用于数据库的 Azure 内置角色
本文列出了数据库类别的 Azure 内置角色。
连接到 Azure 的 SQL Server 载入
对于已启用 Arc 的服务器上的 SQL Server,允许对 Azure 资源的读取和写入访问。
| 操作 | 说明 |
|---|---|
| Microsoft.AzureArcData/sqlServerInstances/read | 检索 SQL Server 实例资源 |
| Microsoft.AzureArcData/sqlServerInstances/write | 更新 SQL Server 实例资源 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB 帐户读者角色
可以读取 Azure Cosmos DB 帐户数据。 请参阅 Cosmos DB 帐户参与者,了解如何管理 Azure Cosmos DB 帐户。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.DocumentDB/*/read | 读取任何集合 |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | 读取数据库帐户只读密钥。 |
| Microsoft.Insights/MetricDefinitions/read | 读取指标定义 |
| Microsoft.Insights/Metrics/read | 添加指标 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB 操作员
允许管理 Azure Cosmos DB 帐户,但不能访问其中的数据。 阻止访问帐户密钥和连接字符串。
| 操作 | 描述 |
|---|---|
| Microsoft.DocumentDb/databaseAccounts/* | |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
| 不操作 | |
| Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* | |
| Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
| Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | 创建或更新 SQL 角色定义 |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | 删除 SQL 角色定义 |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | 创建或更新 SQL 角色分配 |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | 删除 SQL 角色分配 |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | 创建或更新 MongoDB 角色定义 |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | 删除 MongoDB 角色定义 |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | 创建或更新 MongoDB 用户定义 |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | 删除 MongoDB 用户定义 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
可以为帐户提交 Cosmos DB 数据库或容器的还原请求
| 操作 | 描述 |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/backup/action | 提交配置备份的请求 |
| Microsoft.DocumentDB/databaseAccounts/restore/action | 提交还原请求 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
可以对连续备份模式下的 Cosmos DB 数据库帐户执行还原操作
| 操作 | 说明 |
|---|---|
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | 提交还原请求 |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | 读取可还原数据库帐户或列出所有可还原数据库帐户 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB 帐户参与者
可管理 Azure Cosmos DB 帐户。 Azure Cosmos DB 以前称为 DocumentDB。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.DocumentDb/databaseAccounts/* | 创建并管理 Azure Cosmos DB 帐户 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
PostgreSQL 灵活服务器长期保留备份角色
允许备份保管库访问用于长期保留备份的 PostgreSQL 灵活服务器资源 API 的角色。
| 操作 | 说明 |
|---|---|
| Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read | 返回 PostgreSQL 服务器长期备份操作跟踪列表。 |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action | 检查服务器是否已准备好进行长期备份 |
| Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action | 为服务器启动长期备份 |
| Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read | 返回 PostgreSQL 服务器操作结果 |
| Microsoft.DBforPostgreSQL/locations/operationResults/read | 返回 PostgreSQL 服务器操作结果 |
| Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-43ba-90d4-1fb21feae531",
"name": "c088a766-074b-43ba-90d4-1fb21feae531",
"permissions": [
{
"actions": [
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action",
"Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action",
"Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read",
"Microsoft.DBforPostgreSQL/locations/operationResults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis 缓存参与者
允许管理 Redis 缓存,但不允许访问这些缓存。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Cache/register/action | 将“Microsoft.Cache”资源提供程序注册到订阅 |
| Microsoft.Cache/redis/* | 创建和管理 Redis 缓存 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB 参与者
允许管理 SQL 数据库,但不允许访问这些数据库。 此外,不允许管理其安全相关的策略或其父 SQL 服务器。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/databases/* | 创建和管理 SQL 数据库 |
| Microsoft.Sql/servers/read | 返回服务器列表,或获取指定服务器的属性。 |
| Microsoft.Insights/metrics/read | 添加指标 |
| Microsoft.Insights/metricDefinitions/read | 读取指标定义 |
| 不操作 | |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/write | 启用上传账本摘要 |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | 禁用上传账本摘要 |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/auditingSettings/* | 编辑审核设置 |
| Microsoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录 |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 编辑数据屏蔽策略 |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | 编辑安全警报策略 |
| Microsoft.Sql/servers/databases/securityMetrics/* | 编辑安全度量值 |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 托管实例参与者
允许你管理 SQL 托管实例和必需的网络配置,但无法向其他人授予访问权限。
| 操作 | 描述 |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Network/networkSecurityGroups/* | |
| Microsoft.Network/routeTables/* | |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/locations/instanceFailoverGroups/* | |
| Microsoft.Sql/managedInstances/* | |
| Microsoft.Network/virtualNetworks/subnets/* | |
| Microsoft.Network/virtualNetworks/* | |
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Insights/metrics/read | 添加指标 |
| Microsoft.Insights/metricDefinitions/read | 读取指标定义 |
