用于 Analytics 的 Azure 内置角色
本文列出了 Analytics 类别的 Azure 内置角色。
Azure 事件中心数据所有者
允许完全访问 Azure 事件中心资源。
| 操作 | 说明 |
|---|---|
| Microsoft.EventHub/* | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.EventHub/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
"name": "f526a384-b230-433a-b45c-95f59c4a2dec",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 事件中心数据接收方
允许接收对 Azure 事件中心资源的访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.EventHub/*/eventhubs/consumergroups/read | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.EventHub/*/receive/action | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows receive access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/consumergroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure 事件中心数据发送方
允许以发送方式访问 Azure 事件中心资源。
| 操作 | 描述 |
|---|---|
| Microsoft.EventHub/*/eventhubs/read | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.EventHub/*/send/action | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
"name": "2b629674-e913-4c01-ae53-ef4638d8f975",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
数据工厂参与者
创建和管理数据工厂,以及其中的子资源。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.DataFactory/dataFactories/* | 创建和管理数据工厂,以及它们包含的子资源。 |
| Microsoft.DataFactory/factories/* | 创建和管理数据工厂,以及它们包含的子资源。 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.EventGrid/eventSubscriptions/write | 创建或更新事件订阅 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Create and manage data factories, as well as child resources within them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
"name": "673868aa-7521-48a0-acc6-0f60742d39f5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.EventGrid/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Factory Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
数据清除程序
从 Log Analytics 工作区中删除专用数据。
| 操作 | 描述 |
|---|---|
| Microsoft.Insights/components/*/read | |
| Microsoft.Insights/components/purge/action | 从 Application Insights 清除数据 |
| Microsoft.OperationalInsights/workspaces/*/read | 查看日志分析数据 |
| Microsoft.OperationalInsights/workspaces/purge/action | 通过查询从工作区中删除指定的数据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can purge analytics data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"permissions": [
{
"actions": [
"Microsoft.Insights/components/*/read",
"Microsoft.Insights/components/purge/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/purge/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Purger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight 群集操作员
允许你读取和修改 HDInsight 群集配置。
| 操作 | 描述 |
|---|---|
| Microsoft.HDInsight/*/read | |
| Microsoft.HDInsight/clusters/getGatewaySettings/action | 获取 HDInsight 群集的网关设置 |
| Microsoft.HDInsight/clusters/updateGatewaySettings/action | 更新 HDInsight 群集的网关设置 |
| Microsoft.HDInsight/clusters/configurations/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and modify HDInsight cluster configurations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
"name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
"permissions": [
{
"actions": [
"Microsoft.HDInsight/*/read",
"Microsoft.HDInsight/clusters/getGatewaySettings/action",
"Microsoft.HDInsight/clusters/updateGatewaySettings/action",
"Microsoft.HDInsight/clusters/configurations/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Cluster Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight 域服务参与者
可以读取、创建、修改和删除 HDInsight 企业安全性套餐所需的域服务相关操作
| 操作 | 描述 |
|---|---|
| Microsoft.AAD/*/read | |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.AAD/domainServices/oucontainer/* | |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
"name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
"permissions": [
{
"actions": [
"Microsoft.AAD/*/read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.AAD/domainServices/oucontainer/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics 参与者
Log Analytics 参与者可以读取所有监视数据并编辑监视设置。 编辑监视设置包括向 VM 添加 VM 扩展、读取存储帐户密钥以便能够从 Azure 存储配置日志收集、添加解决方案以及配置所有 Azure 资源上的 Azure 诊断。
| 操作 | 描述 |
|---|---|
| */read | 读取除密码外的所有类型的资源。 |
| Microsoft.ClassicCompute/virtualMachines/extensions/* | |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | 列出存储帐户的访问密钥。 |
| Microsoft.Compute/virtualMachines/extensions/* | |
| Microsoft.HybridCompute/machines/extensions/write | 安装或更新 Azure Arc 扩展 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Insights/diagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置 |
| Microsoft.OperationalInsights/* | |
| Microsoft.OperationsManagement/* | |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.ClassicCompute/virtualMachines/extensions/*",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/*",
"Microsoft.OperationsManagement/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics 读者
Log Analytics 读者可以查看和搜索所有监视数据并查看监视设置,其中包括查看所有 Azure 资源上的 Azure 诊断的配置。
| 操作 | 描述 |
|---|---|
| */read | 读取除密码外的所有类型的资源。 |
| Microsoft.OperationalInsights/workspaces/analytics/query/action | 使用新引擎进行搜索。 |
| Microsoft.OperationalInsights/workspaces/search/action | 执行搜索查询 |
| 不操作 | |
| Microsoft.OperationalInsights/workspaces/sharedKeys/read | 检索工作区的共享密钥。 这些密钥用于将 Microsoft Operational Insights 代理连接到工作区。 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
"name": "73c42c96-874c-492b-b04d-ab87d138a893",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action"
],
"notActions": [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
架构注册表参与者(预览)
读取、写入和删除架构注册表组和架构。
| 操作 | 描述 |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/* | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.EventHub/namespaces/schemas/* | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Read, write, and delete Schema Registry groups and schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
"name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/*"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
架构注册表读取器(预览版)
读取和列出架构注册表组和架构。
| 操作 | 描述 |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/read | 获取 SchemaGroup 资源说明列表 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.EventHub/namespaces/schemas/read | 检索架构 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Read and list Schema Registry groups and schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/read"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
流分析查询测试者
可以执行查询测试,而无需先创建流分析作业
| 操作 | 说明 |
|---|---|
| Microsoft.StreamAnalytics/locations/TestQuery/action | 测试流分析资源提供程序的查询 |
| Microsoft.StreamAnalytics/locations/OperationResults/read | 读取流分析操作结果 |
| Microsoft.StreamAnalytics/locations/SampleInput/action | 流分析资源提供程序的示例输入 |
| Microsoft.StreamAnalytics/locations/CompileQuery/action | 流分析资源提供程序的编译查询 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform query testing without creating a stream analytics job first",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"permissions": [
{
"actions": [
"Microsoft.StreamAnalytics/locations/TestQuery/action",
"Microsoft.StreamAnalytics/locations/OperationResults/read",
"Microsoft.StreamAnalytics/locations/SampleInput/action",
"Microsoft.StreamAnalytics/locations/CompileQuery/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Stream Analytics Query Tester",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}