Peran bawaan Azure untuk Keamanan
Artikel ini mencantumkan peran bawaan Azure dalam kategori Keamanan.
Administrator Otomatisasi Kepatuhan Aplikasi
Membuat, membaca, mengunduh, memodifikasi, dan menghapus objek laporan dan objek sumber daya terkait lainnya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.AppComplianceAutomation/* | |
| Microsoft.Storage/storageAccounts/blobServices/write | Mengembalikan hasil dari properti layanan blob put |
| Microsoft.Storage/storageAccounts/fileservices/write | Menaruh properti layanan file |
| Microsoft.Storage/storageAccounts/listKeys/tindakan | Mengembalikan kunci akses untuk akun penyimpanan tertentu. |
| Microsoft.Storage/storageAccounts/tulis | Membuat akun penyimpanan dengan parameter yang ditentukan atau memperbarui properti atau tag atau menambahkan domain kustom untuk akun penyimpanan yang ditentukan. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/tindakan | Mengembalikan kunci delegasi pengguna untuk layanan blob |
| Microsoft.Storage/storageAccounts/baca | Mengembalikan daftar akun penyimpanan atau mendapatkan properti untuk akun penyimpanan tertentu. |
| Microsoft.Storage/storageAccounts/blobServices/containers/baca | Daftar kontainer yang diperbarui |
| Microsoft.Storage/storageAccounts/blobServices/containers/tulis | Mengembalikan hasil dari wadah blob put |
| Microsoft.Storage/storageAccounts/blobServices/read | Mengembalikan properti layanan blob atau statistik |
| Microsoft.PolicyInsights/policyStates/queryResults/action | Informasi kueri tentang status kebijakan. |
| Microsoft.PolicyInsights/policyStates/triggerEvaluation/action | Memicu evaluasi kepatuhan baru untuk cakupan yang dipilih. |
| Microsoft.Resources/resources/read | Mendapatkan daftar sumber daya berdasarkan filter. |
| Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan sumber daya untuk grup sumber daya. |
| Microsoft.Resources/langganan/sumber daya/baca | Mendapatkan sumber daya dari langganan. |
| Microsoft.Resources/subscriptions/resourceGroups/delete | Menghapus grup sumber daya dan semua sumber dayanya. |
| Microsoft.Resources/subscriptions/resourceGroups/write | Membuat atau memperbarui grup sumber daya. |
| Microsoft.Resources/tags/read | Mendapatkan semua tag pada sumber daya. |
| Microsoft.Resources/deployments/validate/action | Memvalidasi penyebaran. |
| Microsoft.Security/automations/read | Mendapatkan otomatisasi untuk cakupan |
| Microsoft.Resources/penyebaran/tulis | Membuat atau memperbarui penyebaran. |
| Microsoft.Security/automations/delete | Menghapus otomatisasi untuk cakupan |
| Microsoft.Security/automations/write | Membuat atau memperbarui otomatisasi untuk cakupan |
| Microsoft.Security/register/action | Mendaftarkan langganan untuk Azure Security Center |
| Microsoft.Security/unregister/action | Membatalkan pendaftaran langganan untuk Azure Security Center |
| */read | Membaca sumber daya dari semua jenis, kecuali rahasia. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Create, read, download, modify and delete reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
"name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
"permissions": [
{
"actions": [
"Microsoft.AppComplianceAutomation/*",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/fileservices/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.PolicyInsights/policyStates/queryResults/action",
"Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Security/automations/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Security/automations/delete",
"Microsoft.Security/automations/write",
"Microsoft.Security/register/action",
"Microsoft.Security/unregister/action",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca Otomatisasi Kepatuhan Aplikasi
Baca, unduh objek laporan dan objek sumber daya lainnya terkait.
