List Azure role definitions

A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles, or you can create your own custom roles. This article describes how to list the built-in and custom roles that you can use to grant access to Azure resources.

To see the list of administrator roles for Azure Active Directory, see Administrator role permissions in Azure Active Directory.

Azure portal

List all roles

Follow these steps to list all roles in the Azure portal.

  1. In the Azure portal, click All services and then select any scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Roles tab to see a list of all the built-in and custom roles.

    You can see the number of users and groups that are assigned to each role at the current scope.

    [Screenshot: list of roles]

Azure PowerShell

List all roles

To list all roles in Azure PowerShell, use Get-AzRoleDefinition.

Get-AzRoleDefinition | FT Name, Description
AcrImageSigner                                    acr image signer
AcrQuarantineReader                               acr quarantine data reader
AcrQuarantineWriter                               acr quarantine data writer
API Management Service Contributor                Can manage service and the APIs
API Management Service Operator Role              Can manage service but not the APIs
API Management Service Reader Role                Read-only access to service and APIs
Application Insights Component Contributor        Can manage Application Insights components
Application Insights Snapshot Debugger            Gives user permission to use Application Insights Snapshot Debugge...
Automation Job Operator                           Create and Manage Jobs using Automation Runbooks.
Automation Operator                               Automation Operators are able to start, stop, suspend, and resume ...
...

List a role definition

To list the details of a specific role, use Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name>
PS C:\> Get-AzRoleDefinition "Contributor"

Name             : Contributor
Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom         : False
Description      : Lets you manage everything except access to resources.
Actions          : {*}
NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
                   Microsoft.Authorization/elevateAccess/Action}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

List a role definition in JSON format

To list a role in JSON format, pipe the output of Get-AzRoleDefinition to ConvertTo-Json.

Get-AzRoleDefinition <role_name> | ConvertTo-Json
PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

List permissions of a role definition

To list the permissions for a specific role, use Get-AzRoleDefinition and select the Actions and NotActions properties.

Get-AzRoleDefinition <role_name> | FL Actions, NotActions
PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions    : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
             Microsoft.Authorization/elevateAccess/Action,
             Microsoft.Blueprint/blueprintAssignments/write...}
(Get-AzRoleDefinition <role_name>).Actions
PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...

Azure CLI

List all roles

To list all roles in Azure CLI, use az role definition list.

az role definition list

The following example lists the name and description of all available role definitions:

az role definition list --output json --query '[].{roleName:roleName, description:description}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role"
  },

  ...

]

The following example lists all of the built-in roles.

az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role",
    "roleType": "BuiltInRole"
  },
  
  ...

]

List a role definition

To list the details of a role, use az role definition list with the --name parameter.

az role definition list --name {roleName}

The following example lists the Contributor role definition:

az role definition list --name "Contributor"
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage everything except access to resources.",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

List permissions of a role definition

The following example lists just the actions and notActions of the Contributor role.

az role definition list --name "Contributor" --output json --query '[].{actions:permissions[0].actions, notActions:permissions[0].notActions}'
[
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete"
    ]
  }
]

The following example lists just the actions of the Virtual Machine Contributor role.

az role definition list --name "Virtual Machine Contributor" --output json --query '[].permissions[0].actions'
[
  [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.DevTestLab/schedules/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

    ...

    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read"
  ]
]
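Once a role's actions and notActions are in hand, whether from the PowerShell or the CLI listing above, the practical question is which operations the role actually covers. The following Python script is an added example, not Microsoft's or the page's own code: it applies Azure RBAC's matching rules for control-plane actions (case-insensitive comparison, with * spanning path segments) to the Contributor definition printed by the az command above, embedded here as a constructed sample.

```python
import json
import re

# Constructed sample: the Contributor definition as printed by
# "az role definition list --name Contributor" above, trimmed to the
# fields this check reads.
CONTRIBUTOR_JSON = """[{"roleName": "Contributor", "permissions": [{
  "actions": ["*"],
  "notActions": ["Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/elevateAccess/Action",
                 "Microsoft.Blueprint/blueprintAssignments/write",
                 "Microsoft.Blueprint/blueprintAssignments/delete"]}]}]"""

def action_matches(pattern, operation):
    """Azure RBAC action strings compare case-insensitively, and '*' matches
    any run of characters including '/', so '*/read' covers every read
    operation and 'Microsoft.Compute/*' covers the whole provider."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation):
    """True if the control-plane operation matches an 'actions' entry and no
    'notActions' entry of the role. notActions only subtract from this
    role's own actions; they are not deny rules, so a second role assigned
    to the same principal can still grant the operation."""
    for perm in role["permissions"]:
        granted = any(action_matches(a, operation) for a in perm.get("actions", []))
        excluded = any(action_matches(n, operation) for n in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False

def load_role(az_json_text):
    """Take the first element of the JSON array that az prints."""
    return json.loads(az_json_text)[0]

if __name__ == "__main__":
    contributor = load_role(CONTRIBUTOR_JSON)
    for op in ("Microsoft.Compute/virtualMachines/write",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Authorization/roleAssignments/read"):
        verdict = "allowed" if role_allows(contributor, op) else "not granted"
        print(f"{op}: {verdict}")
```

The same matching applies to dataActions and notDataActions, which are evaluated as a separate pair for data-plane operations.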

REST API

List role definitions

To list role definitions, use the Role Definitions - List REST API. To refine your results, you specify a scope and an optional filter.

  1. Start with the following request:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2015-07-01
    
  2. Within the URI, replace {scope} with the scope for which you want to list the role definitions.

    Scope                                                                                                  Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                             Management group
    subscriptions/{subscriptionId1}                                                                        Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                        Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1  Resource

    In the previous example, microsoft.web is a resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure Resource providers and types and supported Azure resource provider operations.

  3. Replace {filter} with the condition that you want to apply to filter the role definition list.

    Filter                       Description
    $filter=atScopeAndBelow()    Lists role definitions for the specified scope and any subscopes.
    $filter=type+eq+'{type}'     Lists role definitions of the specified type. Type of role can be CustomRole or BuiltInRole.

The following request lists custom role definitions at subscription scope:

GET https://management.chinacloudapi.cn/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01&$filter=type+eq+'CustomRole'

The following shows an example of the output:

{
    "value": [
        {
            "properties": {
                "roleName": "Billing Reader Plus",
                "type": "CustomRole",
                "description": "Read billing data and download invoices",
                "assignableScopes": [
                    "/subscriptions/{subscriptionId1}"
                ],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/*/read",
                            "Microsoft.Billing/*/read",
                            "Microsoft.Commerce/*/read",
                            "Microsoft.Consumption/*/read",
                            "Microsoft.Management/managementGroups/read",
                            "Microsoft.CostManagement/*/read",
                            "Microsoft.Billing/invoices/download/action",
                            "Microsoft.CostManagement/exports/*"
                        ],
                        "notActions": [
                            "Microsoft.CostManagement/exports/delete"
                        ]
                    }
                ],
                "createdOn": "2020-02-21T04:49:13.7679452Z",
                "updatedOn": "2020-02-21T04:49:13.7679452Z",
                "createdBy": "{createdByObjectId1}",
                "updatedBy": "{updatedByObjectId1}"
            },
            "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId1}",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "{roleDefinitionId1}"
        }
    ]
}
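The request and response above can be driven from a script as well. The following Python example is added here and is not part of the page's or Microsoft's code: it builds the list URL for a scope and filter exactly as shown in this section, then walks a response in the shape above (the page's Billing Reader Plus role, trimmed, plus a constructed over-broad role) and flags the patterns a reviewer of custom roles looks at first. The endpoint and API version are taken from the requests above; a real call would add an Authorization bearer header and page through nextLink if present.

```python
ENDPOINT = "https://management.chinacloudapi.cn"
API_VERSION = "2015-07-01"

def role_definitions_url(scope, odata_filter=None):
    """Build the Role Definitions - List URL for a scope such as
    'subscriptions/{subscriptionId1}'. Spaces in the OData filter are sent
    as '+', the form used by the requests on this page."""
    url = (f"{ENDPOINT}/{scope.strip('/')}/providers/Microsoft.Authorization"
           f"/roleDefinitions?api-version={API_VERSION}")
    if odata_filter:
        url += "&$filter=" + odata_filter.replace(" ", "+")
    return url

# Constructed sample response in the shape shown above: the page's
# "Billing Reader Plus" role (trimmed) plus a made-up over-broad role.
SAMPLE_RESPONSE = {"value": [
    {"properties": {"roleName": "Billing Reader Plus", "type": "CustomRole",
                    "assignableScopes": ["/subscriptions/{subscriptionId1}"],
                    "permissions": [{"actions": ["Microsoft.Authorization/*/read",
                                                 "Microsoft.Billing/*/read",
                                                 "Microsoft.CostManagement/exports/*"],
                                     "notActions": ["Microsoft.CostManagement/exports/delete"]}]}},
    {"properties": {"roleName": "Ops Superuser (constructed)", "type": "CustomRole",
                    "assignableScopes": ["/"],
                    "permissions": [{"actions": ["*", "Microsoft.Authorization/roleAssignments/write"],
                                     "notActions": []}]}},
]}

def audit_custom_roles(response):
    """Return [(roleName, findings)] for every CustomRole in a list response.
    Findings: a bare '*' action, write access under Microsoft.Authorization
    (the holder could change role assignments), and a root assignable scope."""
    results = []
    for item in response["value"]:
        props = item["properties"]
        if props.get("type") != "CustomRole":
            continue
        findings = []
        for perm in props.get("permissions", []):
            for action in perm.get("actions", []):
                low = action.lower()
                if action == "*":
                    findings.append("wildcard action '*'")
                elif low.startswith("microsoft.authorization/") and low.endswith(("/write", "/*")):
                    findings.append(f"authorization write: {action}")
        if "/" in props.get("assignableScopes", []):
            findings.append("assignable at root scope '/'")
        results.append((props["roleName"], findings))
    return results
```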

List a role definition

To list the details of a specific role, use the Role Definitions - Get or Role Definitions - Get By Id REST API.

  1. Start with the following request:

    GET https://management.chinacloudapi.cn/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2015-07-01
    

    For a directory-level role definition, you can use this request:

    GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2015-07-01
    
  2. Within the URI, replace {scope} with the scope for which you want to list the role definition.

    Scope                                                                                                  Type
    providers/Microsoft.Management/managementGroups/{groupId1}                                             Management group
    subscriptions/{subscriptionId1}                                                                        Subscription
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1                                        Resource group
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1  Resource

  3. Replace {roleDefinitionId} with the role definition identifier.

The following request lists the Reader role definition:

GET https://management.chinacloudapi.cn/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2015-07-01

The following shows an example of the output:

{
    "properties": {
        "roleName": "Reader",
        "type": "BuiltInRole",
        "description": "Lets you view everything, but not make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": []
            }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:35.7424745Z",
        "createdBy": null,
        "updatedBy": null
    },
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

Next steps