用于计算的 Azure 内置角色
本文列出了计算类别的 Azure 内置角色。
Azure Arc VMware VM 参与者
Arc VMware VM 参与者有权执行所有 VM 操作。
| 操作 | 说明 |
|---|---|
| Microsoft.ConnectedVMwarevSphere/virtualmachines/* | |
| Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/* | |
| Microsoft.Insights/AlertRules/Write | 创建或更新经典指标警报 |
| Microsoft.Insights/AlertRules/Delete | 删除经典指标警报 |
| Microsoft.Insights/AlertRules/Read | 读取经典指标警报 |
| Microsoft.Insights/AlertRules/Activated/Action | 经典指标警报已激活 |
| Microsoft.Insights/AlertRules/Resolved/Action | 经典指标警报已解决 |
| Microsoft.Insights/AlertRules/Throttled/Action | 经典指标预警规则已中止 |
| Microsoft.Insights/AlertRules/Incidents/Read | 读取经典指标警报事件 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/deployments/delete | 删除部署。 |
| Microsoft.Resources/deployments/cancel/action | 取消部署。 |
| Microsoft.Resources/deployments/validate/action | 验证部署。 |
| Microsoft.Resources/deployments/whatIf/action | 预测模板部署更改。 |
| Microsoft.Resources/deployments/exportTemplate/action | 导出部署的模板 |
| Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Resources/deployments/operationstatuses/read | 获取或列出部署操作状态。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/read | 获取或列出部署。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | 获取或列出部署操作状态。 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
| Microsoft.HybridCompute/machines/read | 读取任何 Azure Arc 计算机 |
| Microsoft.HybridCompute/machines/write | 写入 Azure Arc 计算机 |
| Microsoft.HybridCompute/machines/delete | 删除 Azure Arc 计算机 |
| Microsoft.HybridCompute/machines/UpgradeExtensions/action | 升级 Azure Arc 计算机上的扩展 |
| Microsoft.HybridCompute/machines/assessPatches/action | 评估任何 Azure Arc 计算机以获取缺失的软件补丁 |
| Microsoft.HybridCompute/machines/installPatches/action | 在任何 Azure Arc 计算机上安装补丁 |
| Microsoft.HybridCompute/machines/extensions/read | 读取任何 Azure Arc 扩展 |
| Microsoft.HybridCompute/machines/extensions/write | 安装或更新 Azure Arc 扩展 |
| Microsoft.HybridCompute/machines/extensions/delete | 删除 Azure Arc 扩展 |
| Microsoft.HybridCompute/operations/read | 读取适用于服务器的 Azure Arc 的所有操作 |
| Microsoft.HybridCompute/locations/operationresults/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.HybridCompute/locations/operationstatus/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.HybridCompute/machines/patchAssessmentResults/read | 读取任何 Azure Arc patchAssessmentResults |
| Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | 读取任何 Azure Arc patchAssessmentResults/softwarePatches |
| Microsoft.HybridCompute/machines/patchInstallationResults/read | 读取任何 Azure Arc patchInstallationResults |
| Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | 读取任何 Azure Arc patchInstallationResults/softwarePatches |
| Microsoft.HybridCompute/locations/updateCenterOperationResults/read | 在计算机上读取更新中心操作的状态 |
| Microsoft.HybridCompute/machines/hybridIdentityMetadata/read | 读取任何 Azure Arc 计算机的混合标识元数据 |
| Microsoft.HybridCompute/osType/agentVersions/read | 读取所有可用的 Azure Connected Machine Agent 版本 |
| Microsoft.HybridCompute/osType/agentVersions/latest/read | 读取最新的 Azure Connected Machine Agent 版本 |
| Microsoft.HybridCompute/machines/runcommands/read | 读取任何 Azure Arc runcommand |
| Microsoft.HybridCompute/machines/runcommands/write | 安装或更新 Azure Arc runcommand |
| Microsoft.HybridCompute/machines/runcommands/delete | 删除任何 Azure Arc runcommand |
| Microsoft.HybridCompute/machines/licenseProfiles/read | 读取任何 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/machines/licenseProfiles/write | 安装或更新 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/machines/licenseProfiles/delete | 删除 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/licenses/read | 读取任何 Azure Arc 许可证 |
| Microsoft.HybridCompute/licenses/write | 安装或更新 Azure Arc 许可证 |
| Microsoft.HybridCompute/licenses/delete | 删除 Azure Arc 许可证 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Arc VMware VM Contributor has permissions to perform all VM actions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb",
"name": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb",
"permissions": [
{
"actions": [
"Microsoft.ConnectedVMwarevSphere/virtualmachines/*",
"Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/assessPatches/action",
