Create or update Azure custom roles using the Azure portal

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription and resource group scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles using the Azure portal.

Prerequisites

To create custom roles, you need:

Step 1: Determine the permissions you need

Azure has thousands of permissions that you can potentially include in your custom role. Here are four ways that you can determine the permissions you will want to add to your custom role:

Method | Description
Look at existing roles | You can look at existing roles to see what permissions are being used. For more information, see Azure built-in roles.
Search for permissions by keyword | When you create a custom role using the Azure portal, you can search for permissions by keyword. For example, you can search for virtual machine or billing permissions. This search functionality is described in more detail later in Step 4: Permissions.
Download all permissions | When you create a custom role using the Azure portal, you can download all of the permissions as a CSV file and then search this file. On the Add permissions pane, click the Download all permissions button to download all of the permissions. For more information about the Add permissions pane, see Step 4: Permissions.
View the permissions in the docs | You can view the available permissions in Azure Resource Manager resource provider operations.

Step 2: Choose how to start

There are three ways that you can start to create a custom role. You can clone an existing role, start from scratch, or start with a JSON file. The easiest way is to find an existing role that has most of the permissions you need and then clone and modify it for your scenario.

Clone a role

If an existing role does not quite have the permissions you need, you can clone it and then modify the permissions. Follow these steps to start cloning a role.

  1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable and then open Access control (IAM).

    The following screenshot shows the Access control (IAM) page opened for a subscription.

    Screenshot: Access control (IAM) page for a subscription

  2. Click the Roles tab to see a list of all the built-in and custom roles.

  3. Search for a role you want to clone, such as the Billing Reader role.

  4. At the end of the row, click the ellipsis (...) and then click Clone.

    Screenshot: Clone context menu

    This opens the custom roles editor with the Clone a role option selected.

  5. Proceed to Step 3: Basics.

Start from scratch

If you prefer, you can follow these steps to start a custom role from scratch.

  1. In the Azure portal, open a subscription or resource group where you want the custom role to be assignable and then open Access control (IAM).

  2. Click Add and then click Add custom role.

    Screenshot: Add custom role menu

    This opens the custom roles editor with the Start from scratch option selected.

  3. Proceed to Step 3: Basics.

Start from JSON

If you prefer, you can specify most of your custom role values in a JSON file. You can open the file in the custom roles editor, make additional changes, and then create the custom role. Follow these steps to start with a JSON file.

  1. Create a JSON file that has the following format:

    {
        "properties": {
            "roleName": "",
            "description": "",
            "assignableScopes": [],
            "permissions": [
                {
                    "actions": [],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
    
  2. In the JSON file, specify values for the various properties. Here's an example with some values added. For information about the different properties, see Understand Azure role definitions.

    {
        "properties": {
            "roleName": "Billing Reader Plus",
            "description": "Read billing data and download invoices",
            "assignableScopes": [
                "/subscriptions/11111111-1111-1111-1111-111111111111"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Authorization/*/read",
                        "Microsoft.Billing/*/read",
                        "Microsoft.Commerce/*/read",
                        "Microsoft.Consumption/*/read",
                        "Microsoft.Management/managementGroups/read",
                        "Microsoft.CostManagement/*/read"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
    
  3. In the Azure portal, open the Access control (IAM) page.

  4. Click Add and then click Add custom role.

    Screenshot: Add custom role menu

    This opens the custom roles editor.

  5. On the Basics tab, in Baseline permissions, select Start from JSON.

  6. Next to the Select a file box, click the folder button to open the Open dialog box.

  7. Select your JSON file and then click Open.

  8. Proceed to Step 3: Basics.

Step 3: Basics

On the Basics tab, you specify the name, description, and baseline permissions for your custom role.

  1. In the Custom role name box, specify a name for the custom role. The name must be unique for the Azure AD directory. The name can include letters, numbers, spaces, and special characters.

  2. In the Description box, specify an optional description for the custom role. This will become the tooltip for the custom role.

    The Baseline permissions option should already be set based on the previous step, but you can change it.

    Screenshot: Basics tab with values specified

Step 4: Permissions

On the Permissions tab, you specify the permissions for your custom role. Depending on whether you cloned a role or started with JSON, the Permissions tab might already list some permissions.

Screenshot: Permissions tab when creating a custom role

Add or remove permissions

Follow these steps to add or remove permissions for your custom role.

  1. To add permissions, click Add permissions to open the Add permissions pane.

    This pane lists all available permissions grouped into different categories in a card format. Each category represents a resource provider, which is a service that supplies Azure resources.

  2. In the Search for a permission box, type a string to search for permissions. For example, search for invoice to find permissions related to invoices.

    A list of resource provider cards is displayed based on your search string. For a list of how resource providers map to Azure services, see Resource providers for Azure services.

    Screenshot: Add permissions pane with resource providers

  3. Click a resource provider card that might have the permissions you want to add to your custom role, such as Microsoft Billing.

    A list of the management permissions for that resource provider is displayed based on your search string.

    Screenshot: Add permissions list

  4. If you are looking for permissions that apply to the data plane, click Data Actions. Otherwise, leave the actions toggle set to Actions to list permissions that apply to the management plane. For more information about the differences between the management plane and the data plane, see Management and data operations.

  5. If necessary, update the search string to further refine your search.

  6. Once you find one or more permissions you want to add to your custom role, add a check mark next to the permissions. For example, add a check mark next to Other : Download Invoice to add the permission to download invoices.

  7. Click Add to add the permission to your permission list.

    The permission is added under Actions or DataActions.

    Screenshot: Permission added

  8. To remove permissions, click the delete icon at the end of the row. In this example, since a user will not need the ability to create support tickets, the Microsoft.Support/* permission can be deleted.

Add wildcard permissions

Depending on how you chose to start, you might have permissions with wildcards (*) in your list of permissions. A wildcard (*) extends a permission to everything that matches the action string you provide. For example, the following wildcard string adds all permissions related to Azure Cost Management exports. This also includes any future export permissions that might be added.

Microsoft.CostManagement/exports/*

If you want to add a new wildcard permission, you can't add it using the Add permissions pane. To add a wildcard permission, you have to add it manually using the JSON tab. For more information, see Step 6: JSON.

Exclude permissions

If your role has a wildcard (*) permission and you want to exclude or subtract specific permissions from that wildcard permission, you can exclude them. For example, let's say that you have the following wildcard permission:

Microsoft.CostManagement/exports/*

If you don't want to allow an export to be deleted, you could exclude the following delete permission:

Microsoft.CostManagement/exports/delete

When you exclude a permission, it is added under NotActions or NotDataActions. The effective management permissions are computed by adding all of the Actions and then subtracting all of the NotActions. The effective data permissions are computed by adding all of the DataActions and then subtracting all of the NotDataActions.

Note

Excluding a permission is not the same as a deny. Excluding permissions is simply a convenient way to subtract permissions from a wildcard permission.
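As an added example (not code from the article or from Microsoft), the following Python applies the rule above to a constructed role written in the article's JSON format, and shows why an exclusion is not a deny: a second assigned role can still grant an operation that the first role excludes. The role name, subscription GUID and the `scope_problems` check for the unsupported root and management-group scopes (see Step 5) are all assumptions made for this example.

```python
"""Added example (not from the article): evaluate an Azure custom role
offline: effective permissions = Actions minus NotActions, '*' matches any characters."""
import fnmatch
import json

# Constructed role in the article's JSON shape; the subscription GUID is a placeholder.
ROLE_JSON = """
{
  "properties": {
    "roleName": "Cost Exports Operator",
    "description": "Manage cost exports but never delete them",
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
    "permissions": [{
      "actions": ["Microsoft.CostManagement/exports/*", "Microsoft.Billing/*/read"],
      "notActions": ["Microsoft.CostManagement/exports/delete"],
      "dataActions": [], "notDataActions": []
    }]
  }
}
"""
ROLE = json.loads(ROLE_JSON)

def _matches(operation: str, patterns: list) -> bool:
    # Action strings compare case-insensitively; fnmatch's '*' also spans '/'.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True if the role grants `operation` after subtracting its own exclusions."""
    grant, exclude = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    granted = excluded = False
    for perm in role["properties"]["permissions"]:
        granted |= _matches(operation, perm.get(grant, []))
        excluded |= _matches(operation, perm.get(exclude, []))
    return granted and not excluded

def allowed_by_any(roles: list, operation: str) -> bool:
    """Grants from several assigned roles add up; NotActions in one role is not a deny."""
    return any(allows(r, operation) for r in roles)

def scope_problems(role: dict) -> list:
    """Flag assignable scopes the article says the portal does not support."""
    problems = []
    for scope in role["properties"]["assignableScopes"]:
        if scope == "/":
            problems.append("root scope '/' is not supported")
        elif "/microsoft.management/managementgroups/" in scope.lower():
            problems.append(f"management group not supported: {scope}")
    return problems
```

`allows(ROLE, "Microsoft.CostManagement/exports/delete")` is False because of the exclusion, but `allowed_by_any` returns True as soon as any other assigned role grants that action.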

  1. To exclude or subtract a permission from an allowed wildcard permission, click Exclude permissions to open the Exclude permissions pane.

    On this pane, you specify the management or data permissions that are excluded or subtracted.

  2. Once you find one or more permissions that you want to exclude, add a check mark next to the permissions and then click the Add button.

    Screenshot: Exclude permissions pane with a permission selected

    The permission is added under NotActions or NotDataActions.

    Screenshot: Excluded permission

Step 5: Assignable scopes

On the Assignable scopes tab, you specify where your custom role is available for assignment, such as a subscription or resource group. Depending on how you chose to start, this tab might list the scope where you opened the Access control (IAM) page. Setting the assignable scope to the root scope ("/") is not supported. Currently, you cannot add a management group as an assignable scope.

  1. Click Add assignable scopes to open the Add assignable scopes pane.

    Screenshot: Assignable scopes tab

  2. Click one or more scopes that you want to use, typically your subscription.

    Screenshot: Add assignable scopes

  3. Click the Add button to add your assignable scope.

Step 6: JSON

On the JSON tab, you see your custom role formatted in JSON. If you want, you can directly edit the JSON. If you want to add a wildcard (*) permission, you must use this tab.

  1. To edit the JSON, click Edit.

    Screenshot: JSON tab showing the custom role

  2. Make changes to the JSON.

    If the JSON is not formatted correctly, you will see a red jagged line and an indicator in the vertical gutter.

  3. When finished editing, click Save.

Step 7: Review + create

On the Review + create tab, you can review your custom role settings.

  1. Review your custom role settings.

    Screenshot: Review + create tab

  2. Click Create to create your custom role.

    After a few moments, a message box appears indicating that your custom role was successfully created.

    Screenshot: Create custom role message

    If any errors are detected, a message is displayed.

    Screenshot: Error in Review + create

  3. View your new custom role in the Roles list. If you don't see your custom role, click Refresh.

    It can take a few minutes for your custom role to appear everywhere.

List custom roles

Follow these steps to view your custom roles.

  1. Open a subscription or resource group and then open Access control (IAM).

  2. Click the Roles tab to see a list of all the built-in and custom roles.

  3. In the Type list, select CustomRole to see just your custom roles.

    If you just created your custom role and you don't see it in the list, click Refresh.

    Screenshot: List of custom roles

Update a custom role

  1. As described earlier in this article, open your list of custom roles.

  2. Click the ellipsis (...) for the custom role you want to update and then click Edit. Note that you can't update built-in roles.

    The custom role is opened in the editor.

    Screenshot: Custom role menu

  3. Use the different tabs to update the custom role.

  4. Once you are finished with your changes, click the Review + create tab to review your changes.

  5. Click the Update button to update your custom role.

Delete a custom role

  1. As described earlier in this article, open your list of custom roles.

  2. Remove any role assignments that use the custom role.

  3. Click the ellipsis (...) for the custom role you want to delete and then click Delete.

    Screenshot: Custom role menu

    It can take a few minutes for your custom role to be completely deleted.

Next steps