Manage access to Azure resources using RBAC and the REST API

Role-based access control (RBAC) is the way that you manage access to Azure resources. This article describes how you manage access for users, groups, and applications using RBAC and the REST API.

List access

In RBAC, to list access, you list the role assignments. To list role assignments, use one of the Role Assignments - List REST APIs. To refine your results, you specify a scope and an optional filter.

  1. Start with the following request:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter={filter}
    
  2. Within the URI, replace {scope} with the scope for which you want to list the role assignments.

    Scope                                                                                                   Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                              Management group
    subscriptions/{subscriptionId1}                                                                         Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                         Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1   Resource

    In the previous example, microsoft.web is a resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure resource providers and types and supported Azure Resource Manager resource provider operations.

  3. Replace {filter} with the condition that you want to apply to filter the role assignment list.

    Filter                                    Description
    $filter=atScope()                         Lists role assignments for only the specified scope, not including the role assignments at subscopes.
    $filter=principalId%20eq%20'{objectId}'   Lists role assignments for a specified user, group, or service principal.
    $filter=assignedTo('{objectId}')          Lists role assignments for a specified user or service principal. If the user is a member of a group that has a role assignment, that role assignment is also listed. This filter is transitive for groups, which means that if the user is a member of a group and that group is a member of another group that has a role assignment, that role assignment is also listed. This filter only accepts an object ID for a user or a service principal. You cannot pass an object ID for a group.
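The following Python is an added example and not part of the original article: it builds the list request above (scope plus percent-encoded $filter) and flattens a constructed sample response into review records, flagging assignments whose scope is a parent of the queried scope as inherited. The host and API version are those shown in the request; all GUIDs are placeholders.

```python
import json
from typing import Dict, List, Optional
from urllib.parse import quote

# Host and API version come from the request shown on this page.
ARM_HOST = "https://management.chinacloudapi.cn"
API_VERSION = "2015-07-01"


def build_list_url(scope: str, filter_expr: Optional[str] = None) -> str:
    """Build the Role Assignments - List URL for a scope and an optional OData $filter."""
    scope = scope.strip("/")
    url = (f"{ARM_HOST}/{scope}/providers/Microsoft.Authorization/roleAssignments"
           f"?api-version={API_VERSION}")
    if filter_expr:
        # Percent-encode the filter (spaces become %20) but keep the quotes and
        # parentheses that atScope() and principalId eq '...' rely on.
        url += "&$filter=" + quote(filter_expr, safe="()'")
    return url


def summarize_assignments(response_json: str, queried_scope: str) -> List[Dict[str, object]]:
    """Flatten a list response into review records. An assignment whose scope differs
    from the queried scope was inherited from a parent scope, not assigned directly."""
    queried = "/" + queried_scope.strip("/")
    records = []
    for item in json.loads(response_json).get("value", []):
        props = item["properties"]
        records.append({
            "name": item["name"],
            "principalId": props["principalId"],
            "roleDefinitionId": props["roleDefinitionId"].rsplit("/", 1)[-1],
            "scope": props["scope"],
            "inherited": props["scope"].lower() != queried.lower(),
        })
    return records


# Constructed sample response in the shape the 2015-07-01 API returns;
# every GUID below is a placeholder, not a real identifier.
SUB = "subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/myresourcegroup1"
ROLE_DEF = f"/{SUB}/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
SAMPLE_RESPONSE = json.dumps({"value": [
    {"name": "aaaaaaaa-0000-0000-0000-000000000001", "properties": {
        "roleDefinitionId": ROLE_DEF, "principalId": "22222222-2222-2222-2222-222222222222", "scope": f"/{SUB}"}},
    {"name": "aaaaaaaa-0000-0000-0000-000000000002", "properties": {
        "roleDefinitionId": ROLE_DEF, "principalId": "33333333-3333-3333-3333-333333333333", "scope": f"/{RG}"}},
]})
```

Querying the resource group scope without atScope() returns both sample assignments; the subscription-level one is reported as inherited, which is what an access review usually wants to distinguish.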

Grant access

In RBAC, to grant access, you create a role assignment. To create a role assignment, use the Role Assignments - Create REST API and specify the security principal, role definition, and scope. To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.

  1. Use the Role Definitions - List REST API or see Built-in roles to get the identifier for the role definition you want to assign.

  2. Use a GUID tool to generate a unique identifier that will be used for the role assignment identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000

  3. Start with the following request and body:

    PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01
    
    {
      "properties": {
        "roleDefinitionId": "/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}",
        "principalId": "{principalId}"
      }
    }
    
  4. Within the URI, replace {scope} with the scope for the role assignment.

    Scope                                                                                                   Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                              Management group
    subscriptions/{subscriptionId1}                                                                         Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                         Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1   Resource

  5. Replace {roleAssignmentName} with the GUID identifier of the role assignment.

  6. Within the request body, replace {scope} with the scope for the role assignment.

    Scope                                                                                                   Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                              Management group
    subscriptions/{subscriptionId1}                                                                         Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                         Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1   Resource

  7. Replace {roleDefinitionId} with the role definition identifier.

  8. Replace {principalId} with the object identifier of the user, group, or service principal that will be assigned the role.

Remove access

In RBAC, to remove access, you remove a role assignment. To remove a role assignment, use the Role Assignments - Delete REST API. To call this API, you must have access to the Microsoft.Authorization/roleAssignments/delete operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.

  1. Get the role assignment identifier (GUID). This identifier is returned when you first create the role assignment, or you can get it by listing the role assignments.

  2. Start with the following request:

    DELETE https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01
    
  3. Within the URI, replace {scope} with the scope for removing the role assignment.

    Scope                                                                                                   Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                              Management group
    subscriptions/{subscriptionId1}                                                                         Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                         Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1   Resource

  4. Replace {roleAssignmentName} with the GUID identifier of the role assignment.
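The following Python is an added example, not code from the original article, covering both the grant and the remove procedures above: it assembles the PUT request and body from steps 3 to 8 of Grant access and the DELETE request from Remove access, validating every identifier against the GUID form the article specifies before anything is sent. The host, API version and URL segments are those shown on the page; the function names are the example's own.

```python
import uuid
from typing import Dict, Optional, Tuple

# Host, API version and URL segments come from the requests shown on this page.
ARM_HOST = "https://management.chinacloudapi.cn"
API_VERSION = "2015-07-01"
ROLE_ASSIGNMENTS = "providers/Microsoft.Authorization/roleAssignments"


def _guid(value: str, what: str) -> str:
    """Reject anything that is not in the 00000000-0000-0000-0000-000000000000 form;
    a malformed name or ID should fail here, not as an opaque ARM error."""
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise ValueError(f"{what} must be a GUID, got {value!r}") from exc


def build_create_request(scope: str, role_definition_id: str, principal_id: str,
                         role_assignment_name: Optional[str] = None) -> Tuple[str, str, Dict]:
    """Return (method, URL, body) for Role Assignments - Create. The role assignment
    name is a fresh GUID unless the caller supplies one (step 2 of Grant access)."""
    scope = scope.strip("/")
    name = _guid(role_assignment_name or str(uuid.uuid4()), "roleAssignmentName")
    url = f"{ARM_HOST}/{scope}/{ROLE_ASSIGNMENTS}/{name}?api-version={API_VERSION}"
    body = {"properties": {
        # The role definition is referenced under the same scope as the assignment.
        "roleDefinitionId": f"/{scope}/providers/Microsoft.Authorization/roleDefinitions/"
                            + _guid(role_definition_id, "roleDefinitionId"),
        "principalId": _guid(principal_id, "principalId"),
    }}
    return "PUT", url, body


def build_delete_request(scope: str, role_assignment_name: str) -> Tuple[str, str]:
    """Return (method, URL) for Role Assignments - Delete, which needs the assignment GUID."""
    scope = scope.strip("/")
    name = _guid(role_assignment_name, "roleAssignmentName")
    return "DELETE", f"{ARM_HOST}/{scope}/{ROLE_ASSIGNMENTS}/{name}?api-version={API_VERSION}"
```

Keep the GUID returned by build_create_request: it is the {roleAssignmentName} that the delete request later needs, and the write and delete operations are only available to Owner and User Access Administrator.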

Next steps