"Microsoft.HybridCompute/machines/installPatches/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
"Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
"Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
"Microsoft.HybridCompute/osType/agentVersions/read",
"Microsoft.HybridCompute/osType/agentVersions/latest/read",
"Microsoft.HybridCompute/machines/runcommands/read",
"Microsoft.HybridCompute/machines/runcommands/write",
"Microsoft.HybridCompute/machines/runcommands/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/licenses/write",
"Microsoft.HybridCompute/licenses/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc VMware VM Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典虚拟机参与者
允许管理经典虚拟机,但不允许访问这些虚拟机及其连接到的虚拟网络或存储帐户。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.ClassicCompute/domainNames/* | 创建和管理经典计算域名 |
| Microsoft.ClassicCompute/virtualMachines/* | 创建和管理虚拟机 |
| Microsoft.ClassicNetwork/networkSecurityGroups/join/action | |
| Microsoft.ClassicNetwork/reservedIps/link/action | 链接保留 IP |
| Microsoft.ClassicNetwork/reservedIps/read | 获取保留 IP |
| Microsoft.ClassicNetwork/virtualNetworks/join/action | 加入虚拟网络。 |
| Microsoft.ClassicNetwork/virtualNetworks/read | 获取虚拟网络。 |
| Microsoft.ClassicStorage/storageAccounts/disks/read | 返回存储帐户磁盘。 |
| Microsoft.ClassicStorage/storageAccounts/images/read | 返回存储帐户映像。 (已弃用。请使用“Microsoft.ClassicStorage/storageAccounts/vmImages”) |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | 列出存储帐户的访问密钥。 |
| Microsoft.ClassicStorage/storageAccounts/read | 返回包含给定帐户的存储帐户。 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Compute Gallery 工件发布者
这是可发布库工件的角色。
| 操作 | 说明 |
|---|---|
| Microsoft.Compute/galleries/* | |
| Microsoft.Compute/locations/capsOperations/read | 获取异步大写操作的状态 |
| Microsoft.Compute/locations/communityGalleries/* | |
| Microsoft.Compute/locations/sharedGalleries/* | |
| Microsoft.Compute/images/* | |
| Microsoft.Compute/virtualMachines/write | 创建新的虚拟机,或更新现有的虚拟机 |
| Microsoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| Microsoft.Compute/galleries/share/action | 将库共享到不同的范围 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "This is the role for publishing gallery artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
"name": "85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/*",
"Microsoft.Compute/locations/capsOperations/read",
"Microsoft.Compute/locations/communityGalleries/*",
"Microsoft.Compute/locations/sharedGalleries/*",
"Microsoft.Compute/images/*",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/disks/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Artifacts Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Compute Gallery 共享管理员
此角色允许用户将库共享给另一个订阅/租户,或共享给公众。
| 操作 | 说明 |
|---|---|
| Microsoft.Compute/galleries/share/action | 将库共享到不同的范围 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "This role allows user to share gallery to another subscription/tenant or share it to the public.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b",
"name": "1ef6a3be-d0ac-425d-8c01-acb62866290b",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/share/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Sharing Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
托管磁盘的数据操作员
提供使用 SAS URI 和 Azure AD 身份验证将数据上传到空托管磁盘、读取或导出托管磁盘(未附加到正在运行的 VM)的数据和快照的权限。
| 操作 | 描述 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Compute/disks/download/action | 对磁盘 SAS URI 执行读取数据操作 |
| Microsoft.Compute/disks/upload/action | 对磁盘 SAS URI 执行写入数据操作 |
| Microsoft.Compute/snapshots/download/action | 对快照 SAS URI 执行读取数据操作 |
| Microsoft.Compute/snapshots/upload/action | 对快照 SAS URI 执行写入数据操作 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
"name": "959f8984-c045-4866-89c7-12bf9737be2e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Compute/disks/download/action",
"Microsoft.Compute/disks/upload/action",
"Microsoft.Compute/snapshots/download/action",
"Microsoft.Compute/snapshots/upload/action"
],
"notDataActions": []
}
],
"roleName": "Data Operator for Managed Disks",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化应用程序组参与者
桌面虚拟化应用程序组参与者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/applicationgroups/* | |
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 读取 hostpools/sessionhosts |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Application Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8",
"name": "86240b0e-9422-4c43-887b-b61143f32ba8",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化应用程序组读取者
桌面虚拟化应用程序组读取者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/applicationgroups/*/read | |
| Microsoft.DesktopVirtualization/applicationgroups/read | 读取 applicationgroups |
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 读取 hostpools/sessionhosts |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/read | 读取经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Application Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
"name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化参与者
桌面虚拟化参与者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Contributor of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387",
"name": "082f0a83-3be5-4ba1-904c-961cca79b387",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化主机池参与者
桌面虚拟化主机池参与者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc",
"name": "e307426c-f9b6-4e81-87de-d99efb3c32bc",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化主机池读取者
桌面虚拟化主机池读取者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/*/read | |
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/read | 读取经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822",
"name": "ceadfde2-b300-400a-ab7b-6143895aa822",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化启用参与者
向 Azure 虚拟桌面资源提供程序提供启动虚拟机的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Compute/virtualMachines/start/action | 启动虚拟机 |
| Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
| Microsoft.Compute/virtualMachines/instanceView/read | 获取虚拟机的详细运行时状态及其资源 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.HybridCompute/machines/read | 读取任何 Azure Arc 计算机 |
| Microsoft.HybridCompute/operations/read | 读取适用于服务器的 Azure Arc 的所有操作 |
| Microsoft.HybridCompute/locations/operationresults/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.HybridCompute/locations/operationstatus/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.AzureStackHCI/virtualMachineInstances/read | 获取/列出虚拟机实例资源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/start/action | 启动虚拟机实例资源 |
| Microsoft.AzureStackHCI/operations/read | Get 操作 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33",
"name": "489581de-a3bd-480d-9518-53dea7416b33",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化禁用参与者
向 Azure 虚拟桌面资源提供程序提供启动和停止虚拟机的权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.AzureStackHCI/operations/read | Get 操作 |
| Microsoft.AzureStackHCI/virtualMachineInstances/read | 获取/列出虚拟机实例资源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/restart/action | 重启虚拟机实例资源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/start/action | 启动虚拟机实例资源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/stop/action | 停止虚拟机实例资源 |
| Microsoft.Compute/virtualMachines/deallocate/action | 关闭虚拟机并释放计算资源 |
| Microsoft.Compute/virtualMachines/instanceView/read | 获取虚拟机的详细运行时状态及其资源 |
| Microsoft.Compute/virtualMachines/powerOff/action | 关闭虚拟机。 请注意,该虚拟机会继续产生费用。 |
| Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
| Microsoft.Compute/virtualMachines/restart/action | 重新启动虚拟机 |
| Microsoft.Compute/virtualMachines/start/action | 启动虚拟机 |
| Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action | virtualMachinesCancelOperations:虚拟机的 cancelOperations |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action | virtualMachinesExecuteDeallocate:虚拟机的 executeDeallocate |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action | virtualMachinesExecuteHibernate:虚拟机的 executeHibernate |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action | virtualMachinesExecuteStart:虚拟机的 executeStart |
| Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action | |
| Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action | virtualMachinesGetOperationStatus:虚拟机的 getOperationStatus |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action | virtualMachinesSubmitDeallocate:虚拟机的 submitDeallocate |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action | virtualMachinesSubmitHibernate:虚拟机的 submitHibernate |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action | virtualMachinesSubmitStart:虚拟机的 submitStart |
