用于特权的 Azure 内置角色
本文列出了“特权”类别中的 Azure 内置角色。
参与者
授予完全访问权限来管理所有资源,但不允许在 Azure RBAC 中分配角色或在 Azure 蓝图中管理分配,也不允许共享映像库。
| 操作 | 描述 |
|---|---|
| * | 创建和管理所有类型的资源 |
| 不操作 | |
| Microsoft.Authorization/*/Delete | 删除角色、策略分配、策略定义和策略集定义 |
| Microsoft.Authorization/*/Write | 创建角色、角色分配、策略分配、策略定义和策略集定义 |
| Microsoft.Authorization/elevateAccess/Action | 向调用方授予租户范围的“用户访问管理员”访问权限 |
| Microsoft.Blueprint/blueprintAssignments/write | 创建或更新任何蓝图分配 |
| Microsoft.Blueprint/blueprintAssignments/delete | 删除任何蓝图分配 |
| Microsoft.Compute/galleries/share/action | 将库共享到不同的范围 |
| Microsoft.Purview/consents/write | 创建或更新同意资源。 |
| Microsoft.Purview/consents/delete | 删除同意资源。 |
| Microsoft.Resources/deploymentStacks/manageDenySetting/action | 管理部署堆栈的 denySettings 属性。 |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete",
"Microsoft.Resources/deploymentStacks/manageDenySetting/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
所有者
授予管理所有资源的完全访问权限,包括允许在 Azure RBAC 中分配角色。
| 操作 | 描述 |
|---|---|
| * | 创建和管理所有类型的资源 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"permissions": [
{
"actions": [
"*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
预留管理员
允许用户读取和管理租户中的所有预留
| 操作 | 说明 |
|---|---|
| Microsoft.Capacity/*/read | |
| Microsoft.Capacity/*/action | |
| Microsoft.Capacity/*/write | |
| Microsoft.Authorization/roleAssignments/read | 获取有关角色分配的信息。 |
| Microsoft.Authorization/roleDefinitions/read | 获取有关角色定义的信息。 |
| Microsoft.Authorization/roleAssignments/write | 创建指定范围的角色分配。 |
| Microsoft.Authorization/roleAssignments/delete | 删除指定范围的角色分配。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/providers/Microsoft.Capacity"
],
"description": "Lets one read and manage all the reservations in a tenant",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-49c9-bc1c-52486c10e7cd",
"name": "a8889054-8d42-49c9-bc1c-52486c10e7cd",
"permissions": [
{
"actions": [
"Microsoft.Capacity/*/read",
"Microsoft.Capacity/*/action",
"Microsoft.Capacity/*/write",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservations Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
基于角色的访问控制管理员
通过使用 Azure RBAC 分配角色来管理对 Azure 资源的访问。 此角色不允许使用其他方式(如 Azure Policy)管理访问权限。
| 操作 | 说明 |
|---|---|
| Microsoft.Authorization/roleAssignments/write | 创建指定范围的角色分配。 |
| Microsoft.Authorization/roleAssignments/delete | 删除指定范围的角色分配。 |
| */read | 读取除密码外的所有类型的资源。 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Role Based Access Control Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
用户访问管理员
允许管理用户对 Azure 资源的访问权限。
| 操作 | 描述 |
|---|---|
| */read | 读取除密码外的所有类型的资源。 |
| Microsoft.Authorization/* | 管理授权 |
| 不操作 | |
| 无 | |
| DataActions | |
| 无 | |
| NotDataActions | |
| 无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage user access to Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "User Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}