Edit

Mencantumkan definisi peran Azure

  • Bagaimana

Definisi peran adalah kumpulan izin yang dapat dilakukan, seperti membaca, menulis, dan menghapus. Definisi peran tersebut biasanya hanya disebut peran. Kontrol akses berbasis peran Azure (Azure RBAC) memiliki lebih dari 120 peran bawaan atau Anda dapat membuat peran kustom Anda sendiri. Artikel ini menjelaskan cara mencantumkan peran bawaan dan kustom yang dapat Anda gunakan untuk memberikan akses ke sumber daya Azure.

Untuk melihat daftar peran administrator untuk ID Microsoft Entra, lihat Izin peran administrator di ID Microsoft Entra.

Prasyarat

Tidak

portal Azure

Daftar semua peran

Ikuti langkah-langkah ini untuk mencantumkan semua peran di portal Microsoft Azure.

  1. Di portal Microsoft Azure, klik Semua layanan lalu pilih cakupan mana pun. Misalnya, Anda dapat memilih Grup manajemen, Langganan,Grup Sumber Daya, atau sumber daya.

  2. Klik sumber daya tertentu.

  3. Buka Kontrol akses (IAM).

  4. Klik tab Peran untuk melihat daftar semua peran bawaan dan kustom.

    Cuplikan layar yang menunjukkan daftar Peran menggunakan pengalaman baru.

  5. Untuk melihat izin untuk peran tertentu, di kolom Detail, klik tautan Tampilkan.

    Panel izin akan muncul.

  6. Klik tab Izin untuk menampilkan dan mencari izin untuk peran yang dipilih.

    Cuplikan layar yang menunjukkan izin peran menggunakan pengalaman baru.

Azure PowerShell

Daftar semua peran

Untuk mencantumkan semua peran di Azure PowerShell, gunakan Get-AzRoleDefinition.

Get-AzRoleDefinition | FT Name, Description

AcrImageSigner                                    acr image signer
AcrQuarantineReader                               acr quarantine data reader
AcrQuarantineWriter                               acr quarantine data writer
API Management Service Contributor                Can manage service and the APIs
API Management Service Operator Role              Can manage service but not the APIs
API Management Service Reader Role                Read-only access to service and APIs
Application Insights Component Contributor        Can manage Application Insights components
Application Insights Snapshot Debugger            Gives user permission to use Application Insights Snapshot Debugge...
Automation Job Operator                           Create and Manage Jobs using Automation Runbooks.
Automation Operator                               Automation Operators are able to start, stop, suspend, and resume ...
...

Mencantumkan definisi peran

Untuk mencantumkan detail peran tertentu, gunakan Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name>

PS C:\> Get-AzRoleDefinition "Contributor"

Name             : Contributor
Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom         : False
Description      : Lets you manage everything except access to resources.
Actions          : {*}
NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
                  Microsoft.Authorization/elevateAccess/Action}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

Mencantumkan definisi peran dalam format JSON

Untuk mencantumkan peran dalam format JSON, gunakan Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name> | ConvertTo-Json

PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

Mencantumkan izin definisi peran

Untuk mencantumkan izin untuk peran tertentu, gunakan Get-AzRoleDefinition.

Get-AzRoleDefinition <role_name> | FL Actions, NotActions

PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions    : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
            Microsoft.Authorization/elevateAccess/Action,
            Microsoft.Blueprint/blueprintAssignments/write...}

(Get-AzRoleDefinition <role_name>).Actions

PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...

Azure CLI

Daftar semua peran

Untuk mencantumkan semua peran di Azure CLI, gunakan daftar definisi peran az.

az role definition list

Contoh berikut mencantumkan nama dan deskripsi semua definisi peran yang tersedia:

az role definition list --output json --query '[].{roleName:roleName, description:description}'

[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role"
  },

  ...

]

Contoh berikut mencantumkan semua peran bawaan.

az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'

[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role",
    "roleType": "BuiltInRole"
  },
  
  ...

]

Mencantumkan definisi peran

Untuk mencantumkan detail peran, gunakan daftar definisi peran az.

az role definition list --name {roleName}

Contoh berikut mencantumkan definisi peran Kontributor:

az role definition list --name "Contributor"

[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage everything except access to resources.",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

Mencantumkan izin definisi peran

Contoh berikut hanya mencantumkan tindakan dan bukanTindakan dari peran Kontributor.

az role definition list --name "Contributor" --output json --query '[].{actions:permissions[0].actions, notActions:permissions[0].notActions}'

[
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete"
    ]
  }
]

The following example lists just the actions of the Virtual Machine Contributor role.

az role definition list --name "Virtual Machine Contributor" --output json --query '[].permissions[0].actions'

[
  [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.DevTestLab/schedules/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

    ...

    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Support/*"
  ]
]

REST API

Prasyarat

Anda harus menggunakan versi berikut:

  • 2015-07-01 atau yang lebih baru

Untuk informasi selengkapnya, lihat API versi REST API Azure RBAC.

Mencantumkan semua definisi peran

Untuk mencantumkan definisi peran dalam penyewa, gunakan Definisi Peran - Daftar REST API.

  • Contoh berikut mencantumkan semua definisi peran dalam penyewa:

    Permintaan

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01

    Respons

    {
    "value": [
        {
            "properties": {
                "roleName": "Billing Reader Plus",
                "type": "CustomRole",
                "description": "Read billing data and download invoices",
                "assignableScopes": [
                    "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                ],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/*/read",
                            "Microsoft.Billing/*/read",
                            "Microsoft.Commerce/*/read",
                            "Microsoft.Consumption/*/read",
                            "Microsoft.Management/managementGroups/read",
                            "Microsoft.CostManagement/*/read",
                            "Microsoft.Billing/invoices/download/action",
                            "Microsoft.CostManagement/exports/*"
                        ],
                        "notActions": [
                            "Microsoft.CostManagement/exports/delete"
                        ],
                        "dataActions": [],
                        "notDataActions": []
                    }
                ],
                "createdOn": "2021-05-22T21:57:23.5764138Z",
                "updatedOn": "2021-05-22T21:57:23.5764138Z",
                "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
            },
            "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
        },
        {
            "properties": {
                "roleName": "AcrPush",
                "type": "BuiltInRole",
                "description": "acr push",
                "assignableScopes": [
                    "/"
                ],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.ContainerRegistry/registries/pull/read",
                            "Microsoft.ContainerRegistry/registries/push/write"
                        ],
                        "notActions": [],
                        "dataActions": [],
                        "notDataActions": []
                    }
                ],
                "createdOn": "2018-10-29T17:52:32.5201177Z",
                "updatedOn": "2021-11-11T20:13:07.4993029Z",
                "createdBy": null,
                "updatedBy": null
            },
            "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "8311e382-0749-4cb8-b61a-304f252e45ec"
        }
    ]
}

Mencantumkan definisi peran

Untuk mencantumkan definisi peran, gunakan REST API Definisi Peran - Daftar. Untuk menyempurnakan hasil, Anda menentukan cakupan dan filter opsional.

  1. Mulai dengan permintaan berikut:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2022-04-01

    Untuk cakupan tingkat penyewa, Anda dapat menggunakan permintaan ini:

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?filter={$filter}&api-version=2022-04-01

  2. Di dalam URI, ganti {scope} dengan cakupan yang ingin Anda cantumkan definisi perannya.

    Cakupan Jenis
    providers/Microsoft.Management/managementGroups/{groupId1} Grup manajemen
    subscriptions/{subscriptionId1} Langganan
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 Grup sumber daya
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 Sumber daya

    Dalam contoh sebelumnya, microsoft.web adalah penyedia sumber daya yang merujuk ke instans App Service. Demikian pula, Anda dapat menggunakan penyedia sumber daya lain dan menentukan cakupannya. Untuk mengetahui informasi selengkapnya, lihat Penyedia sumber daya Azure dan jenis serta operasi penyedia sumber daya Azure yang didukung.

  3. Ganti {filter} dengan kondisi yang ingin Anda terapkan pada filter daftar definisi peran.

    Filter Deskripsi
    $filter=type+eq+'{type}' Mencantumkan definisi peran jenis tertentu. Jenis peran bisa berupa CustomRole atau BuiltInRole.

    Contoh berikut mencantumkan semua peran kustom dalam penyewa:

    Permintaan

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01

    Respons

    {
    "value": [
        {
            "properties": {
                "roleName": "Billing Reader Plus",
                "type": "CustomRole",
                "description": "Read billing data and download invoices",
                "assignableScopes": [
                    "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                ],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/*/read",
                            "Microsoft.Billing/*/read",
                            "Microsoft.Commerce/*/read",
                            "Microsoft.Consumption/*/read",
                            "Microsoft.Management/managementGroups/read",
                            "Microsoft.CostManagement/*/read",
                            "Microsoft.Billing/invoices/download/action",
                            "Microsoft.CostManagement/exports/*"
                        ],
                        "notActions": [
                            "Microsoft.CostManagement/exports/delete"
                        ],
                        "dataActions": [],
                        "notDataActions": []
                    }
                ],
                "createdOn": "2021-05-22T21:57:23.5764138Z",
                "updatedOn": "2021-05-22T21:57:23.5764138Z",
                "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
            },
            "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
        }
    ]
}

Mencantumkan definisi peran

Untuk mencantumkan detail peran tertentu, gunakan Definisi Peran - Dapatkan atau Definisi Peran - Get By ID REST API.

  1. Mulai dengan permintaan berikut:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

    Untuk definisi peran tingkat penyewa, Anda dapat menggunakan permintaan ini:

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

  2. Di dalam URI, ganti {scope} dengan cakupan yang ingin Anda cantumkan definisi perannya.

    Cakupan Jenis
    providers/Microsoft.Management/managementGroups/{groupId1} Grup manajemen
    subscriptions/{subscriptionId1} Langganan
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 Grup sumber daya
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 Sumber daya

  3. Ganti {roleDefinitionId} dengan pengidentifikasi definisi peran.

    Contoh berikut mencantumkan definisi peran Pembaca :

Request

GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2022-04-01

Response

{
    "properties": {
        "roleName": "Reader",
        "type": "BuiltInRole",
        "description": "View all resources, but does not allow you to make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2021-11-11T20:13:47.8628684Z",
        "createdBy": null,
        "updatedBy": null
    },
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

Konten terkait