Azure custom roles

Important

Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. (For Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}

The following shows the same custom role as displayed using Azure CLI.

[
  {
    "assignableScopes": [
      "/subscriptions/{subscriptionId1}",
      "/subscriptions/{subscriptionId2}",
      "/providers/Microsoft.Management/managementGroups/{groupId1}"
    ],
    "description": "Can monitor and restart virtual machines.",
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/88888888-8888-8888-8888-888888888888",
    "name": "88888888-8888-8888-8888-888888888888",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Authorization/*/read",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Insights/diagnosticSettings/*"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

When you create a custom role, it appears in the Azure portal with an orange resource icon.

(Image: custom role icon)

Custom role properties

The following table describes what the custom role properties mean.

Each property is listed with its Azure PowerShell name first and its Azure CLI name second, followed by whether it is required, its type, and a description.

Name / roleName
  Required: Yes
  Type: String
  The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128.

Id / name
  Required: Yes
  Type: String
  The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role.

IsCustom / roleType
  Required: Yes
  Type: String
  Indicates whether this is a custom role. Set to true or CustomRole for custom roles. Set to false or BuiltInRole for built-in roles.

Description / description
  Required: Yes
  Type: String
  The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024.

Actions / actions
  Required: Yes
  Type: String[]
  An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions.

NotActions / notActions
  Required: No
  Type: String[]
  An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions.

DataActions / dataActions
  Required: No
  Type: String[]
  An array of strings that specifies the data operations that the role allows to be performed on your data within that object. If you create a custom role with DataActions, that role cannot be assigned at the management group scope. For more information, see DataActions.

NotDataActions / notDataActions
  Required: No
  Type: String[]
  An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions.

AssignableScopes / assignableScopes
  Required: Yes
  Type: String[]
  An array of strings that specifies the scopes that the custom role is available for assignment. You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview. For more information, see AssignableScopes.

Wildcard permissions

Actions, NotActions, DataActions, and NotDataActions support wildcards (*) to define permissions. A wildcard (*) extends a permission to everything that matches the action string you provide. For example, suppose that you wanted to add all the permissions related to Azure Cost Management and exports. You could add all of these action strings:

Microsoft.CostManagement/exports/action
Microsoft.CostManagement/exports/read
Microsoft.CostManagement/exports/write
Microsoft.CostManagement/exports/delete
Microsoft.CostManagement/exports/run/action

Instead of adding all of these strings, you could just add a wildcard string. For example, the following wildcard string is equivalent to the previous five strings. This would also include any future export permissions that might be added.

Microsoft.CostManagement/exports/*

You can also have multiple wildcards in a string. For example, the following string represents all query permissions for Cost Management.

Microsoft.CostManagement/*/query/*
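The following Python is an added example (not code from the page or from Microsoft) that shows how a wildcard action string expands over concrete operations and how Actions and NotActions combine into an effective allow decision. It embeds the Virtual Machine Operator role and the five Cost Management export operations from this page; the role named NARROWED_ROLE and the operation name containing "example" are constructed for illustration. It assumes that "*" matches any run of characters including "/" separators and that comparison is case-insensitive.

```python
import json
import re

# The "Virtual Machine Operator" role definition shown earlier on this page,
# embedded here so the example runs offline.
VM_OPERATOR_ROLE = json.loads("""
{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscriptionId1}"]
}
""")

# Constructed role: a broad Actions entry narrowed by NotActions.
NARROWED_ROLE = {
    "Actions": ["Microsoft.Compute/*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
}

# The five Cost Management export operations listed on this page.
EXPORT_OPERATIONS = [
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/delete",
    "Microsoft.CostManagement/exports/run/action",
]


def action_matches(pattern, operation):
    """True if an action string (possibly containing '*' wildcards) covers a
    concrete operation. Each '*' stands for any run of characters, including
    '/' segment separators; comparison is case-insensitive (assumption)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def covered_operations(pattern, operations):
    """List the operations a single wildcard pattern expands to."""
    return [op for op in operations if action_matches(pattern, op)]


def is_allowed(role, operation):
    """Effective management-plane decision for one operation: it must match
    some Actions entry and must not match any NotActions entry. NotActions
    narrows this role's Actions; it is not a deny that overrides other roles."""
    granted = any(action_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(action_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def allowed_operations(role, operations):
    """Filter a candidate list down to what the role effectively allows."""
    return [op for op in operations if is_allowed(role, op)]


if __name__ == "__main__":
    print(covered_operations("Microsoft.CostManagement/exports/*", EXPORT_OPERATIONS))
    for op in ("Microsoft.Compute/virtualMachines/restart/action",
               "Microsoft.Compute/virtualMachines/delete",
               "microsoft.compute/virtualmachines/read"):
        print(op, "->", is_allowed(VM_OPERATOR_ROLE, op))
```

Running the module prints the five export operations covered by the single wildcard, then shows that the Virtual Machine Operator role allows restart and read but not delete. When reviewing a role, feed the full operation list of the resource providers you care about into allowed_operations to see exactly what a wildcard grants rather than reasoning about the pattern by eye.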

Steps to create a custom role

To create a custom role, here are the basic steps you should follow.

  1. Decide how you want to create the custom role.

    You can create custom roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

  2. Determine the permissions you need.

    When you create a custom role, you need to know the operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the Actions or NotActions properties of the role definition. If you have data operations, you will add those to the DataActions or NotDataActions properties.

  3. Create the custom role.

    Typically, you start with an existing built-in role and then modify it for your needs. The easiest way is to use the Azure portal. For steps on how to create a custom role using the Azure portal, see Create or update Azure custom roles using the Azure portal.

  4. Test the custom role.

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes that the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.

Create/delete a custom role
  Operation: Microsoft.Authorization/roleDefinitions/write
  Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.

Update a custom role
  Operation: Microsoft.Authorization/roleDefinitions/write
  Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.

View a custom role
  Operation: Microsoft.Authorization/roleDefinitions/read
  Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment.

Custom role limits

The following list describes the limits for custom roles.

  • Each directory can have up to 5000 custom roles.
  • Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each directory.
  • You cannot set AssignableScopes to the root scope ("/").
  • You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview.
  • Custom roles with DataActions cannot be assigned at the management group scope.
  • Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope.

For more information about custom roles and management groups, see Organize your resources with Azure management groups.
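The following Python is an added example (not code from the page or from Microsoft) of a pre-submission check that applies the limits above and the length limits from the properties table to a role definition in the Azure PowerShell input shape, so that a definition is rejected locally before it reaches Azure. The Virtual Machine Operator role embedded below is the one from this page; BAD_ROLE is constructed to trip several checks. The management group scope prefix is taken from the page's own AssignableScopes examples.

```python
import json

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
ROOT_SCOPE = "/"
MAX_NAME_LENGTH = 128          # from the properties table on this page
MAX_DESCRIPTION_LENGTH = 1024  # from the properties table on this page
REQUIRED = ("Name", "Description", "Actions", "AssignableScopes")
ARRAY_PROPERTIES = ("Actions", "NotActions", "DataActions", "NotDataActions", "AssignableScopes")

# The "Virtual Machine Operator" role from this page, embedded so the example runs offline.
VM_OPERATOR_ROLE = json.loads("""
{
  "Name": "Virtual Machine Operator",
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}
""")

# Constructed definition that violates three of the limits at once.
BAD_ROLE = {
    "Name": "Constructed bad role",
    "Description": "Example only",
    "Actions": ["Microsoft.Compute/*/read"],
    "NotActions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "NotDataActions": [],
    "AssignableScopes": [
        "/",
        "/providers/Microsoft.Management/managementGroups/{groupId1}",
        "/providers/Microsoft.Management/managementGroups/{groupId2}",
    ],
}


def lint_role_definition(role):
    """Return a list of problems found in a role definition (PowerShell input
    shape). An empty list means every check passed."""
    problems = []

    for key in REQUIRED:
        if key not in role:
            problems.append("missing required property: " + key)

    for key in ARRAY_PROPERTIES:
        value = role.get(key, [])
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(key + " must be an array of strings")

    if len(role.get("Name", "")) > MAX_NAME_LENGTH:
        problems.append("Name exceeds %d characters" % MAX_NAME_LENGTH)
    if len(role.get("Description", "")) > MAX_DESCRIPTION_LENGTH:
        problems.append("Description exceeds %d characters" % MAX_DESCRIPTION_LENGTH)

    scopes = role.get("AssignableScopes", [])
    if isinstance(scopes, list) and all(isinstance(s, str) for s in scopes):
        if ROOT_SCOPE in scopes:
            problems.append('AssignableScopes must not contain the root scope "/"')
        management_groups = [s for s in scopes if s.lower().startswith(MG_PREFIX.lower())]
        if len(management_groups) > 1:
            problems.append("only one management group is allowed in AssignableScopes, found %d"
                            % len(management_groups))
        if management_groups and role.get("DataActions"):
            problems.append("role defines DataActions, so it cannot be assigned at the "
                            "management group scope listed in AssignableScopes")
        # Azure Resource Manager does not check that a listed management group
        # exists, so a mistyped ID is accepted silently; verify IDs against your
        # management group hierarchy in a separate step.
    return problems


if __name__ == "__main__":
    for label, role in (("page role", VM_OPERATOR_ROLE), ("bad role", BAD_ROLE)):
        print(label, "->", lint_role_definition(role) or "ok")
```

The check is deliberately conservative: it flags DataActions whenever a management group appears in AssignableScopes, because such a role can be created but will fail at assignment time, which is the more confusing place to discover it.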

Input and output formats

To create a custom role using the command line, you typically use JSON to specify the properties you want for the custom role. Depending on the tools you use, the input and output formats will look slightly different. This section lists the input and output formats depending on the tool.

Azure PowerShell

To create a custom role using Azure PowerShell, you must provide the following input.

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

To update a custom role using Azure PowerShell, you must provide the following input. Note that the Id property has been added.

{
  "Name": "",
  "Id": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure PowerShell and the ConvertTo-Json command.

{
  "Name": "",
  "Id": "",
  "IsCustom": true,
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

Azure CLI

To create or update a custom role using Azure CLI, you must provide the following input. This format is the same format used when you create a custom role using Azure PowerShell.

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure CLI.

[
  {
    "assignableScopes": [],
    "description": "",
    "id": "",
    "name": "",
    "permissions": [
      {
        "actions": [],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

REST API

To create or update a custom role using the REST API, you must provide the following input. This format is the same format that gets generated when you create a custom role using the Azure portal.

{
  "properties": {
    "roleName": "",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

The following shows an example of the output when you list a custom role using the REST API.

{
    "properties": {
        "roleName": "",
        "type": "CustomRole",
        "description": "",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ],
        "createdOn": "",
        "updatedOn": "",
        "createdBy": "",
        "updatedBy": ""
    },
    "id": "",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": ""
}
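The following Python is an added example (not code from the page or from Microsoft) that converts between the three shapes shown in this section: the Azure PowerShell/CLI input shape, the Azure CLI list output, and the REST API body and output. It embeds the Azure CLI output element for the Virtual Machine Operator role from this page. The mapping of the CLI "name" to the PowerShell "Id" and of roleType CustomRole to IsCustom true follows the properties table; the decision to concatenate the arrays of several permissions blocks, should more than one be present, is an assumption (the page shows exactly one).

```python
import json

# One element of the Azure CLI list output shown on this page, embedded so the
# example runs offline.
CLI_OUTPUT_ITEM = json.loads("""
{
  "assignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ],
  "description": "Can monitor and restart virtual machines.",
  "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/88888888-8888-8888-8888-888888888888",
  "name": "88888888-8888-8888-8888-888888888888",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*"
      ],
      "dataActions": [],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Operator",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
""")

# (PowerShell property name, CLI/REST property name) for the four permission arrays.
ARRAY_FIELDS = (
    ("Actions", "actions"),
    ("NotActions", "notActions"),
    ("DataActions", "dataActions"),
    ("NotDataActions", "notDataActions"),
)


def _merge_permissions(blocks):
    """Concatenate the permission arrays of every permissions block (assumption:
    the page shows one block; several are simply appended in order)."""
    merged = {ps: [] for ps, _ in ARRAY_FIELDS}
    for block in blocks:
        for ps, cli in ARRAY_FIELDS:
            merged[ps].extend(block.get(cli, []))
    return merged


def powershell_to_rest(role):
    """PowerShell/CLI input shape -> REST API request body shape."""
    permissions = {cli: list(role.get(ps, [])) for ps, cli in ARRAY_FIELDS}
    return {"properties": {
        "roleName": role["Name"],
        "description": role.get("Description", ""),
        "assignableScopes": list(role.get("AssignableScopes", [])),
        "permissions": [permissions],
    }}


def cli_output_to_powershell(item):
    """One Azure CLI list-output element -> PowerShell shape. The CLI 'name' is
    the role GUID (PowerShell 'Id'); roleType CustomRole maps to IsCustom true."""
    role = {
        "Name": item["roleName"],
        "Id": item["name"],
        "IsCustom": item.get("roleType") == "CustomRole",
        "Description": item.get("description", ""),
    }
    role.update(_merge_permissions(item.get("permissions", [])))
    role["AssignableScopes"] = list(item.get("assignableScopes", []))
    return role


def rest_output_to_powershell(item):
    """REST API output -> PowerShell shape. Here the role GUID is the top-level
    'name' and the custom/built-in flag is properties.type."""
    props = item["properties"]
    role = {
        "Name": props["roleName"],
        "Id": item["name"],
        "IsCustom": props.get("type") == "CustomRole",
        "Description": props.get("description", ""),
    }
    role.update(_merge_permissions(props.get("permissions", [])))
    role["AssignableScopes"] = list(props.get("assignableScopes", []))
    return role


if __name__ == "__main__":
    print(json.dumps(powershell_to_rest(cli_output_to_powershell(CLI_OUTPUT_ITEM)), indent=2))
```

Keeping one canonical shape (the PowerShell one here) and converting at the edges makes it easy to diff the role your pipeline intends to create against what the tool reports back after creation, whichever tool produced the output.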

Next steps