Custom roles for Azure resources

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. (For specialized clouds, such as Azure China 21Vianet, the limit is 2000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}

When you create a custom role, it appears in the Azure portal with an orange resource icon.

(Image: custom role icon)

Steps to create a custom role

  1. Decide how you want to create the custom role

    You can create custom roles using Azure PowerShell, Azure CLI, or the REST API.

  2. Determine the permissions you need

    When you create a custom role, you need to know the resource provider operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the Actions or NotActions properties of the role definition. If you have data operations, you will add those to the DataActions or NotDataActions properties.

  3. Create the custom role

    Typically, you start with an existing built-in role and then modify it for your needs. Then you use the New-AzRoleDefinition or az role definition create commands to create the custom role. To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all AssignableScopes, for example as an Owner or User Access Administrator.

  4. Test the custom role

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

For a step-by-step tutorial on how to create a custom role, see Tutorial: Create a custom role using Azure PowerShell or Tutorial: Create a custom role using Azure CLI.

Custom role properties

A custom role has the following properties.

| Property | Required | Type | Description |
|---|---|---|---|
| Name | Yes | String | The display name of the custom role. While a role definition is a subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128. |
| Id | Yes | String | The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role. |
| IsCustom | Yes | String | Indicates whether this is a custom role. Set to true for custom roles. |
| Description | Yes | String | The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024. |
| Actions | Yes | String[] | An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions. |
| NotActions | No | String[] | An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions. |
| DataActions | No | String[] | An array of strings that specifies the data operations that the role allows to be performed on your data within that object. For more information, see DataActions (Preview). |
| NotDataActions | No | String[] | An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions (Preview). |
| AssignableScopes | Yes | String[] | An array of strings that specifies the scopes at which the custom role is available for assignment. Currently cannot be set to the root scope ("/") or a management group scope. For more information, see AssignableScopes and Organize your resources with Azure management groups. |
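The following is an added example, not code from the page or from Azure's own tooling: it checks a role definition against the property rules in the table above (required properties, length limits, IsCustom, no root or management group scope in AssignableScopes) and evaluates whether a given operation is permitted, treating `*` in Actions and NotActions as a wildcard that can span path segments. The role is the page's "Virtual Machine Operator" with an abbreviated action list; the management group scope prefix follows Azure's resource ID convention and is assumed here.

```python
import re

# Sample input: the "Virtual Machine Operator" role shown on this page, with the
# action list abbreviated, as an already-parsed role definition
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "Id": "88888888-8888-8888-8888-888888888888",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId1}"],
}

REQUIRED = ("Name", "Id", "IsCustom", "Description", "Actions", "AssignableScopes")
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"  # assumed scope format

def validate_role(role):
    """Return the problems found against the property rules in the table above."""
    problems = [f"missing required property {k}" for k in REQUIRED if k not in role]
    if len(str(role.get("Name", ""))) > 128:
        problems.append("Name exceeds 128 characters")
    if len(str(role.get("Description", ""))) > 1024:
        problems.append("Description exceeds 1024 characters")
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    for scope in role.get("AssignableScopes", []):
        if scope == "/" or scope.startswith(MG_PREFIX):
            problems.append(f"AssignableScopes may not contain root or management group scope: {scope}")
    return problems

def _matches(operation, pattern):
    # '*' in an operation string is a wildcard that may span several path segments
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation):
    """An operation is permitted when it matches Actions and is not excluded by NotActions."""
    allowed = any(_matches(operation, p) for p in role.get("Actions", []))
    excluded = any(_matches(operation, p) for p in role.get("NotActions", []))
    return allowed and not excluded
```

Run `validate_role` on a definition before handing it to New-AzRoleDefinition or az role definition create, and `role_allows` to confirm the role grants only the operations you expect, for example that it cannot delete a virtual machine.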

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes at which the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.

| Task | Operation | Description |
|---|---|---|
| Create/delete a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources. |
| Update a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources. |
| View a custom role | Microsoft.Authorization/roleDefinitions/read | Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment. |

Next steps