用于管理和治理的 Azure 内置角色

本文列出了管理和治理类别的 Azure 内置角色。

顾问建议参与者(评估和评审)

查看评估建议,接受评审建议,管理建议生命周期(将建议标记为已完成、推迟或取消、进行中或未开始)。

了解详细信息

操作 说明
Microsoft.Advisor/recommendations/read 读取建议
Microsoft.Advisor/recommendations/write 写入建议
Microsoft.Advisor/recommendations/available/action Microsoft 顾问中提供了新建议
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started).",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6b534d80-e337-47c4-864f-140f5c7f593d",
  "name": "6b534d80-e337-47c4-864f-140f5c7f593d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Advisor/recommendations/write",
        "Microsoft.Advisor/recommendations/available/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Advisor Recommendations Contributor (Assessments and Reviews)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

顾问评审参与者

查看针对工作负荷的评审并会审与之关联的建议。

了解详细信息

操作 说明
Microsoft.Advisor/resiliencyReviews/read 读取 resiliencyReviews
Microsoft.Advisor/triageRecommendations/read 读取 triageRecommendations
Microsoft.Advisor/triageRecommendations/approve/action 批准 triageRecommendations
Microsoft.Advisor/triageRecommendations/reject/action 拒绝 triageRecommendations
Microsoft.Advisor/triageRecommendations/reset/action 重置 triageRecommendations
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View reviews for a workload and triage recommendations linked to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8aac15f0-d885-4138-8afa-bfb5872f7d13",
  "name": "8aac15f0-d885-4138-8afa-bfb5872f7d13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Advisor/resiliencyReviews/read",
        "Microsoft.Advisor/triageRecommendations/read",
        "Microsoft.Advisor/triageRecommendations/approve/action",
        "Microsoft.Advisor/triageRecommendations/reject/action",
        "Microsoft.Advisor/triageRecommendations/reset/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Advisor Reviews Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

顾问评审读者

查看针对工作负荷的评审以及与之关联的建议。

了解详细信息

操作 说明
Microsoft.Advisor/resiliencyReviews/read 读取 resiliencyReviews
Microsoft.Advisor/triageRecommendations/read 读取 triageRecommendations
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View reviews for a workload and recommendations linked to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c64499e0-74c3-47ad-921c-13865957895c",
  "name": "c64499e0-74c3-47ad-921c-13865957895c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Advisor/resiliencyReviews/read",
        "Microsoft.Advisor/triageRecommendations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Advisor Reviews Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自动化参与者

使用 Azure 自动化管理 Azure 自动化资源和其他资源。

了解详细信息

操作 描述
Microsoft.Automation/automationAccounts/*
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/ActionGroups/*
Microsoft.Insights/ActivityLogAlerts/*
Microsoft.Insights/MetricAlerts/*
Microsoft.Insights/ScheduledQueryRules/*
Microsoft.Insights/diagnosticSettings/* 创建、更新或读取 Analysis Server 的诊断设置
Microsoft.OperationalInsights/workspaces/sharedKeys/action 检索工作区的共享密钥。 这些密钥用于将 Microsoft Operational Insights 代理连接到工作区。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage azure automation resources and other resources using azure automation.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867",
  "name": "f353d9bd-d4a6-484e-a77a-8050b599b867",
  "permissions": [
    {
      "actions": [
        "Microsoft.Automation/automationAccounts/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/ActionGroups/*",
        "Microsoft.Insights/ActivityLogAlerts/*",
        "Microsoft.Insights/MetricAlerts/*",
        "Microsoft.Insights/ScheduledQueryRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自动化作业操作员

使用自动化 Runbook 创建和管理作业。

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read 读取混合 Runbook 辅助角色组
Microsoft.Automation/automationAccounts/jobs/read 获取 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/resume/action 恢复 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/stop/action 停止 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/streams/read 获取 Azure 自动化作业流
Microsoft.Automation/automationAccounts/jobs/suspend/action 暂停 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/write 创建 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/output/read 获取作业的输出
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and Manage Jobs using Automation Runbooks.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Job Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自动化运算符

