用于常规性的 Azure 内置角色

  • 项目

本文列出了常规类别的 Azure 内置角色。

参与者

授予完全访问权限来管理所有资源,但不允许在 Azure RBAC 中分配角色或在 Azure 蓝图中管理分配,也不允许共享映像库。

了解详细信息

操作 描述
* 创建和管理所有类型的资源
不操作
Microsoft.Authorization/*/Delete 删除角色、策略分配、策略定义和策略集定义
Microsoft.Authorization/*/Write 创建角色、角色分配、策略分配、策略定义和策略集定义
Microsoft.Authorization/elevateAccess/Action 向调用方授予租户范围的“用户访问管理员”访问权限
Microsoft.Blueprint/blueprintAssignments/write 创建或更新任何蓝图分配
Microsoft.Blueprint/blueprintAssignments/delete 删除任何蓝图分配
Microsoft.Compute/galleries/share/action 将库共享到不同的范围
Microsoft.Purview/consents/write 创建或更新同意资源。
Microsoft.Purview/consents/delete 删除同意资源。
DataActions
NotDataActions 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

所有者

授予管理所有资源的完全访问权限,包括允许在 Azure RBAC 中分配角色。

了解详细信息

操作 描述
* 创建和管理所有类型的资源
不操作
DataActions
NotDataActions 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

读取器

查看所有资源,但不允许进行任何更改。

了解详细信息

操作 描述
*/read 读取除密码外的所有类型的资源。
不操作
DataActions
NotDataActions 
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

基于角色的访问控制管理员

通过使用 Azure RBAC 分配角色来管理对 Azure 资源的访问。 此角色不允许使用其他方式(如 Azure Policy)管理访问权限。

操作 说明
Microsoft.Authorization/roleAssignments/write 创建指定范围的角色分配。
Microsoft.Authorization/roleAssignments/delete 删除指定范围的角色分配。
*/read 读取除密码外的所有类型的资源。
不操作
DataActions
NotDataActions 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Role Based Access Control Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

用户访问管理员

允许管理用户对 Azure 资源的访问权限。

了解详细信息

操作 描述
*/read 读取除密码外的所有类型的资源。
Microsoft.Authorization/* 管理授权
不操作
DataActions
NotDataActions 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