Azure 安全中心的权限Permissions in Azure Security Center

Azure 安全中心使用 Azure 基于角色的访问控制 (Azure RBAC) 提供可在 Azure 中分配给用户、组和服务的内置角色Azure Security Center uses Azure role-based access control (Azure RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure.

安全中心会评估资源的配置以识别安全问题和漏洞。Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. 如果分配有资源所属的订阅或资源组的“所有者”、“参与者”或“读取者”角色,则仅可在安全中心看到与资源相关的信息。In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.

除这些角色外,还有两个特定的安全中心角色:In addition to these roles, there are two specific Security Center roles:

  • 安全读取者:属于此角色的用户对安全中心具有查看权限。Security Reader: A user that belongs to this role has viewing rights to Security Center. 该用户可查看建议、警报、安全策略和安全状态,但不能更改。The user can view recommendations, alerts, a security policy, and security states, but cannot make changes.
  • 安全管理员:属于此角色的用户具有与安全读取者相同的权限,此外,还可以更新安全策略、关闭警报和建议。Security Admin: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations.


安全角色(安全读取者和安全管理员)只能访问安全中心。The security roles, Security Reader and Security Admin, have access only in Security Center. 安全角色无权访问存储、Web 和移动或物联网等其他 Azure 服务区域。The security roles do not have access to other service areas of Azure such as Storage, Web & Mobile, or Internet of Things.

角色和允许的操作Roles and allowed actions

下表显示安全中心的角色和允许的操作。The following table displays roles and allowed actions in Security Center.

操作Action 安全读取者/Security Reader /
安全管理员Security Admin 资源组参与者/Resource Group Contributor /
资源组所有者Resource Group Owner
订阅参与者Subscription Contributor 订阅所有者Subscription Owner
编辑安全策略Edit security policy - - -
添加/分配计划(包括合规性标准)Add/assign initiatives (including) regulatory compliance standards) - - - -
启用/禁用 Azure DefenderEnable / disable Azure Defender - - -
启用/禁用自动预配Enable / disable auto-provisioning - -
应用资源的安全建议Apply security recommendations for a resource
(并使用快速修复!(and use Quick Fix!)
- -
消除警报Dismiss alerts - -
查看警报和建议View alerts and recommendations


对于需要完成任务的用户,建议尽可能为其分配权限最小的角色。We recommend that you assign the least permissive role needed for users to complete their tasks. 例如,将“读者”角色分配到只需查看有关资源的安全运行状况而不执行操作(例如应用建议或编辑策略)的用户。For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.

后续步骤Next steps

本文介绍安全中心如何使用 Azure RBAC 将权限分配给用户,并辨别每个角色允许的操作。This article explained how Security Center uses Azure RBAC to assign permissions to users and identified the allowed actions for each role. 现在,已熟悉监视订阅安全状态所需的角色分配,请编辑安全策略,并应用建议,了解如何:Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: