什么是 Azure 基于角色的访问控制 (Azure RBAC)?What is Azure role-based access control (Azure RBAC)?

对于任何使用云的组织而言,云资源的访问权限管理都是一项重要功能。Access management for cloud resources is a critical function for any organization that is using the cloud. Azure 基于角色的访问控制 (Azure RBAC) 可帮助你管理谁有权访问 Azure 资源、他们可以对这些资源执行哪些操作以及他们有权访问哪些区域。Azure role-based access control (Azure RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Azure RBAC 是在 Azure 资源管理器基础上构建的授权系统,针对 Azure 资源提供精细的访问权限管理。Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

Azure RBAC 有什么用途?What can I do with Azure RBAC?

下面是 Azure RBAC 的用途的一些示例:Here are some examples of what you can do with Azure RBAC:

  • 让一个用户管理订阅中的虚拟机,另一个用户管理虚拟网络Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
  • 让 DBA 组管理订阅中的 SQL 数据库Allow a DBA group to manage SQL databases in a subscription
  • 让某个用户管理资源组中的所有资源,例如虚拟机、网站和子网Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
  • 允许某个应用程序访问资源组中的所有资源Allow an application to access all resources in a resource group

Azure RBAC 的工作原理How Azure RBAC works

使用 Azure RBAC 控制资源访问权限的方式是分配 Azure 角色。The way you control access to resources using Azure RBAC is to assign Azure roles. 这是一个需要理解的重要概念 - 它涉及到如何强制实施权限。This is a key concept to understand - it's how permissions are enforced. 角色分配包含三个要素:安全主体、角色订阅和范围。A role assignment consists of three elements: security principal, role definition, and scope.

安全主体Security principal

安全主体是一个对象,表示请求访问 Azure 资源的用户、组、服务主体或托管标识。A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources. 可以将角色分配给其中任何一个安全主体。You can assign a role to any of these security principals.


角色定义Role definition

角色定义是权限的集合。A role definition is a collection of permissions. 它通常直接称为“角色”。It's typically just called a role. 角色定义列出可以执行的操作,例如读取、写入和删除。A role definition lists the operations that can be performed, such as read, write, and delete. 角色可以是高级别的(例如所有者),也可以是特定的(例如虚拟机读取者)。Roles can be high-level, like owner, or specific, like virtual machine reader.


Azure 包含多个可用的内置角色Azure includes several built-in roles that you can use. 例如,虚拟机参与者角色允许用户创建和管理虚拟机。For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. 如果内置角色不能满足组织的特定需求,你可以创建自己的 Azure 自定义角色If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.

Azure 具有数据操作,通过这些操作可以授予对对象内数据的访问权限。Azure has data operations that enable you to grant access to data within an object. 例如,如果某个用户对某个存储帐户拥有读取数据的访问权限,则该用户可以读取该存储帐户中的 Blob 或消息。For example, if a user has read data access to a storage account, then they can read the blobs or messages within that storage account.

有关详细信息,请参阅了解 Azure 角色定义For more information, see Understand Azure role definitions.


范围是访问权限适用于的资源集。Scope is the set of resources that the access applies to. 分配角色时,可以通过定义范围来进一步限制允许的操作。When you assign a role, you can further limit the actions allowed by defining a scope. 若要将某人分配为网站参与者,但只针对一个资源组执行此分配,则可使用范围。This is helpful if you want to make someone a Website Contributor, but only for one resource group.

在 Azure 中,可在四个级别指定范围:管理组、订阅、资源组或资源。In Azure, you can specify a scope at four levels: management group, subscription, resource group, or resource. 范围采用父子关系结构。Scopes are structured in a parent-child relationship. 可以在其中任何一个范围级别分配角色。You can assign roles at any of these levels of scope.


有关范围的详细信息,请参阅了解范围For more information about scope, see Understand scope.

