针对 Azure 文件共享中的文件/目录的读取、写入和删除权限。Allows for read, write, and delete access on files/directories in Azure file shares. 在 Windows 文件服务器上,此角色没有内置的等效角色。This role has no built-in equivalent on Windows file servers.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/readMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/writeMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/write | 返回写入文件或创建文件夹的结果。Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/deleteMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/delete | 返回删除文件/文件夹的结果。Returns the result of deleting a file/folder. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享提升参与者Storage File Data SMB Share Elevated Contributor
允许读取、写入、删除和修改 Azure 文件共享中文件/目录上的 ACL。Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. 此角色等效于 Windows 文件服务器上更改的文件共享 ACL。This role is equivalent to a file share ACL of change on Windows file servers.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/readMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/writeMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/write | 返回写入文件或创建文件夹的结果。Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/deleteMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/delete | 返回删除文件/文件夹的结果。Returns the result of deleting a file/folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/actionMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | 返回修改文件/文件夹权限的结果。Returns the result of modifying permission on a file/folder. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享读取者Storage File Data SMB Share Reader
允许针对 Azure 文件共享中的文件/目录的读取权限。Allows for read access on files/directories in Azure file shares. 此角色等效于 Windows 文件服务器上读取的文件共享 ACL。This role is equivalent to a file share ACL of read on Windows file servers.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/readMicrosoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。Returns a file/folder or a list of files/folders. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据参与者Storage Queue Data Contributor
读取、写入和删除 Azure 存储队列和队列消息。Read, write, and delete Azure Storage queues and queue messages. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/deleteMicrosoft.Storage/storageAccounts/queueServices/queues/delete | 删除队列。Delete a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/readMicrosoft.Storage/storageAccounts/queueServices/queues/read | 返回队列或队列列表。Return a queue or a list of queues. |
| Microsoft.Storage/storageAccounts/queueServices/queues/writeMicrosoft.Storage/storageAccounts/queueServices/queues/write | 修改队列元数据或属性。Modify queue metadata or properties. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/deleteMicrosoft.Storage/storageAccounts/queueServices/queues/messages/delete | 从队列中删除一个或多个消息。Delete one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/readMicrosoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视或检索队列中的一个或多个消息。Peek or retrieve one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/writeMicrosoft.Storage/storageAccounts/queueServices/queues/messages/write | 向队列添加消息。Add a message to a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/actionMicrosoft.Storage/storageAccounts/queueServices/queues/messages/process/action | 返回处理消息的结果Returns the result of processing a message |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据消息处理器Storage Queue Data Message Processor
速览、检索和删除 Azure 存储队列中的消息。Peek, retrieve, and delete a message from an Azure Storage queue. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/readMicrosoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视消息。Peek a message. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/actionMicrosoft.Storage/storageAccounts/queueServices/queues/messages/process/action | 检索和删除消息。Retrieve and delete a message. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据消息发送者Storage Queue Data Message Sender
将消息添加到 Azure 存储队列。Add messages to an Azure Storage queue. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/actionMicrosoft.Storage/storageAccounts/queueServices/queues/messages/add/action | 向队列添加消息。Add a message to a queue. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据读取者Storage Queue Data Reader
读取并列出 Azure 存储队列和队列消息。Read and list Azure Storage queues and queue messages. 若要了解需要对给定的数据执行哪些操作,请参阅用于调用 Blob 和队列数据操作的权限。To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/readMicrosoft.Storage/storageAccounts/queueServices/queues/read | 返回队列或队列列表。Returns a queue or a list of queues. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/readMicrosoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视或检索队列中的一个或多个消息。Peek or retrieve one or more messages from a queue. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
WebWeb
Azure Maps 数据参与者Azure Maps Data Contributor
从 Azure Maps 帐户中授予地图相关数据的读取、写入和删除权限。Grants access to read, write, and delete access to map related data from an Azure maps account.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Maps/accounts/*/readMicrosoft.Maps/accounts/*/read | |
| Microsoft.Maps/accounts/*/writeMicrosoft.Maps/accounts/*/write | |
| Microsoft.Maps/accounts/*/deleteMicrosoft.Maps/accounts/*/delete | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read",
"Microsoft.Maps/accounts/*/write",
"Microsoft.Maps/accounts/*/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Maps 数据读取器Azure Maps Data Reader
授予从 Azure Maps 帐户中读取地图相关数据的权限。Grants access to read map related data from an Azure maps account.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Maps/accounts/*/readMicrosoft.Maps/accounts/*/read | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read map related data from an Azure maps account.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
搜索服务参与者Search Service Contributor
允许管理搜索服务,但不允许访问这些服务。Lets you manage Search services, but not access to them. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Search/searchServices/*Microsoft.Search/searchServices/* | 创建和管理搜索服务Create and manage search services |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Search services, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Search/searchServices/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Search Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR AccessKey 读取者SignalR AccessKey Reader
读取 SignalR 服务访问密钥Read SignalR Service Access Keys
| 操作Actions | 描述Description |
|---|---|
| Microsoft.SignalRService/*/readMicrosoft.SignalRService/*/read | |
| Microsoft.SignalRService/SignalR/listkeys/actionMicrosoft.SignalRService/SignalR/listkeys/action | 通过管理门户或 API 查看 SignalR 访问密钥的值View the value of SignalR access keys in the management portal or through API |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Read SignalR Service Access Keys",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
"name": "04165923-9d83-45d5-8227-78b77b0a687e",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*/read",
"Microsoft.SignalRService/SignalR/listkeys/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR AccessKey Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR 应用服务器(预览版)SignalR App Server (Preview)
允许应用服务器使用 AAD 身份验证选项访问 SignalR 服务。Lets your app server access SignalR Service with AAD auth options.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.SignalRService/SignalR/auth/accessKey/actionMicrosoft.SignalRService/SignalR/auth/accessKey/action | 生成用于为客户端令牌签名的临时访问密钥。Generate a temporary AccessKey for signing ClientTokens. |
| Microsoft.SignalRService/SignalR/serverConnection/writeMicrosoft.SignalRService/SignalR/serverConnection/write | 启动服务器连接。Start a server connection. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets your app server access SignalR Service with AAD auth options.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
"name": "420fcaa2-552c-430f-98ca-3264be4806c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/accessKey/action",
"Microsoft.SignalRService/SignalR/serverConnection/write"
],
"notDataActions": []
}
],
"roleName": "SignalR App Server (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR 参与者SignalR Contributor
创建、读取、更新和删除 SignalR 服务资源Create, Read, Update, and Delete SignalR service resources
| 操作Actions | 描述Description |
|---|---|
| Microsoft.SignalRService/*Microsoft.SignalRService/* | |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete SignalR service resources",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR 无服务器参与者(预览版)SignalR Serverless Contributor (Preview)