| Microsoft.ComputeSchedule/register/action | 注册 Microsoft.ComputeSchedule 的订阅 |
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 读取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete | 删除 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read | 读取 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | 向用户会话发送消息 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/write | 写入 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/write | 写入 hostpools |
| Microsoft.HybridCompute/locations/operationresults/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.HybridCompute/locations/operationstatus/read | 读取 Microsoft.HybridCompute 资源提供程序的操作状态 |
| Microsoft.HybridCompute/machines/read | 读取任何 Azure Arc 计算机 |
| Microsoft.HybridCompute/operations/read | 读取适用于服务器的 Azure Arc 的所有操作 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Insights/eventtypes/values/read | 读取活动日志事件 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e",
"name": "40c5ff49-9181-41f8-ae61-143b0e78555e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.AzureStackHCI/operations/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/restart/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/stop/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action",
"Microsoft.ComputeSchedule/register/action",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/eventtypes/values/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Off Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化读取者
桌面虚拟化读取者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/*/read | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/read | 读取经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Reader of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868",
"name": "49a72310-ab8d-41df-bbb0-79b649203868",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化会话主机操作员
桌面虚拟化会话主机操作员。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Session Host.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408",
"name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Session Host Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化用户
允许用户使用应用程序组中的应用程序。
| 操作 | 描述 |
|---|---|
| 无 | |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.DesktopVirtualization/applicationGroups/useApplications/action | 使用 ApplicationGroup |
| Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action | 允许用户对应用程序组中的应用附加包授予权限 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Allows user to use the applications in an application group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DesktopVirtualization/applicationGroups/useApplications/action",
"Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action"
],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化用户会话操作员
桌面虚拟化用户会话操作员。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 读取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Uesr Session.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
"name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User Session Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化虚拟机参与者
此角色处于预览版阶段,可能会有所更改。 向 Azure 虚拟桌面资源提供程序提供创建、删除、更新、启动和停止虚拟机的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 读取 hostpools |
| Microsoft.DesktopVirtualization/hostpools/write | 写入 hostpools |
| Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action | 列出主机池的注册令牌 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 读取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/write | 写入 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete | 删除 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read | 读取 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action | 从会话主机断开用户会话的连接 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | 向用户会话发送消息 |
| Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read | 读取 hostpools/sessionhostconfigurations |
| Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action | 客户不应调用的内部操作。 未来的版本中会将这移除。 请勿使用。 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action | 重试预配的操作。 |
| Microsoft.Compute/availabilitySets/read | 获取可用性集的属性 |
| Microsoft.Compute/availabilitySets/write | 创建新的可用性集,或更新现有的可用性集 |
