This article lists the Azure built-in roles in the Migration category.
Azure Migrate Decide and Plan Expert
Grants restricted access to an Azure Migrate project to perform only planning operations, including appliance-based discovery, managing inventory, identifying server dependencies, and creating business cases and assessment reports.
Note that this "planning only" role still carries `Microsoft.KeyVault/vaults/*` (full control-plane access to Key Vault resources), `Microsoft.Storage/storageAccounts/listKeys/action` (storage account keys, which give full data-plane access to the account independently of RBAC) and write/delete on Azure Arc machines, so scope assignments to the resource group that holds the Migrate project rather than to a whole subscription.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of supported locations. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Create or update a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/* |  |
| Microsoft.ApplicationMigration/* |  |
| Microsoft.OffAzure/* |  |
| Microsoft.MySQLDiscovery/* |  |
| Microsoft.DependencyMap/* |  |
| Microsoft.KeyVault/vaults/* |  |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/write | Writes an Azure Arc machine |
| Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machine |
| Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute resource provider |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/privateEndpoints/read | Gets a private endpoint resource. |
| Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint. |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Puts a private DNS zone group |
| Microsoft.Network/privateDnsZones/write | Creates or updates a private DNS zone in a resource group. Note that this cannot be used to create or update virtual network links or record sets within the zone. |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks/write | Creates or updates a link between a private DNS zone and a virtual network. |
| Microsoft.Network/privateDnsZones/join/action | Joins a private DNS zone |
| Microsoft.Network/privateDnsZones/A/write | Creates or updates a record set of type 'A' in a private DNS zone. The records specified will replace the current records in the record set. |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Gets a private DNS zone group |
| Microsoft.Storage/storageAccounts/*/read |  |
| Microsoft.Storage/storageAccounts/*/write |  |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |
| Microsoft.HybridConnectivity/register/action | Registers the subscription for Microsoft.HybridConnectivity |
| Microsoft.DataReplication/*/read |  |
| Microsoft.DataReplication/register/action | Registers the subscription for the Microsoft.DataReplication resource provider |
| Microsoft.DataReplication/replicationVaults/write | Update any vault |
| Microsoft.RecoveryServices/vaults/* |  |
| Microsoft.RecoveryServices/register/action | Registers the subscription for the given resource provider |
| Microsoft.KeyVault/register/action | Registers the subscription |
| Microsoft.AzureArcData/register/action | Registers the subscription for Microsoft.AzureArcData |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |
{
"assignableScopes": [
"/"
],
"description": "Grants restricted access on Azure Migrate project to only perform planning operations including appliance-based discovery, managing inventory, identifying server dependencies, creation of business case & assessment reports.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7859c0b0-0bb9-4994-bd12-cd529af7d646",
"name": "7859c0b0-0bb9-4994-bd12-cd529af7d646",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*",
"Microsoft.ApplicationMigration/*",
"Microsoft.OffAzure/*",
"Microsoft.MySQLDiscovery/*",
"Microsoft.DependencyMap/*",
"Microsoft.KeyVault/vaults/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/register/action",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
"Microsoft.Network/privateDnsZones/write",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
"Microsoft.Network/privateDnsZones/join/action",
"Microsoft.Network/privateDnsZones/A/write",
"Microsoft.Network/register/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Storage/storageAccounts/*/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.GuestConfiguration/register/action",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.DataReplication/*/read",
"Microsoft.DataReplication/register/action",
"Microsoft.DataReplication/replicationVaults/write",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.KeyVault/register/action",
"Microsoft.AzureArcData/register/action",
"Microsoft.Resources/links/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Migrate Decide and Plan Expert",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Migrate Execute Expert
Grants restricted access to an Azure Migrate project to perform only migration-related operations, including replication, execution of test migrations, tracking and monitoring of migration progress, and initiation of agentless and agent-based migrations. The NotActions carve out the `inventoryinsights` pending-updates and vulnerabilities reads that `Microsoft.OffAzure/*/read` would otherwise grant.
Includes an ABAC condition to constrain role assignments: the holder can create or delete a role assignment only when the role being assigned or removed is Storage Account Contributor (17d1049b-9a84-46fb-8f53-869881c3d3ab) or Storage Blob Data Contributor (ba92f5b4-2d11-453d-a403-e96b0029c9fe), so the role cannot be used to grant anything broader.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of supported locations. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Create or update a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/*/read |  |
| Microsoft.ApplicationMigration/*/read |  |
| Microsoft.OffAzure/*/read |  |
| Microsoft.MySQLDiscovery/*/read |  |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Storage/storageAccounts/*/read |  |
| Microsoft.Storage/storageAccounts/*/write |  |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Compute/register/action | Registers the subscription with the Microsoft.Compute resource provider |
| Microsoft.Compute/availabilitySets/read | Get the properties of an availability set |
| Microsoft.Compute/availabilitySets/vmSizes/read | List the virtual machine sizes that can be created or updated in the availability set |
| Microsoft.Compute/diskEncryptionSets/read | Get the properties of a disk encryption set |
| Microsoft.Compute/skus/read | Gets the list of Microsoft.Compute SKUs available for the subscription |
| Microsoft.Compute/disks/read | Get the properties of a disk |
| Microsoft.Compute/disks/write | Creates a new disk or updates an existing one |
| Microsoft.Compute/disks/delete | Deletes the disk |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine |
| Microsoft.RecoveryServices/vaults/* |  |
| Microsoft.RecoveryServices/register/action | Registers the subscription for the given resource provider |
| Microsoft.RecoveryServices/operations/read | Returns the list of operations for the resource provider |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| Microsoft.DependencyMap/*/read |  |
| Microsoft.DependencyMap/maps/*/action |  |
| **NotActions** |  |
| Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/* |  |
| Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/* |  |
| Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/* |  |
| Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/* |  |
| Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/* |  |
| Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |
| **Condition** |  |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) | Add or remove role assignments for the following roles: Storage Account Contributor, Storage Blob Data Contributor |
{
"assignableScopes": [
"/"
],
"description": "Grants restricted access on an Azure Migrate project to only perform migration related operations, including replication, execution of test migrations, tracking and monitoring of migration progress, and initiation of agentless and agent-based migrations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1cfa4eac-9a23-481c-a793-bfb6958e836b",
"name": "1cfa4eac-9a23-481c-a793-bfb6958e836b",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*/read",
"Microsoft.ApplicationMigration/*/read",
"Microsoft.OffAzure/*/read",
"Microsoft.MySQLDiscovery/*/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Storage/storageAccounts/*/read",
"Microsoft.Storage/storageAccounts/*/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Compute/register/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.Resources/links/read",
"Microsoft.DependencyMap/*/read",
"Microsoft.DependencyMap/maps/*/action"
],
"notActions": [
"Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/*",
"Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/*",
"Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/*",
"Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/*"
],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe}))"
}
],
"roleName": "Azure Migrate Execute Expert",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Migrate Owner
Grants full access to create and manage Azure Migrate projects, including appliance-based discovery, creation of business cases and assessment reports, and execution of migrations; also grants the ability to assign Azure Migrate specific roles in Azure RBAC.
Includes an ABAC condition to constrain role assignments: roleAssignments/write and roleAssignments/delete succeed only when the role definition being assigned or removed is one of the five IDs listed in the condition (Azure Migrate Decide and Plan Expert, Azure Migrate Execute Expert, Storage Account Contributor, Storage Blob Data Contributor and Azure Migrate Service Reader). Azure Migrate Owner itself (fd8ea4d5-6509-4db0-bada-356ab233b4fa) is not in that list, so a holder cannot grant this role to another principal.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/locations/read | Gets the list of supported locations. |
| Microsoft.Resources/checkResourceName/action | Check the resource name for validity. |
| Microsoft.Resources/deploymentScripts/write | Create or update a deployment script |
| Microsoft.Resources/deploymentScripts/read | Gets or lists deployment scripts |
| Microsoft.Resources/links/write | Creates or updates a resource link. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Migrate/* |  |
| Microsoft.ApplicationMigration/* |  |
| Microsoft.OffAzure/* |  |
| Microsoft.MySQLDiscovery/* |  |
| Microsoft.DependencyMap/* |  |
| Microsoft.KeyVault/vaults/* |  |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/write | Writes an Azure Arc machine |
| Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machine |
| Microsoft.HybridCompute/register/action | Registers the subscription for the Microsoft.HybridCompute resource provider |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/privateEndpoints/read | Gets a private endpoint resource. |
| Microsoft.Network/privateEndpoints/write | Creates a new private endpoint, or updates an existing private endpoint. |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write | Puts a private DNS zone group |
| Microsoft.Network/privateDnsZones/write | Creates or updates a private DNS zone in a resource group. Note that this cannot be used to create or update virtual network links or record sets within the zone. |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks/write | Creates or updates a link between a private DNS zone and a virtual network. |
| Microsoft.Network/privateDnsZones/join/action | Joins a private DNS zone |
| Microsoft.Network/privateDnsZones/A/write | Creates or updates a record set of type 'A' in a private DNS zone. The records specified will replace the current records in the record set. |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read | Gets a private DNS zone group |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.GuestConfiguration/register/action | Registers the subscription for the Microsoft.GuestConfiguration resource provider. |
| Microsoft.Compute/register/action | Registers the subscription with the Microsoft.Compute resource provider |
| Microsoft.Compute/availabilitySets/read | Get the properties of an availability set |
| Microsoft.Compute/availabilitySets/vmSizes/read | List the virtual machine sizes that can be created or updated in the availability set |
| Microsoft.Compute/diskEncryptionSets/read | Get the properties of a disk encryption set |
| Microsoft.Compute/skus/read | Gets the list of Microsoft.Compute SKUs available for the subscription |
| Microsoft.Compute/disks/read | Get the properties of a disk |
| Microsoft.Compute/disks/write | Creates a new disk or updates an existing one |
| Microsoft.Compute/disks/delete | Deletes the disk |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
| Microsoft.Compute/virtualMachines/delete | Deletes the virtual machine |
| Microsoft.HybridConnectivity/register/action | Registers the subscription for Microsoft.HybridConnectivity |
| Microsoft.RecoveryServices/vaults/* |  |
| Microsoft.RecoveryServices/register/action | Registers the subscription for the given resource provider |
| Microsoft.RecoveryServices/operations/read | Returns the list of operations for the resource provider |
| Microsoft.DataReplication/*/read |  |
| Microsoft.DataReplication/register/action | Registers the subscription for the Microsoft.DataReplication resource provider |
| Microsoft.DataReplication/replicationVaults/write | Update any vault |
| Microsoft.KeyVault/register/action | Registers the subscription |
| Microsoft.AzureArcData/register/action | Registers the subscription for Microsoft.AzureArcData |
| Microsoft.Resources/links/read | Gets or lists resource links. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |
| **Condition** |  |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) | Add or remove role assignments for the following roles: Azure Migrate Decide and Plan Expert, Azure Migrate Execute Expert, Storage Account Contributor, Storage Blob Data Contributor, Azure Migrate Service Reader |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to create and manage Azure Migrate projects including appliance-based discovery, creation of business case & assessment report and execution of migrations; Also grants ability to assign Azure Migrate specific roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd8ea4d5-6509-4db0-bada-356ab233b4fa",
"name": "fd8ea4d5-6509-4db0-bada-356ab233b4fa",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Resources/checkResourceName/action",
"Microsoft.Resources/deploymentScripts/write",
"Microsoft.Resources/deploymentScripts/read",
"Microsoft.Resources/links/write",
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Insights/alertRules/*",
"Microsoft.Migrate/*",
"Microsoft.ApplicationMigration/*",
"Microsoft.OffAzure/*",
"Microsoft.MySQLDiscovery/*",
"Microsoft.DependencyMap/*",
"Microsoft.KeyVault/vaults/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/register/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write",
"Microsoft.Network/privateDnsZones/write",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
"Microsoft.Network/privateDnsZones/join/action",
"Microsoft.Network/privateDnsZones/A/write",
"Microsoft.Network/register/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.GuestConfiguration/register/action",
"Microsoft.Compute/register/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.HybridConnectivity/register/action",
"Microsoft.RecoveryServices/vaults/*",
"Microsoft.RecoveryServices/register/action",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.DataReplication/*/read",
"Microsoft.DataReplication/register/action",
"Microsoft.DataReplication/replicationVaults/write",
"Microsoft.KeyVault/register/action",
"Microsoft.AzureArcData/register/action",
"Microsoft.Resources/links/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7859c0b0-0bb9-4994-bd12-cd529af7d646, 1cfa4eac-9a23-481c-a793-bfb6958e836b, 17d1049b-9a84-46fb-8f53-869881c3d3ab, ba92f5b4-2d11-453d-a403-e96b0029c9fe, ba480ccd-6499-4709-b581-8f38bb215c63}))"
}
],
"roleName": "Azure Migrate Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
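The following is an added example, not Microsoft's code and not part of the original page: a small Python evaluator that applies Azure RBAC's Actions/NotActions wildcard semantics to the Azure Migrate Execute Expert definition above and checks the assignment-restricting condition that both that role and Azure Migrate Owner carry. It assumes the standard Azure RBAC matching rules (`*` spans path segments, comparisons are case-insensitive, NotActions subtract only within their own permission entry, entries are ORed) and handles only the `ActionMatches`/`GuidEquals` condition shape shown on this page. The role-definition dict is a hand-trimmed subset of the page's JSON, and `action_matches`, `condition_allows` and `is_permitted` are names chosen here.

```python
import re

# Role definition IDs quoted on this page.
STORAGE_ACCOUNT_CONTRIBUTOR = "17d1049b-9a84-46fb-8f53-869881c3d3ab"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
AZURE_MIGRATE_OWNER = "fd8ea4d5-6509-4db0-bada-356ab233b4fa"

# Constructed input: a subset of the "Azure Migrate Execute Expert" definition
# above (a few of its Actions, its full NotActions, its condition verbatim).
EXECUTE_EXPERT = {
    "permissions": [
        {
            "actions": [
                "Microsoft.Authorization/*/read",
                "Microsoft.Migrate/*/read",
                "Microsoft.OffAzure/*/read",
                "Microsoft.Compute/virtualMachines/delete",
                "Microsoft.Storage/storageAccounts/listKeys/action",
                "Microsoft.RecoveryServices/vaults/*",
            ],
            "notActions": [
                "Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/*",
                "Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/*",
                "Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/*",
                "Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/*",
                "Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/*",
                "Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/*",
            ],
        },
        {
            "actions": [
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleAssignments/delete",
            ],
            "notActions": [],
            "condition": (
                "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
                "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
                "ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, "
                "ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND "
                "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
                "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
                "ForAnyOfAnyValues:GuidEquals{17d1049b-9a84-46fb-8f53-869881c3d3ab, "
                "ba92f5b4-2d11-453d-a403-e96b0029c9fe}))"
            ),
        },
    ]
}


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included;
    the comparison is case-insensitive and must cover the whole operation."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


# One clause of the condition shape used by the Migrate roles on this page:
#   (!(ActionMatches{'<action>'})) OR (@Request|@Resource[...RoleDefinitionId]
#   ForAnyOfAnyValues:GuidEquals{<guid>, <guid>, ...})
_CLAUSE = re.compile(
    r"ActionMatches\{'([^']+)'\}\)\)\s+OR\s+\(@(?:Request|Resource)\[[^\]]+\]"
    r"\s+ForAnyOfAnyValues:GuidEquals\{([^}]+)\}"
)


def condition_allows(condition, operation: str, role_definition_id: str) -> bool:
    """Evaluate the ANDed clauses above: for each clause, either the request is
    not that action (so !(ActionMatches) holds) or the role being assigned or
    removed is one of the listed IDs. Only this shape is handled (assumption);
    an unrecognised condition is rejected rather than treated as satisfied."""
    if not condition:
        return True
    clauses = _CLAUSE.findall(condition)
    if not clauses:
        raise ValueError("unsupported condition shape: " + condition)
    for action, guid_list in clauses:
        if action.lower() != operation.lower():
            continue
        allowed = {g.strip().lower() for g in guid_list.split(",")}
        if role_definition_id.lower() not in allowed:
            return False
    return True


def is_permitted(role: dict, operation: str, role_definition_id: str = "") -> bool:
    """True when some permission entry grants the operation: an Actions match,
    no NotActions match in the same entry, and a satisfied condition."""
    for entry in role["permissions"]:
        if not any(action_matches(p, operation) for p in entry["actions"]):
            continue
        if any(action_matches(p, operation) for p in entry.get("notActions", [])):
            continue
        if condition_allows(entry.get("condition"), operation, role_definition_id):
            return True
    return False


if __name__ == "__main__":
    for op, rid in [("Microsoft.Migrate/assessmentProjects/read", ""),
                    ("Microsoft.Authorization/roleAssignments/write", AZURE_MIGRATE_OWNER)]:
        print(op, rid, is_permitted(EXECUTE_EXPERT, op, rid))
```

To run it against a full definition, load the page's JSON with `json.load` and pass the resulting object to `is_permitted`. It shows, for instance, that an Execute Expert can read `Microsoft.OffAzure/vmwareSites/machines/read` but not `.../inventoryinsights/vulnerabilities/read` despite `Microsoft.OffAzure/*/read`, and that `roleAssignments/write` succeeds only for the two storage role IDs. Raising on an unknown condition shape is deliberate: an evaluator that silently treated an unparsed condition as satisfied would overstate what a role allows.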
Azure Migrate Service Reader
Grants the required access to the system-assigned managed identity of an Azure Migrate project resource.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.ApplicationMigration/*/read |  |
| Microsoft.Migrate/*/read |  |
| Microsoft.OffAzure/*/read |  |
| Microsoft.MySQLDiscovery/*/read |  |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any protectable items |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any protected items |
| Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/read | Read any migration items |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |
{
"assignableScopes": [
"/"
],
"description": "Grants required access to the system assigned managed identity of Azure Migrate project resource.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba480ccd-6499-4709-b581-8f38bb215c63",
"name": "ba480ccd-6499-4709-b581-8f38bb215c63",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.ApplicationMigration/*/read",
"Microsoft.Migrate/*/read",
"Microsoft.OffAzure/*/read",
"Microsoft.MySQLDiscovery/*/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationMigrationItems/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Migrate Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Migrate Arc Discovery Reader - Preview
Reads metadata of Azure Arc-enabled server resources, and the metadata, performance and migration suitability of Arc-enabled SQL Server resources. Users creating an Azure Migrate project that uses Arc resource discovery require this role on the Arc scope of the project. To enable periodic sync, the Azure Migrate project managed identity must be assigned this role. This role is in preview and subject to change.
| Actions | Description |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.AzureArcData/sqlServerInstances/read | Retrieves SQL Server instance resources |
| Microsoft.AzureArcData/sqlServerInstances/databases/read | Read databases |
| Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/read | Read availability groups |
| Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action | Retrieves SQL Server instance telemetry |
| Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action | Retrieves detailed properties of an availability group. |
| Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
| Microsoft.HybridCompute/machines/extensions/read | Read any Azure Arc extensions |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of Azure Arc enabled server resources and metadata, performance and migration suitability of Arc enabled SQL server resources. Users creating Azure Migrate project that uses Arc resource discovery require this role on Arc scope of the project. To enable periodic sync, Azure Migrate project managed identity must be assigned this role. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d5dddae-e124-4753-972d-aae60b37deb4",
"name": "5d5dddae-e124-4753-972d-aae60b37deb4",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/databases/read",
"Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/read",
"Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action",
"Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/extensions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Migrate Arc Discovery Reader - Preview",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}