允许应用在无服务器模式下使用 AAD 身份验证选项来访问服务。Lets your app access service in serverless mode with AAD auth options.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.SignalRService/SignalR/auth/clientToken/actionMicrosoft.SignalRService/SignalR/auth/clientToken/action | 生成用于启动客户端连接的客户端令牌。Generate a ClientToken for starting a client connection. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets your app access service in serverless mode with AAD auth options.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
"name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/clientToken/action"
],
"notDataActions": []
}
],
"roleName": "SignalR Serverless Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR 服务所有者(预览版)SignalR Service Owner (Preview)
完全访问 Azure Signal 服务 REST APIFull access to Azure SignalR Service REST APIs
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.SignalRService/SignalR/hub/send/actionMicrosoft.SignalRService/SignalR/hub/send/action | 将消息广播到中心内的所有客户端连接。Broadcast messages to all client connections in hub. |
| Microsoft.SignalRService/SignalR/group/send/actionMicrosoft.SignalRService/SignalR/group/send/action | 将消息广播到组。Broadcast message to group. |
| Microsoft.SignalRService/SignalR/group/readMicrosoft.SignalRService/SignalR/group/read | 检查组是否存在或用户是否存在于组中。Check group existence or user existence in group. |
| Microsoft.SignalRService/SignalR/group/writeMicrosoft.SignalRService/SignalR/group/write | 加入/退出组。Join / Leave group. |
| Microsoft.SignalRService/SignalR/clientConnection/send/actionMicrosoft.SignalRService/SignalR/clientConnection/send/action | 将消息直接发送到客户端连接。Send messages directly to a client connection. |
| Microsoft.SignalRService/SignalR/clientConnection/readMicrosoft.SignalRService/SignalR/clientConnection/read | 检查客户端连接是否存在。Check client connection existence. |
| Microsoft.SignalRService/SignalR/clientConnection/writeMicrosoft.SignalRService/SignalR/clientConnection/write | 关闭客户端连接。Close client connection. |
| Microsoft.SignalRService/SignalR/user/send/actionMicrosoft.SignalRService/SignalR/user/send/action | 将消息发送给可能有多个客户端连接的用户。Send messages to user, who may consist of multiple client connections. |
| Microsoft.SignalRService/SignalR/user/readMicrosoft.SignalRService/SignalR/user/read | 检查用户是否存在。Check user existence. |
| Microsoft.SignalRService/SignalR/user/writeMicrosoft.SignalRService/SignalR/user/write | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/hub/send/action",
"Microsoft.SignalRService/SignalR/group/send/action",
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/group/write",
"Microsoft.SignalRService/SignalR/clientConnection/send/action",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/clientConnection/write",
"Microsoft.SignalRService/SignalR/user/send/action",
"Microsoft.SignalRService/SignalR/user/read",
"Microsoft.SignalRService/SignalR/user/write"
],
"notDataActions": []
}
],
"roleName": "SignalR Service Owner (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR 服务读取者(预览版)SignalR Service Reader (Preview)
以只读方式访问 Azure Signal 服务 REST APIRead-only access to Azure SignalR Service REST APIs
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.SignalRService/SignalR/group/readMicrosoft.SignalRService/SignalR/group/read | 检查组是否存在或用户是否存在于组中。Check group existence or user existence in group. |
| Microsoft.SignalRService/SignalR/clientConnection/readMicrosoft.SignalRService/SignalR/clientConnection/read | 检查客户端连接是否存在。Check client connection existence. |
| Microsoft.SignalRService/SignalR/user/readMicrosoft.SignalRService/SignalR/user/read | 检查用户是否存在。Check user existence. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Read-only access to Azure SignalR Service REST APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
"name": "ddde6b66-c0df-4114-a159-3618637b3035",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/user/read"
],
"notDataActions": []
}
],
"roleName": "SignalR Service Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Web 计划参与者Web Plan Contributor
允许管理网站的 Web 计划,但不允许访问这些计划。Lets you manage the web plans for websites, but not access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Web/serverFarms/*Microsoft.Web/serverFarms/* | 创建和管理服务器场Create and manage server farms |
| Microsoft.Web/hostingEnvironments/Join/ActionMicrosoft.Web/hostingEnvironments/Join/Action | 加入应用服务环境Joins an App Service Environment |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the web plans for websites, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/hostingEnvironments/Join/Action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Web Plan Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
网站参与者Website Contributor
允许管理网站(而非 Web 计划),但不允许访问这些网站。Lets you manage websites (not web plans), but not access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Insights/components/*Microsoft.Insights/components/* | 创建和管理 Insights 组件Create and manage Insights components |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Web/certificates/*Microsoft.Web/certificates/* | 创建和管理网站证书Create and manage website certificates |
| Microsoft.Web/listSitesAssignedToHostName/readMicrosoft.Web/listSitesAssignedToHostName/read | 获取分配给主机名的站点名称。Get names of sites assigned to hostname. |
| Microsoft.Web/serverFarms/join/actionMicrosoft.Web/serverFarms/join/action | 加入应用服务计划Joins an App Service Plan |
| Microsoft.Web/serverFarms/readMicrosoft.Web/serverFarms/read | 获取应用服务计划的属性Get the properties on an App Service Plan |
| Microsoft.Web/sites/*Microsoft.Web/sites/* | 创建和管理网站(站点创建还需要对关联的应用服务计划有写入权限)Create and manage websites (site creation also requires write permissions to the associated App Service Plan) |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage websites (not web plans), but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
"name": "de139f84-1756-47ae-9be6-808fbbe84772",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/certificates/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Website Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
容器Containers
AcrDeleteAcrDelete
acr 删除 了解详细信息acr delete Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/deleteMicrosoft.ContainerRegistry/registries/artifacts/delete | 删除容器注册表中的项目。Delete artifact in a container registry. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSignerAcrImageSigner
acr 映像签名程序 了解详细信息acr image signer Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/writeMicrosoft.ContainerRegistry/registries/sign/write | 推送/拉取容器注册表的内容信任元数据。Push/Pull content trust metadata for a container registry. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPullAcrPull
acr 拉取 了解详细信息acr pull Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/readMicrosoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。Pull or Get images from a container registry. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPushAcrPush
acr 推送 了解详细信息acr push Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/readMicrosoft.ContainerRegistry/registries/pull/read | 从容器注册表中拉取或获取映像。Pull or Get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/writeMicrosoft.ContainerRegistry/registries/push/write | 将映像推送或写入容器注册表。Push or Write images to a container registry. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReaderAcrQuarantineReader
ACR 隔离数据读取器acr quarantine data reader
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/readMicrosoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像Pull or Get quarantined images from container registry |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriterAcrQuarantineWriter
ACR 隔离数据编写器acr quarantine data writer
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/readMicrosoft.ContainerRegistry/registries/quarantine/read | 从容器注册表中拉取或获取已隔离的映像Pull or Get quarantined images from container registry |
| Microsoft.ContainerRegistry/registries/quarantine/writeMicrosoft.ContainerRegistry/registries/quarantine/write | 写入/修改已隔离映像的隔离状态Write/Modify quarantine state of quarantined images |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集管理员角色Azure Kubernetes Service Cluster Admin Role
列出群集管理员凭据操作。List cluster admin credential action. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/actionMicrosoft.ContainerService/managedClusters/listClusterAdminCredential/action | 列出托管群集的 clusterAdmin 凭据List the clusterAdmin credential of a managed cluster |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/actionMicrosoft.ContainerService/managedClusters/accessProfiles/listCredential/action | 使用列表凭据按角色名称获取托管的群集访问配置文件Get a managed cluster access profile by role name using list credential |