自动化操作员能够启动、停止、暂停和恢复作业

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read 读取混合 Runbook 辅助角色组
Microsoft.Automation/automationAccounts/jobs/read 获取 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/resume/action 恢复 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/stop/action 停止 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/streams/read 获取 Azure 自动化作业流
Microsoft.Automation/automationAccounts/jobs/suspend/action 暂停 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobs/write 创建 Azure 自动化作业
Microsoft.Automation/automationAccounts/jobSchedules/read 获取 Azure 自动化作业计划
Microsoft.Automation/automationAccounts/jobSchedules/write 创建 Azure 自动化作业计划
Microsoft.Automation/automationAccounts/linkedWorkspace/read 获取链接到自动化帐户的工作区
Microsoft.Automation/automationAccounts/read 获取 Azure 自动化帐户
Microsoft.Automation/automationAccounts/runbooks/read 获取 Azure 自动化 Runbook
Microsoft.Automation/automationAccounts/schedules/read 获取 Azure 自动化计划资产
Microsoft.Automation/automationAccounts/schedules/write 创建或更新 Azure 自动化计划资产
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Automation/automationAccounts/jobs/output/read 获取作业的输出
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Automation Operators are able to start, stop, suspend, and resume jobs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
  "name": "d3881f73-407a-4167-8283-e981cbba0404",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobSchedules/read",
        "Microsoft.Automation/automationAccounts/jobSchedules/write",
        "Microsoft.Automation/automationAccounts/linkedWorkspace/read",
        "Microsoft.Automation/automationAccounts/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Automation/automationAccounts/schedules/read",
        "Microsoft.Automation/automationAccounts/schedules/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自动化 Runbook 操作员

读取 Runbook 属性 - 以能够创建 runbook 的作业。

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Automation/automationAccounts/runbooks/read 获取 Azure 自动化 Runbook
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read Runbook properties - to be able to create Jobs of the runbook.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Runbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine 加入

可以加入 Azure Connected Machine。

了解详细信息

操作 描述
Microsoft.HybridCompute/machines/read 读取任何 Azure Arc 计算机
Microsoft.HybridCompute/machines/write 写入 Azure Arc 计算机
Microsoft.HybridCompute/privateLinkScopes/read 读取任何 Azure Arc privateLinkScopes
Microsoft.GuestConfiguration/guestConfigurationAssignments/read 获取来宾配置分配。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can onboard Azure Connected Machines.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine 资源管理员

可以读取、写入、删除和重新加入 Azure Connected Machine。

了解详细信息

操作 说明
Microsoft.HybridCompute/machines/*
Microsoft.HybridCompute/machines/extensions/*
Microsoft.HybridCompute/machines/licenseProfiles/*
Microsoft.HybridCompute/machines/runCommands/*
Microsoft.HybridCompute/machines/UpgradeExtensions/action 升级 Azure Arc 计算机上的扩展
Microsoft.HybridCompute/privateLinkScopes/*
Microsoft.HybridCompute/licenses/*
Microsoft.HybridCompute/locations/*
Microsoft.HybridCompute/*/read
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read, write, delete and re-onboard Azure Connected Machines.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
  "name": "cd570a14-e51a-42ad-bac8-bafd67325302",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/*",
        "Microsoft.HybridCompute/machines/extensions/*",
        "Microsoft.HybridCompute/machines/licenseProfiles/*",
        "Microsoft.HybridCompute/machines/runCommands/*",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/privateLinkScopes/*",
        "Microsoft.HybridCompute/licenses/*",
        "Microsoft.HybridCompute/locations/*",
        "Microsoft.HybridCompute/*/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Resource Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine 资源管理员

