Peran bawaan Azure untuk Database
Artikel ini mencantumkan peran bawaan Azure dalam kategori Database.
Onboarding SQL Server yang Terhubung ke Azure
Memungkinkan untuk membaca dan menulis akses ke sumber daya Azure untuk SQL Server pada server arc-enabled.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.AzureArcData/sqlServerInstances/read | Mengambil sumber daya Instans SQL Server |
| Microsoft.AzureArcData/sqlServerInstances/write | Memperbarui sumber daya Instans SQL Server |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Peran Cosmos DB Account Reader
Dapat membaca data Akun Azure Cosmos DB. Lihat Kontributor Akun DocumentDB untuk mengelola akun Azure Cosmos DB.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.DocumentDB/*/baca | Baca koleksi apa pun |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/tindakan | Membaca akun database dengan mudah. |
| Microsoft.Insights/MetricDefinitions/baca | Baca definisi metrik |
| Microsoft.Insights/Metrics/baca | Membaca metrik |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Operator Cosmos DB
Memungkinkan Anda mengelola akun Azure Cosmos DB, tetapi tidak mengakses data di dalamnya. Mencegah akses ke kunci akun dan string koneksi.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.DocumentDb/databaseAccounts/* | |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/tindakan | Menggabungkan sumber daya seperti akun penyimpanan atau database SQL ke subnet. Tidak dapat diberi tahu. |
| NotActions | |
| Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* | |
| Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
| Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/tulis | Membuat atau memperbarui Definisi Peran SQL |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/hapus | Menghapus Definisi Peran SQL |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/tulis | Membuat atau memperbarui Penetapan Peran SQL |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/hapus | Menghapus Penetapan Peran SQL |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | Membuat atau memperbarui Definisi Peran Mongo |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | Menghapus Definisi Peran MongoDB |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | Membuat atau memperbarui Definisi Pengguna MongoDB |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | Menghapus Definisi Pengguna MongoDB |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
Dapat mengirim permintaan pemulihan untuk database Cosmos DB atau kontainer untuk akun
| Tindakan | Deskripsi |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/backup/tindakan | Kirim permintaan untuk mengonfigurasi pencadangan |
| Microsoft.DocumentDB/databaseAccounts/backup/tindakan | Mengirimkan permintaan pemulihan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
Dapat melakukan tindakan pemulihan untuk akun database Cosmos DB dengan mode pencadangan kontinu
| Tindakan | Deskripsi |
|---|---|
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/pemulihan/tindakan | Mengirimkan permintaan pemulihan |
| Microsoft.DocumentDB/lokasi/restorableDatabaseAccounts/pulihkan/tindakan | |
| Microsoft.DocumentDB/lokasi/restorableDatabaseAccounts/baca | Membaca akun database yang dapat dipulihkan atau Mencantumkan semua akun database yang dapat dipulihkan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Akun DocumentDB
Dapat mengelola akun Azure Cosmos DB. Azure Cosmos DB sebelumnya dikenal sebagai DocumentDB.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.DocumentDb/databaseAccounts/* | Membuat dan mengelola akun Azure Cosmos DB |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/tindakan | Menggabungkan sumber daya seperti akun penyimpanan atau database SQL ke subnet. Tidak dapat diberi tahu. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Redis Cache
Memungkinkan Anda mengelola Redis cache, tetapi tidak dapat mengaksesnya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Cache/register/action | Mendaftarkan penyedia sumber 'Microsoft.Cache' dengan langganan |
| Microsoft.Cache/redis/* | Membuat dan mengelola singgahan Redis |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor DB SQL
Memungkinkan Anda mengelola database SQL, tetapi tidak mengaksesnya. Selain itu, Anda tidak dapat mengelola kebijakan terkait keamanan atau server SQL induk mereka.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Sql/lokasi/*/baca | |
| Microsoft.Sql/servers/databases/* | Membuat dan mengelola database SQL |
| Microsoft.Sql/servers/baca | Mengembalikan daftar server atau mendapatkan properti untuk server yang ditentukan. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Insights/metrik/baca | Membaca metrik |
| Microsoft.Insights/metricDefinitions/baca | Baca definisi metrik |
| NotActions | |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Mengaktifkan pengunggahan hash ledger |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Menonaktifkan pengunggahan hash ledger |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.SQL/servers/databases/auditingSettings/* | Mengedit pengaturan audit |
| Microsoft.SQL/servers/databases/auditRecords/baca | Mengambil catatan audit blob database |