| Tindakan | Deskripsi |
|---|---|
| */read | Membaca sumber daya dari semua jenis, kecuali rahasia. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Read, download the reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Attestation
Dapat membaca, menulis, atau menghapus contoh penyedia pengesahan
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Attestation/attestationProviders/attestation/read | Mendapatkan status layanan pengesahan. |
| Microsoft.Attestation/attestationProviders/pengesahan/tulis | Menambahkan layanan pengesahan. |
| Microsoft.Attestation/attestationProviders/pengesahan/hapus | Menghapus layanan pengesahan. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider instance",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca Pengesahan
Dapat membaca properti penyedia pengesahan
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Attestation/attestationProviders/attestation/read | Mendapatkan status layanan pengesahan. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrator Key Vault
Lakukan semua operasi bidang data pada brankas kunci dan semua objek di dalamnya, termasuk sertifikat, kunci, dan rahasia. Tidak dapat mengelola sumber daya brankas kunci atau mengelola penetapan peran. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/checkNameAvailability/baca | Periksa bahwa nama key vault valid dan sedang tidak digunakan |
| Microsoft.KeyVault/deletedVaults/baca | Melihat properti brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/lokasi/*/baca | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/operasi/baca | Mencantumkan operasi yang tersedia di penyedia sumber daya Microsoft.KeyVault |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/* | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Sertifikat Key Vault
Membaca konten sertifikat. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Tidak ada | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/certificates/read | Cantumkan sertifikat pada brankas kunci yang ditentukan, atau dapatkan informasi tentang sertifikat. |
| Microsoft.KeyVault/vaults/rahasia/getSecret/tindakan | Mendapatkan nilai rahasia. |
| Microsoft.KeyVault/vaults/rahasia/readMetadata/tindakan | Cantumkan atau tampilkan properti rahasia, tetapi bukan nilainya. |
| Microsoft.KeyVault/vaults/kunci/baca | Daftar kunci dalam kubah yang ditentukan, atau properti baca dan materi publik kunci. Untuk kunci asimetris, operasi ini memaparkan kunci publik dan mencakup kemampuan untuk menjalankan algoritma kunci publik seperti mengenkripsi dan memverifikasi tanda tangan. Kunci pribadi dan kunci simetris tidak pernah terekspos. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificates/read",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificate User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Petugas Sertifikat Key Vault
Lakukan tindakan apa pun pada sertifikat brankas kunci, kecuali izin kelola. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/checkNameAvailability/baca | Periksa bahwa nama key vault valid dan sedang tidak digunakan |
| Microsoft.KeyVault/deletedVaults/baca | Melihat properti brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/lokasi/*/baca | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/operasi/baca | Mencantumkan operasi yang tersedia di penyedia sumber daya Microsoft.KeyVault |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/certificatecas/* | |
| Microsoft.KeyVault/vaults/sertifikat/* | |
| Microsoft.KeyVault/vaults/certificatecontacts/write | Mengelola Kontak Sertifikat |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/certificatecontacts/write"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Key Vault
Kelola kubah utama, tetapi tidak memungkinkan Anda untuk menetapkan peran di Azure RBAC, dan tidak memungkinkan Anda mengakses rahasia, kunci, atau sertifikat.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.KeyVault/* | |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Microsoft.KeyVault/lokasi/deletedVaults/hapus menyeluruh/tindakan | Hapus menyeluruh brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/hsmPools/* | |
| Microsoft.KeyVault/managedHsms/* | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Petugas Kripto Key Vault
Lakukan tindakan apa pun pada kunci brankas kunci, kecuali izin kelola. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/checkNameAvailability/baca | Periksa bahwa nama key vault valid dan sedang tidak digunakan |
| Microsoft.KeyVault/deletedVaults/baca | Melihat properti brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/lokasi/*/baca | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/operasi/baca | Mencantumkan operasi yang tersedia di penyedia sumber daya Microsoft.KeyVault |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/kunci/* | |
| Microsoft.KeyVault/vaults/keyrotationpolicies/* | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Enkripsi Layanan Kripto Key Vault
Baca metadata kunci dan lakukan operasi bungkus/buka bungkus. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.EventGrid/eventSubscriptions/tulis | Membuat atau memperbarui kejadianSubscription |
| Microsoft.EventGrid/eventSubscriptions/baca | Membaca sebuah eventSubscription |
| Microsoft.EventGrid/eventSubscriptions/hapus | Membaca sebuah eventSubscription |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/kunci/baca | Daftar kunci dalam kubah yang ditentukan, atau properti baca dan materi publik kunci. Untuk kunci asimetris, operasi ini memaparkan kunci publik dan mencakup kemampuan untuk menjalankan algoritma kunci publik seperti mengenkripsi dan memverifikasi tanda tangan. Kunci pribadi dan kunci simetris tidak pernah terekspos. |
| Microsoft.KeyVault/vaults/keys/bungkus/tindakan | Membungkus kunci simetris dengan kunci Key Vault. Perhatikan bahwa jika kunci Key Vault asimetris, operasi ini dapat dilakukan oleh perwakilan dengan akses baca. |