AzureStackHCI RP 的自定义角色,负责管理资源组中的混合计算机和混合连接终结点

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read
Microsoft.GuestConfiguration/guestConfigurationAssignments/read 获取来宾配置分配。
Microsoft.GuestConfiguration/guestConfigurationAssignments/write 创建新的来宾配置分配。
Microsoft.HybridCompute/machines/read 读取任何 Azure Arc 计算机
Microsoft.HybridCompute/machines/extensions/read 读取任何 Azure Arc 扩展
Microsoft.HybridCompute/*/read
Microsoft.HybridCompute/machines/delete 删除 Azure Arc 计算机
Microsoft.HybridCompute/machines/extensions/delete 删除 Azure Arc 扩展
Microsoft.HybridCompute/machines/extensions/write 安装或更新 Azure Arc 扩展
Microsoft.HybridCompute/machines/licenseProfiles/delete 删除 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/read 读取任何 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write 安装或更新 Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/UpgradeExtensions/action 升级 Azure Arc 计算机上的扩展
Microsoft.HybridCompute/machines/write 写入 Azure Arc 计算机
Microsoft.HybridConnectivity/endpoints/read 获取或列出目标资源的终结点。
Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read 获取或列出终结点资源的 serviceConfigurations。
Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write 为终结点资源创建或更新 serviceConfigurations。
Microsoft.HybridConnectivity/endpoints/write 创建或更新目标资源的终结点。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.EdgeMarketplace/locations/operationStatuses/read 读取 OperationStatuses
Microsoft.EdgeMarketPlace/offers/getAccessToken/action 获取访问令牌。
Microsoft.EdgeMarketPlace/offers/generateAccessToken/action 一个长时间运行的操作。
Microsoft.EdgeMarketplace/publishers/read 获取发布者
Microsoft.EdgeMarketplace/offers/read 获取产品/服务
Microsoft.ExtendedLocation/customLocations/read 获取自定义位置资源
Microsoft.Attestation/attestationProviders/write 添加证明服务。
Microsoft.Attestation/attestationProviders/read 获取证明服务状态。
Microsoft.Attestation/attestationProviders/delete 删除证明服务。
Microsoft.Attestation/attestationProviders/attestation/read 获取证明服务状态。
Microsoft.Attestation/attestationProviders/attestation/write 添加证明服务。
Microsoft.Attestation/attestationProviders/attestation/delete 删除证明服务。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-4d82-ac66-4fec3cbf3f4c",
  "name": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/write",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/*/read",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridConnectivity/endpoints/read",
        "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",
        "Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",
        "Microsoft.HybridConnectivity/endpoints/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.EdgeMarketplace/locations/operationStatuses/read",
        "Microsoft.EdgeMarketPlace/offers/getAccessToken/action",
        "Microsoft.EdgeMarketPlace/offers/generateAccessToken/action",
        "Microsoft.EdgeMarketplace/publishers/read",
        "Microsoft.EdgeMarketplace/offers/read",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.Attestation/attestationProviders/write",
        "Microsoft.Attestation/attestationProviders/read",
        "Microsoft.Attestation/attestationProviders/delete",
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Resource Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 客户密码箱的订阅审批者

当订阅所在的租户启用了 Azure 客户密码箱时,可以批准 Microsoft 支持请求,以访问订阅中包含的特定资源或订阅本身。

操作 说明
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.CustomerLockbox/requests/UpdateApproval/action 更新审批 Microsoft.CustomerLockbox
Microsoft.CustomerLockbox/requests/read 读取密码箱请求
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Insights/eventtypes/values/read 读取活动日志事件
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Azure is enabled on the tenant where the subscription resides.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4dae6930-7baf-46f5-909e-0383bc931c46",
  "name": "4dae6930-7baf-46f5-909e-0383bc931c46",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.CustomerLockbox/requests/UpdateApproval/action",
        "Microsoft.CustomerLockbox/requests/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/eventtypes/values/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Customer Lockbox Approver for Subscription",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

计费读者

允许对帐单数据进行读取访问

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Billing/*/read 读取计费信息
Microsoft.Consumption/*/read
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to billing data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Billing/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Billing Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

