用于混合 + 多云的 Azure 内置角色

项目
03/16/2024

本文列出了混合 + 多云类别的 Azure 内置角色。

Azure 资源网桥部署角色

操作	说明
Microsoft.Authorization/roleassignments/read	获取有关角色分配的信息。
Microsoft.AzureStackHCI/Register/Action	注册 Azure Stack HCI 资源提供程序的订阅，允许创建 Azure Stack HCI 资源。
Microsoft.ResourceConnector/register/action	注册设备资源提供程序的订阅，并启用设备的创建。
Microsoft.ResourceConnector/appliances/read	获取设备资源
Microsoft.ResourceConnector/appliances/write	创建或更新设备资源
Microsoft.ResourceConnector/appliances/delete	删除设备资源
Microsoft.ResourceConnector/locations/operationresults/read	获取设备操作的结果
Microsoft.ResourceConnector/locations/operationsstatus/read	获取设备操作的结果
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action	获取设备群集用户凭据
Microsoft.ResourceConnector/appliances/listKeys/action	获取设备群集客户用户密钥
Microsoft.ResourceConnector/appliances/upgradeGraphs/read	获取设备群集的升级图
Microsoft.ResourceConnector/telemetryconfig/read	获取设备 CLI 使用的设备遥测配置
Microsoft.ResourceConnector/operations/read	获取设备可用操作的列表
Microsoft.ExtendedLocation/register/action	注册自定义位置资源提供程序的订阅，并启用自定义位置的创建。
Microsoft.ExtendedLocation/customLocations/deploy/action	部署自定义位置资源的权限
Microsoft.ExtendedLocation/customLocations/read	获取自定义位置资源
Microsoft.ExtendedLocation/customLocations/write	创建或更新自定义位置资源
Microsoft.ExtendedLocation/customLocations/delete	删除自定义位置资源
Microsoft.HybridConnectivity/register/action	注册 Microsoft.HybridConnectivity 的订阅
Microsoft.Kubernetes/register/action	向 Microsoft.Kubernetes 资源提供程序注册订阅
Microsoft.KubernetesConfiguration/register/action	注册 Microsoft.KubernetesConfiguration 资源提供程序订阅。
Microsoft.KubernetesConfiguration/extensions/write	创建或更新扩展资源。
Microsoft.KubernetesConfiguration/extensions/read	获取扩展实例资源。
Microsoft.KubernetesConfiguration/extensions/delete	删除扩展实例资源。
Microsoft.KubernetesConfiguration/extensions/operations/read	获取异步操作状态。
Microsoft.KubernetesConfiguration/namespaces/read	获取命名空间资源
Microsoft.KubernetesConfiguration/operations/read	获取 Microsoft.KubernetesConfiguration 资源提供程序的可用操作。
Microsoft.GuestConfiguration/guestConfigurationAssignments/read	获取来宾配置分配。
Microsoft.HybridContainerService/register/action	注册 Microsoft.HybridContainerService 的订阅
Microsoft.HybridContainerService/kubernetesVersions/read	列出基础自定义位置中受支持的 kubernetes 版本
Microsoft.HybridContainerService/kubernetesVersions/write	放置 Kubernetes 版本资源类型
Microsoft.HybridContainerService/skus/read	列出基础自定义位置中受支持的 VM SKU
Microsoft.HybridContainerService/skus/write	放置 VM SKU 资源类型
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
Microsoft.AzureStackHCI/StorageContainers/Write	创建/更新存储容器资源
Microsoft.AzureStackHCI/StorageContainers/Read	获取/列出存储容器资源
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Resource Bridge Deployment Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",
  "name": "7b1f81f9-4196-4058-8aae-762e593270df",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleassignments/read",
        "Microsoft.AzureStackHCI/Register/Action",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/appliances/upgradeGraphs/read",
        "Microsoft.ResourceConnector/telemetryconfig/read",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.HybridContainerService/register/action",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Resource Bridge Deployment Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI 管理员

授予对群集及其资源的完全访问权限，包括注册 Azure Stack HCI 并将其他人分配为 Azure Arc HCI VM 参与者和/或 Azure Arc HCI VM 读者的权限

