Add or remove Azure role assignments using the Azure portal

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

Access control (IAM)

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) page for a subscription.

Screenshot: Access control (IAM) page for a subscription

To be the most effective with the Access control (IAM) page, it helps to follow these steps to assign a role.

  1. Determine who needs access. You can assign a role to a user, group, service principal, or managed identity.

  2. Find the appropriate role. Permissions are grouped together into roles. You can select from a list of several Azure built-in roles or you can use your own custom roles. Pick the narrowest role that covers what the principal actually has to do.

  3. Identify the needed scope. Azure provides four levels of scope: management group, subscription, resource group, and resource. A role assigned at a scope is inherited by every child scope beneath it. For more information about scope, see Understand scope.

  4. Perform the steps in one of the following sections to assign a role.

Add a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role.

  1. In the Azure portal, click All services and then select the scope that you want to grant access to. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource for that scope.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view the role assignments at this scope.

    Screenshot: Access control (IAM) and Role assignments tab

  5. Click Add > Add role assignment.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add role assignment menu

    The Add role assignment pane opens.

    Screenshot: Add role assignment pane

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  7. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers. When several principals share a display name, search by object identifier so that the role lands on the one you intend.

  8. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

    Screenshot: Add role assignment - Save

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others, and it is inherited by every resource group and resource in the subscription. These steps are the same as any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to grant access.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view the role assignments for this subscription.

    Screenshot: Access control (IAM) and Role assignments tab

  5. Click Add > Add role assignment.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add role assignment menu for a subscription

    The Add role assignment pane opens.

    Screenshot: Add role assignment pane for a subscription

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.

Add a role assignment for a managed identity (Preview)

You can add role assignments for a managed identity by using the Access control (IAM) page as described earlier in this article. When you use the Access control (IAM) page, you start with the scope and then select the managed identity and role. This section describes an alternate way to add role assignments for a managed identity. Using these steps, you start with the managed identity and then select the scope and role.

Important

Adding a role assignment for a managed identity using these alternate steps is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

System-assigned managed identity

Follow these steps to assign a role to a system-assigned managed identity by starting with the managed identity.

  1. In the Azure portal, open a system-assigned managed identity.

  2. In the left menu, click Identity.

    Screenshot: System-assigned managed identity

  3. Under Permissions, click Azure role assignments.

    If roles are already assigned to the selected system-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

    Screenshot: Role assignments for a system-assigned managed identity

  4. To change the subscription, click the Subscription list.

  5. Click Add role assignment (Preview).

  6. Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource.

    If you don't have role assignment write permissions for the selected scope, an inline message will be displayed.

  7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

    Screenshot: Add role assignment pane for a system-assigned managed identity

  8. Click Save to assign the role.

    After a few moments, the managed identity is assigned the role at the selected scope.

User-assigned managed identity

Follow these steps to assign a role to a user-assigned managed identity by starting with the managed identity.

  1. In the Azure portal, open a user-assigned managed identity.

  2. In the left menu, click Azure role assignments.

    If roles are already assigned to the selected user-assigned managed identity, you see the list of role assignments. This list includes all role assignments you have permission to read.

    Screenshot: Role assignments for a user-assigned managed identity

  3. To change the subscription, click the Subscription list.

  4. Click Add role assignment (Preview).

  5. Use the drop-down lists to select the set of resources that the role assignment applies to, such as Subscription, Resource group, or resource.

    If you don't have role assignment write permissions for the selected scope, an inline message will be displayed.

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

    Screenshot: Add role assignment pane for a user-assigned managed identity

  7. Click Save to assign the role.

    After a few moments, the managed identity is assigned the role at the selected scope.
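The following is an added example, not code from the original page or from Azure itself: a small Python model of the check that stands behind the disabled Add role assignment option in the Add a role assignment steps and the subscription Owner steps, and behind the inline message in the managed identity steps. The caller must hold, at the target scope or at an ancestor of it, a role whose Actions cover Microsoft.Authorization/roleAssignments/write and whose NotActions do not take it away again. The role definitions are simplified subsets of four Azure built-in roles, the subscription ID and principal IDs are placeholders, and deny assignments, DataActions, ABAC conditions and management-group membership are deliberately left out of the model.

```python
import re
from dataclasses import dataclass

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Constructed, simplified role definitions: a subset of the Actions and
# NotActions of four Azure built-in roles. DataActions are omitted.
ROLE_DEFINITIONS = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        # Contributor manages resources but cannot grant access to them.
        "NotActions": [
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "Actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "NotActions": [],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object ID of the user, group, service principal or managed identity
    role: str          # role definition name
    scope: str         # scope the assignment was created at


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively; '*' in a role
    definition matches any run of characters, including '/'."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, action.lower()) is not None


def role_permits(role: str, action: str) -> bool:
    """A role grants an action if an Actions entry matches it and no
    NotActions entry matches it; NotActions only subtract within the role."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(action_matches(p, action) for p in definition["Actions"])
    excluded = any(action_matches(p, action) for p in definition["NotActions"])
    return allowed and not excluded


def scope_at_or_below(scope: str, ancestor: str) -> bool:
    """True if `scope` equals `ancestor` or lies beneath it. A prefix test
    covers subscription -> resource group -> resource; management-group
    membership is not encoded in the scope path and is not modelled here."""
    scope, ancestor = scope.lower().rstrip("/"), ancestor.lower().rstrip("/")
    return scope == ancestor or scope.startswith(ancestor + "/")


def can_assign_roles(assignments, principal_id: str, scope: str) -> bool:
    """Would Add role assignment be enabled for this principal at this
    scope? Effective permissions are the union over every assignment the
    principal holds at `scope` or at an ancestor of `scope`."""
    return any(
        scope_at_or_below(scope, a.scope) and role_permits(a.role, ROLE_ASSIGNMENT_WRITE)
        for a in assignments
        if a.principal_id == principal_id
    )


# Constructed sample data; the subscription ID and principal IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),
    RoleAssignment("bob", "Contributor", SUB),
    RoleAssignment("carol", "User Access Administrator", RG_PROD),
    RoleAssignment("dave", "Reader", SUB),
]

if __name__ == "__main__":
    for principal in ("alice", "bob", "carol", "dave"):
        for target in (SUB, RG_PROD, RG_DEV, VM_PROD):
            enabled = can_assign_roles(SAMPLE_ASSIGNMENTS, principal, target)
            print(f"{principal:6} at {target.split('/')[-1]:10} -> {enabled}")
```

Running the script prints the enabled/disabled matrix. The two cases worth noticing are bob, who holds Contributor on the whole subscription yet can add assignments nowhere because Contributor's NotActions remove Microsoft.Authorization/*/Write, and carol, who holds User Access Administrator only on rg-prod and can therefore assign roles inside rg-prod and its resources but not at rg-dev or at the subscription.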

Remove a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Screenshot: Role assignment selected for removal

  4. Click Remove.

    Screenshot: Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. You should open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).

    Screenshot: Remove role assignment message for an inherited role assignment
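An added example, not from the original page or from Azure: a Python model of what the Role assignments tab lists at a scope and of the removal rule in step 5. It shows why an assignment that appears as (Inherited) at a child scope cannot be removed there and which scope to open instead. The subscription ID, principal IDs and assignments are constructed placeholders, and management-group membership is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object ID of the security principal
    role: str          # role definition name
    scope: str         # scope the assignment was created at


class InheritedAssignmentError(Exception):
    """Removal attempted at a scope below the one the assignment was created at."""


def scope_at_or_below(scope: str, ancestor: str) -> bool:
    """True if `scope` equals `ancestor` or lies beneath it in the
    subscription -> resource group -> resource path."""
    scope, ancestor = scope.lower().rstrip("/"), ancestor.lower().rstrip("/")
    return scope == ancestor or scope.startswith(ancestor + "/")


def list_role_assignments(assignments, scope: str):
    """What the Role assignments tab shows at `scope`: each assignment made
    at that scope ("Direct") or at an ancestor ("(Inherited)"), together
    with the scope it was created at, as in the portal's Scope column."""
    rows = []
    for a in assignments:
        if scope_at_or_below(scope, a.scope):
            status = "Direct" if a.scope.lower() == scope.lower() else "(Inherited)"
            rows.append((a.principal_id, a.role, status, a.scope))
    return rows


def remove_role_assignment(assignments, assignment: RoleAssignment, scope: str):
    """Remove `assignment` while Access control (IAM) is open at `scope`.
    Only the scope the assignment was created at can remove it; at a child
    scope the error names the scope to open instead. Returns the new list."""
    if assignment not in assignments or not scope_at_or_below(scope, assignment.scope):
        raise LookupError(f"role assignment is not listed at {scope}")
    if assignment.scope.lower() != scope.lower():
        raise InheritedAssignmentError(
            f"inherited role assignment cannot be removed at {scope}; "
            f"open Access control (IAM) at {assignment.scope} and try again"
        )
    return [a for a in assignments if a != assignment]


# Constructed sample data; the subscription ID and principal IDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", SUB),
    RoleAssignment("ops-team", "Virtual Machine Contributor", RG_PROD),
    RoleAssignment("vm-web01-identity", "Reader", VM_PROD),
]

if __name__ == "__main__":
    # Viewing rg-prod: alice's subscription-level Owner shows as (Inherited).
    for row in list_role_assignments(SAMPLE_ASSIGNMENTS, RG_PROD):
        print(row)
    # Removing it from rg-prod fails; the error points at the subscription.
    try:
        remove_role_assignment(SAMPLE_ASSIGNMENTS, SAMPLE_ASSIGNMENTS[0], RG_PROD)
    except InheritedAssignmentError as err:
        print(err)
    # Removing it at the subscription, where it was created, succeeds.
    print(remove_role_assignment(SAMPLE_ASSIGNMENTS, SAMPLE_ASSIGNMENTS[0], SUB))
```

The practical consequence is the one the step above describes: when the goal is to revoke a principal's access, look at the Scope column first, because removing what you see at a resource group does not touch an Owner or Contributor assignment made at the subscription, and that assignment keeps granting access to every resource group beneath it until it is removed at its own scope.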

Next steps