Quickstart: Check access for a user to Azure resources

Sometimes you need to check what access a user has to a set of Azure resources. You check their access by listing their assignments. A quick way to check the access for a single user is to use the Check access feature on the Access control (IAM) page.

Step 1: Open the Azure resources

To check the access for a user, you first need to open the Azure resources you want to check access for. Azure resources are organized into levels that are typically called the scope. In Azure, you can specify a scope at four levels from broad to narrow: management group, subscription, resource group, and resource.

Scope levels for Azure RBAC

Follow these steps to open the set of Azure resources that you want to check access for.

  1. Open the Azure portal.

  2. Open the set of Azure resources, such as Management groups, Subscriptions, Resource groups, or a particular resource.

  3. Click the specific resource in that scope.

    The following shows an example resource group.

    Resource group overview

Step 2: Check access for a user

Follow these steps to check the access for a single user, group, service principal, or managed identity to the previously selected Azure resources.

  1. Click Access control (IAM).

    The following shows an example of the Access control (IAM) page for a resource group.

    Resource group access control - Check access tab

  2. On the Check access tab, in the Find list, select the user, group, service principal, or managed identity you want to check access for.

  3. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

    Check access select list

  4. Click the security principal to open the assignments pane.

    On this pane, you can see the access for the selected security principal at this scope and inherited to this scope. Assignments at child scopes are not listed. You see the following assignments:

    • Role assignments added with Azure RBAC.
    • Deny assignments added using Azure Blueprints or Azure managed apps.
    • Classic Service Administrator or Co-Administrator assignments for classic deployments.

    Role and deny assignments pane for a user
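
The rule described in step 4 (assignments at this scope and inherited to this scope are listed, child scopes are not) can be reproduced offline when auditing an exported list of assignments. The following is an added example, not code from Azure or from this quickstart; the scope IDs, the management group name, the deny assignment name and the `mg_ancestors` parameter are constructed assumptions.

```python
# Added example (not Azure's code). All scopes, names and IDs below are constructed.
MG_PREFIX = ["providers", "microsoft.management", "managementgroups"]

def _segments(scope):
    # Azure resource IDs are case-insensitive, so compare lowercased path segments.
    return [part for part in scope.lower().split("/") if part]

def applies_at(assignment_scope, selected_scope, mg_ancestors=()):
    """True when an assignment made at assignment_scope is in effect at
    selected_scope: made at that scope or inherited from a parent scope.
    Assignments made at child scopes return False.
    mg_ancestors: names of management groups above selected_scope (assumed
    input; that hierarchy cannot be read from a subscription's resource ID)."""
    a, s = _segments(assignment_scope), _segments(selected_scope)
    if a[:3] == MG_PREFIX and a != s:
        return len(a) == 4 and a[3] in {name.lower() for name in mg_ancestors}
    # Whole-segment prefix match: "example-rg" must not match "example-rg2".
    return s[:len(a)] == a

def listed_assignments(assignments, selected_scope, mg_ancestors=()):
    """Assignments listed for selected_scope: at the scope plus inherited to it."""
    return [x for x in assignments
            if applies_at(x["scope"], selected_scope, mg_ancestors)]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/example-rg"
SAMPLE = [  # constructed assignments for one security principal
    {"kind": "role", "name": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/example-mg"},
    {"kind": "role", "name": "Contributor", "scope": SUB},
    {"kind": "role", "name": "Owner",  # same resource group, different casing
     "scope": SUB + "/resourceGroups/Example-RG"},
    {"kind": "role", "name": "Virtual Machine Contributor",  # child scope
     "scope": RG + "/providers/Microsoft.Compute/virtualMachines/example-vm"},
    {"kind": "role", "name": "User Access Administrator",  # sibling group
     "scope": SUB + "/resourceGroups/example-rg2"},
    {"kind": "deny", "name": "Example deny", "scope": RG},
]

if __name__ == "__main__":
    for x in listed_assignments(SAMPLE, RG, mg_ancestors=["example-mg"]):
        print(f'{x["kind"]:5} {x["name"]:12} {x["scope"]}')
```

The virtual machine assignment is omitted because it sits at a child scope, which is why a review at resource group level alone does not show every grant beneath it.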

Step 3: Check your access

Follow these steps to check your access to the previously selected Azure resources.

  1. Click Access control (IAM).

  2. On the Check access tab, click the View my access button.

    An assignments pane appears that lists your access at this scope and inherited to this scope. Assignments at child scopes are not listed.

    Role and deny assignments pane

Next steps