Set Azure roles for administrative access to Azure Cognitive Search

Azure provides a global role-based authorization model for all services managed through the portal or Resource Manager APIs. The Owner, Contributor, and Reader roles determine the level of service administration granted to the Active Directory users, groups, and security principals assigned to each role.

Note

There is no role-based access control (RBAC) for securing portions of an index or a subset of documents. For identity-based access over search results, create security filters that trim results by identity, removing documents the requestor should not be able to see. Such filters are applied by your application on every query; the service does not derive them from the caller's identity. For more information, see Security filters and Secure with Active Directory.

Management tasks by role

For Azure Cognitive Search, roles are associated with permission levels that support the following management tasks:

Role | Task
Owner | Create or delete the service or any object on the service, including api-keys, indexes, indexers, indexer data sources, and indexer schedules. View service status, including counts and storage size. Add or delete role membership (only an Owner can manage role membership). Subscription administrators and service owners are automatically members of the Owner role.
Contributor | Same level of access as Owner, minus Azure role management. For example, a Contributor can create or delete objects, and view and regenerate api-keys, but cannot modify role memberships.
Search Service Contributor (built-in role) | Equivalent to the Contributor role.
Reader | View service essentials and metrics. Members of this role cannot view index, indexer, data source, or key information.

Roles do not grant access rights to the service endpoint. Search service operations, such as index management, index population, and queries on search data, are controlled through api-keys, not roles. Note the practical consequence: because an Owner or Contributor can view and regenerate the admin keys, control-plane membership in either role is equivalent to holding an admin key and therefore to full data-plane access, while a Reader cannot reach the endpoint at all unless a key is shared out of band. For more information, see Manage api-keys.

Permissions table

The following table summarizes the operations allowed in Azure Cognitive Search and which key or role unlocks access to each operation.

Operation | Permissions
Create a service | Azure subscription holder
Scale a service | Admin key, or RBAC Owner or Contributor on the resource
Delete a service | Admin key, or RBAC Owner or Contributor on the resource
Create, modify, or delete objects on the service: indexes and their component parts (including analyzer definitions, scoring profiles, CORS options), indexers, data sources, synonym maps, suggesters | Admin key, or RBAC Owner or Contributor on the resource
Query an index | Admin key or query key (RBAC not applicable)
Query system information, such as statistics, counts, and lists of objects | Admin key, or RBAC on the resource (Owner, Contributor, Reader)
Manage admin keys | Admin key, or RBAC Owner or Contributor on the resource
Manage query keys | Admin key, or RBAC Owner or Contributor on the resource
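The two points above, that identity-based trimming is done with a security filter your application supplies (the note near the top of this page) and that the data-plane call itself is authorized by a query key rather than a role (the permissions table), fit together in the query path sketched below. This is an added example and not code from the Microsoft documentation; it assumes an index with a Collection(Edm.String) field named group_ids holding the Azure AD group object IDs allowed to read each document, a query key held server-side, and that the application already knows the caller's group IDs (for example from the groups claim of an Azure AD token). The service name, index name, key value and api-version are placeholders.

```python
"""Identity-based security trimming of Azure Cognitive Search queries.

Added example; not code from the Microsoft documentation page. Assumptions:
the index has a Collection(Edm.String) field named ``group_ids`` holding the
Azure AD group object IDs allowed to read each document, the application
holds a query key server-side, and it already knows the caller's group IDs.
"""
import json
import re
from typing import Iterable, List, Mapping, Sequence

# Azure AD object IDs are GUIDs. Rejecting anything else keeps caller-influenced
# text out of the OData $filter, so a value like "x') or true" cannot widen the
# result set (the filter is the only thing standing between users' documents).
_GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed sample identities and documents (not real object IDs).
GROUP_FINANCE = "11111111-1111-1111-1111-111111111111"
GROUP_ENGINEERING = "22222222-2222-2222-2222-222222222222"
GROUP_EXECS = "33333333-3333-3333-3333-333333333333"
SAMPLE_DOCS = [
    {"id": "budget-2021", "group_ids": [GROUP_FINANCE, GROUP_EXECS]},
    {"id": "design-spec", "group_ids": [GROUP_ENGINEERING]},
    {"id": "all-hands", "group_ids": [GROUP_FINANCE, GROUP_ENGINEERING, GROUP_EXECS]},
    {"id": "board-minutes", "group_ids": [GROUP_EXECS]},
    {"id": "orphan", "group_ids": []},  # no group may read this one
]


def normalize_group_ids(group_ids: Iterable[str]) -> List[str]:
    """Lower-case, de-duplicate, sort and validate the caller's group IDs."""
    ids = sorted({g.strip().lower() for g in group_ids})
    bad = [g for g in ids if not _GUID_RE.match(g)]
    if bad:
        raise ValueError(f"not Azure AD object IDs: {bad}")
    return ids


def build_security_filter(group_ids: Iterable[str], field: str = "group_ids") -> str:
    """OData filter keeping only documents whose ``field`` holds one of the caller's groups.

    search.in() over the collection is the form recommended for large group lists.
    A caller with no groups raises ValueError: the application should return an
    empty result rather than querying without a filter.
    """
    ids = normalize_group_ids(group_ids)
    if not ids:
        raise ValueError("caller has no groups; do not query unfiltered")
    joined = ",".join(ids)
    return f"{field}/any(g: search.in(g, '{joined}', ','))"


def build_search_request(endpoint: str, index: str, query_key: str,
                         search_text: str, group_ids: Iterable[str],
                         api_version: str = "2020-06-30") -> dict:
    """Describe the data-plane REST call the application makes for the caller.

    The query key travels in the api-key header and the identity-derived filter
    in the body; both are produced server-side, so the browser never sees the
    key and never chooses the filter. Returned as a dict for any HTTP client.
    """
    url = f"{endpoint.rstrip('/')}/indexes/{index}/docs/search?api-version={api_version}"
    body = {"search": search_text, "filter": build_security_filter(group_ids)}
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/json", "api-key": query_key},
        "body": json.dumps(body),
    }


def trim_locally(docs: Sequence[Mapping], group_ids: Iterable[str],
                 field: str = "group_ids") -> List[str]:
    """Apply the same rule to in-memory documents, mirroring what the service does
    server-side with the filter above. Returns the readable document IDs in order."""
    allowed = set(normalize_group_ids(group_ids))
    return [d["id"] for d in docs
            if allowed.intersection(x.lower() for x in d.get(field, []))]


if __name__ == "__main__":
    req = build_search_request("https://contoso.search.windows.net", "kb",
                               "<query-key>", "quarterly numbers", [GROUP_FINANCE])
    print(req["url"])
    print(json.loads(req["body"])["filter"])
    print(trim_locally(SAMPLE_DOCS, [GROUP_FINANCE]))
```

The key used here is a query key, which is all a search request needs; an admin key in this path would let a bug or an injected filter escalate to index management. Group IDs are validated as GUIDs before they reach the filter string, and an empty group list is refused rather than silently turned into an unfiltered query, which is the failure mode that leaks every document.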

See also