| Microsoft.ContainerService/managedClusters/readMicrosoft.ContainerService/managedClusters/read | 获取托管的群集Get a managed cluster |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务群集用户角色Azure Kubernetes Service Cluster User Role
列出群集用户凭据操作。List cluster user credential action. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/actionMicrosoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据List the clusterUser credential of a managed cluster |
| Microsoft.ContainerService/managedClusters/readMicrosoft.ContainerService/managedClusters/read | 获取托管的群集Get a managed cluster |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务参与者角色Azure Kubernetes Service Contributor Role
授予对 Azure Kubernetes 服务群集的读写访问权限了解更多Grants access to read and write Azure Kubernetes Service clusters Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ContainerService/managedClusters/readMicrosoft.ContainerService/managedClusters/read | 获取托管的群集Get a managed cluster |
| Microsoft.ContainerService/managedClusters/writeMicrosoft.ContainerService/managedClusters/write | 创建新的或更新现有的托管的群集Creates a new managed cluster or updates an existing one |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 管理员Azure Kubernetes Service RBAC Admin
允许管理群集/命名空间下的所有资源,但不能更新或删除资源配额和命名空间。Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/writeMicrosoft.Resources/deployments/write | 创建或更新部署。Creates or updates an deployment. |
| Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。Get the subscription operation results. |
| Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/read | 获取订阅的列表。Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/actionMicrosoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据List the clusterUser credential of a managed cluster |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.ContainerService/managedClusters/*Microsoft.ContainerService/managedClusters/* | |
| NotDataActionsNotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/writeMicrosoft.ContainerService/managedClusters/resourcequotas/write | 写入 resourcequotasWrites resourcequotas |
| Microsoft.ContainerService/managedClusters/resourcequotas/deleteMicrosoft.ContainerService/managedClusters/resourcequotas/delete | 删除 resourcequotasDeletes resourcequotas |
| Microsoft.ContainerService/managedClusters/namespaces/writeMicrosoft.ContainerService/managedClusters/namespaces/write | 写入 namespacesWrites namespaces |
| Microsoft.ContainerService/managedClusters/namespaces/deleteMicrosoft.ContainerService/managedClusters/namespaces/delete | 删除 namespacesDeletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 群集管理员Azure Kubernetes Service RBAC Cluster Admin
允许管理群集中的所有资源。Lets you manage all resources in the cluster.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/writeMicrosoft.Resources/deployments/write | 创建或更新部署。Creates or updates an deployment. |
| Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。Get the subscription operation results. |
| Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/read | 获取订阅的列表。Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/actionMicrosoft.ContainerService/managedClusters/listClusterUserCredential/action | 列出托管群集的 clusterUser 凭据List the clusterUser credential of a managed cluster |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.ContainerService/managedClusters/*Microsoft.ContainerService/managedClusters/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 读取者Azure Kubernetes Service RBAC Reader
允许进行只读访问并查看命名空间中的大多数对象。Allows read-only access to see most objects in a namespace. 不允许查看角色或角色绑定。It does not allow viewing roles or role bindings. 此角色不允许查看机密,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). 在群集范围内应用此角色将提供对所有命名空间的访问权限。Applying this role at cluster scope will give access across all namespaces.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/writeMicrosoft.Resources/deployments/write | 创建或更新部署。Creates or updates an deployment. |
| Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。Get the subscription operation results. |
| Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/read | 获取订阅的列表。Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/readMicrosoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisionsReads controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/readMicrosoft.ContainerService/managedClusters/apps/daemonsets/read | 读取 daemonsetsReads daemonsets |
| Microsoft.ContainerService/managedClusters/apps/deployments/readMicrosoft.ContainerService/managedClusters/apps/deployments/read | 读取 deploymentsReads deployments |
| Microsoft.ContainerService/managedClusters/apps/replicasets/readMicrosoft.ContainerService/managedClusters/apps/replicasets/read | 读取 replicasetsReads replicasets |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/readMicrosoft.ContainerService/managedClusters/apps/statefulsets/read | 读取 statefulsetsReads statefulsets |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/readMicrosoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | 读取 horizontalpodautoscalersReads horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/readMicrosoft.ContainerService/managedClusters/batch/cronjobs/read | 读取 cronjobsReads cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/readMicrosoft.ContainerService/managedClusters/batch/jobs/read | 读取作业Reads jobs |
| Microsoft.ContainerService/managedClusters/configmaps/readMicrosoft.ContainerService/managedClusters/configmaps/read | 读取 configmapsReads configmaps |
| Microsoft.ContainerService/managedClusters/endpoints/readMicrosoft.ContainerService/managedClusters/endpoints/read | 读取 endpointsReads endpoints |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/readMicrosoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 eventsReads events |
| Microsoft.ContainerService/managedClusters/events/readMicrosoft.ContainerService/managedClusters/events/read | 读取 eventsReads events |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/readMicrosoft.ContainerService/managedClusters/extensions/daemonsets/read | 读取 daemonsetsReads daemonsets |
| Microsoft.ContainerService/managedClusters/extensions/deployments/readMicrosoft.ContainerService/managedClusters/extensions/deployments/read | 读取 deploymentsReads deployments |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/readMicrosoft.ContainerService/managedClusters/extensions/ingresses/read | 读取 ingressesReads ingresses |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/readMicrosoft.ContainerService/managedClusters/extensions/networkpolicies/read | 读取 networkpoliciesReads networkpolicies |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/readMicrosoft.ContainerService/managedClusters/extensions/replicasets/read | 读取 replicasetsReads replicasets |
| Microsoft.ContainerService/managedClusters/limitranges/readMicrosoft.ContainerService/managedClusters/limitranges/read | 读取 limitrangesReads limitranges |
| Microsoft.ContainerService/managedClusters/namespaces/readMicrosoft.ContainerService/managedClusters/namespaces/read | 读取 namespacesReads namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/readMicrosoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | 读取 ingressesReads ingresses |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/readMicrosoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | 读取 networkpoliciesReads networkpolicies |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/readMicrosoft.ContainerService/managedClusters/persistentvolumeclaims/read | 读取 persistentvolumeclaimsReads persistentvolumeclaims |
| Microsoft.ContainerService/managedClusters/pods/readMicrosoft.ContainerService/managedClusters/pods/read | 读取 PodReads pods |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/readMicrosoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | 读取 poddisruptionbudgetsReads poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/readMicrosoft.ContainerService/managedClusters/replicationcontrollers/read | 读取 replicationcontrollersReads replicationcontrollers |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/readMicrosoft.ContainerService/managedClusters/replicationcontrollers/read | 读取 replicationcontrollersReads replicationcontrollers |
| Microsoft.ContainerService/managedClusters/resourcequotas/readMicrosoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotasReads resourcequotas |
