Custom roles for Azure resources

Important

Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. (For Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal (Preview), Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}

When you create a custom role, it appears in the Azure portal with an orange resource icon.

[Image: custom role icon]

Steps to create a custom role

  1. Decide how you want to create the custom role

    You can create custom roles using the Azure portal (Preview), Azure PowerShell, Azure CLI, or the REST API.

  2. Determine the permissions you need

    When you create a custom role, you need to know the resource provider operations that are available to define your permissions. To view the list of operations, see Azure Resource Manager resource provider operations. You add management operations to the Actions or NotActions properties of the role definition. If you have data operations, you add those to the DataActions or NotDataActions properties.

  3. Create the custom role

    Typically, you start with an existing built-in role and then modify it for your needs. Then you use the New-AzRoleDefinition or az role definition create command to create the custom role. To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all AssignableScopes, for example by holding the Owner or User Access Administrator role at those scopes.

  4. Test the custom role

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

Custom role properties

A custom role has the following properties.

  • Name. Required: Yes. Type: String. The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128.
  • Id. Required: Yes. Type: String. The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role.
  • IsCustom. Required: Yes. Type: String. Indicates whether this is a custom role. Set to true for custom roles.
  • Description. Required: Yes. Type: String. The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024.
  • Actions. Required: Yes. Type: String[]. An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions.
  • NotActions. Required: No. Type: String[]. An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions.
  • DataActions. Required: No. Type: String[]. An array of strings that specifies the data operations that the role allows to be performed on your data within that object. If you create a custom role with DataActions, that role cannot be assigned at the management group scope. For more information, see DataActions.
  • NotDataActions. Required: No. Type: String[]. An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions.
  • AssignableScopes. Required: Yes. Type: String[]. An array of strings that specifies the scopes at which the custom role is available for assignment. You can only define one management group in the AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview. For more information, see AssignableScopes.

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes at which the role is available for assignment. The AssignableScopes property of a custom role also controls who can create, delete, update, or view the custom role.

  • Create/delete a custom role. Operation: Microsoft.Authorization/roleDefinitions/write. Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
  • Update a custom role. Operation: Microsoft.Authorization/roleDefinitions/write. Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
  • View a custom role. Operation: Microsoft.Authorization/roleDefinitions/read. Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment.

Custom role limits

The following list describes the limits for custom roles.

  • Each directory can have up to 5000 custom roles.
  • Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each directory.
  • You cannot set AssignableScopes to the root scope ("/").
  • You can only define one management group in the AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview.
  • Custom roles with DataActions cannot be assigned at the management group scope.
  • Azure Resource Manager doesn't validate that the management group named in a role definition's assignable scope exists.
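The property rules and the limits above are easy to get wrong in a hand-written role definition before it is ever sent to Azure. The following added example (not part of the Azure documentation or of any Microsoft tool) checks a definition offline against the limits stated on this page and evaluates whether a given management operation falls inside the role's effective Actions minus NotActions; the sample role is constructed here, modelled on the Virtual Machine Operator example, and keeps the page's placeholder scope ids.

```python
import fnmatch
import json

# Constructed sample, modelled on the page's "Virtual Machine Operator" role.
# Scope ids are kept as the page's placeholders; replace them with real ids.
SAMPLE_ROLE = json.loads("""{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": ["Microsoft.Compute/*/read",
              "Microsoft.Compute/virtualMachines/restart/action"],
  "NotActions": ["Microsoft.Compute/virtualMachines/extensions/read"],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscriptionId1}",
                       "/providers/Microsoft.Management/managementGroups/{groupId1}"]
}""")
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def validate_role(role):
    """Return the limits from this page that the definition violates (empty list = OK)."""
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if not role.get("Name") or len(role["Name"]) > 128:
        problems.append("Name is required and limited to 128 characters")
    if len(role.get("Description", "")) > 1024:
        problems.append("Description is limited to 1024 characters")
    if "Actions" not in role:
        problems.append("Actions is required")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is required")
    if "/" in scopes:
        problems.append('AssignableScopes cannot contain the root scope "/"')
    mg_scopes = [s for s in scopes if s.startswith(MG_PREFIX)]
    if len(mg_scopes) > 1:
        problems.append("only one management group is allowed in AssignableScopes")
    if role.get("DataActions") and mg_scopes:
        problems.append("a role with DataActions cannot be assigned at management group scope")
    return problems


def allows(role, operation):
    """True if the operation matches an Actions entry and no NotActions entry.
    Azure's '*' spans '/' segments, and so does fnmatch's '*'."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(operation, p) for p in patterns)
    return hit(role.get("Actions", [])) and not hit(role.get("NotActions", []))
```

Run `validate_role` on a definition before handing it to New-AzRoleDefinition or az role definition create; an empty list means none of the page's limits are violated.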

For more information about custom roles and management groups, see Organize your resources with Azure management groups.

Next steps