Add or remove role assignments using Azure RBAC and the Azure portal

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

Overview of Access control (IAM)

Access control (IAM) is the blade that you use to assign roles. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.

Access control (IAM) blade for a subscription

To be the most effective with the Access control (IAM) blade, it helps if you can answer the following three questions when you are trying to assign a role:

  1. Who needs access?

    Who refers to a user, group, service principal, or managed identity. This is also called a security principal.

  2. What role do they need?

    Permissions are grouped together into roles. You can select from a list of several built-in roles or you can use your own custom roles.

  3. Where do they need access?

    Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the scope.

Add a role assignment

Follow these steps to assign a role at different scopes.

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments at this scope.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Add menu

    Add role assignment pane

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  7. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  8. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to add a role assignment.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Add menu

    Add role assignment pane

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.

Remove a role assignment

In RBAC, to remove access, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments for this subscription.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Remove role assignment message

  4. Click Remove.

    Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the Scope column, next to (Inherited) there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.

    Remove role assignment message
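The three questions above (who, what role, where) and the inherited-assignment caveat in step 5 can be seen in a small model of how role assignments resolve against a scope hierarchy. The following is an added example, not Microsoft's code or the portal's logic: it treats a role assignment as a (principal, role, scope) triple, resolves effective roles at a resource by walking the scope's ancestors, and refuses to remove an assignment at a narrower scope than the one it was created at, which is the behaviour the portal enforces. The subscription ID, resource names and principal names are constructed placeholders.

```python
"""Toy model of Azure RBAC role assignments, scopes and inheritance.

Added example, not Microsoft's code or the Azure portal's logic. A scope is a
resource-ID style path; a child scope's path starts with its parent's path, so
inheritance reduces to a prefix check. All IDs and names below are constructed.
"""
from dataclasses import dataclass

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
RG = SUB + "/resourceGroups/rg-web"                           # constructed resource group
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-01"  # constructed resource


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # who: user, group, service principal or managed identity
    role: str       # what role, e.g. "Owner" or "Virtual Machine Contributor"
    scope: str      # where: management group, subscription, resource group or resource


class InheritedAssignmentError(Exception):
    """Raised when removal is attempted below the scope where the role was assigned."""

    def __init__(self, assignment: RoleAssignment, requested_scope: str):
        self.assigned_at = assignment.scope
        super().__init__(
            f"{assignment.role} for {assignment.principal} is inherited at "
            f"{requested_scope}; remove it at {assignment.scope}"
        )


def covers(assignment_scope: str, target_scope: str) -> bool:
    """True if target_scope is assignment_scope itself or lies beneath it.
    Azure resource IDs compare case-insensitively, so normalise first."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal, scope):
    """Roles `principal` holds at `scope`, including ones inherited from ancestor
    scopes. Returns {(role, scope_where_assigned)} so a caller can tell which
    entries the portal would label '(Inherited)'."""
    return {
        (ra.role, ra.scope)
        for ra in assignments
        if ra.principal == principal and covers(ra.scope, scope)
    }


def remove_role_assignment(assignments, principal, role, scope):
    """Remove the direct assignment (principal, role) at exactly `scope` and
    return the remaining list. If the principal only holds the role through a
    broader scope, refuse and report where it was assigned instead."""
    direct = [ra for ra in assignments
              if ra.principal == principal and ra.role == role
              and ra.scope.lower().rstrip("/") == scope.lower().rstrip("/")]
    if direct:
        return [ra for ra in assignments if ra not in direct]
    inherited = [ra for ra in assignments
                 if ra.principal == principal and ra.role == role
                 and covers(ra.scope, scope)]
    if inherited:
        raise InheritedAssignmentError(inherited[0], scope)
    raise LookupError(f"no {role} assignment for {principal} at {scope}")


# Constructed sample: an Owner at subscription scope (the "administrator of a
# subscription" case) and a service principal limited to one resource group.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "Owner", SUB),
    RoleAssignment("sp-deploy", "Virtual Machine Contributor", RG),
]

if __name__ == "__main__":
    print(effective_roles(SAMPLE_ASSIGNMENTS, "alice@example.com", VM))
    try:
        remove_role_assignment(SAMPLE_ASSIGNMENTS, "alice@example.com", "Owner", VM)
    except InheritedAssignmentError as err:
        print(err)
```

Running it shows the Owner assignment surfacing at the virtual machine with the subscription as its origin, and the attempted removal at the VM scope failing with a pointer back to the subscription, which is where the page says the removal has to happen.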

Next steps