操作	说明
Microsoft.AzureStackHCI/register/action	注册 Azure Stack HCI 资源提供程序的订阅，允许创建 Azure Stack HCI 资源。
Microsoft.AzureStackHCI/Unregister/Action	取消注册 Azure Stack HCI 资源提供程序的订阅。
Microsoft.AzureStackHCI/clusters/*
Microsoft.HybridCompute/register/action	注册 Microsoft.HybridCompute 资源提供程序的订阅
Microsoft.GuestConfiguration/register/action	注册 Microsoft.GuestConfiguration 资源提供程序的订阅。
Microsoft.GuestConfiguration/guestConfigurationAssignments/read	获取来宾配置分配。
Microsoft.Resources/subscriptions/resourceGroups/write	创建或更新资源组。
Microsoft.Resources/subscriptions/resourceGroups/delete	删除资源组及其所有资源。
Microsoft.HybridConnectivity/register/action	注册 Microsoft.HybridConnectivity 的订阅
Microsoft.Authorization/roleAssignments/write	创建指定范围的角色分配。
Microsoft.Authorization/roleAssignments/delete	删除指定范围的角色分配。
Microsoft.Authorization/*/read	读取角色和角色分配
Microsoft.Resources/deployments/*	创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
Microsoft.Resources/subscriptions/read	获取订阅的列表。
Microsoft.Management/managementGroups/read	列出已通过身份验证的用户的管理组。
Microsoft.AzureStackHCI/*
Microsoft.Insights/AlertRules/Write	创建或更新经典指标警报
Microsoft.Insights/AlertRules/Delete	删除经典指标警报
Microsoft.Insights/AlertRules/Read	读取经典指标警报
Microsoft.Insights/AlertRules/Activated/Action	经典指标警报已激活
Microsoft.Insights/AlertRules/Resolved/Action	经典指标警报已解决
Microsoft.Insights/AlertRules/Throttled/Action	经典指标预警规则已中止
Microsoft.Insights/AlertRules/Incidents/Read	读取经典指标警报事件
Microsoft.Resources/subscriptions/resourcegroups/deployments/read	获取或列出部署。
Microsoft.Resources/subscriptions/resourcegroups/deployments/write	创建或更新部署。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read	获取或列出部署操作。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read	获取或列出部署操作状态。
Microsoft.ResourceHealth/availabilityStatuses/read	获取指定范围内所有资源的可用性状态
Microsoft.Resources/subscriptions/read	获取订阅的列表。
Microsoft.Resources/subscriptions/operationresults/read	获取订阅操作结果。
Microsoft.HybridCompute/machines/read	读取任何 Azure Arc 计算机
Microsoft.HybridCompute/machines/write	写入 Azure Arc 计算机
Microsoft.HybridCompute/machines/delete	删除 Azure Arc 计算机
Microsoft.HybridCompute/machines/UpgradeExtensions/action	升级 Azure Arc 计算机上的扩展
Microsoft.HybridCompute/machines/assessPatches/action	评估任何 Azure Arc 计算机以获取缺失的软件补丁
Microsoft.HybridCompute/machines/installPatches/action	在任何 Azure Arc 计算机上安装补丁
Microsoft.HybridCompute/machines/extensions/read	读取任何 Azure Arc 扩展
Microsoft.HybridCompute/machines/extensions/write	安装或更新 Azure Arc 扩展
Microsoft.HybridCompute/machines/extensions/delete	删除 Azure Arc 扩展
Microsoft.HybridCompute/operations/read	读取适用于服务器的 Azure Arc 的所有操作
Microsoft.HybridCompute/locations/operationresults/read	读取 Microsoft.HybridCompute 资源提供程序的操作状态
Microsoft.HybridCompute/locations/operationstatus/read	读取 Microsoft.HybridCompute 资源提供程序的操作状态
Microsoft.HybridCompute/machines/patchAssessmentResults/read	读取任何 Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read	读取任何 Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read	读取任何 Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read	读取任何 Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read	在计算机上读取更新中心操作的状态