| Microsoft.Compute/availabilitySets/vmSizes/read | 列出可在可用性集中创建或更新的虚拟机大小 |
| Microsoft.Compute/disks/read | 获取磁盘的属性 |
| Microsoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘 |
| Microsoft.Compute/disks/delete | 删除磁盘 |
| Microsoft.Compute/galleries/read | 获取库的属性 |
| Microsoft.Compute/galleries/images/read | 获取库映像的属性 |
| Microsoft.Compute/galleries/images/versions/read | 获取库映像版本的属性 |
| Microsoft.Compute/images/read | 获取映像的属性 |
| Microsoft.Compute/locations/usages/read | 获取某个位置中订阅的计算资源的服务限制和当前用量 |
| Microsoft.Compute/locations/vmSizes/read | 列出某个位置的可用虚拟机大小 |
| Microsoft.Compute/operations/read | 列出可对 Microsoft.Compute 资源提供程序使用的操作 |
| Microsoft.Compute/skus/read | 获取订阅可用的 Microsoft.Compute SKU 列表 |
| Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
| Microsoft.Compute/virtualMachines/write | 创建新的虚拟机,或更新现有的虚拟机 |
| Microsoft.Compute/virtualMachines/delete | 删除虚拟机 |
| Microsoft.Compute/virtualMachines/start/action | 启动虚拟机 |
| Microsoft.Compute/virtualMachines/powerOff/action | 关闭虚拟机。 请注意,该虚拟机会继续产生费用。 |
| Microsoft.Compute/virtualMachines/restart/action | 重新启动虚拟机 |
| Microsoft.Compute/virtualMachines/deallocate/action | 关闭虚拟机并释放计算资源 |
| Microsoft.Compute/virtualMachines/runCommand/action | 执行虚拟机上的预定义脚本 |
| Microsoft.Compute/virtualMachines/extensions/read | 获取虚拟机扩展的属性 |
| Microsoft.Compute/virtualMachines/extensions/write | 创建新的或更新现有的虚拟机扩展 |
| Microsoft.Compute/virtualMachines/extensions/delete | 删除虚拟机扩展 |
| Microsoft.Compute/virtualMachines/runCommands/read | 获取虚拟机运行命令的属性 |
| Microsoft.Compute/virtualMachines/runCommands/write | 新建虚拟机运行命令或更新现有的命令 |
| Microsoft.Compute/virtualMachines/vmSizes/read | 列出可将虚拟机更新到的大小 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Network/networkInterfaces/write | 创建网络接口,或更新现有的网络接口。 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Network/networkInterfaces/join/action | 将虚拟机加入到网络接口。 不可发出警报。 |
| Microsoft.Network/networkInterfaces/delete | 删除网络接口 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
| Microsoft.Network/virtualNetworks/usages/read | 获取虚拟网络的每个子网的 IP 使用情况 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read | 返回一个协议。 |
| Microsoft.KeyVault/vaults/deploy/action | 部署 Azure 资源时启用对密钥保管库中机密的访问 |
| Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.DesktopVirtualization/scalingPlans/read | 读取 scalingplans |
| Microsoft.DesktopVirtualization/scalingPlans/write | 写入 scalingplans |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"name": "a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read",
"Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/locations/usages/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/operations/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.DesktopVirtualization/scalingPlans/read",
"Microsoft.DesktopVirtualization/scalingPlans/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化工作区参与者
桌面虚拟化工作区参与者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/workspaces/* | |
| Microsoft.DesktopVirtualization/applicationgroups/read | 读取 applicationgroups |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b",
"name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/*",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虚拟化工作区读取者
桌面虚拟化工作区读取者。
| 操作 | 说明 |
|---|---|
| Microsoft.DesktopVirtualization/workspaces/read | 读取工作区 |
| Microsoft.DesktopVirtualization/applicationgroups/read | 读取 applicationgroups |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/read | 读取经典指标警报 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
"name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁盘备份读取者
向备份保管库提供执行磁盘备份的权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Compute/disks/read | 获取磁盘的属性 |
| Microsoft.Compute/disks/beginGetAccess/action | 获取用于 Blob 访问的磁盘 SAS URI |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁盘池操作员
向 StoragePool 资源提供程序提供管理添加到磁盘池的磁盘的权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘 |
| Microsoft.Compute/disks/read | 获取磁盘的属性 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
"name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
"permissions": [
{
"actions": [
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Pool Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁盘还原操作员