| Microsoft.ContainerService/managedClusters/serviceaccounts/readMicrosoft.ContainerService/managedClusters/serviceaccounts/read | 读取 serviceaccountsReads serviceaccounts |
| Microsoft.ContainerService/managedClusters/services/readMicrosoft.ContainerService/managedClusters/services/read | 读取 servicesReads services |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes 服务 RBAC 写入者Azure Kubernetes Service RBAC Writer
允许对命名空间中的大多数对象进行读取/写入访问。不允许此角色查看或修改角色或角色绑定。Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. 但是,允许此角色以命名空间中任何 ServiceAccount 的身份访问机密和运行 Pod,因此可用它获取命名空间中任何 ServiceAccount 的 API 访问级别。However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. 在群集范围内应用此角色将提供对所有命名空间的访问权限。Applying this role at cluster scope will give access across all namespaces.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Resources/deployments/writeMicrosoft.Resources/deployments/write | 创建或更新部署。Creates or updates an deployment. |
| Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。Get the subscription operation results. |
| Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/read | 获取订阅的列表。Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/readMicrosoft.ContainerService/managedClusters/apps/controllerrevisions/read | 读取 controllerrevisionsReads controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/*Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/*Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/*Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/*Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/*Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/batch/jobs/*Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/*Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/*Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/readMicrosoft.ContainerService/managedClusters/events.k8s.io/events/read | 读取 eventsReads events |
| Microsoft.ContainerService/managedClusters/events/readMicrosoft.ContainerService/managedClusters/events/read | 读取 eventsReads events |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/*Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/*Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/*Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/*Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/readMicrosoft.ContainerService/managedClusters/limitranges/read | 读取 limitrangesReads limitranges |
| Microsoft.ContainerService/managedClusters/namespaces/readMicrosoft.ContainerService/managedClusters/namespaces/read | 读取 namespacesReads namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/*Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/*Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/*Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/readMicrosoft.ContainerService/managedClusters/resourcequotas/read | 读取 resourcequotasReads resourcequotas |
| Microsoft.ContainerService/managedClusters/secrets/*Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/*Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/*Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
数据库Databases
Cosmos DB 帐户读者角色Cosmos DB Account Reader Role
可以读取 Azure Cosmos DB 帐户数据。Can read Azure Cosmos DB account data. 请参阅 Cosmos DB 帐户参与者,了解如何管理 Azure Cosmos DB 帐户。See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.DocumentDB/*/readMicrosoft.DocumentDB/*/read | 读取任何集合Read any collection |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/actionMicrosoft.DocumentDB/databaseAccounts/readonlykeys/action | 读取数据库帐户只读密钥。Reads the database account readonly keys. |
| Microsoft.Insights/MetricDefinitions/readMicrosoft.Insights/MetricDefinitions/read | 读取指标定义Read metric definitions |
| Microsoft.Insights/Metrics/readMicrosoft.Insights/Metrics/read | 添加指标Read metrics |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB 操作员Cosmos DB Operator
允许管理 Azure Cosmos DB 帐户,但不能访问其中的数据。Lets you manage Azure Cosmos DB accounts, but not access data in them. 阻止访问帐户密钥和连接字符串。Prevents access to account keys and connection strings. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.DocumentDb/databaseAccounts/*Microsoft.DocumentDb/databaseAccounts/* | |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。Joins resource such as storage account or SQL database to a subnet. 不可发出警报。Not alertable. |
| 不操作NotActions | |
| Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/regenerateKey/*Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
| Microsoft.DocumentDB/databaseAccounts/listKeys/*Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/writeMicrosoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | 创建或更新 SQL 角色定义Create or update a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/deleteMicrosoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | 删除 SQL 角色定义Delete a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/writeMicrosoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | 创建或更新 SQL 角色分配Create or update a SQL Role Assignment |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/deleteMicrosoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | 删除 SQL 角色分配Delete a SQL Role Assignment |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperatorCosmosBackupOperator
可以为帐户提交 Cosmos DB 数据库或容器的还原请求 了解详细信息Can submit restore request for a Cosmos DB database or a container for an account Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/backup/actionMicrosoft.DocumentDB/databaseAccounts/backup/action | 提交配置备份的请求Submit a request to configure backup |
| Microsoft.DocumentDB/databaseAccounts/restore/actionMicrosoft.DocumentDB/databaseAccounts/restore/action | 提交还原请求Submit a restore request |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperatorCosmosRestoreOperator
可以对连续备份模式下的 Cosmos DB 数据库帐户执行还原操作Can perform restore action for Cosmos DB database account with continuous backup mode
| 操作Actions | 说明Description |
|---|---|
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/actionMicrosoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | 提交还原请求Submit a restore request |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/readMicrosoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/readMicrosoft.DocumentDB/locations/restorableDatabaseAccounts/read | 读取可还原数据库帐户或列出所有可还原数据库帐户Read a restorable database account or List all the restorable database accounts |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB 帐户参与者DocumentDB Account Contributor
可管理 Azure Cosmos DB 帐户。Can manage Azure Cosmos DB accounts. Azure Cosmos DB 以前称为 DocumentDB。Azure Cosmos DB is formerly known as DocumentDB. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.DocumentDb/databaseAccounts/*Microsoft.DocumentDb/databaseAccounts/* | 创建并管理 Azure Cosmos DB 帐户Create and manage Azure Cosmos DB accounts |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。Joins resource such as storage account or SQL database to a subnet. 不可发出警报。Not alertable. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis 缓存参与者Redis Cache Contributor
允许管理 Redis 缓存,但不允许访问这些缓存。Lets you manage Redis caches, but not access to them.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Cache/register/actionMicrosoft.Cache/register/action | 将“Microsoft.Cache”资源提供程序注册到订阅Registers the 'Microsoft.Cache' resource provider with a subscription |
| Microsoft.Cache/redis/*Microsoft.Cache/redis/* | 创建和管理 Redis 缓存Create and manage Redis caches |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB 参与者SQL DB Contributor
允许管理 SQL 数据库,但不允许访问这些数据库。Lets you manage SQL databases, but not access to them. 此外,不允许管理其安全相关的策略或其父 SQL 服务器。Also, you can't manage their security-related policies or their parent SQL servers.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Sql/locations/*/readMicrosoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/databases/*Microsoft.Sql/servers/databases/* | 创建和管理 SQL 数据库Create and manage SQL databases |
| Microsoft.Sql/servers/readMicrosoft.Sql/servers/read | 返回服务器列表,或获取指定服务器的属性。Return the list of servers or gets the properties for the specified server. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Insights/metrics/readMicrosoft.Insights/metrics/read | 添加指标Read metrics |
| Microsoft.Insights/metricDefinitions/readMicrosoft.Insights/metricDefinitions/read | 读取指标定义Read metric definitions |
| 不操作NotActions | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditingSettings/* | 编辑审核设置Edit audit settings |
| Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 编辑数据屏蔽策略Edit data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/*Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityAlertPolicies/* | 编辑安全警报策略Edit security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/securityMetrics/* | 编辑安全度量值Edit security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/*Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 托管实例参与者SQL Managed Instance Contributor
允许你管理 SQL 托管实例和必需的网络配置,但无法向其他人授予访问权限。Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Network/networkSecurityGroups/*Microsoft.Network/networkSecurityGroups/* | |
| Microsoft.Network/routeTables/*Microsoft.Network/routeTables/* | |
| Microsoft.Sql/locations/*/readMicrosoft.Sql/locations/*/read | |
| Microsoft.Sql/locations/instanceFailoverGroups/*Microsoft.Sql/locations/instanceFailoverGroups/* | |
| Microsoft.Sql/managedInstances/*Microsoft.Sql/managedInstances/* | |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/*Microsoft.Network/virtualNetworks/subnets/* | |
| Microsoft.Network/virtualNetworks/*Microsoft.Network/virtualNetworks/* | |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Insights/metrics/readMicrosoft.Insights/metrics/read | 添加指标Read metrics |
| Microsoft.Insights/metricDefinitions/readMicrosoft.Insights/metricDefinitions/read | 读取指标定义Read metric definitions |
| 不操作NotActions | |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/deleteMicrosoft.Sql/managedInstances/azureADOnlyAuthentications/delete | 删除特定的托管服务器仅限 Azure Active Directory 的身份验证对象Deletes a specific managed server Azure Active Directory only authentication object |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/writeMicrosoft.Sql/managedInstances/azureADOnlyAuthentications/write | 添加或更新特定的托管服务器仅限 Azure Active Directory 的身份验证对象Adds or updates a specific managed server Azure Active Directory only authentication object |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 安全管理器SQL Security Manager
允许管理 SQL 服务器和数据库的安全相关策略,但不允许访问它们。Lets you manage the security-related policies of SQL servers and databases, but not access to them. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionMicrosoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。Joins resource such as storage account or SQL database to a subnet. 不可发出警报。Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Sql/locations/administratorAzureAsyncOperation/readMicrosoft.Sql/locations/administratorAzureAsyncOperation/read | 获取托管实例 Azure 异步管理员操作结果。Gets the Managed instance azure async administrator operations result. |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/*Microsoft.Sql/servers/auditingSettings/* | 创建和管理 SQL 服务器审核设置Create and manage SQL server auditing setting |
| Microsoft.Sql/servers/extendedAuditingSettings/readMicrosoft.Sql/servers/extendedAuditingSettings/read | 检索在给定服务器上配置的扩展服务器 blob 审核策略的详细信息Retrieve details of the extended server blob auditing policy configured on a given server |
| Microsoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditingSettings/* | 创建和管理 SQL 服务器数据库审核设置Create and manage SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 创建和管理 SQL 服务器数据库数据屏蔽策略Create and manage SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/readMicrosoft.Sql/servers/databases/extendedAuditingSettings/read | 检索在给定的数据库上配置的扩展 blob 审核策略的详细信息Retrieve details of the extended blob auditing policy configured on a given database |
| Microsoft.Sql/servers/databases/readMicrosoft.Sql/servers/databases/read | 返回数据库的列表,或获取指定数据库的属性。Return the list of databases or gets the properties for the specified database. |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/readMicrosoft.Sql/servers/databases/schemas/read | 获取数据库架构。Get a database schema. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/readMicrosoft.Sql/servers/databases/schemas/tables/columns/read | 获取数据库列。Get a database column. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/readMicrosoft.Sql/servers/databases/schemas/tables/read | 获取数据库表。Get a database table. |
| Microsoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityAlertPolicies/* | 创建和管理 SQL 服务器数据库安全警报策略Create and manage SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/securityMetrics/* | 创建和管理 SQL 服务器数据库安全度量值Create and manage SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/transparentDataEncryption/*Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/firewallRules/*Microsoft.Sql/servers/firewallRules/* | |
| Microsoft.Sql/servers/readMicrosoft.Sql/servers/read | 返回服务器列表,或获取指定服务器的属性。Return the list of servers or gets the properties for the specified server. |
| Microsoft.Sql/servers/securityAlertPolicies/*Microsoft.Sql/servers/securityAlertPolicies/* | 创建和管理 SQL 服务器安全警报策略Create and manage SQL server security alert policies |
| Microsoft.Sql/servers/vulnerabilityAssessments/*Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Sql/servers/azureADOnlyAuthentications/*Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
| Microsoft.Sql/managedInstances/readMicrosoft.Sql/managedInstances/read | 返回托管实例的列表,或获取指定托管实例的属性。Return the list of managed instances or gets the properties for the specified managed instance. |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
| Microsoft.Security/sqlVulnerabilityAssessments/*Microsoft.Security/sqlVulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/administrators/readMicrosoft.Sql/managedInstances/administrators/read | 获取托管实例管理员的列表。Gets a list of managed instance administrators. |
| Microsoft.Sql/servers/administrators/readMicrosoft.Sql/servers/administrators/read | 获取特定的 Azure Active Directory 管理员对象Gets a specific Azure Active Directory administrator object |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server 参与者SQL Server Contributor
允许管理 SQL Server 和数据库,但不允许访问它们及其安全相关策略。Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Sql/locations/*/readMicrosoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/*Microsoft.Sql/servers/* | 创建和管理 SQL 服务器Create and manage SQL servers |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.Insights/metrics/readMicrosoft.Insights/metrics/read | 添加指标Read metrics |
| Microsoft.Insights/metricDefinitions/readMicrosoft.Insights/metricDefinitions/read | 读取指标定义Read metric definitions |
| 不操作NotActions | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/*Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/*Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/*Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/*Microsoft.Sql/servers/auditingSettings/* | 编辑 SQL 服务器审核设置Edit SQL server auditing settings |
| Microsoft.Sql/servers/databases/auditingSettings/*Microsoft.Sql/servers/databases/auditingSettings/* | 编辑 SQL 服务器数据库审核设置Edit SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/readMicrosoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/*Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/*Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 编辑 SQL 服务器数据库数据屏蔽策略Edit SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/*Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/*Microsoft.Sql/servers/databases/securityAlertPolicies/* | 编辑 SQL 服务器数据库安全警报策略Edit SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/*Microsoft.Sql/servers/databases/securityMetrics/* | 编辑 SQL 服务器数据库安全度量值Edit SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/*Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/*Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/extendedAuditingSettings/*Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/*Microsoft.Sql/servers/securityAlertPolicies/* | 编辑 SQL 服务器安全警报策略Edit SQL server security alert policies |
| Microsoft.Sql/servers/vulnerabilityAssessments/*Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/deleteMicrosoft.Sql/servers/azureADOnlyAuthentications/delete | 删除特定服务器仅限 Azure Active Directory 的身份验证对象Deletes a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/azureADOnlyAuthentications/writeMicrosoft.Sql/servers/azureADOnlyAuthentications/write | 添加或更新特定服务器仅限 Azure Active Directory 的身份验证对象Adds or updates a specific server Azure Active Directory only authentication object |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AnalyticsAnalytics
Azure 事件中心数据所有者Azure Event Hubs Data Owner
允许完全访问 Azure 事件中心资源。Allows for full access to Azure Event Hubs resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.EventHub/*Microsoft.EventHub/* | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.EventHub/*Microsoft.EventHub/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
