用于 Web 和移动的 Azure 内置角色

本文列出了 Web 和移动类别的 Azure 内置角色。

Azure Maps 数据参与者

从 Azure Maps 帐户中授予地图相关数据的读取、写入和删除权限。

操作 描述
不操作
DataActions
Microsoft.Maps/accounts/*/read
Microsoft.Maps/accounts/*/write
Microsoft.Maps/accounts/*/delete
Microsoft.Maps/accounts/*/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete",
        "Microsoft.Maps/accounts/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps 数据读取器

授予从 Azure Maps 帐户中读取地图相关数据的权限。

操作 描述
不操作
DataActions
Microsoft.Maps/accounts/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read map related data from an Azure maps account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps 应用程序配置服务配置文件模式读取者角色

读取 Azure Spring Apps 中应用程序配置服务的配置文件模式的内容

操作 说明
Microsoft.AppPlatform/Spring/read 获取 Azure Spring Apps 服务实例
Microsoft.AppPlatform/Spring/configurationServices/read 获取特定 Azure Spring Apps 服务实例的应用程序配置服务
不操作
DataActions
Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read 读取应用程序配置服务为特定 Azure Spring Apps 服务实例拉取的配置内容(例如 application-prod.yaml)
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read content of config file pattern for Application Configuration Service in Azure Spring Apps",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/25211fc6-dc78-40b6-b205-e4ac934fd9fd",
  "name": "25211fc6-dc78-40b6-b205-e4ac934fd9fd",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppPlatform/Spring/read",
        "Microsoft.AppPlatform/Spring/configurationServices/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Application Configuration Service Config File Pattern Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps 应用程序配置服务日志读取者角色

读取 Azure Spring Apps 中应用程序配置服务的实时日志

操作 说明
Microsoft.AppPlatform/Spring/read 获取 Azure Spring Apps 服务实例
Microsoft.AppPlatform/Spring/configurationServices/read 获取特定 Azure Spring Apps 服务实例的应用程序配置服务
不操作
DataActions
Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action 从特定的 Azure Spring Apps 服务实例中读取应用程序配置服务中所有子组件的流式处理日志
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read real-time logs for Application Configuration Service in Azure Spring Apps",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6593e776-2a30-40f9-8a32-4fe28b77655d",
  "name": "6593e776-2a30-40f9-8a32-4fe28b77655d",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppPlatform/Spring/read",
        "Microsoft.AppPlatform/Spring/configurationServices/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Application Configuration Service Log Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps 连接角色

Azure Spring Apps 连接角色

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/apps/deployments/connect/action 连接到特定应用程序的实例
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Spring Apps Connect Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-4c0f-b32d-e5094b036b0b",
  "name": "80558df3-64f9-4c0f-b32d-e5094b036b0b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/apps/deployments/connect/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Connect Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps 作业日志读取者角色

读取 Azure Spring Apps 中作业的实时日志

了解详细信息

操作 说明
Microsoft.AppPlatform/Spring/read 获取 Azure Spring Apps 服务实例
Microsoft.AppPlatform/Spring/jobs/read 获取特定 Azure Spring Apps 服务实例的作业
Microsoft.AppPlatform/Spring/jobs/executions/read 获取特定 Azure Spring Apps 服务实例的作业执行
不操作
DataActions
Microsoft.AppPlatform/Spring/jobs/executions/logstream/action 获取特定 Azure Spring Apps 服务实例的作业执行的流式处理日志
Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action 列出特定 Azure Spring Apps 服务实例的特定作业执行的实例
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read real-time logs for jobs in Azure Spring Apps",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b459aa1d-e3c8-436f-ae21-c0531140f43e",
  "name": "b459aa1d-e3c8-436f-ae21-c0531140f43e",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppPlatform/Spring/read",
        "Microsoft.AppPlatform/Spring/jobs/read",
        "Microsoft.AppPlatform/Spring/jobs/executions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/jobs/executions/logstream/action",
        "Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Job Log Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps 远程调试角色

Azure Spring Apps 远程调试角色

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action 特定应用程序的远程调试应用实例
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Spring Apps Remote Debugging Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-4c22-a57b-c9b3caa1c054",
  "name": "a99b0159-1064-4c22-a57b-c9b3caa1c054",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Remote Debugging Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps Spring Cloud Gateway 日志读取者角色

读取 Azure Spring Apps 中 Spring Cloud Gateway 的实时日志

操作 说明
Microsoft.AppPlatform/Spring/read 获取 Azure Spring Apps 服务实例
Microsoft.AppPlatform/Spring/gateways/read 获取特定 Azure Spring Apps 服务实例的 Spring Cloud 网关
不操作
DataActions
Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action 从特定的 Azure Spring Apps 服务实例中读取 Spring Cloud 网关的流式处理日志
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read real-time logs for Spring Cloud Gateway in Azure Spring Apps",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4301dc2a-25a9-44b0-ae63-3636cf7f2bd2",
  "name": "4301dc2a-25a9-44b0-ae63-3636cf7f2bd2",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppPlatform/Spring/read",
        "Microsoft.AppPlatform/Spring/gateways/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Apps Spring Cloud Gateway Log Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server 参与者