向备份保管库提供执行磁盘还原的权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘 |
| Microsoft.Compute/disks/read | 获取磁盘的属性 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk restore.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
"name": "b50d9833-a0cb-478e-945f-707fcc997c13",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Restore Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁盘快照参与者
向备份保管库提供管理磁盘快照的权限。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Compute/snapshots/delete | 删除快照 |
| Microsoft.Compute/snapshots/write | 创建新的快照,或更新现有的快照 |
| Microsoft.Compute/snapshots/read | 获取快照的属性 |
| Microsoft.Compute/snapshots/beginGetAccess/action | 获取用于 blob 访问的快照 SAS URI |
| Microsoft.Compute/snapshots/endGetAccess/action | 撤销快照的 SAS URI |
| Microsoft.Compute/disks/beginGetAccess/action | 获取用于 Blob 访问的磁盘 SAS URI |
| Microsoft.Storage/storageAccounts/listkeys/action | 返回指定存储帐户的访问密钥。 |
| Microsoft.Storage/storageAccounts/write | 使用指定的参数创建存储帐户、更新指定存储帐户的属性或标记,或者为其添加自定义域。 |
| Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
| Microsoft.Storage/storageAccounts/delete | 删除现有的存储帐户。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to manage disk snapshots.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
"name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Snapshot Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机管理员登录
在门户中查看虚拟机并以管理员身份登录
| 操作 | 描述 |
|---|---|
| Microsoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出资源的终结点访问凭据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | 以普通用户身份登录虚拟机 |
| Microsoft.Compute/virtualMachines/loginAsAdmin/action | 以 Windows 管理员身份或 Linux 根用户权限登录虚拟机 |
| Microsoft.HybridCompute/machines/login/action | 以常规用户身份登录 Azure Arc 计算机 |
| Microsoft.HybridCompute/machines/loginAsAdmin/action | 使用 Windows 管理员或 Linux 根用户权限登录 Azure Arc 计算机 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as administrator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action",
"Microsoft.HybridCompute/machines/login/action",
"Microsoft.HybridCompute/machines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机参与者
创建并管理虚拟机、管理磁盘、安装并运行软件、使用 VM 扩展重置虚拟机根用户的密码,以及使用 VM 扩展管理本地用户帐户。 此角色不会授予你对虚拟机连接到的虚拟网络或存储帐户的管理访问权限。 此角色不允许在 Azure RBAC 中分配角色。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Compute/availabilitySets/* | 创建和管理计算可用性集 |
| Microsoft.Compute/locations/* | 创建和管理计算位置 |
| Microsoft.Compute/virtualMachines/* | 执行所有虚拟机操作,包括创建、更新、删除、启动、重新启动和关闭虚拟机。 在虚拟机上执行脚本。 |
| Microsoft.Compute/virtualMachineScaleSets/* | 创建和管理虚拟机规模集 |
| Microsoft.Compute/cloudServices/* | |
| Microsoft.Compute/disks/write | 创建新的磁盘,或更新现有的磁盘 |
| Microsoft.Compute/disks/read | 获取磁盘的属性 |
| Microsoft.Compute/disks/delete | 删除磁盘 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Network/applicationGateways/backendAddressPools/join/action | 加入应用程序网关后端地址池。 不可发出警报。 |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | 加入负载均衡器后端地址池。 不可发出警报。 |
| Microsoft.Network/loadBalancers/inboundNatPools/join/action | 加入负载均衡器入站 NAT 池。 不可发出警报。 |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | 加入负载均衡器入站 NAT 规则。 不可发出警报。 |
| Microsoft.Network/loadBalancers/probes/join/action | 允许使用负载均衡器的探测。 例如,使用此权限,VM 规模集的 healthProbe 属性可以引用探测。 不可发出警报。 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/locations/* | 创建和管理网络位置 |
| Microsoft.Network/networkInterfaces/* | 创建和管理网络接口 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入网络安全组。 不可发出警报。 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Network/publicIPAddresses/join/action | 加入公共 IP 地址。 不可发出警报。 |
| Microsoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
| Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | 创建备份保护意向 |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息 |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | 创建备份受保护项 |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略 |
| Microsoft.RecoveryServices/Vaults/backupPolicies/write | 创建保护策略 |
| Microsoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象 |
| Microsoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。 |
| Microsoft.RecoveryServices/Vaults/write | “创建保管库”操作创建“vault”类型的 Azure 资源 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.SerialConsole/serialPorts/connect/action | 连接到串行端口 |