| Microsoft.KeyVault/vaults/kunci/buka bungkus/tindakan | Membuka bungkus kunci simetris dengan kunci Key Vault. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Rilis Layanan Kripto Key Vault
Kunci rilis. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Tidak ada | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/keys/release/action | Rilis kunci menggunakan bagian publik KEK dari token pengesahan. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/release/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Release User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Kripto Key Vault
Lakukan operasi kriptografi menggunakan kunci. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Tidak ada | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/kunci/baca | Daftar kunci dalam kubah yang ditentukan, atau properti baca dan materi publik kunci. Untuk kunci asimetris, operasi ini memaparkan kunci publik dan mencakup kemampuan untuk menjalankan algoritma kunci publik seperti mengenkripsi dan memverifikasi tanda tangan. Kunci pribadi dan kunci simetris tidak pernah terekspos. |
| Microsoft.KeyVault/vaults/kunci/pembaruan/tindakan | Memperbarui atribut yang ditentukan dan terkait dengan kunci tertentu. |
| Microsoft.KeyVault/vaults/kunci/cadangan/tindakan | Membuat file cadangan kunci. File dapat digunakan untuk memulihkan kunci di Key Vault dengan langganan yang sama. Pembatasan mungkin berlaku. |
| Microsoft.KeyVault/vaults/kunci/enkripsi/tindakan | Mengenkripsi teks biasa dengan kunci. Perhatikan bahwa jika kunci Vault Kunci adalah asimetris, operasi ini dapat dilakukan oleh prinsipal dengan akses baca. |
| Microsoft.KeyVault/vaults/kunci/deinkripsi/tindakan | Mendekripsikan ciphertext dengan kunci. |
| Microsoft.KeyVault/vaults/keys/bungkus/tindakan | Membungkus kunci simetris dengan kunci Key Vault. Perhatikan bahwa jika kunci Key Vault asimetris, operasi ini dapat dilakukan oleh perwakilan dengan akses baca. |
| Microsoft.KeyVault/vaults/kunci/buka bungkus/tindakan | Membuka bungkus kunci simetris dengan kunci Key Vault. |
| Microsoft.KeyVault/vaults/kunci/tanda/tindakan | Menandai pesan yang dicerna (hash) dengan kunci. |
| Microsoft.KeyVault/vaults/keys/verifikasi/tindakan | Memverifikasi tanda tangan pesan yang dicerna (hash) dengan kunci. Perhatikan bahwa jika kunci Vault Kunci adalah asimetris, operasi ini dapat dilakukan oleh prinsipal dengan akses baca. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Administrator Akses Data Key Vault
Kelola akses ke Azure Key Vault dengan menambahkan atau menghapus penetapan peran untuk Administrator Key Vault, Petugas Sertifikat Key Vault, Petugas Kripto Key Vault, Pengguna Enkripsi Layanan Kripto Key Vault, Pengguna Kripto Key Vault, Pembaca Key Vault, Petugas Rahasia Key Vault, atau Peran Pengguna Rahasia Key Vault. Menyertakan kondisi ABAC untuk membatasi penetapan peran.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Membuat penetapan peran pada cakupan yang ditentukan. |
| Microsoft.Authorization/roleAssignments/delete | Menghapus penetapan peran pada cakupan yang ditentukan. |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Resources/langganan/baca | Mendapatkan daftar langganan. |
| Microsoft.Management/managementGroups/baca | Grup manajemen daftar untuk pengguna yang diautentikasi. |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/vaults/*/baca | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada | |
| Kondisi | |
| ((! (ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!( ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) | Tambahkan atau hapus penetapan peran untuk peran berikut: Administrator Key Vault Petugas Sertifikat Key Vault Petugas Kripto Key Vault Pengguna Enkripsi Layanan Kripto Key Vault Pengguna Kripto Key Vault Pembaca Key Vault Petugas Rahasia Key Vault Pengguna Rahasia Key Vault |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
"name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/vaults/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
}
],
"roleName": "Key Vault Data Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca Key Vault
Baca metadata brankas kunci serta sertifikat, kunci, dan rahasianya. Tidak dapat membaca nilai sensitif seperti konten rahasia atau materi kunci. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/checkNameAvailability/baca | Periksa bahwa nama key vault valid dan sedang tidak digunakan |
| Microsoft.KeyVault/deletedVaults/baca | Melihat properti brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/lokasi/*/baca | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/operasi/baca | Mencantumkan operasi yang tersedia di penyedia sumber daya Microsoft.KeyVault |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/vaults/rahasia/readMetadata/tindakan | Cantumkan atau tampilkan properti rahasia, tetapi bukan nilainya. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Petugas Rahasia Key Vault
Lakukan tindakan apa pun pada rahasia brankas kunci, kecuali izin kelola. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| Microsoft.KeyVault/checkNameAvailability/baca | Periksa bahwa nama key vault valid dan sedang tidak digunakan |
| Microsoft.KeyVault/deletedVaults/baca | Melihat properti brankas kunci yang dihapus sementara |
| Microsoft.KeyVault/lokasi/*/baca | |
| Microsoft.KeyVault/vaults/*/baca | |
| Microsoft.KeyVault/operasi/baca | Mencantumkan operasi yang tersedia di penyedia sumber daya Microsoft.KeyVault |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/rahasia/* | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengguna Rahasia Key Vault
Baca konten rahasia. Hanya berfungsi untuk brankas kunci yang menggunakan model izin 'kontrol akses berbasis peran Azure'.
