Azure built-in roles for Hybrid + multicloud

This article lists the Azure built-in roles in the Hybrid + multicloud category.

Azure Resource Bridge Deployment Role

Azure Resource Bridge Deployment Role

Actions Description
Microsoft.Authorization/roleassignments/read Get information about a role assignment.
Microsoft.AzureStackHCI/Register/Action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.ResourceConnector/register/action Registers the subscription for the Appliances resource provider and enables the creation of Appliances.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or updates an Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes an Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Gets an Appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Gets the Appliance cluster customer user keys
Microsoft.ResourceConnector/appliances/upgradeGraphs/read Gets the upgrade graph of an Appliance cluster
Microsoft.ResourceConnector/telemetryconfig/read Gets the Appliance telemetry configuration used by the Appliance CLI
Microsoft.ResourceConnector/operations/read Gets the list of available operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for the Custom Location resource provider and enables the creation of Custom Locations.
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or updates a Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes a Custom Location resource
Microsoft.HybridConnectivity/register/action Registers the subscription for Microsoft.HybridConnectivity
Microsoft.Kubernetes/register/action Registers the subscription with the Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers the subscription with the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the status of an async operation.
Microsoft.KubernetesConfiguration/namespaces/read Gets a namespace resource
Microsoft.KubernetesConfiguration/operations/read Gets the available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Gets a guest configuration assignment.
Microsoft.HybridContainerService/register/action Registers the subscription for Microsoft.HybridContainerService
Microsoft.HybridContainerService/kubernetesVersions/read Lists the supported Kubernetes versions from the underlying custom location
Microsoft.HybridContainerService/kubernetesVersions/write Puts the Kubernetes version resource type
Microsoft.HybridContainerService/skus/read Lists the supported VM SKUs from the underlying custom location
Microsoft.HybridContainerService/skus/write Puts the VM SKU resource type
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/updates a storage container resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage container resources
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Resource Bridge Deployment Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",
  "name": "7b1f81f9-4196-4058-8aae-762e593270df",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleassignments/read",
        "Microsoft.AzureStackHCI/Register/Action",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/appliances/upgradeGraphs/read",
        "Microsoft.ResourceConnector/telemetryconfig/read",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.HybridContainerService/register/action",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Resource Bridge Deployment Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI Administrator

Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader

Actions Description
Microsoft.AzureStackHCI/register/action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.AzureStackHCI/Unregister/Action Unregisters the subscription for the Azure Stack HCI resource provider.
Microsoft.AzureStackHCI/clusters/*
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/lists network security group resources
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/lists security rule resources
Microsoft.AzureStackHCI/NetworkSecurityGroups/Write Creates/updates a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write Creates/updates a security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete Deletes a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete Deletes a security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action Joins a network security group resource
Microsoft.HybridCompute/register/action Registers the subscription for the Microsoft.HybridCompute resource provider
Microsoft.GuestConfiguration/register/action Registers the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Gets a guest configuration assignment.
Microsoft.Resources/subscriptions/resourceGroups/write Creates or updates a resource group.
Microsoft.Resources/subscriptions/resourceGroups/delete Deletes a resource group and all its resources.
Microsoft.HybridConnectivity/register/action Registers the subscription for Microsoft.HybridConnectivity
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read Lists the management groups for the authenticated user.
Microsoft.AzureStackHCI/*
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.HybridCompute/machines/read Reads any Azure Arc machine
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades extensions on an Azure Arc machine
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machine for missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machine
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extension
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Reads all operations for Azure Arc for servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Reads the hybrid identity metadata of any Azure Arc machine
Microsoft.HybridCompute/osType/agentVersions/read Reads all available Azure Connected Machine Agent versions
Microsoft.HybridCompute/osType/agentVersions/latest/read Reads the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/write Installs or updates an Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/delete Deletes any Azure Arc runcommand
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc license
Microsoft.HybridCompute/licenses/write Installs or updates an Azure Arc license
Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc license
Microsoft.ResourceConnector/register/action Registers the subscription for the Appliances resource provider and enables the creation of Appliances.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or updates an Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes an Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Gets an Appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Gets the Appliance cluster customer user keys
Microsoft.ResourceConnector/operations/read Gets the list of available operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for the Custom Location resource provider and enables the creation of Custom Locations.
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or updates a Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes a Custom Location resource
Microsoft.EdgeMarketplace/offers/read Gets an offer
Microsoft.EdgeMarketplace/publishers/read Gets a publisher
Microsoft.Kubernetes/register/action Registers the subscription with the Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers the subscription with the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the status of an async operation.
Microsoft.KubernetesConfiguration/namespaces/read Gets a namespace resource
Microsoft.KubernetesConfiguration/operations/read Gets the available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/updates a storage container resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage container resources
Microsoft.HybridContainerService/register/action Registers the subscription for Microsoft.HybridContainerService
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))
Restricts the role assignments this role can add or remove to the following roles:
Azure Connected Machine Resource Manager
Azure Connected Machine Resource Administrator
Azure Connected Machine Onboarding
Azure Stack HCI VM Reader
Azure Stack HCI VM Contributor
Azure Stack HCI Device Management Role
Azure Resource Bridge Deployment Role
Key Vault Secrets User
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Write",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.AzureStackHCI/*",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.EdgeMarketplace/offers/read",
        "Microsoft.EdgeMarketplace/publishers/read",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.HybridContainerService/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Azure Stack HCI Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI Device Management Role

