Add or remove Azure role assignments using the REST API

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign and remove roles using the REST API.

Prerequisites

To add or remove role assignments, you must have:

Add a role assignment

In Azure RBAC, to grant access, you add a role assignment. To add a role assignment, use the Role Assignments - Create REST API and specify the security principal, role definition, and scope. To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.

  1. Use the Role Definitions - List REST API or see Built-in roles to get the identifier of the role definition you want to assign.

  2. Use a GUID tool to generate a unique identifier that will be used as the role assignment identifier. The identifier has the format 00000000-0000-0000-0000-000000000000 and becomes the `name` of the role assignment, so keep it: you need it again to remove the assignment.

  3. Start with the following request and body:

    PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01
    
    {
      "properties": {
        "roleDefinitionId": "/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}",
        "principalId": "{principalId}"
      }
    }
    
  4. Within the URI, replace {scope} with the scope for the role assignment. Choose the narrowest scope that grants the access actually needed; an assignment at a higher scope is inherited by everything below it.

    Scope | Type
    providers/Microsoft.Management/managementGroups/{groupId1} | Management group
    subscriptions/{subscriptionId1} | Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1 | Resource

    In the previous example, microsoft.web is the resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure resource providers and types and Supported Azure Resource Manager resource provider operations.

  5. Replace {roleAssignmentId} with the GUID identifier of the role assignment.

  6. Within the request body, replace {scope} with the scope for the role assignment.

    Scope | Type
    providers/Microsoft.Management/managementGroups/{groupId1} | Management group
    subscriptions/{subscriptionId1} | Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1 | Resource

  7. Replace {roleDefinitionId} with the role definition identifier.

  8. Replace {principalId} with the object identifier of the user, group, or service principal that will be assigned the role.

The following request and body assign the Backup Reader role to a user at subscription scope:

PUT https://management.chinacloudapi.cn/subscriptions/{subscriptionId1}/providers/microsoft.authorization/roleassignments/{roleAssignmentId1}?api-version=2015-07-01
{
  "properties": {
    "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
    "principalId": "{objectId1}"
  }
}

The following shows an example of the output:

{
    "properties": {
        "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
        "principalId": "{objectId1}",
        "scope": "/subscriptions/{subscriptionId1}",
        "createdOn": "2020-05-06T23:55:23.7679147Z",
        "updatedOn": "2020-05-06T23:55:23.7679147Z",
        "createdBy": null,
        "updatedBy": "{updatedByObjectId1}"
    },
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId1}",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "{roleAssignmentId1}"
}

Remove a role assignment

In Azure RBAC, to remove access, you remove a role assignment. To remove a role assignment, use the Role Assignments - Delete REST API. To call this API, you must have access to the Microsoft.Authorization/roleAssignments/delete operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.

  1. Get the role assignment identifier (GUID). This identifier is returned as `name` when you first create the role assignment, or you can get it by listing the role assignments.

  2. Start with the following request:

    DELETE https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01
    
  3. Within the URI, replace {scope} with the scope at which the role assignment was created; the identifier is only resolved at that scope.

    Scope | Type
    providers/Microsoft.Management/managementGroups/{groupId1} | Management group
    subscriptions/{subscriptionId1} | Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1 | Resource

  4. Replace {roleAssignmentId} with the GUID identifier of the role assignment.

The following request removes the specified role assignment at subscription scope:

DELETE https://management.chinacloudapi.cn/subscriptions/{subscriptionId1}/providers/microsoft.authorization/roleassignments/{roleAssignmentId1}?api-version=2015-07-01

The following shows an example of the output (the deleted assignment is returned):

{
    "properties": {
        "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
        "principalId": "{objectId1}",
        "scope": "/subscriptions/{subscriptionId1}",
        "createdOn": "2020-05-06T23:55:24.5379478Z",
        "updatedOn": "2020-05-06T23:55:24.5379478Z",
        "createdBy": "{createdByObjectId1}",
        "updatedBy": "{updatedByObjectId1}"
    },
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId1}",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "{roleAssignmentId1}"
}
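The following added example (not Microsoft's code, and not part of the original page) implements both procedures above in one small Python client: it builds the scope for each of the four scope types in the tables, validates that the role definition ID, principal object ID and assignment ID have the GUID shape the API expects, assembles the PUT request and body from the "Add a role assignment" steps and the DELETE request from the "Remove a role assignment" steps, and can send them with urllib once you supply a Resource Manager access token. It assumes the Azure China endpoint and API version used on this page; the subscription and principal GUIDs in the `__main__` block are constructed placeholders. One design choice that is mine, not the API's: the assignment GUID is derived deterministically (uuid5) from scope, role and principal, so that a retried PUT after a timeout re-targets the same assignment instead of silently creating a second one under a fresh GUID.

```python
"""Build (and optionally send) Azure RBAC role-assignment REST requests.

Added example for this page, not Microsoft sample code. Assumes the Azure
China Resource Manager endpoint and API version shown on the page.
"""
import json
import re
import urllib.request
import uuid

ARM_ENDPOINT = "https://management.chinacloudapi.cn"   # endpoint used in the page's examples
API_VERSION = "2015-07-01"
BACKUP_READER = "a795c7a0-d4a2-40c1-ae25-d81f01202912"  # built-in role ID from the page
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_guid(value):
    """True if value has the 00000000-0000-0000-0000-000000000000 shape."""
    return bool(_GUID.match(value))


def scope_path(subscription_id=None, resource_group=None, resource=None, management_group=None):
    """Return the scope for one of the four scope types in the page's table,
    with a leading slash so it can be appended directly to ARM_ENDPOINT."""
    if management_group:
        if subscription_id or resource_group or resource:
            raise ValueError("a management-group scope takes no subscription parts")
        return f"/providers/Microsoft.Management/managementGroups/{management_group}"
    if not subscription_id or not is_guid(subscription_id):
        raise ValueError("subscription_id must be a GUID")
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
        if resource:  # e.g. "providers/microsoft.web/sites/mysite1"
            scope += "/" + resource.strip("/")
    elif resource:
        raise ValueError("a resource scope needs its resource group")
    if ".." in scope or "?" in scope or "#" in scope:
        raise ValueError("scope must not contain path or query metacharacters")
    return scope


def role_assignment_id(scope, role_definition_id, principal_id):
    """Deterministic GUID (a design choice of this example, not required by the
    API): the same scope/role/principal always maps to the same name, so a
    retried PUT is idempotent rather than creating a second assignment."""
    key = f"{scope}|{role_definition_id}|{principal_id}".lower()
    return str(uuid.uuid5(uuid.NAMESPACE_URL, key))


def build_create_request(scope, role_definition_id, principal_id, assignment_id=None):
    """Request for Role Assignments - Create (PUT), as in the page's step 3."""
    if not is_guid(role_definition_id):
        raise ValueError("role_definition_id must be the role definition GUID")
    if not is_guid(principal_id):
        raise ValueError("principal_id must be the principal's object ID (a GUID)")
    assignment_id = assignment_id or role_assignment_id(scope, role_definition_id, principal_id)
    if not is_guid(assignment_id):
        raise ValueError("assignment_id must be a GUID")
    url = (f"{ARM_ENDPOINT}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
        "principalId": principal_id}}
    return {"method": "PUT", "url": url, "body": body, "name": assignment_id}


def build_delete_request(scope, assignment_id):
    """Request for Role Assignments - Delete; the name is the GUID returned at creation."""
    if not is_guid(assignment_id):
        raise ValueError("assignment_id must be a GUID")
    url = (f"{ARM_ENDPOINT}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    return {"method": "DELETE", "url": url, "body": None, "name": assignment_id}


def send(request, bearer_token, timeout=30):
    """Send a built request with a Resource Manager access token (obtaining the
    token is outside this example). Returns (HTTP status, parsed JSON body)."""
    data = None if request["body"] is None else json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, method=request["method"])
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # raises HTTPError on 4xx/5xx
        payload = resp.read()
        return resp.status, (json.loads(payload) if payload else None)


if __name__ == "__main__":
    # Constructed placeholder GUIDs; nothing is sent.
    sub = "11111111-1111-1111-1111-111111111111"
    user = "22222222-2222-2222-2222-222222222222"
    create = build_create_request(scope_path(subscription_id=sub), BACKUP_READER, user)
    print(create["method"], create["url"])
    print(json.dumps(create["body"], indent=2))
    print(build_delete_request(scope_path(subscription_id=sub), create["name"])["method"])
```

To remove an assignment you created this way you do not need to look it up: recomputing `role_assignment_id` with the same scope, role and principal yields the `name` to delete. For assignments created elsewhere, take the GUID from the `name` field of the listing output, as step 1 of the removal procedure describes.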

Next steps