| Microsoft.SqlVirtualMachine/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。 |
| Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/cloudServices/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SerialConsole/serialPorts/connect/action",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机数据访问管理员(预览版)
通过添加或删除“虚拟机管理员登录名”角色和“虚拟机用户登录名”角色的角色分配来管理对虚拟机的访问。 包括用于约束角色分配的 ABAC 条件。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/roleAssignments/write | 创建指定范围的角色分配。 |
| Microsoft.Authorization/roleAssignments/delete | 删除指定范围的角色分配。 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Management/managementGroups/read | 列出已通过身份验证的用户的管理组。 |
| Microsoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 | |
| 条件 | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) 或 (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) 和 ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) 或 (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) | 添加或移除以下角色的角色分配: 虚拟机管理员登录 虚拟机用户登录 |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))"
}
],
"roleName": "Virtual Machine Data Access Administrator (preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机本地用户登录
在门户中查看虚拟机,并以在 Arc 服务器上配置的本地用户身份登录
| 操作 | 说明 |
|---|---|
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出资源的终结点访问凭据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a local user configured on the arc server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525",
"name": "602da2ba-a5c2-41da-b01d-5360126ab525",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Local User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虚拟机用户登录
在门户中查看虚拟机并以普通用户身份登录。
| 操作 | 描述 |
|---|---|
| Microsoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出资源的终结点访问凭据。 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | 以普通用户身份登录虚拟机 |
| Microsoft.HybridCompute/machines/login/action | 以常规用户身份登录 Azure Arc 计算机 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular user.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows 365 网络接口参与者
Windows 365 使用此角色来预配所需的网络资源,并将 Microsoft 托管的 VM 加入到网络接口。
| 操作 | 说明 |
|---|---|
| Microsoft.Resources/subscriptions/resourcegroups/read | 获取或列出资源组。 |
| Microsoft.Resources/deployments/read | 获取或列出部署。 |
| Microsoft.Resources/deployments/write | 创建或更新部署。 |
| Microsoft.Resources/deployments/delete | 删除部署。 |
| Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
| Microsoft.Resources/deployments/operationstatuses/read | 获取或列出部署操作状态。 |
| Microsoft.Network/locations/operations/read | 获取表示异步操作状态的操作资源 |
| Microsoft.Network/locations/operationResults/read | 获取异步 POST 或 DELETE 操作的操作结果 |
| Microsoft.Network/locations/usages/read | 获取资源用量指标 |
| Microsoft.Network/networkInterfaces/write | 创建网络接口,或更新现有的网络接口。 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Network/networkInterfaces/delete | 删除网络接口 |
| Microsoft.Network/networkInterfaces/join/action | 将虚拟机加入到网络接口。 不可发出警报。 |
| Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action | 获取 VM 的网络接口上配置的网络安全组 |
| Microsoft.Network/networkInterfaces/effectiveRouteTable/action | 获取 VM 的网络接口上配置的路由表 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1f135831-5bbe-4924-9016-264044c00788",
"name": "1f135831-5bbe-4924-9016-264044c00788",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/locations/usages/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
"Microsoft.Network/networkInterfaces/effectiveRouteTable/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network Interface Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows 365 网络用户
Windows 365 使用此角色来读取虚拟网络并加入指定的虚拟网络。
| 操作 | 说明 |
|---|---|
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
| Microsoft.Network/virtualNetworks/usages/read | 获取虚拟网络的每个子网的 IP 使用情况 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to read virtual networks and join the designated virtual networks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7eabc9a4-85f7-4f71-b8ab-75daaccc1033",
"name": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033",
"permissions": [
{
"actions": [
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/subnets/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows Admin Center 管理员登录
允许以管理员身份通过 Windows Admin Center 管理资源的 OS。
| 操作 | 说明 |
|---|---|
