Understand role definitions for Azure resources

If you are trying to understand how a role works, or if you are creating your own custom role for Azure resources, it's helpful to understand how roles are defined. This article describes the details of role definitions and provides some examples.

Role definition structure

A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed, or operations related to underlying data. A role definition has the following structure:

Name
Id
IsCustom
Description
Actions []
NotActions []
DataActions []
NotDataActions []
AssignableScopes []

Operations are specified with strings that have the following format:

  • {Company}.{ProviderName}/{resourceType}/{action}

The {action} portion of an operation string specifies the type of operation you can perform on a resource type. For example, you will see the following substrings in {action}:

Action substring   Description
*                  The wildcard character grants access to all operations that match the string.
read               Enables read operations (GET).
write              Enables write operations (PUT or PATCH).
action             Enables custom operations like restarting virtual machines (POST).
delete             Enables delete operations (DELETE).

Here's the Contributor role definition in JSON format. The wildcard (*) operation under Actions indicates that the principal assigned to this role can perform all management actions; in other words, it can manage everything. This includes actions defined in the future, as Azure adds new resource types. The operations under NotActions are subtracted from Actions. In the case of the Contributor role, NotActions removes this role's ability to write or delete anything under the Microsoft.Authorization provider (where role assignments live), so it cannot manage or assign access to resources, and it also removes the ability to elevate access. Note that DataActions is empty: the wildcard under Actions covers management operations only and grants no access to the underlying data.

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}
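The following is an added example, not code from the article or from Azure: it evaluates a role definition against operation strings using the rules described above, with the Contributor JSON as input. Two assumptions about wildcard semantics are made in the code: "*" matches any run of characters, including "/" separators, and comparison is case-insensitive (the Contributor definition itself writes "Write" while operation strings are usually lower-case "write").

```python
import json
import re

# Added example, not code from the page: evaluate one role definition against
# operation strings the way the article describes it. Assumed wildcard
# semantics: "*" matches any run of characters, including "/" separators, and
# comparison is case-insensitive. The Contributor definition is the page's own.

CONTRIBUTOR = json.loads("""
{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": ["*"],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/"]
}
""")


def matches(pattern: str, operation: str) -> bool:
    """True if a wildcard operation pattern covers a concrete operation string."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None


def role_permits(role: dict, operation: str, is_data_action: bool = False) -> bool:
    """Effective permission for one role: Actions minus NotActions for management
    operations, DataActions minus NotDataActions for data operations. The two
    planes never mix, so a management wildcard does not reach the data plane."""
    allow_key, exclude_key = (
        ("DataActions", "NotDataActions") if is_data_action else ("Actions", "NotActions")
    )
    allowed = any(matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(matches(p, operation) for p in role.get(exclude_key, []))
    return allowed and not excluded


def effective_operations(role: dict, candidates: list, is_data_action: bool = False) -> list:
    """Filter candidate operation strings down to those the role permits."""
    return [op for op in candidates if role_permits(role, op, is_data_action)]


if __name__ == "__main__":
    checks = [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/elevateAccess/action",
    ]
    for op in checks:
        verdict = "allowed" if role_permits(CONTRIBUTOR, op) else "not allowed"
        print(f"{op}: {verdict}")
```

Run as a script it prints a verdict per operation: the virtual-machine write and the role-assignment read are allowed by the wildcard, while the role-assignment write and elevateAccess are removed by NotActions. Passing is_data_action=True for a blob read returns False even though Actions contains "*", which is the management/data separation the next section describes.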

Management and data operations

Role-based access control for management operations is specified in the Actions and NotActions properties of a role definition. Here are some examples of management operations in Azure:

  • Manage access to a storage account
  • Create, update, or delete a blob container
  • Delete a resource group and all of its resources

Management access is not inherited by your data, provided that the container is accessed with an Azure AD identity ("Azure AD User Account" authentication) rather than with an access key. This separation prevents roles with wildcards (*) from having unrestricted access to your data. For example, if a user has the Reader role on a subscription, they can view the storage account, but by default they can't view the underlying data. The separation holds only for access authorized through Azure AD: a principal whose management permissions include listing the storage account's access keys can still reach the data with a key, as the example later in this article shows.

Previously, role-based access control was not used for data operations, and authorization for data operations varied across resource providers. The same role-based access control authorization model used for management operations has now been extended to data operations.

To support data operations, new data properties have been added to the role definition structure. Data operations are specified in the DataActions and NotDataActions properties. By adding these separate data properties, the separation between management and data is maintained. This prevents existing role assignments with wildcards (*) from suddenly gaining access to data. Here are some data operations that can be specified in DataActions and NotDataActions:

  • Read a list of blobs in a container
  • Write a storage blob in a container
  • Delete a message in a queue

Here's the Storage Blob Data Reader role definition, which includes operations in both the Actions and DataActions properties. This role allows you to read the blob container (a management operation) and also the underlying blob data (a data operation).

{
  "Name": "Storage Blob Data Reader",
  "Id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "IsCustom": false,
  "Description": "Allows for read access to Azure Storage blob containers and data",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

Only data operations can be added to the DataActions and NotDataActions properties. Resource providers identify which operations are data operations by setting the isDataAction property to true. To see a list of the operations where isDataAction is true, see Resource provider operations. Roles that do not have data operations are not required to have DataActions and NotDataActions properties within the role definition.

Authorization for all management operation API calls is handled by Azure Resource Manager. Authorization for data operation API calls is handled by either a resource provider or Azure Resource Manager.

Data operations example

To better understand how management and data operations work, let's consider a specific example. Alice has been assigned the Owner role at the subscription scope. Bob has been assigned the Storage Blob Data Contributor role at a storage account scope. The following diagram shows this example.

[Diagram: role-based access control extended to support both management and data operations]

The Owner role for Alice and the Storage Blob Data Contributor role for Bob have the following actions:

Owner

    Actions
    *

Storage Blob Data Contributor

    Actions
    Microsoft.Storage/storageAccounts/blobServices/containers/delete
    Microsoft.Storage/storageAccounts/blobServices/containers/read
    Microsoft.Storage/storageAccounts/blobServices/containers/write

    DataActions
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

Since Alice has a wildcard (*) action at the subscription scope, her permissions inherit down to every resource in the subscription, enabling her to perform all management actions. Alice can read, write, and delete containers. However, Alice cannot perform data operations without taking additional steps. For example, by default, Alice cannot read the blobs inside a container. To read the blobs, Alice would have to retrieve the storage access keys (a management operation, which the wildcard does cover) and use them to access the blobs outside of Azure AD authorization.

Bob's permissions are restricted to just the Actions and DataActions specified in the Storage Blob Data Contributor role, and only within the storage account where the role was assigned. Based on the role, Bob can perform both management and data operations. For example, Bob can read, write, and delete containers in the specified storage account and can also read, write, and delete the blobs.
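The scenario above, evaluated in code, as an added example that is not part of the article or of Azure itself. It models role assignments at a scope, scope inheritance, and the management/data split for Alice and Bob. A third principal, Carol, is added here (she is not in the article) to illustrate the rule stated in the NotActions note later in this article: an operation excluded by NotActions in one role is still allowed when a second assignment grants it. The subscription ID, resource names, and the "Role Assignment Writer" custom role are constructed for this example; the listKeys operation string is Azure's actual key-listing management operation, which the article alludes to but does not name.

```python
import re
from dataclasses import dataclass

# Added example, not code from the page. Scope IDs and the custom role below
# are constructed; Owner, Contributor and Storage Blob Data Contributor carry
# the actions the article lists for them.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/storage-rg"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorage"
CONTAINER = ACCOUNT + "/blobServices/default/containers/logs"
OTHER_ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/otherstorage"

OWNER = {"Name": "Owner", "Actions": ["*"], "NotActions": [],
         "DataActions": [], "NotDataActions": []}

STORAGE_BLOB_DATA_CONTRIBUTOR = {
    "Name": "Storage Blob Data Contributor",
    "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    ],
    "NotDataActions": [],
}

CONTRIBUTOR = {"Name": "Contributor", "Actions": ["*"],
               "NotActions": ["Microsoft.Authorization/*/Delete",
                              "Microsoft.Authorization/*/Write",
                              "Microsoft.Authorization/elevateAccess/Action"],
               "DataActions": [], "NotDataActions": []}

# Hypothetical custom role, used only to show that NotActions is not a deny.
ROLE_ASSIGNMENT_WRITER = {"Name": "Role Assignment Writer",
                          "Actions": ["Microsoft.Authorization/roleAssignments/write"],
                          "NotActions": [], "DataActions": [], "NotDataActions": []}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: dict
    scope: str


ASSIGNMENTS = [
    Assignment("alice", OWNER, SUB),
    Assignment("bob", STORAGE_BLOB_DATA_CONTRIBUTOR, ACCOUNT),
    Assignment("carol", CONTRIBUTOR, SUB),
    Assignment("carol", ROLE_ASSIGNMENT_WRITER, RG),
]


def matches(pattern: str, operation: str) -> bool:
    """Wildcard match: "*" spans any characters, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies at its own scope and at every scope beneath it."""
    base, target = assignment_scope.lower().rstrip("/"), resource_scope.lower()
    return base == "" or target == base or target.startswith(base + "/")


def is_permitted(principal: str, operation: str, resource_scope: str,
                 assignments: list, is_data_action: bool = False) -> bool:
    """Union over all assignments that reach the resource: one permitting role is
    enough. A NotActions entry only trims its own role; it is not a deny rule."""
    allow_key, exclude_key = (
        ("DataActions", "NotDataActions") if is_data_action else ("Actions", "NotActions")
    )
    for a in assignments:
        if a.principal != principal or not scope_covers(a.scope, resource_scope):
            continue
        allowed = any(matches(p, operation) for p in a.role[allow_key])
        excluded = any(matches(p, operation) for p in a.role[exclude_key])
        if allowed and not excluded:
            return True
    return False
```

Alice's wildcard reaches the container for management operations and reaches the account's listKeys operation, but returns False for the blob read data action; Bob gets both planes inside the one storage account and nothing in the neighbouring account; Carol cannot write role assignments at the subscription (Contributor's NotActions trims its own grant) but can inside the resource group where the second role applies.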

For more information about management and data plane security for storage, see the Azure Storage security guide.

What tools support using RBAC for data operations?

To view and work with data operations, you must have the correct versions of the tools or SDKs:

Tool                 Version
Azure PowerShell     1.1.0 or later
Azure CLI            2.0.30 or later
Azure for .NET       2.8.0-preview or later
Azure SDK for Go     15.0.0 or later
Azure for Java       1.9.0 or later
Azure for Python     0.40.0 or later
Azure SDK for Ruby   0.17.1 or later

To view and use the data operations in the REST API, you must set the api-version parameter to the following version or later:

  • 2018-07-01

Actions

The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers. Here are some examples of management operations that can be used in Actions.

Operation string                       Description
*/read                                 Grants access to read operations for all resource types of all Azure resource providers.
Microsoft.Compute/*                    Grants access to all operations for all resource types in the Microsoft.Compute resource provider.
Microsoft.Network/*/read               Grants access to read operations for all resource types in the Microsoft.Network resource provider.
Microsoft.Compute/virtualMachines/*    Grants access to all operations of virtual machines and their child resource types.
microsoft.web/sites/restart/Action     Grants access to restart a web app.

NotActions

The NotActions permission specifies the management operations that are excluded from the allowed Actions. Use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role (its effective permissions) is computed by subtracting the NotActions operations from the Actions operations.

Note

If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule; it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

DataActions

The DataActions permission specifies the data operations that the role allows to be performed on the data within the object. For example, if a user has read blob data access to a storage account, then they can read the blobs within that storage account. Here are some examples of data operations that can be used in DataActions.

Operation string                                                       Description
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read   Returns a blob or a list of blobs.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write  Returns the result of writing a blob.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read   Returns a message.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/*      Returns a message, or the result of writing or deleting a message.

NotDataActions

The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by a role (its effective permissions) is computed by subtracting the NotDataActions operations from the DataActions operations. Each resource provider provides its own set of APIs to fulfill data operations.

Note

If a user is assigned a role that excludes a data operation in NotDataActions, and is assigned a second role that grants access to the same data operation, the user is allowed to perform that data operation. NotDataActions is not a deny rule; it is simply a convenient way to create a set of allowed data operations when specific data operations need to be excluded.

AssignableScopes

The AssignableScopes property specifies the scopes (management groups, subscriptions, resource groups, or resources) at which this role definition is available for assignment. You can make the role available for assignment in only the management groups, subscriptions, or resource groups that require it. You must specify at least one management group, subscription, resource group, or resource ID.

Built-in roles have AssignableScopes set to the root scope ("/"). The root scope indicates that the role is available for assignment in all scopes. Examples of valid assignable scopes include:

Role is available for assignment      Example
One subscription                      "/subscriptions/{subscriptionId1}"
Two subscriptions                     "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}"
Network resource group                "/subscriptions/{subscriptionId1}/resourceGroups/Network"
One management group                  "/providers/Microsoft.Management/managementGroups/{groupId1}"
Management group and a subscription   "/providers/Microsoft.Management/managementGroups/{groupId1}", "/subscriptions/{subscriptionId1}"
All scopes (built-in roles only)      "/"

For information about AssignableScopes for custom roles, see Custom roles for Azure resources.
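An added example, not code from the article or from Azure, that checks a custom role definition's AssignableScopes against the scope formats in the table above and decides whether a proposed assignment scope lies within one of them. It assumes that scope comparison is case-insensitive and that a role is assignable at an AssignableScopes entry or at any scope beneath it (the root scope "/" being the degenerate case the article describes). The role definition and scope IDs are constructed.

```python
import re
from typing import Optional

# Added example, not code from the page. Scope formats follow the table in
# the article; the NETWORK_OPERATOR role and its scopes are constructed.

SCOPE_FORMATS = [
    ("root", re.compile(r"/")),
    ("management group",
     re.compile(r"/providers/Microsoft\.Management/managementGroups/[^/]+", re.I)),
    ("subscription", re.compile(r"/subscriptions/[^/]+", re.I)),
    ("resource group", re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+", re.I)),
    ("resource",
     re.compile(r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+", re.I)),
]


def classify_scope(scope: str) -> Optional[str]:
    """Name the kind of scope, or None if the string matches no known format."""
    for kind, pattern in SCOPE_FORMATS:
        if pattern.fullmatch(scope):
            return kind
    return None


def validate_assignable_scopes(role: dict) -> list:
    """Return the problems found in a role definition's AssignableScopes."""
    problems = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes must list at least one scope")
    for scope in scopes:
        kind = classify_scope(scope)
        if kind is None:
            problems.append(f"unrecognized scope format: {scope!r}")
        elif kind == "root" and role.get("IsCustom", True):
            problems.append('"/" is valid only for built-in roles')
    return problems


def assignable_at(role: dict, assignment_scope: str) -> bool:
    """True if the assignment scope equals, or sits beneath, an AssignableScopes
    entry. Containment is decided by scope-ID prefix, so a subscription that
    lives under a management group is recognised only when the management
    group entry matches exactly; resolving that hierarchy needs a lookup this
    example does not perform."""
    target = assignment_scope.lower()
    for scope in role.get("AssignableScopes", []):
        base = scope.lower().rstrip("/")
        if base == "" or target == base or target.startswith(base + "/"):
            return True
    return False


# Constructed custom role definition for the checks below.
NETWORK_OPERATOR = {
    "Name": "Network Operator (example)",
    "IsCustom": True,
    "Actions": ["Microsoft.Network/*/read"],
    "NotActions": [],
    "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/Network",
        "/providers/Microsoft.Management/managementGroups/platform",
    ],
}
```

With this role, an assignment at the Network resource group or at a virtual network inside it is accepted, an assignment at the whole subscription or at a differently named resource group is rejected, and a custom role that lists "/" is reported as a problem because the article reserves that scope for built-in roles.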

Next steps