"name": "f526a384-b230-433a-b45c-95f59c4a2dec",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 事件中心数据接收方Azure Event Hubs Data Receiver
允许接收对 Azure 事件中心资源的访问权限。Allows receive access to Azure Event Hubs resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.EventHub/*/eventhubs/consumergroups/readMicrosoft.EventHub/*/eventhubs/consumergroups/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.EventHub/*/receive/actionMicrosoft.EventHub/*/receive/action | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows receive access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/consumergroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 事件中心数据发送方Azure Event Hubs Data Sender
允许以发送方式访问 Azure 事件中心资源。Allows send access to Azure Event Hubs resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.EventHub/*/eventhubs/readMicrosoft.EventHub/*/eventhubs/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.EventHub/*/send/actionMicrosoft.EventHub/*/send/action | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
"name": "2b629674-e913-4c01-ae53-ef4638d8f975",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
数据工厂参与者Data Factory Contributor
创建和管理数据工厂,以及其中的子资源。Create and manage data factories, as well as child resources within them. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.DataFactory/dataFactories/*Microsoft.DataFactory/dataFactories/* | 创建和管理数据工厂,以及它们包含的子资源。Create and manage data factories, and child resources within them. |
| Microsoft.DataFactory/factories/*Microsoft.DataFactory/factories/* | 创建和管理数据工厂,以及它们包含的子资源。Create and manage data factories, and child resources within them. |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| Microsoft.EventGrid/eventSubscriptions/writeMicrosoft.EventGrid/eventSubscriptions/write | 创建或更新事件订阅Create or update an eventSubscription |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Create and manage data factories, as well as child resources within them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
"name": "673868aa-7521-48a0-acc6-0f60742d39f5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.EventGrid/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Factory Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
数据清除程序Data Purger
从 Log Analytics 工作区中删除专用数据。Delete private data from a Log Analytics workspace.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Insights/components/*/readMicrosoft.Insights/components/*/read | |
| Microsoft.Insights/components/purge/actionMicrosoft.Insights/components/purge/action | 从 Application Insights 清除数据Purging data from Application Insights |
| Microsoft.OperationalInsights/workspaces/*/readMicrosoft.OperationalInsights/workspaces/*/read | 查看日志分析数据View log analytics data |
| Microsoft.OperationalInsights/workspaces/purge/actionMicrosoft.OperationalInsights/workspaces/purge/action | 从工作区中删除指定数据Delete specified data from workspace |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can purge analytics data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"permissions": [
{
"actions": [
"Microsoft.Insights/components/*/read",
"Microsoft.Insights/components/purge/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/purge/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Purger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight 群集操作员HDInsight Cluster Operator
允许你读取和修改 HDInsight 群集配置。Lets you read and modify HDInsight cluster configurations. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.HDInsight/*/readMicrosoft.HDInsight/*/read | |
| Microsoft.HDInsight/clusters/getGatewaySettings/actionMicrosoft.HDInsight/clusters/getGatewaySettings/action | 获取 HDInsight 群集的网关设置Get gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/updateGatewaySettings/actionMicrosoft.HDInsight/clusters/updateGatewaySettings/action | 更新 HDInsight 群集的网关设置Update gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/configurations/*Microsoft.HDInsight/clusters/configurations/* | |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operations/read | 获取或列出部署操作。Gets or lists deployment operations. |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and modify HDInsight cluster configurations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
"name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
"permissions": [
{
"actions": [
"Microsoft.HDInsight/*/read",
"Microsoft.HDInsight/clusters/getGatewaySettings/action",
"Microsoft.HDInsight/clusters/updateGatewaySettings/action",
"Microsoft.HDInsight/clusters/configurations/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Cluster Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight 域服务参与者HDInsight Domain Services Contributor
可以读取、创建、修改和删除 HDInsight 企业安全性套餐所需的域服务相关操作了解更多Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.AAD/*/readMicrosoft.AAD/*/read | |
| Microsoft.AAD/domainServices/*/readMicrosoft.AAD/domainServices/*/read | |
| Microsoft.AAD/domainServices/oucontainer/*Microsoft.AAD/domainServices/oucontainer/* | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
"name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
"permissions": [
{
"actions": [
"Microsoft.AAD/*/read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.AAD/domainServices/oucontainer/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics 参与者Log Analytics Contributor
Log Analytics 参与者可以读取所有监视数据并编辑监视设置。Log Analytics Contributor can read all monitoring data and edit monitoring settings. 编辑监视设置包括向 VM 添加 VM 扩展、读取存储帐户密钥以便能够从 Azure 存储配置日志收集、创建和配置自动化帐户、添加解决方案以及配置所有 Azure 资源上的 Azure 诊断。Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| */read*/read | 读取除密码外的所有类型的资源。Read resources of all types, except secrets. |
| Microsoft.Automation/automationAccounts/*Microsoft.Automation/automationAccounts/* | |
| Microsoft.ClassicCompute/virtualMachines/extensions/*Microsoft.ClassicCompute/virtualMachines/extensions/* | |
| Microsoft.ClassicStorage/storageAccounts/listKeys/actionMicrosoft.ClassicStorage/storageAccounts/listKeys/action | 列出存储帐户的访问密钥。Lists the access keys for the storage accounts. |
| Microsoft.Compute/virtualMachines/extensions/*Microsoft.Compute/virtualMachines/extensions/* | |
| Microsoft.HybridCompute/machines/extensions/writeMicrosoft.HybridCompute/machines/extensions/write | 安装或更新 Azure Arc 扩展Installs or Updates an Azure Arc extensions |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/*Microsoft.Insights/diagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.OperationalInsights/*Microsoft.OperationalInsights/* | |
| Microsoft.OperationsManagement/*Microsoft.OperationsManagement/* | |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/*Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Storage/storageAccounts/listKeys/actionMicrosoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。Returns the access keys for the specified storage account. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Automation/automationAccounts/*",
"Microsoft.ClassicCompute/virtualMachines/extensions/*",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/*",
"Microsoft.OperationsManagement/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics 读者Log Analytics Reader
Log Analytics 读者可以查看和搜索所有监视数据并查看监视设置,其中包括查看所有 Azure 资源上的 Azure 诊断的配置。Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| */read*/read | 读取除密码外的所有类型的资源。Read resources of all types, except secrets. |
| Microsoft.OperationalInsights/workspaces/analytics/query/actionMicrosoft.OperationalInsights/workspaces/analytics/query/action | 使用新引擎进行搜索。Search using new engine. |
| Microsoft.OperationalInsights/workspaces/search/actionMicrosoft.OperationalInsights/workspaces/search/action | 执行搜索查询Executes a search query |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| Microsoft.OperationalInsights/workspaces/sharedKeys/readMicrosoft.OperationalInsights/workspaces/sharedKeys/read | 检索工作区的共享密钥。Retrieves the shared keys for the workspace. 这些密钥用于将 Microsoft Operational Insights 代理连接到工作区。These keys are used to connect Microsoft Operational Insights agents to the workspace. |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
"name": "73c42c96-874c-492b-b04d-ab87d138a893",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Purview 数据管护者Purview Data Curator
Microsoft.Purview 数据管护者可以创建、读取、修改和删除目录数据对象,并可以建立对象之间的关系。The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change.
