List role assignments using Azure RBAC and the Azure portal

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using the Azure portal.

List role assignments for a user or group

The easiest way to see the roles assigned to a user or group in a subscription is to use the Azure resources pane.

  1. In the Azure portal, click All services and then select Users or Groups.

  2. Click the user or group you want to list the role assignments for.

  3. Click Azure resources.

    You see a list of roles assigned to the selected user or group at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    (Screenshot: Role assignments for a user)

  4. To change the subscription, click the Subscriptions list.

List owners of a subscription

Users that have been assigned the Owner role for a subscription can manage everything in the subscription. Follow these steps to list the owners of a subscription.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription you want to list the owners of.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Scroll to the Owners section to see all the users that have been assigned the Owner role for this subscription.

    (Screenshot: Subscription Access control - Role assignments tab)

List role assignments at a scope

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments at this scope.

    (Screenshot: Access control - Role assignments tab)

    On the Role assignments tab, you can see who has access at this scope. Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to this resource or inherited from an assignment at the parent scope.

List role assignments for a user at a scope

To list access for a user, group, service principal, or managed identity, you list their role assignments. Follow these steps to list the role assignments for a single user, group, service principal, or managed identity at a particular scope.

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Check access tab.

    (Screenshot: Access control - Check access tab)

  5. In the Find list, select the type of security principal you want to check access for.

  6. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

    (Screenshot: Check access select list)

  7. Click the security principal to open the assignments pane.

    (Screenshot: Assignments pane)

    On this pane, you can see the roles assigned to the selected security principal and the scope. If there are any deny assignments at this scope or inherited to this scope, they will be listed.

List role assignments for a system-assigned managed identity

  1. In the Azure portal, open a system-assigned managed identity.

  2. In the left menu, click Identity.

    (Screenshot: System-assigned managed identity)

  3. Under Role assignments, click Show the Azure RBAC roles assigned to this managed identity.

    You see a list of roles assigned to the selected system-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    (Screenshot: Role assignments for a system-assigned managed identity)

List role assignments for a user-assigned managed identity

  1. In the Azure portal, open a user-assigned managed identity.

  2. Click Azure resources.

    You see a list of roles assigned to the selected user-assigned managed identity at various scopes such as management group, subscription, resource group, or resource. This list includes all role assignments you have permission to read.

    (Screenshot: Role assignments for a user-assigned managed identity)

  3. To change the subscription, click the Subscriptions list.

List number of role assignments

You can have up to 2000 role assignments in each subscription. To help you keep track of this limit, the Role assignments tab includes a chart that lists the number of role assignments for the current subscription.

(Screenshot: Access control - number of role assignments chart)

If you are getting close to the maximum number and you try to add more role assignments, you'll see a warning in the Add role assignment pane. For ways that you can reduce the number of role assignments, see Troubleshoot Azure RBAC.

(Screenshot: Access control - Add role assignment warning)
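The portal views above (the This resource versus (Inherited) split on the Role assignments tab, the Owners section, the per-principal Check access view, and the count against the 2000-per-subscription limit) can be reproduced offline from an exported list of role assignments, which is useful when reviewing access in bulk. The following is an added example, not code from this article or from Microsoft; the records are a constructed sample that approximates the field names of `az role assignment list` output (principalName, principalType, roleDefinitionName, scope), and the subscription id, resource names and management group id are placeholders. Because a subscription's management group is not derivable from its scope path, the example takes the containing management group ids as an explicit input.

```python
"""Classify, filter and count Azure role assignments offline.

Added example for this article (not Microsoft's code). The records below are a
constructed sample approximating the shape of `az role assignment list` output;
ids and names are placeholders, not real identities.
"""
from collections import Counter

# Per-subscription limit stated in the article.
ROLE_ASSIGNMENT_LIMIT = 2000

# Constructed placeholder scopes (not a real subscription or management group).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web"
MG = "/providers/Microsoft.Management/managementGroups/contoso-root"

SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "vm-web", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": VM},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor", "scope": VM},
    {"principalName": "mgmt-admins", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": MG},
]


def _is_ancestor(parent, child):
    """True if `child` lies strictly below `parent` in the ARM scope path."""
    parent = parent.rstrip("/").lower()
    child = child.rstrip("/").lower()
    return child != parent and child.startswith(parent + "/")


def classify_assignments(assignments, target_scope, management_groups=()):
    """Split assignments into those made at target_scope ('This resource' in the
    portal) and those inherited from a parent scope ('(Inherited)').

    management_groups: ids of the management groups containing the subscription,
    passed explicitly because they cannot be read off the scope path. Assignments
    at sibling or child scopes are dropped; they do not apply at target_scope.
    """
    mgs = {m.lower() for m in management_groups}
    direct, inherited = [], []
    for a in assignments:
        scope = a["scope"]
        if scope.lower() == target_scope.lower():
            direct.append(a)
        elif _is_ancestor(scope, target_scope) or scope.lower() in mgs:
            inherited.append(a)
    return direct, inherited


def roles_for_principal(assignments, principal_name, target_scope, management_groups=()):
    """Effective role names for one principal at a scope (the 'Check access' view)."""
    direct, inherited = classify_assignments(assignments, target_scope, management_groups)
    return sorted({a["roleDefinitionName"] for a in direct + inherited
                   if a["principalName"].lower() == principal_name.lower()})


def owners_of_subscription(assignments, subscription_scope):
    """Principals holding the Owner role directly on the subscription."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "Owner"
                  and a["scope"].lower() == subscription_scope.lower())


def count_per_subscription(assignments, limit=ROLE_ASSIGNMENT_LIMIT):
    """Count assignments scoped at or below each subscription and report the
    headroom against the limit; near_limit flags 90% or more of the limit."""
    counts = Counter()
    for a in assignments:
        parts = a["scope"].strip("/").split("/")
        if len(parts) >= 2 and parts[0].lower() == "subscriptions":
            counts["/subscriptions/" + parts[1]] += 1
    return {sub: {"count": n, "remaining": limit - n, "near_limit": n >= 0.9 * limit}
            for sub, n in counts.items()}


if __name__ == "__main__":
    direct, inherited = classify_assignments(SAMPLE_ASSIGNMENTS, VM, [MG])
    for a in direct:
        print(f"{a['principalName']:20} {a['roleDefinitionName']:28} This resource")
    for a in inherited:
        print(f"{a['principalName']:20} {a['roleDefinitionName']:28} (Inherited) {a['scope']}")
    print("Owners:", owners_of_subscription(SAMPLE_ASSIGNMENTS, SUB))
    print(count_per_subscription(SAMPLE_ASSIGNMENTS))
```

Run against a real export, replace SAMPLE_ASSIGNMENTS with the parsed JSON from your own listing; note that, like the portal, this only reflects assignments you were permitted to read, and it does not model deny assignments, which the Check access pane lists separately.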

Next steps