What is role-based access control (RBAC) for Azure resources?

Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

What can I do with RBAC?

Here are some examples of what you can do with RBAC:

  • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
  • Allow a DBA group to manage SQL databases in a subscription
  • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
  • Allow an application to access all resources in a resource group

Best practice for using RBAC

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.

Diagram: RBAC and least privilege

How RBAC works

The way you control access to resources using RBAC is to create role assignments. This is a key concept to understand: it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

Security principal

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

  • User - An individual who has a profile in Azure Active Directory.
  • Group - A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
  • Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
  • Managed identity - An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Role definition

A role definition is a collection of permissions. It's typically just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Reader.

Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles. The first three apply to all resource types.

  • Owner - Has full access to all resources, including the right to delegate access to others.
  • Contributor - Can create and manage all types of Azure resources but can't grant access to others.
  • Reader - Can view existing Azure resources.
  • User Access Administrator - Lets you manage user access to Azure resources.

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles for Azure resources.

Azure has data operations that enable you to grant access to data within an object. For example, if a user has read data access to a storage account, then they can read the blobs or messages within that storage account. For more information, see Understand role definitions for Azure resources.

Scope

Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship.

When you grant access at a parent scope, those permissions are inherited by the child scopes. For example:

  • If you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions in the management group.
  • If you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource in the subscription.
  • If you assign the Contributor role to an application at the resource group scope, it can manage resources of all types in that resource group, but not other resource groups in the subscription.

Role assignments

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

The following diagram shows an example of a role assignment. In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.

You can create role assignments using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or REST APIs. You can have up to 2000 role assignments in each subscription and 500 role assignments in each management group. To create and remove role assignments, you must have Microsoft.Authorization/roleAssignments/* permission. This permission is granted through the Owner or User Access Administrator roles.

Multiple role assignments

So what happens if you have multiple overlapping role assignments? RBAC is an additive model, so your effective permissions are the addition of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The addition of the Contributor permissions and the Reader permissions is effectively the Contributor role for the resource group. Therefore, in this case, the Reader role assignment has no impact.


Deny assignments

Previously, RBAC was an allow-only model with no deny, but now RBAC supports deny assignments in a limited way. Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. Deny assignments take precedence over role assignments. For more information, see Understand deny assignments for Azure resources.

How RBAC determines if a user has access to a resource

The following are the high-level steps that RBAC uses to determine if you have access to a resource on the management plane. This is helpful to understand if you are trying to troubleshoot an access issue.

  1. A user (or service principal) acquires a token for Azure Resource Manager.

    The token includes the user's group memberships (including transitive group memberships).

  2. The user makes a REST API call to Azure Resource Manager with the token attached.

  3. Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.

  4. Azure Resource Manager narrows the role assignments to those that apply to this user or their groups and determines what roles the user has for this resource.

  5. Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource.

  6. If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise, Azure Resource Manager checks if a deny assignment applies.

  7. If a deny assignment applies, access is blocked. Otherwise, access is granted.
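The evaluation steps above, together with scope inheritance, the additive model of overlapping assignments and the precedence of deny assignments, as an added Python simulation that is not Microsoft's code and not how Azure Resource Manager is implemented. The role definitions use the Actions/NotActions wildcard format of the built-in roles; every principal, group membership, scope path and assignment is constructed sample data (the Marketing group on the pharma-sales resource group from the text, plus a user "bob" with the Contributor-at-subscription, Reader-at-resource-group overlap).

```python
from fnmatch import fnmatchcase

# Role definitions: Actions (allowed) minus NotActions (excluded), "*" wildcards as in Azure.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Constructed data: transitive group memberships as carried in the token (step 1).
GROUPS = {"alice": {"Marketing"}, "bob": set()}
RG = "/subscriptions/sub1/resourceGroups/pharma-sales"

# Role assignments are (principal, role, scope); scopes are parent/child paths.
ROLE_ASSIGNMENTS = [
    ("Marketing", "Contributor", RG),
    ("bob", "Contributor", "/subscriptions/sub1"),
    ("bob", "Reader", RG),
]
# Deny assignments are (principal, denied action pattern, scope).
DENY_ASSIGNMENTS = [
    ("Marketing", "Microsoft.Compute/virtualMachines/delete", RG),
]

def _applies(scope, resource):
    # A scope covers a resource at or below it: this is parent-to-child inheritance.
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")

def _matches(pattern, action):
    # Azure action names are compared case-insensitively; "*" may span "/" segments.
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    d = ROLES[role]
    return (any(_matches(p, action) for p in d["Actions"])
            and not any(_matches(p, action) for p in d["NotActions"]))

def has_access(user, action, resource):
    identities = {user} | GROUPS.get(user, set())            # user plus groups (steps 1, 4)
    # Steps 3-5: the effective permission is the union of every applicable assignment.
    allowed = any(role_allows(role, action)
                  for p, role, scope in ROLE_ASSIGNMENTS
                  if p in identities and _applies(scope, resource))
    if not allowed:
        return False                                          # step 6: no role grants it
    # Step 7: a matching deny assignment takes precedence over any role assignment.
    return not any(_matches(pat, action)
                   for p, pat, scope in DENY_ASSIGNMENTS
                   if p in identities and _applies(scope, resource))
```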

Next steps