| 操作Actions | 说明Description |
|---|---|
| Microsoft.Purview/accounts/readMicrosoft.Purview/accounts/read | 读取 Microsoft Purview 提供商的帐户资源。Read account resource for Microsoft Purview provider. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Purview/accounts/data/readMicrosoft.Purview/accounts/data/read | 读取数据对象。Read data objects. |
| Microsoft.Purview/accounts/data/writeMicrosoft.Purview/accounts/data/write | 创建、更新和删除数据对象。Create, update and delete data objects. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347",
"name": "8a3c2885-9b38-4fd2-9d99-91af537c1347",
"permissions": [
{
"actions": [
"Microsoft.Purview/accounts/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Purview/accounts/data/read",
"Microsoft.Purview/accounts/data/write"
],
"notDataActions": []
}
],
"roleName": "Purview Data Curator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Purview 数据读取者Purview Data Reader
Microsoft.Purview 数据读取者可以读取目录数据对象。The Microsoft.Purview data reader can read catalog data objects. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change.
| 操作Actions | 说明Description |
|---|---|
| Microsoft.Purview/accounts/readMicrosoft.Purview/accounts/read | 读取 Microsoft Purview 提供商的帐户资源。Read account resource for Microsoft Purview provider. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Purview/accounts/data/readMicrosoft.Purview/accounts/data/read | 读取数据对象。Read data objects. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db",
"name": "ff100721-1b9d-43d8-af52-42b69c1272db",
"permissions": [
{
"actions": [
"Microsoft.Purview/accounts/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Purview/accounts/data/read"
],
"notDataActions": []
}
],
"roleName": "Purview Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Purview 数据源管理员Purview Data Source Administrator
Microsoft.Purview 数据源管理员可以管理数据源和数据扫描。The Microsoft.Purview data source administrator can manage data sources and data scans. 此角色处于预览状态,可能会发生更改。This role is in preview and subject to change.
| 操作Actions | 说明Description |
|---|---|
| Microsoft.Purview/accounts/readMicrosoft.Purview/accounts/read | 读取 Microsoft Purview 提供商的帐户资源。Read account resource for Microsoft Purview provider. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Purview/accounts/scan/readMicrosoft.Purview/accounts/scan/read | 读取数据源和扫描。Read data sources and scans. |
| Microsoft.Purview/accounts/scan/writeMicrosoft.Purview/accounts/scan/write | 创建、更新和删除数据源以及管理扫描。Create, update and delete data sources and manage scans. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803",
"name": "200bba9e-f0c8-430f-892b-6f0794863803",
"permissions": [
{
"actions": [
"Microsoft.Purview/accounts/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Purview/accounts/scan/read",
"Microsoft.Purview/accounts/scan/write"
],
"notDataActions": []
}
],
"roleName": "Purview Data Source Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
架构注册表参与者(预览)Schema Registry Contributor (Preview)
读取、写入和删除架构注册表组和架构。Read, write, and delete Schema Registry groups and schemas.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/*Microsoft.EventHub/namespaces/schemagroups/* | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.EventHub/namespaces/schemas/*Microsoft.EventHub/namespaces/schemas/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Read, write, and delete Schema Registry groups and schemas.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
"name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/*"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
架构注册表读取器(预览版)Schema Registry Reader (Preview)
读取和列出架构注册表组和架构。Read and list Schema Registry groups and schemas.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/readMicrosoft.EventHub/namespaces/schemagroups/read | 获取 SchemaGroup 资源说明列表Get list of SchemaGroup Resource Descriptions |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.EventHub/namespaces/schemas/readMicrosoft.EventHub/namespaces/schemas/read | 检索架构Retrieve schemas |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Read and list Schema Registry groups and schemas.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/read"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
区块链Blockchain
区块链成员节点访问(预览版)Blockchain Member Node Access (Preview)
允许访问区块链成员节点。Allows for access to Blockchain Member nodes.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Blockchain/blockchainMembers/transactionNodes/readMicrosoft.Blockchain/blockchainMembers/transactionNodes/read | 获取或列出现有的区块链成员事务节点。Gets or Lists existing Blockchain Member Transaction Node(s). |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/actionMicrosoft.Blockchain/blockchainMembers/transactionNodes/connect/action | 连接到区块链成员事务节点。Connects to a Blockchain Member Transaction Node. |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Allows for access to Blockchain Member nodes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24",
"name": "31a002a1-acaf-453e-8a5b-297c9ca1ea24",
"permissions": [
{
"actions": [
"Microsoft.Blockchain/blockchainMembers/transactionNodes/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action"
],
"notDataActions": []
}
],
"roleName": "Blockchain Member Node Access (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AI + 机器学习AI + machine learning
认知服务参与者Cognitive Services Contributor
允许创建、读取、更新、删除和管理认知服务的密钥。Lets you create, read, update, delete and manage keys of Cognitive Services. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.Authorization/*/readMicrosoft.Authorization/*/read | 读取角色和角色分配Read roles and role assignments |
| Microsoft.CognitiveServices/*Microsoft.CognitiveServices/* | |
| Microsoft.Features/features/readMicrosoft.Features/features/read | 获取订阅的功能。Gets the features of a subscription. |
| Microsoft.Features/providers/features/readMicrosoft.Features/providers/features/read | 获取给定资源提供程序中某个订阅的功能。Gets the feature of a subscription in a given resource provider. |
| Microsoft.Insights/alertRules/*Microsoft.Insights/alertRules/* | 创建和管理经典指标警报Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/*Microsoft.Insights/diagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/logDefinitions/readMicrosoft.Insights/logDefinitions/read | 读取日志定义Read log definitions |
| Microsoft.Insights/metricdefinitions/readMicrosoft.Insights/metricdefinitions/read | 读取指标定义Read metric definitions |
| Microsoft.Insights/metrics/readMicrosoft.Insights/metrics/read | 添加指标Read metrics |
| Microsoft.ResourceHealth/availabilityStatuses/readMicrosoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/*Microsoft.Resources/deployments/* | 创建和管理部署Create and manage a deployment |
| Microsoft.Resources/deployments/operations/readMicrosoft.Resources/deployments/operations/read | 获取或列出部署操作。Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/readMicrosoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。Get the subscription operation results. |
| Microsoft.Resources/subscriptions/readMicrosoft.Resources/subscriptions/read | 获取订阅的列表。Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/*Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Resources/subscriptions/resourceGroups/readMicrosoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。Gets or lists resource groups. |
| Microsoft.Support/*Microsoft.Support/* | 创建和更新支持票证Create and update a support ticket |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| 无none | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.CognitiveServices/*",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务自定义视觉参与者Cognitive Services Custom Vision Contributor