Microsoft.AzureStackHCI Device Management Role

Actions Description
Microsoft.AzureStackHCI/Clusters/*
Microsoft.AzureStackHCI/EdgeDevices/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureStackHCI Device Management Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/Clusters/*",
        "Microsoft.AzureStackHCI/EdgeDevices/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI Device Management Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Contributor

Grants permissions to perform all VM actions

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/*
Microsoft.AzureStackHCI/virtualMachineInstances/*
Microsoft.AzureStackHCI/NetworkInterfaces/*
Microsoft.AzureStackHCI/VirtualHardDisks/*
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/lists virtual network resources
Microsoft.AzureStackHCI/VirtualNetworks/join/action Joins a virtual network resource
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/lists logical network resources
Microsoft.AzureStackHCI/LogicalNetworks/join/action Joins a logical network resource
Microsoft.AzureStackHCI/GalleryImages/Read Gets/lists gallery image resources
Microsoft.AzureStackHCI/GalleryImages/deploy/action Deploys a gallery image resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage container resources
Microsoft.AzureStackHCI/StorageContainers/deploy/action Deploys a storage container resource
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/lists marketplace gallery image resources
Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action Deploys a marketplace gallery image resource
Microsoft.AzureStackHCI/Clusters/Read Gets clusters
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read Gets the Arc resource of an HCI cluster
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/lists network security group resources
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/lists security rule resources
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/deployments/delete Deletes a deployment.
Microsoft.Resources/deployments/cancel/action Cancels a deployment.
Microsoft.Resources/deployments/validate/action Validates a deployment.
Microsoft.Resources/deployments/whatIf/action Predicts template deployment changes.
Microsoft.Resources/deployments/exportTemplate/action Exports the template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
Microsoft.HybridCompute/machines/read Reads any Azure Arc machine
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades extensions on an Azure Arc machine
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machine for missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machine
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extension
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Reads all operations for Azure Arc for servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Reads the hybrid identity metadata of any Azure Arc machine
Microsoft.HybridCompute/osType/agentVersions/read Reads all available Azure Connected Machine Agent versions
Microsoft.HybridCompute/osType/agentVersions/latest/read Reads the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/write Installs or updates an Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/delete Deletes any Azure Arc runcommand
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc license
Microsoft.HybridCompute/licenses/write Installs or updates an Azure Arc license
Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc license
Microsoft.ExtendedLocation/customLocations/Read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to perform all VM actions",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",
  "name": "874d1c73-6003-4e60-a13a-cb31ea190a85",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/*",
        "Microsoft.AzureStackHCI/virtualMachineInstances/*",
        "Microsoft.AzureStackHCI/NetworkInterfaces/*",
        "Microsoft.AzureStackHCI/VirtualHardDisks/*",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/join/action",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/join/action",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/GalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/StorageContainers/deploy/action",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ExtendedLocation/customLocations/Read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.KubernetesConfiguration/extensions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Reader

Grants permissions to view VMs

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/Read Gets/Lists virtual machine resources
Microsoft.AzureStackHCI/virtualMachineInstances/Read Gets/Lists virtual machine instance resources
Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read Gets/Lists virtual machine extension resources
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/Lists virtual network resources
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/Lists logical network resources
Microsoft.AzureStackHCI/NetworkInterfaces/Read Gets/Lists network interface resources
Microsoft.AzureStackHCI/VirtualHardDisks/Read Gets/Lists virtual hard disk resources
Microsoft.AzureStackHCI/StorageContainers/Read Gets/Lists storage container resources
Microsoft.AzureStackHCI/GalleryImages/Read Gets/Lists gallery image resources
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/Lists marketplace gallery image resources
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/Lists network security group resources
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/Lists security rule resources
Microsoft.HybridCompute/licenses/read Reads any Azure Arc licenses
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extensions
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/machines/read Reads any Azure Arc machines
Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read Reads any Azure Arc networkSecurityPerimeterConfigurations
Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read Reads any Azure Arc privateEndpointConnections
Microsoft.HybridCompute/privateLinkScopes/read Reads any Azure Arc privateLinkScopes
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/exportTemplate/action Export template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Gets the subscription operation results.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to view VMs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/Read",
        "Microsoft.AzureStackHCI/virtualMachineInstances/Read",
        "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/NetworkInterfaces/Read",
        "Microsoft.AzureStackHCI/VirtualHardDisks/Read",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read",
        "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions Description
Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read Gets the properties of an Azure Stack Marketplace product
Microsoft.AzureStack/registrations/read Gets the properties of an Azure Stack registration
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps