Set Azure roles for administrative access to Azure Cognitive Search

Azure provides a global role-based authorization model for all services managed through the portal or Resource Manager APIs. The Owner, Contributor, and Reader roles determine the level of service administration granted to the Active Directory users, groups, and security principals assigned to each role.

Note

There is no Azure role-based access control (Azure RBAC) for securing content on the service. Authenticated requests to the service itself use either an admin API key or a query API key. For identity-based access over search results, create security filters that trim results by identity, removing documents the requestor should not be able to see. For more information, see Security filters.

Management tasks by role

For Azure Cognitive Search, roles are associated with permission levels that support the following management tasks:

| Role | Task |
| --- | --- |
| Owner | Create or delete the service or any object on the service, including api-keys, indexes, indexers, indexer data sources, and indexer schedules. View service status, including counts and storage size. Add or delete role membership (only an Owner can manage role membership). Subscription administrators and service owners have automatic membership in the Owner role. |
| Contributor | Same level of access as Owner, minus Azure role management. For example, a Contributor can create or delete objects, or view and regenerate api-keys, but cannot modify role memberships. Search Service Contributor is equivalent to the generic Contributor built-in role, with its permitted actions limited to Microsoft.Search/searchServices/*; prefer it for an identity that only needs to manage search services. |
| Reader | View service essentials, such as service endpoint, subscription, resource group, region, tier, and capacity. Members can also view service metrics, such as average queries per second, on the Monitoring tab. They cannot view index, indexer, data source, or skillset information, including usage data for those objects, such as how many indexes exist on the service. |

Roles do not grant access rights to the service endpoint. Search service operations, such as index management, index population, and queries on search data, are controlled through api-keys, not roles. For more information, see Manage api-keys.
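Putting the role table into practice as least-privilege assignments at the search-service scope, as an added example that is not part of the original page. It uses the Azure CLI; the subscription, resource group, service name and principal object IDs are placeholders you replace, and the `role_for_duty` helper with its duty names (`audit`, `deploy`, `own`) is this example's own mapping onto the built-in roles the page describes. Nothing is sent to Azure unless `RUN_AZ=1` is set.

```bash
#!/usr/bin/env bash
# Added example (not from the page): least-privilege Azure RBAC assignments
# for an Azure Cognitive Search service. All IDs and names are placeholders.
set -euo pipefail

# Build the ARM resource ID of a search service. This is the narrowest scope
# a role can be assigned at; subscription and resource-group scopes are wider.
search_service_scope() { # subscription id, resource group, service name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Search/searchServices/%s' \
    "$1" "$2" "$3"
}

# Map a duty to the least-privileged built-in role from the page's table.
role_for_duty() {
  case "$1" in
    audit)  printf 'Reader' ;;                      # endpoint, tier, metrics; no keys or objects
    deploy) printf 'Search Service Contributor' ;;  # objects, keys, scaling; no role management
    own)    printf 'Owner' ;;                       # everything, including role assignments
    *)      return 1 ;;                             # unknown duty: refuse rather than guess
  esac
}

# Assign the role for a duty to a principal at the given scope.
assign_role() { # duty, principal object id, principal type (User|Group|ServicePrincipal), scope
  local role
  role="$(role_for_duty "$1")"
  az role assignment create --assignee-object-id "$2" --assignee-principal-type "$3" \
    --role "$role" --scope "$4" --output none
}

# Dry by default: the functions above can be sourced and checked without credentials.
if [ "${RUN_AZ:-0}" = "1" ]; then
  SCOPE="$(search_service_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$SERVICE_NAME")"
  assign_role audit  "$AUDITOR_OBJECT_ID"  User             "$SCOPE"  # Reader: cannot read keys
  assign_role deploy "$PIPELINE_OBJECT_ID" ServicePrincipal "$SCOPE"  # can regenerate api-keys
  # Review who holds what at this scope; only intended people should show as Owner.
  az role assignment list --scope "$SCOPE" \
    --query "[].{principal:principalName,role:roleDefinitionName}" --output table
fi
```

The deployment identity gets Search Service Contributor rather than Contributor because that is enough to create objects and rotate keys on this service and nothing else in the resource group; the auditor gets Reader, which is enough to see tier, capacity and metrics but, as the table states, not api-keys or index definitions.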

Permissions table

The following table summarizes the operations allowed in Azure Cognitive Search and which credential unlocks each operation.

Azure RBAC permissions apply to portal operations and service management (creating, deleting, or changing a service or its API keys). API keys are created after a service exists and apply to content operations on the service. Additionally, for content-related operations in the portal, such as creating or deleting objects, an Azure RBAC Owner or Contributor interacts with the service through an implied admin API key.

| Operation | Controlled by |
| --- | --- |
| Create a service | Azure RBAC permissions: Owner or Contributor |
| Scale a service | Azure RBAC permissions: Owner or Contributor |
| Delete a service | Azure RBAC permissions: Owner or Contributor |
| Manage admin or query keys | Azure RBAC permissions: Owner or Contributor |
| View service information in the portal or a management API | Azure RBAC permissions: Owner, Contributor, or Reader |
| View object information and metrics in the portal or a management API | Azure RBAC permissions: Owner or Contributor |
| Create, modify, delete objects on the service: indexes and component parts (including analyzer definitions, scoring profiles, CORS options), indexers, data sources, synonyms, suggesters | Admin key if using an API, Azure RBAC Owner or Contributor if using the portal |
| Query an index | Admin or query key if using an API, Azure RBAC Owner or Contributor if using the portal |
| Query system information about objects, such as returning statistics, counts, and lists of objects | Admin key if using an API, Azure RBAC Owner or Contributor if using the portal |
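The data-plane side of the table, and the security-filter note near the top of the page, as an added example that is not part of the original page. It issues REST calls with curl: creating an index is attempted with the admin key and again with the query key, and the query is run with the query key plus an identity-based filter. `SERVICE_NAME`, `ADMIN_KEY`, `QUERY_KEY`, the index name `docs`, the `group_ids` field and the group values are all placeholders or constructed for this example; the `security_filter` and `odata_escape` helpers are this example's own. Nothing is sent unless `RUN_LIVE=1` is set.

```bash
#!/usr/bin/env bash
# Added example (not from the page): which api-key unlocks which data-plane
# operation, plus an identity-based security filter on the query.
set -euo pipefail

API_VERSION="2020-06-30"   # stable data-plane REST API version

search_endpoint() { printf 'https://%s.search.windows.net' "$1"; }

# Escape a value for an OData string literal: a single quote becomes two.
odata_escape() { printf '%s' "$1" | sed "s/'/''/g"; }

# Build a security filter that keeps only documents whose collection field
# contains at least one of the caller's group IDs (search.in with an explicit
# comma delimiter, so IDs containing spaces are not split).
security_filter() { # field, group id...
  local field="$1"; shift
  local joined="" g
  for g in "$@"; do
    joined="${joined:+$joined,}$(odata_escape "$g")"
  done
  printf "%s/any(g: search.in(g, '%s', ','))" "$field" "$joined"
}

# Make a data-plane call with the given key and print only the HTTP status.
search_call() { # method, api-key, path, [json body]
  local method="$1" key="$2" path="$3" body="${4:-}"
  curl -s -o /dev/null -w '%{http_code}' -X "$method" \
    -H "api-key: $key" -H 'Content-Type: application/json' \
    ${body:+--data "$body"} \
    "$(search_endpoint "$SERVICE_NAME")${path}?api-version=${API_VERSION}"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  # Constructed index definition: a key field and a filterable group collection.
  INDEX='{"name":"docs","fields":[{"name":"id","type":"Edm.String","key":true},
          {"name":"group_ids","type":"Collection(Edm.String)","filterable":true}]}'
  # Creating an object is an admin-key operation; the query key is refused.
  echo "create index, admin key: $(search_call PUT "$ADMIN_KEY" /indexes/docs "$INDEX")"
  echo "create index, query key: $(search_call PUT "$QUERY_KEY" /indexes/docs "$INDEX")"
  # Querying needs only the query key; the filter trims results to the caller's groups.
  FILTER="$(security_filter group_ids "sales" "emea")"   # constructed caller groups
  echo "query, query key:        $(search_call POST "$QUERY_KEY" /indexes/docs/docs/search \
        "{\"search\":\"*\",\"filter\":\"$FILTER\"}")"
fi
```

The point to keep in mind when handing out keys: an application that only searches should hold a query key, because the service answers object writes made with a query key with 403 Forbidden, while an admin key would let the same application delete the index. The security filter is only as strong as the code that builds it: the group list must come from the caller's authenticated identity, never from request input, and values must be escaped as `odata_escape` does so a crafted group name cannot close the literal and alter the filter.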

Next steps