| 不操作 | |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | 删除特定的托管服务器仅限 Azure Active Directory 的身份验证对象 |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | 添加或更新特定的托管服务器仅限 Azure Active Directory 的身份验证对象 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 安全管理器
允许管理 SQL 服务器和数据库的安全相关策略,但不允许访问它们。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Sql/locations/administratorAzureAsyncOperation/read | 获取托管实例 Azure 异步管理员操作结果。 |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | 检索为给定实例配置的托管实例高级威胁防护设置列表 |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | 更改给定托管实例的托管实例高级威胁防护设置 |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | 检索为给定托管数据库配置的托管数据库高级威胁防护设置列表 |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | 更改给定托管数据库的数据库高级威胁防护设置 |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | 检索为给定实例配置的托管实例高级威胁防护设置列表 |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | 更改给定托管实例的托管实例高级威胁防护设置 |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | 检索为给定托管数据库配置的托管数据库高级威胁防护设置列表 |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | 更改给定托管数据库的数据库高级威胁防护设置 |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | 检索为给定服务器配置的服务器高级威胁防护设置列表 |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | 更改给定服务器的服务器高级威胁防护设置 |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/read | 获取指定的 Azure SQL 托管实例服务器配置选项的属性。 |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/write | 更新指定的实例的 Azure SQL 托管实例服务器配置选项属性。 |
| Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | 获取 Azure SQL 托管实例服务器配置选项 Azure 异步操作的状态。 |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | 检索为给定服务器配置的服务器高级威胁防护设置列表 |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | 更改给定服务器的服务器高级威胁防护设置 |
| Microsoft.Sql/servers/auditingSettings/* | 创建和管理 SQL 服务器审核设置 |
| Microsoft.Sql/servers/extendedAuditingSettings/read | 检索在给定服务器上配置的扩展服务器 blob 审核策略的详细信息 |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | 检索为给定数据库配置的数据库高级威胁防护设置列表 |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | 更改给定数据库的数据库高级威胁防护设置 |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | 检索为给定数据库配置的数据库高级威胁防护设置列表 |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | 更改给定数据库的数据库高级威胁防护设置 |
| Microsoft.Sql/servers/databases/auditingSettings/* | 创建和管理 SQL 服务器数据库审核设置 |
| Microsoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录 |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 创建和管理 SQL 服务器数据库数据屏蔽策略 |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/read | 检索在给定的数据库上配置的扩展 blob 审核策略的详细信息 |
| Microsoft.Sql/servers/databases/read | 返回数据库的列表,或获取指定数据库的属性。 |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/read | 获取数据库架构。 |
| Microsoft.Sql/servers/databases/schemas/tables/columns/read | 获取数据库列。 |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/read | 获取数据库表。 |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | 创建和管理 SQL 服务器数据库安全警报策略 |
| Microsoft.Sql/servers/databases/securityMetrics/* | 创建和管理 SQL 服务器数据库安全度量值 |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
| Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/firewallRules/* | |
| Microsoft.Sql/servers/read | 返回服务器列表,或获取指定服务器的属性。 |
| Microsoft.Sql/servers/securityAlertPolicies/* | 创建和管理 SQL 服务器安全警报策略 |
| Microsoft.Sql/servers/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
| Microsoft.Sql/managedInstances/read | 返回托管实例的列表,或获取指定托管实例的属性。 |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
| Microsoft.Security/sqlVulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/administrators/read | 获取托管实例管理员的列表。 |
| Microsoft.Sql/servers/administrators/read | 获取特定的 Azure Active Directory 管理员对象 |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/* | |
| Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | 获取账本摘要上传设置的正在进行的操作 |
| Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | 获取账本摘要上传设置的正在进行的操作 |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server 参与者
允许管理SQL 服务器和数据库,但不允许访问它们及其安全相关策略。
| 操作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 读取角色和角色分配 |
| Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
| Microsoft.Resources/deployments/* | 创建和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/* | 创建和管理 SQL 服务器 |
| Microsoft.Insights/metrics/read | 添加指标 |
| Microsoft.Insights/metricDefinitions/read | 读取指标定义 |
| 不操作 | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/* | 编辑 SQL 服务器审核设置 |
| Microsoft.Sql/servers/databases/auditingSettings/* | 编辑 SQL 服务器数据库审核设置 |
| Microsoft.Sql/servers/databases/auditRecords/read | 检索数据库 Blob 审核记录 |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 编辑 SQL 服务器数据库数据屏蔽策略 |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | 编辑 SQL 服务器数据库安全警报策略 |
| Microsoft.Sql/servers/databases/securityMetrics/* | 编辑 SQL 服务器数据库安全度量值 |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/* | 编辑 SQL 服务器安全警报策略 |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/delete | 删除特定服务器仅限 Azure Active Directory 的身份验证对象 |
| Microsoft.Sql/servers/azureADOnlyAuthentications/write | 添加或更新特定服务器仅限 Azure Active Directory 的身份验证对象 |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | 删除特定服务器基于外部策略的授权属性 |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | 添加或更新特定服务器基于外部策略的授权属性 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}