| Tindakan | Deskripsi |
|---|---|
| Tidak ada | |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Microsoft.KeyVault/vaults/rahasia/getSecret/tindakan | Mendapatkan nilai rahasia. |
| Microsoft.KeyVault/vaults/rahasia/readMetadata/tindakan | Cantumkan atau tampilkan properti rahasia, tetapi bukan nilainya. |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor HSM Terkelola
Memungkinkan Anda mengelola kumpulan HSM terkelola, tetapi tidak dapat mengaksesnya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.KeyVault/managedHSMs/* | |
| Microsoft.KeyVault/deletedManagedHsms/read | Melihat properti hsm terkelola yang dihapus |
| Microsoft.KeyVault/locations/deletedManagedHsms/read | Melihat properti hsm terkelola yang dihapus |
| Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | Menghapus menyeluruh HSM terkelola yang dihapus sementara |
| Microsoft.KeyVault/locations/managedHsmOperationResults/read | Memeriksa hasil operasi yang berjalan lama |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Automasi Microsoft Azure Sentinel
Kontributor Automasi Microsoft Azure Sentinel
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Logic/workflows/pemicu/baca | Membaca pemicu. |
| Microsoft.Logic/alur kerja/pemicu/listCallbackUrl/tindakan | Mendapatkan URL panggilan balik untuk pemicu. |
| Microsoft.Logic/alur kerja/berjalan/baca | Membaca alur kerja berjalan. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | Cantumkan Pemicu Alur Kerja Hostruntime Web Apps. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Dapatkan Uri Pemicu Alur Kerja Hostruntime Web Apps. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | Mencantumkan Eksekusi Alur Kerja Hostruntime Web Apps. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Microsoft Azure Sentinel
Kontributor Microsoft Azure Sentinel
| Tindakan | Deskripsi |
|---|---|
| Microsoft.SecurityInsights/* | |
| Microsoft.OperationalInsights/ruang kerja/analitik/kueri/tindakan | Cari menggunakan mesin baru. |
| Microsoft.OperationalInsights/ruang kerja/*/baca | Menampilkan data analitik log |
| Microsoft.OperationalInsights/ruang kerja/savedSearches/* | |
| Microsoft.OperationsMenemanase/solusi/baca | Dapatkan solusi OMS yang ada |
| Microsoft.OperationalInsights/ruang kerja/kueri/baca | Menjalankan kueri atas data di ruang kerja |
| Microsoft.OperationalInsights/ruang kerja/kueri/*/baca | |
| Microsoft.OperationalInsights/ruang kerja/dataSources/baca | Dapatkan sumber data di bawah ruang kerja. |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.Insights/buku kerja/* | |
| Microsoft.Insights/buku kerja saya/baca | |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Playbook Operator
Microsoft Sentinel Playbook Operator
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Logic/workflows/read | Membaca alur kerja. |
| Microsoft.Logic/alur kerja/pemicu/listCallbackUrl/tindakan | Mendapatkan URL panggilan balik untuk pemicu. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Dapatkan Uri Pemicu Alur Kerja Hostruntime Web Apps. |
| Microsoft.Web/sites/read | Mendapatkan properti Aplikasi Web |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Playbook Operator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
"name": "51d6186e-6489-4900-b93f-92e23144cca5",
"permissions": [
{
"actions": [
"Microsoft.Logic/workflows/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Playbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca Microsoft Azure Sentinel
Pembaca Microsoft Azure Sentinel
| Tindakan | Deskripsi |
|---|---|
| Microsoft.SecurityInsights/*/baca | |
| Microsoft.SecurityInsights/dataConnectorsCheckRequirements/tindakan | Periksa otorisasi dan lisensi pengguna |
| Microsoft.SecurityInsights/threatIntelligence/indikator/kueri/tindakan | Membuat Kueri Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/queryIndicators/tindakan | Membuat Kueri Indikator Inteligensi Ancaman |