允许对 Azure Spring Cloud Config Server 进行读取、写入和删除访问

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/configService/read 读取特定的 Azure Spring Apps 服务实例的配置内容(例如 application.yaml)
Microsoft.AppPlatform/Spring/configService/write 写入特定的 Azure Spring Apps 服务实例的配置服务器内容
Microsoft.AppPlatform/Spring/configService/delete 删除特定的 Azure Spring Apps 服务实例的配置服务器内容
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read",
        "Microsoft.AppPlatform/Spring/configService/write",
        "Microsoft.AppPlatform/Spring/configService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server 读者

允许对 Azure Spring Cloud Config Server 进行读取访问

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/configService/read 读取特定的 Azure Spring Apps 服务实例的配置内容(例如 application.yaml)
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Config Server",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
  "name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 数据读取者

允许对 Azure Spring Cloud 进行读取访问

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
  "name": "b5537268-8956-4941-a8f0-646150406f0c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 服务注册表参与者

允许对 Azure Spring Cloud 服务注册表进行读取、写入和删除访问

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/eurekaService/read 读取特定的 Azure Spring Apps 服务实例的用户应用注册信息
Microsoft.AppPlatform/Spring/eurekaService/write 写入特定的 Azure Spring Apps 服务实例的用户应用注册信息
Microsoft.AppPlatform/Spring/eurekaService/delete 删除特定的 Azure Spring Apps 服务实例的用户应用注册信息
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read",
        "Microsoft.AppPlatform/Spring/eurekaService/write",
        "Microsoft.AppPlatform/Spring/eurekaService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 服务注册表读者

允许对 Azure Spring Cloud 服务注册表进行读取访问

了解详细信息

操作 描述
不操作
DataActions
Microsoft.AppPlatform/Spring/eurekaService/read 读取特定的 Azure Spring Apps 服务实例的用户应用注册信息
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Service Registry",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
  "name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒体服务帐户管理员

创建、读取、修改和删除媒体服务帐户;对其他媒体服务资源的只读访问权限。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/metrics/read 添加指标
Microsoft.Insights/metricDefinitions/read 读取指标定义
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action 列出资产的流式处理定位符
Microsoft.Media/mediaservices/streamingLocators/listPaths/action 列出路径
Microsoft.Media/mediaservices/write 创建或更新任何媒体服务帐户
Microsoft.Media/mediaservices/delete 删除任何媒体服务帐户
Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action 审批专用终结点连接
Microsoft.Media/mediaservices/privateEndpointConnections/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/write",
        "Microsoft.Media/mediaservices/delete",
        "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
        "Microsoft.Media/mediaservices/privateEndpointConnections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Account Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒体服务实时事件管理员

创建、读取、修改和删除实时事件、资产、资产筛选器和流式处理定位符;对其他媒体服务资源的只读访问权限。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/metrics/read 添加指标
Microsoft.Insights/metricDefinitions/read 读取指标定义
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/liveEvents/*
不操作
Microsoft.Media/mediaservices/assets/getEncryptionKey/action 获取资产加密密钥
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action 列出内容密钥
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
  "name": "532bc159-b25e-42c0-969e-a1d439f60d77",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/liveEvents/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Live Events Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒体服务媒体操作员

创建、读取、修改和删除资产、资产筛选器、流式处理定位符和作业;对其他媒体服务资源的只读访问权限。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/metrics/read 添加指标
Microsoft.Insights/metricDefinitions/read 读取指标定义
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/transforms/jobs/*
不操作
Microsoft.Media/mediaservices/assets/getEncryptionKey/action 获取资产加密密钥
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action 列出内容密钥
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
  "name": "e4395492-1534-4db2-bedf-88c14621589c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/transforms/jobs/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Media Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒体服务策略管理员

创建、读取、修改和删除帐户筛选器、流式处理策略、内容密钥策略和转换;对其他媒体服务资源的只读访问权限。 不能创建作业、资产或流式处理资源。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/metrics/read 添加指标
Microsoft.Insights/metricDefinitions/read 读取指标定义
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action 列出资产的流式处理定位符
Microsoft.Media/mediaservices/streamingLocators/listPaths/action 列出路径
Microsoft.Media/mediaservices/accountFilters/*
Microsoft.Media/mediaservices/streamingPolicies/*
Microsoft.Media/mediaservices/contentKeyPolicies/*
Microsoft.Media/mediaservices/transforms/*
不操作
Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action 获取包含机密的策略属性
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
  "name": "c4bba371-dacd-4a26-b320-7250bca963ae",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/accountFilters/*",
        "Microsoft.Media/mediaservices/streamingPolicies/*",
        "Microsoft.Media/mediaservices/contentKeyPolicies/*",
        "Microsoft.Media/mediaservices/transforms/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Policy Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒体服务流式处理终结点管理员

