Understand scope for Azure RBAC

Scope is the set of resources that access applies to. When you assign a role, it's important to understand scope so that you can grant a security principal just the access that it really needs. By limiting the scope, you limit what resources are at risk if the security principal is ever compromised.

Scope levels

In Azure, you can specify a scope at four levels: management group, subscription, resource group, and resource. Scopes are structured in a parent-child relationship. Each level of hierarchy makes the scope more specific. You can assign roles at any of these levels of scope. The level you select determines how widely the role is applied. Lower levels inherit role permissions from higher levels.

Diagram: Scope for a role assignment

Management groups are a level of scope above subscriptions, but management groups support more complex hierarchies. The following diagram shows an example of a hierarchy of management groups and subscriptions that you can define. For more information about management groups, see What are Azure management groups?.

Diagram: Management group and subscription hierarchy

Scope format

If you assign roles using the command line, you'll need to specify the scope. For command-line tools, scope is a potentially long string that identifies the exact scope of the role assignment. In the Azure portal, this scope is typically listed as the resource ID.

The scope consists of a series of identifiers separated by the slash (/) character. You can think of this string as expressing the following hierarchy, where the text without placeholders ({}) consists of fixed identifiers:

/subscriptions
    /{subscriptionId}
        /resourcegroups
            /{resourceGroupName}
                /providers
                    /{providerName}
                        /{resourceType}
                            /{resourceSubType1}
                                /{resourceSubType2}
                                    /{resourceName}
  • {subscriptionId} is the ID of the subscription to use (a GUID).
  • {resourceGroupName} is the name of the containing resource group.
  • {providerName} is the name of the resource provider that handles the resource; {resourceType} and {resourceSubType*} then identify further levels within that resource provider.
  • {resourceName} is the last part of the string and identifies the specific resource.

Management groups are a level above subscriptions and have the broadest (least specific) scope. Role assignments at this level apply to the subscriptions within the management group. The scope for a management group has the following format:

/providers
    /Microsoft.Management
        /managementGroups
            /{managementGroupName}

Scope examples

Scope              Example
Management group   /providers/Microsoft.Management/managementGroups/marketing-group
Subscription       /subscriptions/00000000-0000-0000-0000-000000000000
Resource group     /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg
                   /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
Resource           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobServices/default/containers/blob-container-01
                   /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyVirtualNetworkResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVirtualNetwork12345
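The scope format above is a strict hierarchy, which makes it possible to check, before granting a role, exactly which resources an assignment at a given scope will reach. The following parser and inheritance check is an added example and not part of the Microsoft documentation; it accepts the scope strings shown in the table, and because the management group tree is not encoded in the string, membership of subscriptions in management groups is passed in as an assumed lookup table.

```python
from typing import Dict, List, Optional, Set

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

def _segments(scope: str) -> List[str]:
    # Azure resource IDs compare case-insensitively; the page itself mixes
    # "resourcegroups" and "resourceGroups".
    return [s.lower() for s in scope.strip("/").split("/")]

def parse_scope(scope: str) -> dict:
    """Split a scope string into its levels; ValueError on anything malformed."""
    if scope.lower().startswith(MG_PREFIX.lower()):
        name = scope[len(MG_PREFIX):].strip("/")
        if not name or "/" in name:
            raise ValueError(f"malformed management group scope: {scope}")
        return {"level": "managementGroup", "managementGroup": name}
    raw, low = scope.strip("/").split("/"), _segments(scope)
    if len(low) < 2 or low[0] != "subscriptions" or not low[1]:
        raise ValueError(f"scope must start with /subscriptions/{{id}}: {scope}")
    out = {"level": "subscription", "subscriptionId": raw[1]}
    if len(low) == 2:
        return out
    if len(low) < 4 or low[2] != "resourcegroups" or not low[3]:
        raise ValueError(f"expected /resourceGroups/{{name}} after the subscription: {scope}")
    out.update(level="resourceGroup", resourceGroup=raw[3])
    if len(low) == 4:
        return out
    rest = raw[6:]  # one or more {resourceType}/{resourceName} pairs, e.g. blobServices/default
    if low[4] != "providers" or len(low) < 8 or len(rest) % 2 or not all(rest):
        raise ValueError(f"malformed resource path: {scope}")
    out.update(level="resource", provider=raw[5], resourcePath=rest)
    return out

def covers(assignment_scope: str, target_scope: str,
           mg_members: Optional[Dict[str, Set[str]]] = None) -> bool:
    """True if a role assigned at assignment_scope is inherited at target_scope.
    The management-group tree is not encoded in the string, so mg_members
    (group name -> subscription IDs it contains) is an assumed input for that case."""
    a, t = parse_scope(assignment_scope), parse_scope(target_scope)
    if a["level"] == "managementGroup":
        if t["level"] == "managementGroup":
            return a["managementGroup"].lower() == t["managementGroup"].lower()
        subs = {s.lower() for s in (mg_members or {}).get(a["managementGroup"], set())}
        return t["subscriptionId"].lower() in subs
    if t["level"] == "managementGroup":
        return False
    # Below the management group the string is the hierarchy: a segment-wise prefix match means inheritance.
    a_segs, t_segs = _segments(assignment_scope), _segments(target_scope)
    return a_segs == t_segs[:len(a_segs)]
```

Comparing segments rather than raw string prefixes matters: a role at resource group "rg" must not be reported as covering "rg2".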

How to determine the scope for a resource

It's fairly simple to determine the scope for a management group, subscription, or resource group. You just need to know the name and the subscription ID. However, determining the scope for a resource takes a little more work. Here are a couple of ways that you can determine the scope for a resource.

  • In the Azure portal, open the resource and then look at the properties. The resource should list the Resource ID, from which you can determine the scope. For example, here is the resource ID for a storage account.

    Screenshot: Resource ID for a storage account in the Azure portal

  • Another way is to use the Azure portal to assign a role temporarily at the resource scope and then use Azure PowerShell or Azure CLI to list the role assignment. In the output, the scope will be listed as a property.

    RoleAssignmentId   : /subscriptions/<subscriptionId>/resourceGroups/test-rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobServices/default/containers/blob-container-01/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentId>
    Scope              : /subscriptions/<subscriptionId>/resourceGroups/test-rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobServices/default/containers/blob-container-01
    DisplayName        : User
    SignInName         : user@contoso.com
    RoleDefinitionName : Storage Blob Data Reader
    RoleDefinitionId   : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
    ObjectId           : <principalId>
    ObjectType         : User
    CanDelegate        : False
    Description        :
    ConditionVersion   :
    Condition          :
    
    {
        "canDelegate": null,
        "condition": null,
        "conditionVersion": null,
        "description": null,
        "id": "/subscriptions/{subscriptionId}/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobServices/default/containers/blob-container-01/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
        "name": "{roleAssignmentId}",
        "principalId": "{principalId}",
        "principalName": "user@contoso.com",
        "principalType": "User",
        "resourceGroup": "test-rg",
        "roleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
        "roleDefinitionName": "Storage Blob Data Reader",
        "scope": "/subscriptions/{subscriptionId}/resourceGroups/Example-Storage-rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobServices/default/containers/blob-container-01",
        "type": "Microsoft.Authorization/roleAssignments"
      }
    

Next steps