蓝图参与者

可以管理蓝图定义,但不能对其进行分配。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Blueprint/blueprints/* 创建和管理蓝图定义或蓝图项目。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage blueprint definitions, but not assign them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
  "name": "41077137-e803-4205-871c-5a86e6a753b4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprints/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

蓝图操作员

可以指定现有已发布的蓝图,但不能创建新的蓝图。 请注意:仅当使用用户分配的托管标识完成分配时,此分配才有效。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Blueprint/blueprintAssignments/* 创建和管理蓝图分配。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
  "name": "437d2ced-4a38-4302-8479-ed2bcb43d090",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprintAssignments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

成本管理参与者

可以查看成本和管理成本配置(例如预算、导出)

了解详细信息

操作 说明
Microsoft.Consumption/*
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Advisor/configurations/read 获取配置
Microsoft.Advisor/recommendations/read 读取建议
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.Billing/billingProperty/read 获取订阅的计费属性
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view costs and manage cost configuration (e.g. budgets, exports)",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
  "name": "434105ed-43f6-45c7-a02f-909b2ba83430",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

成本管理读者

可以查看成本数据和配置(例如预算、导出)

了解详细信息

操作 描述
Microsoft.Consumption/*/read
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Advisor/configurations/read 获取配置
Microsoft.Advisor/recommendations/read 读取建议
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.Billing/billingProperty/read 获取订阅的计费属性
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view cost data and configuration (e.g. budgets, exports)",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
  "name": "72fafb9e-0641-4937-9268-a91bfd8191a3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

层次结构设置管理员

允许用户编辑和删除层次结构设置

操作 描述
Microsoft.Management/managementGroups/settings/write 创建或更新管理组层次结构设置。
Microsoft.Management/managementGroups/settings/delete 删除管理组层次结构设置。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to edit and delete Hierarchy Settings",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
  "name": "350f8d15-c687-4448-8ae1-157740a3936d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/settings/write",
        "Microsoft.Management/managementGroups/settings/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Hierarchy Settings Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

托管应用程序参与者角色

允许创建托管应用程序资源。

操作 描述
*/read 读取除密码外的所有类型的资源。
Microsoft.Solutions/applications/*
Microsoft.Solutions/register/action 注册 Microsoft.Solutions 的订阅
Microsoft.Resources/subscriptions/resourceGroups/*
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for creating managed application resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
  "name": "641177b8-a67a-45b9-a033-47bc880bb21e",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/*",
        "Microsoft.Solutions/register/action",
        "Microsoft.Resources/subscriptions/resourceGroups/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

托管应用程序操作员角色

可让你在托管应用程序资源上读取和执行操作

操作 描述
*/read 读取除密码外的所有类型的资源。
Microsoft.Solutions/applications/read 列出订阅中的所有应用程序。
Microsoft.Solutions/*/action
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and perform actions on Managed Application resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "name": "c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/read",
        "Microsoft.Solutions/*/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

托管应用程序读者

允许读取托管应用中的资源并请求 JIT 访问。

操作 描述
*/read 读取除密码外的所有类型的资源。
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Solutions/jitRequests/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read resources in a managed app and request JIT access.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "name": "b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Solutions/jitRequests/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Applications Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

托管服务注册分配删除角色

托管服务注册分配删除角色允许管理租户用户删除分配给其租户的注册分配。

了解详细信息

操作 描述
Microsoft.ManagedServices/registrationAssignments/read 检索托管服务注册分配的列表。
Microsoft.ManagedServices/registrationAssignments/delete 删除托管服务注册分配。
Microsoft.ManagedServices/operationStatuses/read 读取资源的操作状态。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
  "name": "91c1777a-f3dc-4fae-b103-61d183457e46",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedServices/registrationAssignments/read",
        "Microsoft.ManagedServices/registrationAssignments/delete",
        "Microsoft.ManagedServices/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Services Registration assignment Delete Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