| Microsoft.OperationalInsights/ruang kerja/analitik/kueri/tindakan | Cari menggunakan mesin baru. |
| Microsoft.OperationalInsights/ruang kerja/*/baca | Menampilkan data analitik log |
| Microsoft.OperationalInsights/ruang kerja/LinkedServices/baca | Mendapatkan layanan tertaut di bagian ruang kerja tertentu. |
| Microsoft.OperationalInsights/ruang kerja/savedSearches/baca | Mendapatkan kueri pencarian tersimpan. |
| Microsoft.OperationsMenemanase/solusi/baca | Dapatkan solusi OMS yang ada |
| Microsoft.OperationalInsights/ruang kerja/kueri/baca | Menjalankan kueri atas data di ruang kerja |
| Microsoft.OperationalInsights/ruang kerja/kueri/*/baca | |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.OperationalInsights/ruang kerja/dataSources/baca | Dapatkan sumber data di bawah ruang kerja. |
| Microsoft.Insights/buku kerja/baca | Membaca buku kerja |
| Microsoft.Insights/buku kerja saya/baca | |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Resources/templateSpecs/*/read | Mendapatkan atau mencantumkan spesifikasi templat dan versi spesifikasi templat |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/templateSpecs/*/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Penanggap Microsoft Azure Sentinel
Penanggap Microsoft Azure Sentinel
| Tindakan | Deskripsi |
|---|---|
| Microsoft.SecurityInsights/*/baca | |
| Microsoft.SecurityInsights/dataConnectorsCheckRequirements/tindakan | Periksa otorisasi dan lisensi pengguna |
| Microsoft.SecurityInsights/automationRules/* | |
| Microsoft.SecurityInsights/kasus/* | |
| Microsoft.SecurityInsights/insiden/* | |
| Microsoft.SecurityInsights/entities/runPlaybook/action | Jalankan playbook pada entitas |
| Microsoft.SecurityInsights/threatIntelligence/indikator/appendTags/tindakan | Menambahkan tag ke Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/indikator/kueri/tindakan | Membuat Kueri Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/bulkTag/tindakan | Data Massal Kecerdasan Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/indikator/appendTags/tindakan | Menambahkan tag ke Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/indikator/replaceTags/tindakan | Mengganti Tag Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/threatIntelligence/queryIndicators/tindakan | Membuat Kueri Indikator Inteligensi Ancaman |
| Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action | Membatalkan tindakan |
| Microsoft.OperationalInsights/ruang kerja/analitik/kueri/tindakan | Cari menggunakan mesin baru. |
| Microsoft.OperationalInsights/ruang kerja/*/baca | Menampilkan data analitik log |
| Microsoft.OperationalInsights/ruang kerja/dataSources/baca | Dapatkan sumber data di bawah ruang kerja. |
| Microsoft.OperationalInsights/ruang kerja/savedSearches/baca | Mendapatkan kueri pencarian tersimpan. |
| Microsoft.OperationsMenemanase/solusi/baca | Dapatkan solusi OMS yang ada |
| Microsoft.OperationalInsights/ruang kerja/kueri/baca | Menjalankan kueri atas data di ruang kerja |
| Microsoft.OperationalInsights/ruang kerja/kueri/*/baca | |
| Microsoft.OperationalInsights/ruang kerja/dataSources/baca | Dapatkan sumber data di bawah ruang kerja. |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.Insights/buku kerja/baca | Membaca buku kerja |
| Microsoft.Insights/buku kerja saya/baca | |
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Microsoft.SecurityInsights/kasus/*/Hapus | |
| Microsoft.SecurityInsights/incidents/*/Hapus | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/entities/runPlaybook/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete",
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Admin Keamanan
Menampilkan dan memperbarui izin untuk Microsoft Defender untuk Cloud. Izin yang sama dengan peran Pembaca Keamanan dan juga dapat memperbarui kebijakan keamanan dan menghilangkan peringatan dan rekomendasi.