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read	读取任何 Azure Arc 计算机的混合标识元数据
Microsoft.HybridCompute/osType/agentVersions/read	读取所有可用的 Azure Connected Machine Agent 版本
Microsoft.HybridCompute/osType/agentVersions/latest/read	读取最新的 Azure Connected Machine Agent 版本
Microsoft.HybridCompute/machines/runcommands/read	读取任何 Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/write	安装或更新 Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/delete	删除任何 Azure Arc runcommand
Microsoft.HybridCompute/machines/licenseProfiles/read	读取任何 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write	安装或更新 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete	删除 Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read	读取任何 Azure Arc 许可证
Microsoft.HybridCompute/licenses/write	安装或更新 Azure Arc 许可证
Microsoft.HybridCompute/licenses/delete	删除 Azure Arc 许可证
Microsoft.ResourceConnector/register/action	注册设备资源提供程序的订阅，并启用设备的创建。
Microsoft.ResourceConnector/appliances/read	获取设备资源
Microsoft.ResourceConnector/appliances/write	创建或更新设备资源
Microsoft.ResourceConnector/appliances/delete	删除设备资源
Microsoft.ResourceConnector/locations/operationresults/read	获取设备操作的结果
Microsoft.ResourceConnector/locations/operationsstatus/read	获取设备操作的结果
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action	获取设备群集用户凭据
Microsoft.ResourceConnector/appliances/listKeys/action	获取设备群集客户用户密钥
Microsoft.ResourceConnector/operations/read	获取设备可用操作的列表
Microsoft.ExtendedLocation/register/action	注册自定义位置资源提供程序的订阅，并启用自定义位置的创建。
Microsoft.ExtendedLocation/customLocations/read	获取自定义位置资源
Microsoft.ExtendedLocation/customLocations/deploy/action	部署自定义位置资源的权限
Microsoft.ExtendedLocation/customLocations/write	创建或更新自定义位置资源
Microsoft.ExtendedLocation/customLocations/delete	删除自定义位置资源
Microsoft.EdgeMarketplace/offers/read	获取产品/服务
Microsoft.EdgeMarketplace/publishers/read	获取发布者
Microsoft.Kubernetes/register/action	向 Microsoft.Kubernetes 资源提供程序注册订阅
Microsoft.KubernetesConfiguration/register/action	注册 Microsoft.KubernetesConfiguration 资源提供程序订阅。
Microsoft.KubernetesConfiguration/extensions/write	创建或更新扩展资源。
Microsoft.KubernetesConfiguration/extensions/read	获取扩展实例资源。
Microsoft.KubernetesConfiguration/extensions/delete	删除扩展实例资源。
Microsoft.KubernetesConfiguration/extensions/operations/read	获取异步操作状态。
Microsoft.KubernetesConfiguration/namespaces/read	获取命名空间资源
Microsoft.KubernetesConfiguration/operations/read	获取 Microsoft.KubernetesConfiguration 资源提供程序的可用操作。
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
Microsoft.AzureStackHCI/StorageContainers/Write	创建/更新存储容器资源
Microsoft.AzureStackHCI/StorageContainers/Read	获取/列出存储容器资源
Microsoft.HybridContainerService/register/action	注册 Microsoft.HybridContainerService 的订阅
不操作
无
DataActions
无
NotDataActions
无
条件
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))	添加或移除以下角色的角色分配： Azure Connected Machine 资源管理员 Azure Connected Machine 资源管理员 Azure Connected Machine 加入 Azure Stack HCI VM 读者 Azure Stack HCI VM 参与者 Azure Stack HCI 设备管理角色 Azure 资源网桥部署角色 Key Vault 机密用户

