
Use Role-Based Access Control to manage access to your Azure subscription resources

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can grant only the amount of access that users need to perform their jobs. This article helps you get up and running with RBAC in the Azure portal. If you want more details about how RBAC helps you manage access, see What is Role-Based Access Control.

Within each subscription, you can grant up to 2000 role assignments.

View access

You can see who has access to a resource, resource group, or subscription from its main blade in the Azure portal. For example, we want to see who has access to one of our resource groups:

  1. Select Resource groups in the navigation bar on the left.
  2. Select the name of the resource group from the Resource groups blade.
  3. Select Access control (IAM) from the left menu.
  4. The Access control blade lists all users, groups, and applications that have been granted access to the resource group.

    [Screenshot: Users blade, inherited vs. assigned access]

Notice that some roles are scoped to This resource while others are Inherited from another scope. Access is either assigned specifically to the resource group or inherited from an assignment to the parent subscription.

Note

Classic subscription administrators and co-administrators are considered owners of the subscription in the new RBAC model.

Add access

You grant access from within the resource, resource group, or subscription that is the scope of the role assignment.

  1. Select Add on the Access control blade.
  2. Select the role that you wish to assign from the Select a role blade.
  3. Select the user, group, or application in your directory that you wish to grant access to. You can search the directory with display names, email addresses, and object identifiers.

    [Screenshot: Add users blade, search]

  4. Select OK to create the assignment. The Adding user popup tracks the progress.

After successfully adding a role assignment, it will appear on the Users blade.

Remove access

  1. Hover your cursor over the name of the assignment that you want to remove. A check box appears next to the name.
  2. Use the check boxes to select one or more role assignments.
  3. Select Remove.
  4. Select Yes to confirm the removal.

Inherited assignments cannot be removed. If you need to remove an inherited assignment, you need to do it at the scope where the role assignment was created. In the Scope column, next to Inherited, there is a link that takes you to the resource where this role was assigned. Go to the resource listed there to remove the role assignment.
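The inherited-versus-assigned distinction above (and the limit of 2000 role assignments per subscription) can be checked outside the portal. The following is an added example, not Azure's or this article's own code: it classifies a constructed list of role assignments, shaped like the JSON that `az role assignment list --include-inherited` returns, against a target resource group, reports the scope at which each inherited assignment must be removed, and computes the headroom under the per-subscription limit. The subscription id, resource names and principals are constructed placeholders.

```python
"""Audit role assignments that apply to one scope, the way the Access control blade shows them."""

MAX_ASSIGNMENTS_PER_SUBSCRIPTION = 2000  # limit stated in the article

# Constructed placeholder ids, not real Azure resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
SITE = RG + "/providers/Microsoft.Web/sites/web1"

# Constructed sample, a subset of the fields `az role assignment list
# --include-inherited` emits for each assignment.
SAMPLE_ASSIGNMENTS = [
    {"scope": SUB, "roleDefinitionName": "Owner", "principalName": "alice@example.com"},
    {"scope": RG, "roleDefinitionName": "Contributor", "principalName": "app-deployer"},
    {"scope": SITE, "roleDefinitionName": "Reader", "principalName": "bob@example.com"},
]


def _norm(scope):
    """Azure scopes compare case-insensitively; drop any trailing slash as well."""
    return scope.rstrip("/").lower()


def classify(assignments, scope):
    """Split assignments into those made at `scope` itself and those inherited
    from an ancestor scope. Assignments on child resources do not apply here."""
    target = _norm(scope)
    here, inherited = [], []
    for a in assignments:
        s = _norm(a["scope"])
        if s == target:
            here.append(a)
        elif target.startswith(s + "/"):
            inherited.append(a)
    return here, inherited


def removal_scope(assignment):
    """An inherited assignment cannot be removed at the child; it must be removed
    where it was created, which is the assignment's own scope."""
    return assignment["scope"]


def assignment_headroom(assignments, subscription_scope):
    """How many more role assignments the subscription can hold: everything at
    or below the subscription counts against the 2000 limit."""
    sub = _norm(subscription_scope)
    used = sum(1 for a in assignments
               if _norm(a["scope"]) == sub or _norm(a["scope"]).startswith(sub + "/"))
    return MAX_ASSIGNMENTS_PER_SUBSCRIPTION - used
```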

[Screenshot: Users blade, Remove button disabled for inherited access]

Other tools to manage access

You can assign roles and manage access with Azure RBAC commands in tools other than the Azure portal. Follow the links to learn more about the prerequisites and get started with the Azure RBAC commands.

Next steps