角色分配Role assignments

角色分配是出于授予访问权限的目的,将角色定义附加到特定范围内的用户、组、服务主体或托管标识的过程。A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. 通过创建角色分配来授予访问权限,通过删除角色分配来撤销访问权限。Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

下图显示了角色分配的示例。The following diagram shows an example of a role assignment. 在此示例中,为“营销”组分配了医药销售资源组的参与者角色。In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. 这意味着,“营销”组中的用户可以在医药销售资源组中创建或管理任何 Azure 资源。This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. “营销”用户无权访问医药销售资源组外部的资源,除非他们属于另一个角色分配。Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.


可使用 Azure 门户、Azure CLI、Azure PowerShell、Azure SDK 或 REST API 分配角色。You can assign roles using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or REST APIs.

有关详细信息,请参阅分配 Azure 角色的步骤For more information, see Steps to assign an Azure role.

多角色分配Multiple role assignments

如果有多个重叠的角色分配,将会发生什么情况?So what happens if you have multiple overlapping role assignments? Azure RBAC 是一个加法模型,因此有效权限是角色分配的总和。Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. 请考虑以下示例,其中在订阅范围内向用户授予了“参与者”角色,并且授予了对资源组的“读者”角色。Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. “参与者”权限与“读者”权限的总和实际上是订阅的“参与者”角色。The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. 因此,在这种情况下,“读者”角色分配没有任何影响。Therefore, in this case, the Reader role assignment has no impact.


拒绝分配Deny assignments

以前,Azure RBAC 是一种只能执行允许操作的模型,没有拒绝功能,但 Azure RBAC 现在以有限方式支持拒绝分配。Previously, Azure RBAC was an allow-only model with no deny, but now Azure RBAC supports deny assignments in a limited way. 拒绝分配 类似于角色分配,可将一组拒绝操作附加到特定范围内的用户、组、服务主体或托管标识,以便拒绝访问。Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. 角色分配定义了一组允许的操作,而拒绝分配定义了一组不允许的操作。A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. 换而言之,即使角色分配授予用户访问权限,拒绝分配也会阻止用户执行指定的操作。In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. 拒绝分配优先于角色分配。Deny assignments take precedence over role assignments.

有关详细信息,请参阅了解 Azure 拒绝分配For more information, see Understand Azure deny assignments.

Azure RBAC 如何确定用户是否有权访问资源How Azure RBAC determines if a user has access to a resource

下面是 Azure RBAC 用于确定你是否可以访问管理平面上的资源的概要步骤。The following are the high-level steps that Azure RBAC uses to determine if you have access to a resource on the management plane. 如果正在尝试对访问问题进行故障排除,这有助于了解问题。This is helpful to understand if you are trying to troubleshoot an access issue.

  1. 用户(或服务主体)获取 Azure 资源管理器的令牌。A user (or service principal) acquires a token for Azure Resource Manager.

    令牌包含用户的组成员身份(包括可传递的组成员身份)。The token includes the user's group memberships (including transitive group memberships).

  2. 用户使用附加的令牌对 Azure 资源管理器发出 REST API 调用。The user makes a REST API call to Azure Resource Manager with the token attached.

  3. Azure 资源管理器检索适用于对其执行操作的资源的所有角色分配和拒绝分配。Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.

  4. Azure 资源管理器缩小适用于此用户或其组的角色分配范围,并确定用户针对此资源拥有的角色。Azure Resource Manager narrows the role assignments that apply to this user or their group and determines what roles the user has for this resource.

  5. Azure 资源管理器确定 API 调用中的操作是否包含在用户针对此资源拥有的角色中。Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource.

  6. 如果用户在请求的范围内没有包含该操作的角色,则不授予访问权限。If the user doesn't have a role with the action at the requested scope, access is not granted. 否则,Azure 资源管理器会检查是否适用拒绝分配。Otherwise, Azure Resource Manager checks if a deny assignment applies.

  7. 如果拒绝分配适用,则阻止访问。If a deny assignment applies, access is blocked. 否则授予访问权限。Otherwise access is granted.

许可要求License requirements

此功能免费使用,并且包括在你的 Azure 订阅中。Using this feature is free and included in your Azure subscription.

后续步骤Next steps