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.AzureStackHCI/*",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.EdgeMarketplace/offers/read",
        "Microsoft.EdgeMarketplace/publishers/read",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.HybridContainerService/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Azure Stack HCI Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI 设备管理角色

Microsoft.AzureStackHCI 设备管理角色

操作	说明
Microsoft.AzureStackHCI/Clusters/*
Microsoft.AzureStackHCI/EdgeDevices/*
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureStackHCI Device Management Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/Clusters/*",
        "Microsoft.AzureStackHCI/EdgeDevices/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI Device Management Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM 参与者

授予执行所有 VM 操作的权限

操作	说明
Microsoft.AzureStackHCI/VirtualMachines/*
Microsoft.AzureStackHCI/virtualMachineInstances/*
Microsoft.AzureStackHCI/NetworkInterfaces/*
Microsoft.AzureStackHCI/VirtualHardDisks/*
Microsoft.AzureStackHCI/VirtualNetworks/Read	获取/列出虚拟网络资源
Microsoft.AzureStackHCI/VirtualNetworks/join/action	联接虚拟网络资源
Microsoft.AzureStackHCI/LogicalNetworks/Read	获取/列出逻辑网络资源
Microsoft.AzureStackHCI/LogicalNetworks/join/action	联接逻辑网络资源
Microsoft.AzureStackHCI/GalleryImages/Read	获取/列出库映像资源
Microsoft.AzureStackHCI/GalleryImages/deploy/action	部署库映像资源
Microsoft.AzureStackHCI/StorageContainers/Read	获取/列出存储容器资源
Microsoft.AzureStackHCI/StorageContainers/deploy/action	部署存储容器资源
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read	获取/列出市场库映像资源
Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action	部署市场库映像资源
Microsoft.AzureStackHCI/Clusters/Read	获取群集
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read	获取 HCI 群集的 Arc 资源
Microsoft.Insights/AlertRules/Write	创建或更新经典指标警报
Microsoft.Insights/AlertRules/Delete	删除经典指标警报
Microsoft.Insights/AlertRules/Read	读取经典指标警报
Microsoft.Insights/AlertRules/Activated/Action	经典指标警报已激活
Microsoft.Insights/AlertRules/Resolved/Action	经典指标警报已解决
Microsoft.Insights/AlertRules/Throttled/Action	经典指标预警规则已中止
Microsoft.Insights/AlertRules/Incidents/Read	读取经典指标警报事件
Microsoft.Resources/deployments/read	获取或列出部署。
Microsoft.Resources/deployments/write	创建或更新部署。
Microsoft.Resources/deployments/delete	删除部署。
Microsoft.Resources/deployments/cancel/action	取消部署。
Microsoft.Resources/deployments/validate/action	验证部署。
Microsoft.Resources/deployments/whatIf/action	预测模板部署更改。
Microsoft.Resources/deployments/exportTemplate/action	导出部署的模板
Microsoft.Resources/deployments/operations/read	获取或列出部署操作。
Microsoft.Resources/deployments/operationstatuses/read	获取或列出部署操作状态。
Microsoft.Resources/subscriptions/resourcegroups/deployments/read	获取或列出部署。
Microsoft.Resources/subscriptions/resourcegroups/deployments/write	创建或更新部署。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read	获取或列出部署操作。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read	获取或列出部署操作状态。
Microsoft.ResourceHealth/availabilityStatuses/read	获取指定范围内所有资源的可用性状态
Microsoft.Authorization/*/read	读取角色和角色分配
Microsoft.Resources/subscriptions/read	获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
Microsoft.Resources/subscriptions/operationresults/read	获取订阅操作结果。
Microsoft.HybridCompute/machines/read	读取任何 Azure Arc 计算机
Microsoft.HybridCompute/machines/write	写入 Azure Arc 计算机
Microsoft.HybridCompute/machines/delete	删除 Azure Arc 计算机
Microsoft.HybridCompute/machines/UpgradeExtensions/action	升级 Azure Arc 计算机上的扩展
Microsoft.HybridCompute/machines/assessPatches/action	评估任何 Azure Arc 计算机以获取缺失的软件补丁
Microsoft.HybridCompute/machines/installPatches/action	在任何 Azure Arc 计算机上安装补丁
Microsoft.HybridCompute/machines/extensions/read	读取任何 Azure Arc 扩展
Microsoft.HybridCompute/machines/extensions/write	安装或更新 Azure Arc 扩展
Microsoft.HybridCompute/machines/extensions/delete	删除 Azure Arc 扩展
Microsoft.HybridCompute/operations/read	读取适用于服务器的 Azure Arc 的所有操作
Microsoft.HybridCompute/locations/operationresults/read	读取 Microsoft.HybridCompute 资源提供程序的操作状态
Microsoft.HybridCompute/locations/operationstatus/read	读取 Microsoft.HybridCompute 资源提供程序的操作状态
Microsoft.HybridCompute/machines/patchAssessmentResults/read	读取任何 Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read	读取任何 Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read	读取任何 Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read	读取任何 Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read	在计算机上读取更新中心操作的状态
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read	读取任何 Azure Arc 计算机的混合标识元数据
Microsoft.HybridCompute/osType/agentVersions/read	读取所有可用的 Azure Connected Machine Agent 版本
Microsoft.HybridCompute/osType/agentVersions/latest/read	读取最新的 Azure Connected Machine Agent 版本
Microsoft.HybridCompute/machines/runcommands/read	读取任何 Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/write	安装或更新 Azure Arc runcommand
Microsoft.HybridCompute/machines/runcommands/delete	删除任何 Azure Arc runcommand
Microsoft.HybridCompute/machines/licenseProfiles/read	读取任何 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write	安装或更新 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete	删除 Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read	读取任何 Azure Arc 许可证
Microsoft.HybridCompute/licenses/write	安装或更新 Azure Arc 许可证
Microsoft.HybridCompute/licenses/delete	删除 Azure Arc 许可证
Microsoft.ExtendedLocation/customLocations/Read	获取自定义位置资源
Microsoft.ExtendedLocation/customLocations/deploy/action	部署自定义位置资源的权限
Microsoft.KubernetesConfiguration/extensions/read	获取扩展实例资源。
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to perform all VM actions",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",
  "name": "874d1c73-6003-4e60-a13a-cb31ea190a85",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/*",
        "Microsoft.AzureStackHCI/virtualMachineInstances/*",
        "Microsoft.AzureStackHCI/NetworkInterfaces/*",
        "Microsoft.AzureStackHCI/VirtualHardDisks/*",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/join/action",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/join/action",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/GalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/StorageContainers/deploy/action",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ExtendedLocation/customLocations/Read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.KubernetesConfiguration/extensions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM 读者

