Create or update Azure custom roles using Azure CLI

Important

Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. This article describes how to list, create, update, or delete custom roles using Azure CLI.

Prerequisites

To create custom roles, you need:

List custom roles

To list custom roles that are available for assignment, use az role definition list. The following example lists all the custom roles in the current subscription.

az role definition list --custom-role-only true --output json --query '[].{roleName:roleName, roleType:roleType}'
[
  {
    "roleName": "My Management Contributor",
    "roleType": "CustomRole"
  },
  {
    "roleName": "My Service Reader Role",
    "roleType": "CustomRole"
  },
  {
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole"
  }
]

List a custom role definition

To list a custom role definition, use az role definition list. This is the same command you would use for a built-in role.

az role definition list --name {roleName}

The following example lists the Virtual Machine Operator role definition:

az role definition list --name "Virtual Machine Operator"
[
  {
    "assignableScopes": [
      "/subscriptions/{subscriptionId}"
    ],
    "description": "Can monitor and restart virtual machines.",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
    "name": "00000000-0000-0000-0000-000000000000",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Authorization/*/read",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Insights/diagnosticSettings/*"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

The following example lists just the actions of the Virtual Machine Operator role:

az role definition list --name "Virtual Machine Operator" --output json --query '[].permissions[0].actions'
[
  [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ]
]

Create a custom role

To create a custom role, use az role definition create. The role definition can be a JSON description or a path to a file containing a JSON description.

az role definition create --role-definition {roleDefinition}

The following example creates a custom role named Virtual Machine Operator. This custom role assigns access to all read operations of the Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers and assigns access to start, restart, and monitor virtual machines. This custom role can be used in two subscriptions. This example uses a JSON file as input.

vmoperator.json

{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}"
  ]
}

az role definition create --role-definition ~/roles/vmoperator.json

Update a custom role

To update a custom role, first use az role definition list to retrieve the role definition. Second, make the desired changes to the role definition. Finally, use az role definition update to save the updated role definition.

az role definition update --role-definition {roleDefinition}

The following example adds the Microsoft.Insights/diagnosticSettings/* operation to Actions and adds a management group to AssignableScopes for the Virtual Machine Operator custom role. Adding a management group to AssignableScopes is currently in preview.

vmoperator.json

{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/marketing-group"
  ]
}

az role definition update --role-definition ~/roles/vmoperator.json
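Because `az role definition list` returns camelCase keys with actions nested under permissions[0], while the file passed to create or update uses the PascalCase shape shown in vmoperator.json, it is easy to miss what an update actually changes. The following added Python script (not part of this article; both role definitions are constructed samples) normalizes the two shapes, diffs Actions and AssignableScopes, and flags additions that widen the role, so the result can be reviewed before running az role definition update.

```python
import json

# Constructed sample of what `az role definition list --name ...` returns (first array element).
CURRENT_DEFINITION = json.loads("""
{
  "assignableScopes": ["/subscriptions/{subscriptionId1}"],
  "roleName": "Virtual Machine Operator",
  "permissions": [{"actions": ["Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/start/action"],
                   "notActions": [], "dataActions": [], "notDataActions": []}]
}""")

# Constructed sample of the file passed to `az role definition update` (vmoperator.json shape).
PROPOSED_FILE = json.loads("""
{
  "Name": "Virtual Machine Operator",
  "IsCustom": true,
  "Actions": ["Microsoft.Compute/*/read",
              "Microsoft.Compute/virtualMachines/start/action",
              "Microsoft.Compute/virtualMachines/restart/action",
              "Microsoft.Insights/diagnosticSettings/*"],
  "AssignableScopes": ["/subscriptions/{subscriptionId1}",
                       "/providers/Microsoft.Management/managementGroups/marketing-group"]
}""")

def normalize(definition):
    if "permissions" in definition:  # camelCase shape returned by `az role definition list`
        return {"actions": set(definition["permissions"][0]["actions"]),
                "scopes": set(definition["assignableScopes"])}
    return {"actions": set(definition["Actions"]),  # PascalCase shape accepted by create/update
            "scopes": set(definition["AssignableScopes"])}

def diff_roles(current, proposed):
    """List what the update would add to or remove from Actions and AssignableScopes."""
    cur, new = normalize(current), normalize(proposed)
    return {"added_actions": sorted(new["actions"] - cur["actions"]),
            "removed_actions": sorted(cur["actions"] - new["actions"]),
            "added_scopes": sorted(new["scopes"] - cur["scopes"]),
            "removed_scopes": sorted(cur["scopes"] - new["scopes"])}

def review_findings(diff):
    """Flag additions that widen the role: wildcards beyond read, and management group scopes."""
    findings = [f"wildcard grants more than read: {a}" for a in diff["added_actions"]
                if "*" in a and not a.endswith("/read")]
    findings += [f"management group scope (preview; every subscription under it inherits): {s}"
                 for s in diff["added_scopes"] if "/managementGroups/" in s]
    return findings

if __name__ == "__main__":
    changes = diff_roles(CURRENT_DEFINITION, PROPOSED_FILE)
    print(json.dumps({**changes, "findings": review_findings(changes)}, indent=2))
```

On real data, load CURRENT_DEFINITION from the output of az role definition list --name "Virtual Machine Operator" (taking the first element) and PROPOSED_FILE from the JSON file you are about to pass to the update command.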

Delete a custom role

To delete a custom role, use az role definition delete. To specify the role to delete, use the role name or the role ID. To determine the role ID, use az role definition list.

az role definition delete --name {roleNameOrId}

The following example deletes the Virtual Machine Operator custom role.

az role definition delete --name "Virtual Machine Operator"

Next steps