| Microsoft.Sql/server/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/server/database/dataMaskingPolicies/* | Mengedit kebijakan masking data |
| Microsoft.SQL/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/server/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/server/database/skema/tabel/kolom/sensitivitasLabels/* | |
| Microsoft.Sql/server/databases/securityAlertPolicies/* | Mengedit kebijakan pemberitahuan keamanan |
| Microsoft.Sql/server/database/securityMetrics/* | Mengedit metrik keamanan |
| Microsoft.Sql/server/database/sensitivitasLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/server/vulnerabilityAssessments/* | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor SQL Managed Instance
Memungkinkan Anda mengelola SQL Managed Instances dan konfigurasi jaringan yang diperlukan, tetapi tidak dapat memberikan akses kepada orang lain.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Network/networkSecurityGroups/* | |
| Microsoft.Network/routeTables/* | |
| Microsoft.Sql/lokasi/*/baca | |
| Microsoft.Sql/lokasi/instanceFailoverGroups/* | |
| Microsoft.Sql/managedInstances/* | |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Network/virtualNetworks/subnets/* | |
| Microsoft.Network/virtualNetworks/* | |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Insights/metrik/baca | Membaca metrik |
| Microsoft.Insights/metricDefinitions/baca | Baca definisi metrik |
| NotActions | |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/hapus | Menghapus server terkelola tertentu Azure Active Directory hanya objek autentikasi |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/tulis | Menambahkan atau memperbarui objek autentikasi khusus server terkelola Azure Active Directory |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengelola Keamanan SQL
Memungkinkan Anda mengelola kebijakan terkait keamanan dari server dan database SQL, tetapi tidak dapat mengaksesnya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/tindakan | Menggabungkan sumber daya seperti akun penyimpanan atau database SQL ke subnet. Tidak dapat diberi tahu. |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Sql/locations/administratorAzureAsyncOperation/baca | Mendapatkan hasil operasi administrator azure async instans terkelola. |
| Microsoft.Sql/managedInstances/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut instans terkelola yang dikonfigurasi untuk instans tertentu |
| Microsoft.Sql/managedInstances/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Advanced Threat Protection instans terkelola untuk instans terkelola tertentu |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut database terkelola yang dikonfigurasi untuk database terkelola tertentu |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut database untuk database terkelola tertentu |
| Microsoft.Sql/managedInstances/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut instans terkelola yang dikonfigurasi untuk instans tertentu |
| Microsoft.Sql/managedInstances/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Advanced Threat Protection instans terkelola untuk instans terkelola tertentu |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut database terkelola yang dikonfigurasi untuk database terkelola tertentu |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut database untuk database terkelola tertentu |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut server yang dikonfigurasi untuk server tertentu |
| Microsoft.Sql/servers/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut server untuk server tertentu |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/read | Mendapatkan properti untuk Opsi Konfigurasi Server Azure SQL Managed Instance yang ditentukan. |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/write | Memperbarui properti Opsi Konfigurasi Server Azure SQL Managed Instance untuk instans yang ditentukan. |
| Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | Mendapatkan status operasi Azure SQL Managed Instance Server Configuration Option Azure async. |
| Microsoft.Sql/servers/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut server yang dikonfigurasi untuk server tertentu |
| Microsoft.Sql/servers/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut server untuk server tertentu |
| Microsoft.SQL/server/auditingSettings/* | Membuat dan mengelola pengaturan audit server SQL |
| Microsoft.Sql/servers/extendedAuditingSettings/baca | Mengambil detail kebijakan audit gumpalan server yang diperluas yang dikonfigurasi pada server tertentu |
| Microsoft.Sql/servers/databases/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut database yang dikonfigurasi untuk database tertentu |
| Microsoft.Sql/servers/databases/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut database untuk database tertentu |
| Microsoft.Sql/servers/databases/advancedThreatProtection Pengaturan/read | Mengambil daftar pengaturan Perlindungan Ancaman Tingkat Lanjut database yang dikonfigurasi untuk database tertentu |
| Microsoft.Sql/servers/databases/advancedThreatProtection Pengaturan/write | Mengubah pengaturan Perlindungan Ancaman Tingkat Lanjut database untuk database tertentu |
