List Azure role assignments using the REST API

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To determine what resources users, groups, service principals, or managed identities have access to, you list their role assignments. This article describes how to list role assignments using the REST API.

List role assignments

In Azure RBAC, to list access, you list the role assignments. To list role assignments, use one of the Role Assignments - List REST APIs. To refine your results, you specify a scope and an optional filter.

  1. Start with the following request:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter={filter}
    
  2. Within the URI, replace {scope} with the scope for which you want to list the role assignments.

    | Scope | Type |
    | --- | --- |
    | providers/Microsoft.Management/managementGroups/{groupId1} | Management group |
    | subscriptions/{subscriptionId1} | Subscription |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource |

    In the previous example, Microsoft.Web is the resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure resource providers and types and Supported Azure resource provider operations.

  3. Replace {filter} with the condition that you want to apply to filter the role assignment list.

    | Filter | Description |
    | --- | --- |
    | $filter=atScope() | Lists role assignments for only the specified scope, not including the role assignments at subscopes. |
    | $filter=assignedTo('{objectId}') | Lists role assignments for a specified user or service principal. If the user is a member of a group that has a role assignment, that role assignment is also listed. This filter is transitive for groups, which means that if the user is a member of a group and that group is a member of another group that has a role assignment, that role assignment is also listed. This filter only accepts an object ID for a user or a service principal; you cannot pass an object ID for a group. |
    | $filter=atScope()+and+assignedTo('{objectId}') | Lists role assignments for the specified user or service principal at the specified scope. |
    | $filter=principalId+eq+'{objectId}' | Lists role assignments for a specified user, group, or service principal. |

The following request lists all role assignments for the specified user at subscription scope:

GET https://management.chinacloudapi.cn/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=atScope()+and+assignedTo('{objectId1}')

The following shows an example of the output:

{
    "value": [
        {
            "properties": {
                "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
                "principalId": "{objectId1}",
                "scope": "/subscriptions/{subscriptionId1}",
                "createdOn": "2019-01-15T21:08:45.4904312Z",
                "updatedOn": "2019-01-15T21:08:45.4904312Z",
                "createdBy": "{createdByObjectId1}",
                "updatedBy": "{updatedByObjectId1}"
            },
            "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId1}",
            "type": "Microsoft.Authorization/roleAssignments",
            "name": "{roleAssignmentId1}"
        }
    ]
}
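As an added example that is not part of the original article, the following Python builds the request URI described above from a scope and a `$filter` expression, and reduces a response in the format shown to the fields an access reviewer needs (principal, role definition GUID, scope), flagging assignments that sit below the queried scope rather than at it. The `list_role_assignments` helper and the sample subscription, principal and assignment identifiers are assumptions constructed for the example; the response layout and the role definition GUID come from the page.

```python
import json
import urllib.parse
import urllib.request

# Azure China management endpoint and API version, as used on the page.
ENDPOINT = "https://management.chinacloudapi.cn"
API_VERSION = "2015-07-01"


def build_url(scope, filter_expr=None):
    """Build the Role Assignments - List URI for a scope and an optional $filter."""
    url = f"{ENDPOINT}/{scope.strip('/')}/providers/Microsoft.Authorization/roleAssignments?api-version={API_VERSION}"
    if filter_expr:
        # Keep the page's filter syntax intact: '+' separates keywords, quotes wrap the object ID.
        url += "&$filter=" + urllib.parse.quote(filter_expr, safe="()+'")
    return url


def list_role_assignments(bearer_token, scope, filter_expr=None):
    """Issue the GET with an Azure Resource Manager bearer token (hypothetical helper; needs network access)."""
    req = urllib.request.Request(build_url(scope, filter_expr),
                                 headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(response, queried_scope):
    """Flatten each assignment and mark whether it is at the queried scope or at a subscope."""
    rows = []
    for item in response.get("value", []):
        p = item["properties"]
        rows.append({
            "assignment": item["name"],
            "principalId": p["principalId"],
            # The role definition GUID is the last segment of roleDefinitionId.
            "roleDefinitionId": p["roleDefinitionId"].rsplit("/", 1)[-1],
            "scope": p["scope"],
            "atQueriedScope": p["scope"].lower() == "/" + queried_scope.strip("/").lower(),
        })
    return rows


# Constructed sample: a subscription-scope assignment plus one at a child resource group
# (the second would be excluded by atScope(), but is returned by assignedTo() alone).
SAMPLE_SCOPE = "subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_RESPONSE = {"value": [
    {"name": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Microsoft.Authorization/roleAssignments", "properties": {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"}},
    {"name": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Microsoft.Authorization/roleAssignments", "properties": {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myresourcegroup1"}},
]}

if __name__ == "__main__":
    print(build_url(SAMPLE_SCOPE, "assignedTo('22222222-2222-2222-2222-222222222222')"))
    for row in summarize(SAMPLE_RESPONSE, SAMPLE_SCOPE):
        print(row)
```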

Next steps