Assign Azure roles using the REST API

Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the REST API.

Prerequisites

To assign Azure roles, you must have:

Assign an Azure role

To assign a role, use the Role Assignments - Create REST API and specify the security principal, role definition, and scope. To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.

  1. Use the Role Definitions - List REST API or see Built-in roles to get the identifier for the role definition you want to assign.

  2. Use a GUID tool to generate a unique identifier that will be used for the role assignment identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000

  3. Start with the following request and body:

    PUT https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01
    
    {
      "properties": {
        "roleDefinitionId": "/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}",
        "principalId": "{principalId}"
      }
    }
    
  4. Within the URI, replace {scope} with the scope for the role assignment.

    | Scope | Type |
    |---|---|
    | providers/Microsoft.Management/managementGroups/{groupId1} | Management group |
    | subscriptions/{subscriptionId1} | Subscription |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1 | Resource |

    In the previous example, microsoft.web is a resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure resource providers and types and Supported Azure resource provider operations.

  5. Replace {roleAssignmentId} with the GUID identifier of the role assignment.

  6. Within the request body, replace {scope} with the scope for the role assignment.

    | Scope | Type |
    |---|---|
    | providers/Microsoft.Management/managementGroups/{groupId1} | Management group |
    | subscriptions/{subscriptionId1} | Subscription |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group |
    | subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/microsoft.web/sites/mysite1 | Resource |

  7. Replace {roleDefinitionId} with the role definition identifier.

  8. Replace {principalId} with the object identifier of the user, group, or service principal that will be assigned the role.

The following request and body assign the Backup Reader role to a user at subscription scope:

PUT https://management.chinacloudapi.cn/subscriptions/{subscriptionId1}/providers/microsoft.authorization/roleassignments/{roleAssignmentId1}?api-version=2015-07-01
{
  "properties": {
    "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
    "principalId": "{objectId1}"
  }
}
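As an added example (not code from the Azure documentation), the following Python builds the PUT request from steps 3 to 8, rejects malformed scopes and non-GUID identifiers before anything is sent, and checks the assignment the service echoes back against what was requested. The endpoint, API version and Backup Reader role definition id are the ones on this page; every other GUID is a constructed placeholder.

```python
import re
import uuid

MANAGEMENT_ENDPOINT = "https://management.chinacloudapi.cn"  # endpoint used on this page
API_VERSION = "2015-07-01"
BACKUP_READER = "a795c7a0-d4a2-40c1-ae25-d81f01202912"  # Backup Reader role definition id from the page
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

def scope_type(scope: str) -> str:
    """Classify a scope string into one of the types in the page's scope table."""
    parts = scope.strip("/").split("/")
    if parts[:3] == ["providers", "Microsoft.Management", "managementGroups"] and len(parts) == 4:
        return "Management group"
    if parts[0] == "subscriptions" and len(parts) >= 2 and _GUID_RE.match(parts[1]):
        if len(parts) == 2:
            return "Subscription"
        if parts[2].lower() == "resourcegroups":
            if len(parts) == 4:
                return "Resource group"
            # providers/{namespace}/{type}/{name}, optionally followed by child type/name pairs
            if len(parts) >= 8 and parts[4] == "providers" and len(parts) % 2 == 0:
                return "Resource"
    raise ValueError(f"unsupported scope: {scope!r}")

def build_role_assignment(scope, role_definition_id, principal_id, role_assignment_id=None):
    """Return (url, body) for the PUT; a fresh GUID is generated when none is supplied."""
    role_assignment_id = role_assignment_id or str(uuid.uuid4())
    scope = scope.strip("/")
    scope_type(scope)  # rejects a malformed scope before anything is sent
    for label, value in (("roleDefinitionId", role_definition_id),
                         ("principalId", principal_id), ("roleAssignmentId", role_assignment_id)):
        if not _GUID_RE.match(value):
            raise ValueError(f"{label} must be a GUID, got {value!r}")
    url = (f"{MANAGEMENT_ENDPOINT}/{scope}/providers/Microsoft.Authorization"
           f"/roleAssignments/{role_assignment_id}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
        "principalId": principal_id}}
    return url, body

def assignment_matches(response: dict, url: str, body: dict) -> bool:
    """Check that the assignment the service echoed back is exactly the one requested."""
    marker = "/providers/Microsoft.Authorization/roleAssignments/"
    expected_scope = "/" + url[len(MANAGEMENT_ENDPOINT) + 1:].split(marker)[0]
    expected_id = url.split(marker)[1].split("?")[0]
    props = response.get("properties", {})
    return (props.get("roleDefinitionId") == body["properties"]["roleDefinitionId"]
            and props.get("principalId") == body["properties"]["principalId"]
            and props.get("scope") == expected_scope and response.get("name") == expected_id)
```

Comparing the echoed scope, principal and assignment name against the request catches a response that was issued for a different scope or identifier than intended.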

The following shows an example of the output:

{
    "properties": {
        "roleDefinitionId": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
        "principalId": "{objectId1}",
        "scope": "/subscriptions/{subscriptionId1}",
        "createdOn": "2020-05-06T23:55:23.7679147Z",
        "updatedOn": "2020-05-06T23:55:23.7679147Z",
        "createdBy": null,
        "updatedBy": "{updatedByObjectId1}"
    },
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId1}",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "{roleAssignmentId1}"
}

Next steps