| Microsoft.SQL/servers/databases/auditingSettings/* | Membuat dan mengelola pengaturan audit database server SQL |
| Microsoft.SQL/servers/databases/auditRecords/baca | Mengambil catatan audit blob database |
| Microsoft.Sql/server/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/server/database/dataMaskingPolicies/* | Membuat dan mengelola kebijakan masking data database server SQL |
| Microsoft.Sql/server/databases/extendedAuditingSettings/baca | Mengambil detail kebijakan audit blob yang diperluas yang dikonfigurasi pada database yang diberikan |
| Microsoft.Sql/server/databases/baca | Kembalikan daftar server atau dapatkan properti untuk server yang ditentukan. |
| Microsoft.Sql/server/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/server/database/skema/read | Mendapatkan skema database. |
| Microsoft.Sql/server/database/skema/tabel/kolom/baca | Mendapatkan kolom database. |
| Microsoft.Sql/server/database/skema/tabel/kolom/sensitivitasLabels/* | |
| Microsoft.Sql/server/database/skema/tabel/kolom/baca | Mendapatkan tabel database. |
| Microsoft.Sql/server/databases/securityAlertPolicies/* | Membuat dan mengelola kebijakan pemberitahuan keamanan database server SQL |
| Microsoft.Sql/server/database/securityMetrics/* | Membuat dan mengelola metrik keamanan database server SQL |
| Microsoft.Sql/server/database/sensitivitasLabels/* | |
| Microsoft.Sql/server/databases/transparentDataEncryption/* | |
| Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/firewallRules/* | |
| Microsoft.Sql/servers/baca | Mengembalikan daftar server atau mendapatkan properti untuk server yang ditentukan. |
| Microsoft.Sql/servers/securityAlertPolicies/* | Membuat dan mengelola kebijakan pemberitahuan keamanan database server SQL |
| Microsoft.Sql/servers/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/server/vulnerabilityAssessments/* | |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Sql/server/azureADOnlyAuthentications/* | |
| Microsoft.Sql/managedInstances/baca | Mengembalikan daftar instans terkelola atau mendapatkan properti untuk instans terkelola yang ditentukan. |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
| Microsoft.Security/sqlVulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/administrator/baca | Mendapatkan daftar administrator instans terkelola. |
| Microsoft.Sql/servers/administrators/baca | Mendapatkan objek administrator Azure Active Directory tertentu |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/* | |
| Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | Mendapatkan operasi yang sedang berlangsung dari pengaturan pengunggahan hash ledger |
| Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | Mendapatkan operasi yang sedang berlangsung dari pengaturan pengunggahan hash ledger |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor SQL Server
Memungkinkan Anda mengelola server dan database SQL, tetapi tidak dapat mengaksesnya, dan bukan kebijakan terkait keamanannya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Sql/lokasi/*/baca | |
| Microsoft.Sql/servers/* | Membuat dan mengelola server SQL |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.Insights/metrik/baca | Membaca metrik |
| Microsoft.Insights/metricDefinitions/baca | Baca definisi metrik |
| NotActions | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.SQL/server/auditingSettings/* | Mengedit pengaturan audit server SQL |
| Microsoft.SQL/servers/databases/auditingSettings/* | Mengedit pengaturan audit database server SQL |
| Microsoft.SQL/servers/databases/auditRecords/baca | Mengambil catatan audit blob database |
| Microsoft.Sql/server/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/server/database/dataMaskingPolicies/* | Mengedit kebijakan masking data database server SQL |
| Microsoft.SQL/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/server/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/server/database/skema/tabel/kolom/sensitivitasLabels/* | |
| Microsoft.Sql/server/databases/securityAlertPolicies/* | Mengedit kebijakan pemberitahuan keamanan database server SQL |
| Microsoft.Sql/server/database/securityMetrics/* | Mengedit metrik keamanan database server SQL |
| Microsoft.Sql/server/database/sensitivitasLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/server/database/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.SQL/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/* | Mengedit kebijakan pemberitahuan keamanan database server SQL |
| Microsoft.Sql/server/vulnerabilityAssessments/* | |
| Microsoft.Sql/server/azureADOnlyAuthentications/hapus | Menghapus objek autentikasi khusus Azure Active Directory saja |
| Microsoft.Sql/server/azureADOnlyAuthentications/baca | Menambahkan atau memperbarui objek autentikasi hanya Azure Active Directory server tertentu |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | Menghapus properti otorisasi berbasis kebijakan eksternal server tertentu |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | Menambahkan atau memperbarui properti otorisasi berbasis kebijakan eksternal server tertentu |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}