授予查看 VM 的权限

操作	说明
Microsoft.AzureStackHCI/VirtualMachines/Read	获取/列出虚拟机资源
Microsoft.AzureStackHCI/virtualMachineInstances/Read	获取/列出虚拟机实例资源
Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read	获取/列出虚拟机扩展资源
Microsoft.AzureStackHCI/VirtualNetworks/Read	获取/列出虚拟网络资源
Microsoft.AzureStackHCI/LogicalNetworks/Read	获取/列出逻辑网络资源
Microsoft.AzureStackHCI/NetworkInterfaces/Read	获取/列出网络接口资源
Microsoft.AzureStackHCI/VirtualHardDisks/Read	获取/列出虚拟硬盘资源
Microsoft.AzureStackHCI/StorageContainers/Read	获取/列出存储容器资源
Microsoft.AzureStackHCI/GalleryImages/Read	获取/列出库映像资源
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read	获取/列出市场库映像资源
Microsoft.Insights/AlertRules/Write	创建或更新经典指标警报
Microsoft.Insights/AlertRules/Delete	删除经典指标警报
Microsoft.Insights/AlertRules/Read	读取经典指标警报
Microsoft.Insights/AlertRules/Activated/Action	经典指标警报已激活
Microsoft.Insights/AlertRules/Resolved/Action	经典指标警报已解决
Microsoft.Insights/AlertRules/Throttled/Action	经典指标预警规则已中止
Microsoft.Insights/AlertRules/Incidents/Read	读取经典指标警报事件
Microsoft.Resources/deployments/read	获取或列出部署。
Microsoft.Resources/deployments/exportTemplate/action	导出部署的模板
Microsoft.Resources/deployments/operations/read	获取或列出部署操作。
Microsoft.Resources/deployments/operationstatuses/read	获取或列出部署操作状态。
Microsoft.Resources/subscriptions/resourcegroups/deployments/read	获取或列出部署。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read	获取或列出部署操作。
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read	获取或列出部署操作状态。
Microsoft.ResourceHealth/availabilityStatuses/read	获取指定范围内所有资源的可用性状态
Microsoft.Authorization/*/read	读取角色和角色分配
Microsoft.Resources/subscriptions/read	获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read	获取或列出资源组。
Microsoft.Resources/subscriptions/operationresults/read	获取订阅操作结果。
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to view VMs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/Read",
        "Microsoft.AzureStackHCI/virtualMachineInstances/Read",
        "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/NetworkInterfaces/Read",
        "Microsoft.AzureStackHCI/VirtualHardDisks/Read",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack 注册所有者

允许管理 Azure Stack 注册。

操作	描述
Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read	获取 Azure Stack 市场产品的属性
Microsoft.AzureStack/registrations/read	获取 Azure Stack 注册的属性
不操作
无
DataActions
无
NotDataActions
无

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤

使用 Azure 门户分配 Azure 角色

用于混合 + 多云的 Azure 内置角色

Azure 资源网桥部署角色

Azure Stack HCI 管理员

Azure Stack HCI 设备管理角色

Azure Stack HCI VM 参与者

Azure Stack HCI VM 读者

Azure Stack 注册所有者

后续步骤

其他资源