管理组参与者

管理组参与者角色

了解详细信息

操作 描述
Microsoft.Management/managementGroups/delete 删除管理组。
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.Management/managementGroups/subscriptions/delete 从管理组取消关联订阅。
Microsoft.Management/managementGroups/subscriptions/write 将现有订阅与管理组关联。
Microsoft.Management/managementGroups/write 创建或更新管理组。
Microsoft.Management/managementGroups/subscriptions/read 列出特定管理组下的订阅。
Microsoft.Authorization/*/read 读取角色和角色分配
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Management Group Contributor Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/delete",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/delete",
        "Microsoft.Management/managementGroups/subscriptions/write",
        "Microsoft.Management/managementGroups/write",
        "Microsoft.Management/managementGroups/subscriptions/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

管理组读取者

管理组读取者角色

操作 描述
Microsoft.Management/managementGroups/read 列出已通过身份验证的用户的管理组。
Microsoft.Management/managementGroups/subscriptions/read 列出特定管理组下的订阅。
Microsoft.Authorization/*/read 读取角色和角色分配
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Management Group Reader Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
  "name": "ac63b705-f282-497d-ac71-919bf39d939d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

New elic APM 帐户参与者

允许管理 New Relic 应用程序性能管理帐户和应用程序,但不允许访问它们。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
NewRelic.APM/accounts/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
  "name": "5d28c62d-5b37-4476-8438-e587778df237",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "NewRelic.APM/accounts/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "New Relic APM Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

策略见解数据编写者(预览版)

允许对资源策略进行读取访问,并允许对资源组件策略事件进行写入访问。

了解详细信息

操作 描述
Microsoft.Authorization/policyassignments/read 获取有关策略分配的信息。
Microsoft.Authorization/policydefinitions/read 获取有关策略定义的信息。
Microsoft.Authorization/policyexemptions/read 获取有关策略豁免的信息。
Microsoft.Authorization/policysetdefinitions/read 获取有关策略集定义的信息。
不操作
DataActions
Microsoft.PolicyInsights/checkDataPolicyCompliance/action 参照数据策略检查给定组件的合规性状态。
Microsoft.PolicyInsights/policyEvents/logDataEvents/action 记录资源组件策略事件。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to resource policies and write access to resource component policy events.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "name": "66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/policyassignments/read",
        "Microsoft.Authorization/policydefinitions/read",
        "Microsoft.Authorization/policyexemptions/read",
        "Microsoft.Authorization/policysetdefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
        "Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Policy Insights Data Writer (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

配额请求操作员

读取和创建配额请求,获取配额请求状态并创建支持票证。

了解详细信息

操作 说明
Microsoft.Capacity/resourceProviders/locations/serviceLimits/read 获取指定资源和位置的当前服务限制或配额
Microsoft.Capacity/resourceProviders/locations/serviceLimits/write 为指定资源和位置创建服务限制或配额
Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read 获取指定资源和位置的任何服务限制请求
Microsoft.Capacity/register/action 注册容量资源提供程序,并启用容量资源的创建。
Microsoft.Quota/usages/read 获取资源提供程序的使用情况
Microsoft.Quota/quotas/read 获取指定资源的当前服务限制或配额
Microsoft.Quota/quotas/write 为指定资源创建服务限制或配额请求
Microsoft.Quota/quotaRequests/read 获取指定资源的任何服务限制请求
Microsoft.Quota/register/action 将订阅注册到 Microsoft.Quota 资源提供程序
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and create quota requests, get quota request status, and create support tickets.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Quota/usages/read",
        "Microsoft.Quota/quotas/read",
        "Microsoft.Quota/quotas/write",
        "Microsoft.Quota/quotaRequests/read",
        "Microsoft.Quota/register/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Quota Request Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