创建、读取、修改和删除流式处理终结点;对其他媒体服务资源的只读访问权限。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/metrics/read 添加指标
Microsoft.Insights/metricDefinitions/read 读取指标定义
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action 列出资产的流式处理定位符
Microsoft.Media/mediaservices/streamingLocators/listPaths/action 列出路径
Microsoft.Media/mediaservices/streamingEndpoints/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
  "name": "99dba123-b5fe-44d5-874c-ced7199a5804",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/streamingEndpoints/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Streaming Endpoints Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey 读取者

读取 SignalR 服务访问密钥

操作 描述
Microsoft.SignalRService/*/read
Microsoft.SignalRService/SignalR/listkeys/action 通过管理门户或 API 查看 SignalR 访问密钥的值
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read SignalR Service Access Keys",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
  "name": "04165923-9d83-45d5-8227-78b77b0a687e",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR AccessKey Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR 应用服务器

允许应用服务器使用 AAD 身份验证选项访问 SignalR 服务。

操作 描述
不操作
DataActions
Microsoft.SignalRService/SignalR/auth/accessKey/action 生成用于对 AccessTokens 进行签名的 AccessKey;默认情况下,此密钥将在 90 分钟后过期
Microsoft.SignalRService/SignalR/serverConnection/write 启动服务器连接
Microsoft.SignalRService/SignalR/clientConnection/write 关闭客户端连接
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
  "name": "420fcaa2-552c-430f-98ca-3264be4806c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/clientConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR App Server",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API 所有者

完全访问 Azure Signal 服务 REST API

操作 描述
不操作
DataActions
Microsoft.SignalRService/SignalR/auth/clientToken/action 生成供客户端连接 ASRS 的 AccessToken;默认情况下,该令牌将在 5 分钟后过期
Microsoft.SignalRService/SignalR/hub/*
Microsoft.SignalRService/SignalR/group/*
Microsoft.SignalRService/SignalR/clientConnection/*
Microsoft.SignalRService/SignalR/user/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
  "name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/*",
        "Microsoft.SignalRService/SignalR/group/*",
        "Microsoft.SignalRService/SignalR/clientConnection/*",
        "Microsoft.SignalRService/SignalR/user/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API 读者

以只读方式访问 Azure Signal 服务 REST API

操作 描述
不操作
DataActions
Microsoft.SignalRService/SignalR/group/read 检查组是否存在或用户是否存在于组中
Microsoft.SignalRService/SignalR/clientConnection/read 检查客户端连接是否存在
Microsoft.SignalRService/SignalR/user/read 检查用户是否存在
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
  "name": "ddde6b66-c0df-4114-a159-3618637b3035",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR 服务所有者

完全访问 Azure Signal 服务 REST API

操作 描述
不操作
DataActions
Microsoft.SignalRService/SignalR/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR/Web PubSub 参与者

创建、读取、更新和删除 SignalR 服务资源

操作 说明
Microsoft.SignalRService/*
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Resources/deployments/* 创建和管理部署
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR/Web PubSub Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web 计划参与者

管理网站的 web 计划。 不允许在 Azure RBAC 中分配角色。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Web/serverFarms/* 创建和管理服务器场
Microsoft.Web/hostingEnvironments/Join/Action 加入应用服务环境
Microsoft.Insights/autoscalesettings/*
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action",
        "Microsoft.Insights/autoscalesettings/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Web Plan Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web PubSub 服务所有者

对 Azure Web PubSub 服务 REST API 的完全访问权限

了解详细信息

操作 描述
不操作
DataActions
Microsoft.SignalRService/WebPubSub/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure Web PubSub Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-43ae-8102-96cf46c7d9b4",
  "name": "12cf5a90-567b-43ae-8102-96cf46c7d9b4",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/WebPubSub/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Web PubSub Service Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web PubSub 服务读取者

对 Azure Web PubSub 服务 REST API 的只读访问权限

了解详细信息

操作 描述
不操作
DataActions
Microsoft.SignalRService/WebPubSub/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to Azure Web PubSub Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf",
  "name": "bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/WebPubSub/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Web PubSub Service Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

网站参与者

管理网站,但不管理 web 计划。 不允许在 Azure RBAC 中分配角色。

操作 描述
Microsoft.Authorization/*/read 读取角色和角色分配
Microsoft.Insights/alertRules/* 创建和管理经典指标警报
Microsoft.Insights/components/* 创建和管理 Insights 组件
Microsoft.ResourceHealth/availabilityStatuses/read 获取指定范围内所有资源的可用性状态
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 获取或列出资源组。
Microsoft.Web/certificates/* 创建和管理网站证书
Microsoft.Web/listSitesAssignedToHostName/read 获取分配给主机名的站点名称。
Microsoft.Web/register/action 注册订阅的 Microsoft.Web 资源提供程序。
Microsoft.Web/serverFarms/join/action 加入应用服务计划
Microsoft.Web/serverFarms/read 获取应用服务计划的属性
Microsoft.Web/sites/* 创建和管理网站(站点创建还需要对关联的应用服务计划有写入权限)
不操作
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
  "name": "de139f84-1756-47ae-9be6-808fbbe84772",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/register/action",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Website Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

后续步骤