Add or remove Azure role assignments using the Azure portal

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

Add a role assignment

In Azure RBAC, to grant access to an Azure resource, you add a role assignment. Follow these steps to assign a role. For a high-level overview of the steps, see Steps to add a role assignment.

Step 1: Identify the needed scope

When you assign roles, you must specify a scope. Scope is the set of resources the access applies to. In Azure, you can specify a scope at four levels, from broad to narrow: management group, subscription, resource group, and resource.

It's a best practice to grant security principals the least privilege they need to perform their job. Avoid assigning broader roles at broader scopes even if it initially seems more convenient. By limiting roles and scopes, you limit which resources are at risk if the security principal is ever compromised. For more information about scope, see Understand scope.

(Figure: Scope levels for Azure RBAC)

  1. Sign in to the Azure portal.

  2. In the Search box at the top, search for the scope you want to grant access to. For example, search for Management groups, Subscriptions, Resource groups, or a specific resource.

    (Figure: Azure portal search for resource groups)

  3. Click the specific resource for that scope.

    The following shows an example resource group.

    (Figure: Resource group overview)

Step 2: Open the Add role assignment pane

Access control (IAM) is the page that you typically use to assign roles to grant access to Azure resources. It's also known as identity and access management (IAM) and appears in several locations in the Azure portal.

  1. Click Access control (IAM).

    The following shows an example of the Access control (IAM) page for a resource group.

    (Figure: Access control (IAM) page for a resource group)

  2. Click the Role assignments tab to view the role assignments at this scope.

  3. Click Add > Add role assignment. If you don't have permission to assign roles, the Add role assignment option is disabled.

    (Figure: Add role assignment menu)

    The Add role assignment pane opens.

    (Figure: Add role assignment pane)

Step 3: Select the appropriate role

  1. In the Role list, search or scroll to find the role that you want to assign.

    To help you determine the appropriate role, you can hover over the info icon to display a description of the role. For additional information, see the Azure built-in roles article.

    (Figure: Select a role in Add role assignment)

  2. Click to select the role.

Step 4: Select who needs access

  1. In the Assign access to list, select the type of security principal to assign access to.

    Type                               Description
    User, group, or service principal  Select this type if you want to assign the role to a user, group, or service principal (application).
    User assigned managed identity     Select this type if you want to assign the role to a user-assigned managed identity.
    System assigned managed identity   If you want to assign the role to a system-assigned managed identity, select the Azure service instance where the managed identity is located.

    (Figure: Select the security principal type in Add role assignment)

  2. If you selected a user-assigned managed identity or a system-assigned managed identity, select the Subscription where the managed identity is located.

  3. In the Select section, search for the security principal by entering a string or scrolling through the list.

    (Figure: Select a user in Add role assignment)

  4. Once you have found the security principal, click to select it.

Step 5: Assign the role

  1. To assign the role, click Save.

    After a few moments, the security principal is assigned the role at the selected scope.

  2. On the Role assignments tab, verify that the role assignment appears in the list.

    (Figure: Add role assignment - Save)

Remove a role assignment

In Azure RBAC, to remove access from an Azure resource, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at the scope where you want to remove access, such as a management group, subscription, resource group, or resource.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    (Figure: Role assignment selected for removal)

  4. Click Remove.

    (Figure: Remove role assignment message)

  5. In the Remove role assignment message that appears, click Yes.

    If you see a message that inherited role assignments cannot be removed, you are trying to remove a role assignment at a child scope. Open Access control (IAM) at the scope where the role was assigned and try again. A quick way to open Access control (IAM) at the correct scope is to look at the Scope column and click the link next to (Inherited).

    (Figure: Remove role assignment message for an inherited role assignment)
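The scope hierarchy from Step 1 and the "inherited role assignments cannot be removed" rule above both follow from one fact: an assignment made at a scope applies to every scope beneath it, and can only be removed where it was created. The following Python script is an added example, not part of the Microsoft article and not an Azure SDK call. It models Azure RBAC scopes using the real resource ID shapes (`/providers/Microsoft.Management/managementGroups/<mg>`, `/subscriptions/<sub>`, `.../resourceGroups/<rg>`, and a provider path under that), computes which assignments are effective at a given scope, applies the portal's removal rule, and runs a least-privilege review that flags broad roles at management-group or subscription scope. The management-group hierarchy, principal names, role names and scope IDs in `MG_PARENT` and `SAMPLE` are constructed for the example.

```python
"""Model of Azure RBAC scope inheritance (added example; not Azure SDK code)."""
from dataclasses import dataclass

MG_PREFIX = ["providers", "Microsoft.Management", "managementGroups"]
# Roles the review treats as broad when granted at management group or subscription scope.
BROAD_ROLES = {"owner", "contributor", "user access administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # display name or object ID of the security principal
    role: str       # built-in or custom role name
    scope: str      # scope the assignment was created at


def _parts(scope: str) -> list:
    return [p for p in scope.split("/") if p]


def scope_level(scope: str) -> str:
    """Classify a scope ID as one of the four Azure RBAC levels."""
    parts = _parts(scope)
    if parts[:3] == MG_PREFIX and len(parts) == 4:
        return "management group"
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resource group"
        return "resource"
    raise ValueError(f"not a recognised scope: {scope}")


def ancestor_scopes(scope: str, mg_parent: dict) -> list:
    """Return the scope itself followed by every scope it inherits from, narrowest first.

    Subscription, resource-group and resource scopes are prefixes of the resource ID;
    management-group membership is not encoded in the ID, so it comes from mg_parent
    (subscription ID or management-group name -> parent management-group name).
    """
    parts = _parts(scope)
    level = scope_level(scope)
    chain = [scope]
    if level == "management group":
        node = parts[3]
    else:
        if level == "resource" and len(parts) > 4 and parts[2].lower() == "resourcegroups":
            chain.append("/" + "/".join(parts[:4]))   # enclosing resource group
        if level != "subscription":
            chain.append("/" + "/".join(parts[:2]))   # enclosing subscription
        node = parts[1]
    while node in mg_parent:
        node = mg_parent[node]
        chain.append(f"/providers/Microsoft.Management/managementGroups/{node}")
    return chain


def effective_assignments(assignments: list, scope: str, mg_parent: dict) -> list:
    """Assignments that apply at scope: those created there plus those inherited from above.

    Azure resource IDs are compared case-insensitively.
    """
    chain = {s.lower() for s in ancestor_scopes(scope, mg_parent)}
    return [a for a in assignments if a.scope.lower() in chain]


def removal_check(assignment: RoleAssignment, scope: str) -> tuple:
    """Mirror the portal rule: an inherited assignment must be removed at the scope it was created."""
    if assignment.scope.lower() == scope.lower():
        return True, "ok"
    return False, f"inherited from {assignment.scope}; open Access control (IAM) there"


def broad_assignments(assignments: list) -> list:
    """Least-privilege review: broad roles granted at management group or subscription scope."""
    return [a for a in assignments
            if a.role.lower() in BROAD_ROLES
            and scope_level(a.scope) in ("management group", "subscription")]


# Constructed sample hierarchy and assignments (not real tenant data).
MG_PARENT = {"sub-0000": "mg-platform", "mg-platform": "mg-root"}
MG_PLATFORM = "/providers/Microsoft.Management/managementGroups/mg-platform"
SUB = "/subscriptions/sub-0000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
SAMPLE = [
    RoleAssignment("alice", "Owner", MG_PLATFORM),
    RoleAssignment("ci-pipeline-sp", "Contributor", SUB),
    RoleAssignment("bob", "Reader", RG),
    RoleAssignment("vm-backup-mi", "Virtual Machine Contributor", VM),
    RoleAssignment("carol", "Reader", SUB + "/resourceGroups/rg-other"),
]

if __name__ == "__main__":
    for a in effective_assignments(SAMPLE, VM, MG_PARENT):
        ok, why = removal_check(a, RG)
        print(f"{a.principal:15} {a.role:28} removable at rg-web: {ok} ({why})")
    for a in broad_assignments(SAMPLE):
        print(f"review: {a.role} for {a.principal} at {scope_level(a.scope)} scope")
```

Running the script lists four assignments as effective on the VM (carol's Reader on rg-other does not reach it), shows that only bob's Reader can be removed from the rg-web Access control (IAM) page while the others report the scope to go to, and flags alice's Owner and the pipeline's Contributor as candidates for narrowing.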

Next steps