预留买方

允许你购买预留

了解详细信息

操作 说明
Microsoft.Authorization/roleAssignments/read 获取有关角色分配的信息。
Microsoft.Capacity/catalogs/read 读取预留目录
Microsoft.Capacity/register/action 注册容量资源提供程序,并启用容量资源的创建。
Microsoft.Compute/register/action 将订阅注册到 Microsoft.Compute 资源提供程序
Microsoft.Consumption/register/action 注册到消耗 RP
Microsoft.Consumption/reservationRecommendationDetails/read 列出预留建议详细信息
Microsoft.Consumption/reservationRecommendations/read 列出某个订阅的预留实例的单个或共享建议。
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.SQL/register/action 注册 Microsoft SQL 数据库资源提供程序的订阅,并启用 Microsoft SQL 数据库的创建。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you purchase reservations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "name": "f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Capacity/catalogs/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Compute/register/action",
        "Microsoft.Consumption/register/action",
        "Microsoft.Consumption/reservationRecommendationDetails/read",
        "Microsoft.Consumption/reservationRecommendations/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SQL/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservation Purchaser",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

预留读者

允许用户读取租户中的所有预留

了解详细信息

操作 说明
Microsoft.Capacity/*/read
Microsoft.Authorization/roleAssignments/read 获取有关角色分配的信息。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/providers/Microsoft.Capacity"
  ],
  "description": "Lets one read all the reservations in a tenant",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/582fc458-8989-419f-a480-75249bc5db7e",
  "name": "582fc458-8989-419f-a480-75249bc5db7e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/*/read",
        "Microsoft.Authorization/roleAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservations Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

资源策略参与者

有权创建/修改资源策略、创建支持票证和读取资源/层次结构的用户。

了解详细信息

操作 描述
*/read 读取除密码外的所有类型的资源。
Microsoft.Authorization/policyassignments/* 创建和管理策略分配
Microsoft.Authorization/policydefinitions/* 创建和管理策略定义
Microsoft.Authorization/policyexemptions/* 创建和管理策略豁免
Microsoft.Authorization/policysetdefinitions/* 创建和管理策略集
Microsoft.PolicyInsights/*
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
  "name": "36243c78-bf99-498c-9df9-86d9f8d28608",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*",
        "Microsoft.Authorization/policyexemptions/*",
        "Microsoft.Authorization/policysetdefinitions/*",
        "Microsoft.PolicyInsights/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Resource Policy Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

节省计划购买者

允许购买节省计划

了解详细信息

操作 说明
Microsoft.Resources/subscriptions/read 获取订阅的列表。
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Capacity/register/action 注册容量资源提供程序,并启用容量资源的创建。
Microsoft.Capacity/catalogs/read 读取预留目录
Microsoft.Authorization/roleAssignments/read 获取有关角色分配的信息。
Microsoft.BillingBenefits/savingsPlanOrders/write 创建节省计划订单
Microsoft.BIllingBenefits/register/action 注册 BillingBenefits 资源提供程序并启用 BillingBenefits 资源的创建。
Microsoft.Billing/billingProperty/read 获取订阅的计费属性
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you purchase savings plans",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74",
  "name": "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Capacity/catalogs/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.BillingBenefits/savingsPlanOrders/write",
        "Microsoft.BIllingBenefits/register/action",
        "Microsoft.Billing/billingProperty/read",
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Savings plan Purchaser",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