对项目的完全访问权限,包括可以查看、创建、编辑或删除项目。Full access to the project, including the ability to view, create, edit, or delete projects.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*Microsoft.CognitiveServices/accounts/CustomVision/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Custom Vision Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务自定义视觉部署Cognitive Services Custom Vision Deployment
发布、取消发布或导出模型。Publish, unpublish or export models. 部署可以查看项目,但不能更新项目。Deployment can view the project but can't update.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/classify/*Microsoft.CognitiveServices/accounts/CustomVision/classify/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/detect/*Microsoft.CognitiveServices/accounts/CustomVision/detect/* | |
| NotDataActionsNotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/export/read | 导出项目。Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
"Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
"Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Deployment",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务自定义视觉标记者Cognitive Services Custom Vision Labeler
查看、编辑训练图像,创建、添加、移除或删除图像标记。View, edit training images and create, add, remove, or delete the image tags. 标记者可以查看项目,但不能更新除训练图像和标记以外的任何内容。Labelers can view the project but can't update anything other than training images and tags.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | 获取已发送到预测终结点的图像。Get images that were sent to your prediction endpoint. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | 此 API 获取未标记图像数组/批的建议标记和区域,以及标记的置信度。This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. 如果未找到标记,则返回空数组。It returns an empty array if no tags are found. |
| NotDataActionsNotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/export/read | 导出项目。Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
"name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Labeler",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务自定义视觉读取者Cognitive Services Custom Vision Reader
只读项目中的操作。Read-only actions in the project. 读取者不能创建或更新项目。Readers can't create or update the project.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/readMicrosoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | 获取已发送到预测终结点的图像。Get images that were sent to your prediction endpoint. |
| NotDataActionsNotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/export/read | 导出项目。Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Read-only actions in the project. Readers can't create or update the project.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
"name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务自定义视觉训练者Cognitive Services Custom Vision Trainer
查看、编辑项目和训练模型,包括可以发布、取消发布、导出模型。View, edit projects and train the models, including the ability to publish, unpublish, export the models. 训练者不能创建或删除项目。Trainers can't create or delete the project.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*Microsoft.CognitiveServices/accounts/CustomVision/* | |
| NotDataActionsNotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/action | 创建项目。Create a project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/deleteMicrosoft.CognitiveServices/accounts/CustomVision/projects/delete | 删除特定的项目。Delete a specific project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/import/actionMicrosoft.CognitiveServices/accounts/CustomVision/projects/import/action | 导入项目。Imports a project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/readMicrosoft.CognitiveServices/accounts/CustomVision/projects/export/read | 导出项目。Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Trainer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务数据读取者(预览版)Cognitive Services Data Reader (Preview)
允许读取认知服务数据。Lets you read Cognitive Services data.
| 操作Actions | 描述Description |
|---|---|
| 无none | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read Cognitive Services data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
"name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Data Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务指标顾问管理员Cognitive Services Metrics Advisor Administrator
拥有对项目的完全访问权限,包括系统级配置。Full access to the project, including the system level configuration. 了解详细信息Learn more
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/MetricsAdvisor/*Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |
| NotDataActionsNotDataActions | |
| 无none |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the system level configuration.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
"name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Metrics Advisor Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
认知服务 QnA Maker 编辑者Cognitive Services QnA Maker Editor
允许你创建、编辑、导入和导出知识库。Let's you create, edit, import and export a KB. 但不能发布或删除知识库。You cannot publish or delete a KB.
| 操作Actions | 描述Description |
|---|---|
| Microsoft.CognitiveServices/*/readMicrosoft.CognitiveServices/*/read | |
| Microsoft.Authorization/roleAssignments/readMicrosoft.Authorization/roleAssignments/read | 获取有关角色分配的信息。Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/readMicrosoft.Authorization/roleDefinitions/read | 获取有关角色定义的信息。Get information about a role definition. |
| 不操作NotActions | |
| 无none | |
| DataActionsDataActions | |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | 获取知识库列表或特定知识库的详细信息。Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | 下载知识库。Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/writeMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write | 用于创建新知识库的异步操作。Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/writeMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write | 用于修改知识库或替换知识库内容的异步操作。Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | 用于查询知识库的 GenerateAnswer 调用。GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/actionMicrosoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action | 用于将建议添加到知识库的 Train 调用。Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/readMicrosoft.CognitiveServices/accounts/QnAMaker/alterations/read | 从运行时下载更改。Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/writeMicrosoft.CognitiveServices/accounts/QnAMaker/alterations/write | 替换更改数据。Replace alterations data. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | 获取终结点的终结点密钥Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/actionMicrosoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action | 重新生成终结点密钥。Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/readMicrosoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | 获取终结点的终结点设置Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/writeMicrosoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write | 更新终结点的终结点设置。Update endpoint seettings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/operations/readMicrosoft.CognitiveServices/accounts/QnAMaker/operations/read | 获取特定的长时间运行的操作的详细信息。Gets details of a specific long running operation. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | 获取知识库列表或特定知识库的详细信息。Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/readMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | 下载知识库。Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write | 用于创建新知识库的异步操作。Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/writeMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write | 用于修改知识库或替换知识库内容的异步操作。Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/actionMicrosoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action |