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridCompute/machines/extensions/* | |
| Microsoft.HybridCompute/machines/upgradeExtensions/action | 升级 Azure Arc 计算机上的扩展 |
| Microsoft.HybridCompute/operations/read | 读取适用于服务器的 Azure Arc 的所有操作 |
| Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
| Microsoft.Network/loadBalancers/read | 获取负载均衡器定义 |
| Microsoft.Network/publicIPAddresses/read | 获取公共 IP 地址定义。 |
| Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
| Microsoft.Network/networkSecurityGroups/read | 获取网络安全组定义 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 获取默认的安全规则定义 |
| Microsoft.Network/networkWatchers/securityGroupView/action | 查看 VM 上应用的已配置和有效的网络安全组规则。 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 获取安全规则定义 |
| Microsoft.Network/networkSecurityGroups/securityRules/write | 创建安全规则,或更新现有的安全规则 |
| Microsoft.HybridConnectivity/endpoints/write | 创建或更新目标资源的终结点。 |
| Microsoft.HybridConnectivity/endpoints/read | 获取或列出目标资源的终结点。 |
| Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write | 为终结点资源创建或更新 serviceConfigurations。 |
| Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read | 获取或列出终结点资源的 serviceConfigurations。 |
| Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action | 列出资源的托管代理详细信息。 |
| Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read | 检索最新补丁评估操作的摘要 |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | 检索上次补丁评估操作期间评估的补丁列表 |
| Microsoft.Compute/virtualMachines/patchInstallationResults/read | 检索最新补丁安装操作的摘要 |
| Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | 检索上次补丁安装操作期间尝试安装的补丁列表 |
| Microsoft.Compute/virtualMachines/extensions/read | 获取虚拟机扩展的属性 |
| Microsoft.Compute/virtualMachines/instanceView/read | 获取虚拟机的详细运行时状态及其资源 |
| Microsoft.Compute/virtualMachines/runCommands/read | 获取虚拟机运行命令的属性 |
| Microsoft.Compute/virtualMachines/vmSizes/read | 列出可将虚拟机更新到的大小 |
| Microsoft.Compute/locations/publishers/artifacttypes/types/read | 获取 VMExtension 类型的属性 |
| Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read | 获取 VMExtension 版本的属性 |
| Microsoft.Compute/diskAccesses/read | 获取 DiskAccess 资源的属性 |
| Microsoft.Compute/galleries/images/read | 获取库映像的属性 |
| Microsoft.Compute/images/read | 获取映像的属性 |
| Microsoft.AzureStackHCI/Clusters/Read | 获取群集 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | 获取 HCI 群集的 Arc 资源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read | 获取 HCI 群集的扩展资源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write | 创建或更新 HCI 群集的扩展资源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete | 删除 HCI 群集的扩展资源 |
| Microsoft.AzureStackHCI/Operations/Read | Get 操作 |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | 读取 virtualmachines |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | 写入扩展资源 |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | 获取扩展资源 |
| 不操作 | |
| 无 | |
| DataActions | |
| Microsoft.HybridCompute/machines/WACLoginAsAdmin/action | 允许以管理员身份通过 Windows Admin Center 管理资源的 OS。 |
| Microsoft.Compute/virtualMachines/WACloginAsAdmin/action | 允许以管理员身份通过 Windows Admin Center 管理资源的 OS |
| Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | 以管理员身份通过 Windows Admin Center 管理 HCI 资源的 OS |
| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | 允许以管理员身份通过 Windows Admin Center 管理资源的 OS。 |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
"name": "a6333a3e-0164-44c3-b281-7a577aff287f",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridCompute/machines/extensions/*",
"Microsoft.HybridCompute/machines/upgradeExtensions/action",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.HybridConnectivity/endpoints/write",
"Microsoft.HybridConnectivity/endpoints/read",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",
"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/images/read",
"Microsoft.AzureStackHCI/Clusters/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
"Microsoft.AzureStackHCI/Operations/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
],
"notActions": [],
"dataActions": [
"Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
"Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",
"Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Windows Admin Center Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}