Manage Site Recovery access with role-based access control (RBAC)

Azure role-based access control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can segregate responsibilities within your team and grant users only the specific permissions they need to perform specific jobs.

Azure Site Recovery provides three built-in roles to control Site Recovery management operations. Learn more about Azure RBAC built-in roles.

  • Site Recovery Contributor - This role has all the permissions required to manage Azure Site Recovery operations in a Recovery Services vault. A user with this role can't, however, create or delete a Recovery Services vault or assign access rights to other users. This role is best suited to disaster recovery administrators who enable and manage disaster recovery for applications or, as the case may be, for the entire organization.
  • Site Recovery Operator - This role has permissions to execute and manage failover and failback operations. A user with this role can't enable or disable replication, create or delete vaults, register new infrastructure, or assign access rights to other users. This role is best suited to a disaster recovery operator who fails over virtual machines or applications when instructed by application owners and IT administrators, in an actual disaster or a simulated one such as a DR drill. After the disaster is resolved, the DR operator can reprotect and fail back the virtual machines.
  • Site Recovery Reader - This role has permissions to view all Site Recovery management operations. It is best suited to an IT monitoring executive who monitors the current state of protection and raises support tickets if required.

None of these roles can grant access to other users. Assign them at the narrowest scope that works (the Recovery Services vault or its resource group) rather than at the subscription. If you want to define your own roles for even more control, see how to build custom roles in Azure.

Permissions required to enable replication for new virtual machines

When a new virtual machine is replicated to Azure using Azure Site Recovery, the associated user's access levels are validated to ensure that the user has the required permissions to use the Azure resources provided to Site Recovery.

To enable replication for a new virtual machine, a user must have:

  • Permission to create a virtual machine in the selected resource group
  • Permission to create a virtual machine in the selected virtual network
  • Permission to write to the selected storage account

A user needs the following permissions to complete replication of a new virtual machine.

Important

Ensure that the relevant permissions are added for the deployment model (Resource Manager or classic) used for resource deployment.

Resource type    Deployment model    Permission
Compute          Resource Manager    Microsoft.Compute/availabilitySets/read
                                     Microsoft.Compute/virtualMachines/read
                                     Microsoft.Compute/virtualMachines/write
                                     Microsoft.Compute/virtualMachines/delete
                 Classic             Microsoft.ClassicCompute/domainNames/read
                                     Microsoft.ClassicCompute/domainNames/write
                                     Microsoft.ClassicCompute/domainNames/delete
                                     Microsoft.ClassicCompute/virtualMachines/read
                                     Microsoft.ClassicCompute/virtualMachines/write
                                     Microsoft.ClassicCompute/virtualMachines/delete
Network          Resource Manager    Microsoft.Network/networkInterfaces/read
                                     Microsoft.Network/networkInterfaces/write
                                     Microsoft.Network/networkInterfaces/delete
                                     Microsoft.Network/networkInterfaces/join/action
                                     Microsoft.Network/virtualNetworks/read
                                     Microsoft.Network/virtualNetworks/subnets/read
                                     Microsoft.Network/virtualNetworks/subnets/join/action
                 Classic             Microsoft.ClassicNetwork/virtualNetworks/read
                                     Microsoft.ClassicNetwork/virtualNetworks/join/action
Storage          Resource Manager    Microsoft.Storage/storageAccounts/read
                                     Microsoft.Storage/storageAccounts/listkeys/action
                 Classic             Microsoft.ClassicStorage/storageAccounts/read
                                     Microsoft.ClassicStorage/storageAccounts/listKeys/action
Resource group   Resource Manager    Microsoft.Resources/deployments/*
                                     Microsoft.Resources/subscriptions/resourceGroups/read

Consider using the built-in 'Virtual Machine Contributor' and 'Classic Virtual Machine Contributor' roles for the Resource Manager and classic deployment models respectively. Both built-in roles are broader than the list above; if that is more than your DR administrators should hold, put exactly the actions above into a custom role instead.
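The following Python script is an added example, not code from the page or from Microsoft. It encodes the Resource Manager rows of the table above, implements Azure RBAC's action matching (a '*' wildcard that also spans '/', case-insensitive comparison, and NotActions subtracting from Actions) so that it can report which required actions a given role definition lacks, and emits a least-privilege custom role in the JSON shape that `az role definition create` accepts, holding exactly those actions (the custom roles mentioned earlier). The role name and description, the placeholder subscription ID, and the two demonstration role definitions are constructed for illustration; they are not Azure's built-in role definitions.

```python
"""Check an Azure RBAC role definition against the Resource Manager permissions
Site Recovery needs to enable replication for a new VM, and emit a
least-privilege custom role carrying exactly those permissions."""
import json
import re

# The Resource Manager rows of the permissions table above.
REQUIRED_ACTIONS_RM = [
    "Microsoft.Compute/availabilitySets/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
]


def action_matches(pattern, action):
    """Azure RBAC action matching: '*' in a pattern matches any run of
    characters (including '/'), and the comparison is case-insensitive, so
    'listkeys/action' and 'listKeys/action' name the same operation."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role, action):
    """Effective permission = Actions minus NotActions. NotActions is not a
    deny rule; it only carves operations out of what Actions granted."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def missing_actions(role, required=REQUIRED_ACTIONS_RM):
    """Required actions the role does not grant. A required wildcard such as
    'Microsoft.Resources/deployments/*' is compared as a literal string, so it
    is satisfied only by a grant at least as broad ('*', 'Microsoft.Resources/*'
    or 'Microsoft.Resources/deployments/*'), never by a narrower '.../read'."""
    return [a for a in required if not role_allows(role, a)]


def build_replication_enabler_role(subscription_id):
    """A custom role (az CLI JSON shape) holding exactly the required actions.
    Name and description are example values, not an Azure built-in role."""
    return {
        "Name": "Site Recovery Replication Enabler (example)",
        "IsCustom": True,
        "Description": "Exactly the permissions ASR needs to enable replication "
                       "for a new Resource Manager VM.",
        "Actions": list(REQUIRED_ACTIONS_RM),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": ["/subscriptions/" + subscription_id],
    }


# Constructed role definitions for the demonstration: illustrative shapes,
# not copies of Azure's actual built-in role definitions.
READ_ONLY_ROLE = {"Actions": ["*/read"], "NotActions": []}
BROAD_ROLE_WITHOUT_VM_DELETE = {
    "Actions": ["*"],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
}

if __name__ == "__main__":
    # Placeholder subscription ID, not a real subscription.
    role = build_replication_enabler_role("00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    for name, candidate in [("custom role", role),
                            ("read-only role", READ_ONLY_ROLE),
                            ("broad role minus VM delete", BROAD_ROLE_WITHOUT_VM_DELETE)]:
        gaps = missing_actions(candidate)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Save the printed JSON to a file and create the role with `az role definition create --role-definition @role.json`, then assign it at the resource group that will hold the replicated VMs rather than at the subscription. The classic rows of the table are not covered; if you still deploy classic resources, extend the required list with the Microsoft.Classic* entries from the table.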

Next steps