计划修补参与者

提供访问权限以管理具有维护范围 InGuestPatch 和相应配置分配的维护配置

操作 说明
Microsoft.Maintenance/maintenanceConfigurations/read 读取维护配置。
Microsoft.Maintenance/maintenanceConfigurations/write 创建或更新维护配置。
Microsoft.Maintenance/maintenanceConfigurations/delete 删除维护配置。
Microsoft.Maintenance/configurationAssignments/read 读取维护配置分配。
Microsoft.Maintenance/configurationAssignments/write 创建或更新维护配置分配。
Microsoft.Maintenance/configurationAssignments/delete 删除维护配置分配。
Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read 为 InGuestPatch 维护范围读取维护配置分配。
Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write 为 InGuestPatch 维护范围创建或更新维护配置分配。
Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete 为 InGuestPatch 删除范围读取维护配置分配。
Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read 为 InGuestPatch 维护范围读取维护配置。
Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write 为 InGuestPatch 维护范围创建或更新维护配置。
Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete 为 InGuestPatch 维护范围删除维护配置。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-449c-ad9a-8f8e549482c6",
  "name": "cd08ab90-6b14-449c-ad9a-8f8e549482c6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Maintenance/maintenanceConfigurations/read",
        "Microsoft.Maintenance/maintenanceConfigurations/write",
        "Microsoft.Maintenance/maintenanceConfigurations/delete",
        "Microsoft.Maintenance/configurationAssignments/read",
        "Microsoft.Maintenance/configurationAssignments/write",
        "Microsoft.Maintenance/configurationAssignments/delete",
        "Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read",
        "Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write",
        "Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete",
        "Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read",
        "Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write",
        "Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Scheduled Patching Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery 参与者

允许管理除保管库创建和角色分配外的 Site Recovery 服务

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Network/virtualNetworks/read 获取虚拟网络定义
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp 是服务使用的内部操作
Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp 是服务使用的内部操作
Microsoft.RecoveryServices/Vaults/certificates/write “更新资源证书”操作更新资源/保管库凭据证书。
Microsoft.RecoveryServices/Vaults/extendedInformation/* 创建和管理与保管库相关的扩展信息
Microsoft.RecoveryServices/Vaults/read “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/* 创建和管理已注册标识
Microsoft.RecoveryServices/vaults/replicationAlertSettings/* 创建或更新复制警报设置
Microsoft.RecoveryServices/vaults/replicationEvents/read 读取任何事件
Microsoft.RecoveryServices/vaults/replicationFabrics/* 创建和管理复制结构
Microsoft.RecoveryServices/vaults/replicationJobs/* 创建和管理复制作业
Microsoft.RecoveryServices/vaults/replicationPolicies/* 创建和管理复制策略
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* 创建和管理恢复计划
Microsoft.RecoveryServices/vaults/replicationVaultSettings/*
Microsoft.RecoveryServices/Vaults/storageConfig/* 创建和管理恢复服务保管库的存储配置
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read 返回恢复服务保管库的使用情况详细信息。
Microsoft.RecoveryServices/Vaults/vaultTokens/read “保管库令牌”操作可用于获取保管库级后端操作的保管库令牌。
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* 读取恢复服务保管库的警报
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Storage/storageAccounts/read 返回存储帐户的列表,或获取指定存储帐户的属性。
Microsoft.RecoveryServices/vaults/replicationOperationStatus/read 读取任何保管库复制操作状态
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Site Recovery service except vault creation and role assignment",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/*",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/*",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/*",
        "Microsoft.RecoveryServices/Vaults/storageConfig/*",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery 操作员

允许进行故障转移和故障回复,但不允许执行其他 Site Recovery 管理操作

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Network/virtualNetworks/read 获取虚拟网络定义
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp 是服务使用的内部操作
Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp 是服务使用的内部操作
Microsoft.RecoveryServices/Vaults/extendedInformation/read “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息
Microsoft.RecoveryServices/Vaults/read “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果
Microsoft.RecoveryServices/Vaults/registeredIdentities/read “获取容器”操作可用于获取针对资源注册的容器。
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read 读取任何警报设置
Microsoft.RecoveryServices/vaults/replicationEvents/read 读取任何事件
Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action 检查结构的一致性
Microsoft.RecoveryServices/vaults/replicationFabrics/read 读取任何结构
Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action 重新关联网关
Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action 续订 Fabric 的证书
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read 读取任何网络
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read 读取任何网络映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read 读取任何保护容器
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read 读取任何可保护项
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action 应用还原点
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action 故障转移提交
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action 计划内故障转移
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read 读取任何受保护项
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read 读取任何复制恢复点
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action 修复复制
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action 重新保护受保护的项
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action 交换保护容器
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action 测试故障转移
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action 测试故障转移清理
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action 故障转移
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action 更新移动服务
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read 读取任何保护容器映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read 读取任何恢复服务提供程序
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action 刷新提供程序
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read 读取任何存储分类
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read 读取任何存储分类映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read 读取任何 vCenter
Microsoft.RecoveryServices/vaults/replicationJobs/* 创建和管理复制作业
Microsoft.RecoveryServices/vaults/replicationPolicies/read 读取任何策略
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action 故障转移提交恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action 计划内故障转移恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read 读取任何恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action 重新保护恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action 测试故障转移恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action 测试故障转移清理恢复计划
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action 故障转移恢复计划
Microsoft.RecoveryServices/vaults/replicationVaultSettings/read 读取任何内容
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* 读取恢复服务保管库的警报
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read 返回恢复服务保管库的使用情况详细信息。
Microsoft.RecoveryServices/Vaults/vaultTokens/read “保管库令牌”操作可用于获取保管库级后端操作的保管库令牌。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Storage/storageAccounts/read 返回存储帐户的列表,或获取指定存储帐户的属性。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you failover and failback but not perform other Site Recovery management operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
  "name": "494ae006-db33-4328-bf46-533a6560a3ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery 读取者

允许查看 Site Recovery 状态,但不允许执行其他管理操作

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp 是服务使用的内部操作
Microsoft.RecoveryServices/Vaults/extendedInformation/read “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read 获取恢复服务保管库的警报。
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/read “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果
Microsoft.RecoveryServices/Vaults/registeredIdentities/read “获取容器”操作可用于获取针对资源注册的容器。
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read 读取任何警报设置
Microsoft.RecoveryServices/vaults/replicationEvents/read 读取任何事件
Microsoft.RecoveryServices/vaults/replicationFabrics/read 读取任何结构
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read 读取任何网络
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read 读取任何网络映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read 读取任何保护容器
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read 读取任何可保护项
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read 读取任何受保护项
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read 读取任何复制恢复点
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read 读取任何保护容器映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read 读取任何恢复服务提供程序
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read 读取任何存储分类
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read 读取任何存储分类映射
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read 读取任何 vCenter
Microsoft.RecoveryServices/vaults/replicationJobs/rea 读取任何作业
Microsoft.RecoveryServices/vaults/replicationPolicies/read 读取任何策略
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read 读取任何恢复计划
Microsoft.RecoveryServices/vaults/replicationVaultSettings/read 读取任何内容
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read 返回恢复服务保管库的使用情况详细信息。
Microsoft.RecoveryServices/Vaults/vaultTokens/read “保管库令牌”操作可用于获取保管库级后端操作的保管库令牌。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view Site Recovery status but not perform other management operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "name": "dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/read",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

支持请求参与者

允许创建和管理支持请求

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create and manage Support requests",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Support Request Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

标记参与者

允许你管理实体上的标记,而无需提供对实体本身的访问权限。

了解详细信息

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/subscriptions/resourceGroups/resources/read 获取资源组的资源。
Microsoft.Resources/subscriptions/resources/read 获取订阅的资源。
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/tags/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage tags on entities, without providing access to the entities themselves.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/tags/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Tag Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

模板规格参与者

允许在分配的范围内对模板规格操作进行完全访问。

操作 说明
Microsoft.Resources/templateSpecs/* 创建和管理模板规格和模板规格版本
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows full access to Template Spec operations at the assigned scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b",
  "name": "1c9b6475-caf0-4164-b5a1-2142a7116f4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/templateSpecs/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Template Spec Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

模板规格读取者

允许在分配的范围内对模板规格进行读取访问。

操作 说明
Microsoft.Resources/templateSpecs/*/read 获取或列出模板规格和模板规格版本
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to Template Specs at the assigned scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e",
  "name": "392ae280-861d-42bd-9ea5-08ee6d83b80e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/templateSpecs/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Template Spec Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