Untuk Pertahanan Microsoft untuk IoT, lihat Peran pengguna Azure untuk pemantauan OT dan Enterprise IoT.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Authorization/policyAssignments/* | Membuat dan mengelola penetapan kebijakan |
| Microsoft.Authorization/policyDefinitions/* | Membuat dan mengelola definisi kebijakan |
| Microsoft.Authorization/policyExemptions/* | Membuat dan mengelola pembebasan kebijakan |
| Microsoft.Authorization/policySetDefinisi/* | Membuat dan mengelola rangkaian kebijakan |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.Management/managementGroups/baca | Grup manajemen daftar untuk pengguna yang diautentikasi. |
| Microsoft.operationalInsights/ruang kerja/*/baca | Menampilkan data analitik log |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Security/* | Membuat dan mengelola komponen dan kebijakan keamanan |
| Microsoft.IoTSecurity/* | |
| Microsoft.IoTFirmwareDefense/* | |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kontributor Penilaian Keamanan
Memungkinkan Anda mendorong penilaian ke Microsoft Defender untuk Cloud
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Security/penilaian/tulis | Membuat atau memperbarui penilaian keamanan pada langganan Anda |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pengelola Keamanan (Legasi)
Ini adalah peran legasi. Silakan gunakan Admin Keamanan sebagai gantinya.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.ClassicCompute/*/baca | Baca informasi konfigurasi mesin virtual klasik |
| Microsoft.ClassicCompute/virtualMachines/*/tulis | Konfigurasi tulis untuk mesin virtual klasik |
| Microsoft.ClassicNetwork/*/baca | Baca informasi konfigurasi tentang jaringan klasik |
| Microsoft.Insights/alertRules/* | Membuat dan mengelola pemberitahuan metrik klasik |
| Microsoft.ResourceHealth/availabilityStatuses/baca | Mendapatkan status ketersediaan untuk semua sumber daya dalam lingkup yang ditentukan |
| Microsoft.Resources/penyebaran/* | Membuat dan mengelola penyebaran |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Security/* | Membuat dan mengelola komponen dan kebijakan keamanan |
| Microsoft.Support/* | Membuat dan memperbarui tiket dukungan |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator instead",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Pembaca Keamanan
Lihat izin untuk Microsoft Defender untuk Cloud. Pengguna dapat melihat rekomendasi, pemberitahuan, kebijakan keamanan, status keamanan, tetapi tidak dapat mengubahnya.
Untuk Pertahanan Microsoft untuk IoT, lihat Peran pengguna Azure untuk pemantauan OT dan Enterprise IoT.
| Tindakan | Deskripsi |
|---|---|
| Microsoft.Authorization/*/baca | Membaca peran dan penetapan peran |
| Microsoft.Insights/alertRules/baca | Membaca pemberitahuan metrik klasik |
| Microsoft.operationalInsights/ruang kerja/*/baca | Menampilkan data analitik log |
| Microsoft.Resources/penyebaran/*/baca | |
| Microsoft.Resources/langganan/resourceGroups/baca | Mendapatkan atau mencantumkan grup sumber daya. |
| Microsoft.Security/*/baca | Membaca komponen dan kebijakan keamanan |
| Microsoft.IoTSecurity/*/read | |
| Microsoft.Support/*/baca | |
| Microsoft.Security/iotDefenderSettings/packageDownloads/tindakan | Mendapatkan informasi paket IoT Defender yang dapat diunduh |
| Microsoft.Security/iotDefenderSettings/downloadManagerActivation/tindakan | Unduh file aktivasi manajer dengan data kuota langganan |
| Microsoft.Security/iotSensors/downloadResetPassword/tindakan | Unduhan reset file kata sandi untuk Sensor IoT |
| Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | Mendapatkan informasi paket IoT Defender yang dapat diunduh |
| Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | Unduh file aktivasi manajer |
| Microsoft.Management/managementGroups/baca | Grup manajemen daftar untuk pengguna yang diautentikasi. |
| NotActions | |
| Tidak ada | |
| DataActions | |
| Tidak ada | |
| NotDataActions | |
| Tidak ada |
{
"assignableScopes": [
"/"
],
"description": "Security Reader Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",
"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}