
Use Role-Based Access Control to manage Azure Backup recovery points

Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you can segregate duties within your team and grant users only the amount of access they need to perform their jobs.

Important

The roles provided by Azure Backup are limited to actions that can be performed in the Azure portal, or via the REST API or the Recovery Services vault PowerShell or CLI cmdlets. Actions performed in the Azure Backup agent client UI, the System Center Data Protection Manager UI, or the Azure Backup Server UI are not controlled by these roles.

Azure Backup provides three built-in roles to control backup management operations. Learn more about Azure RBAC built-in roles.

  • Backup Contributor - This role has all permissions to create and manage backups, except deleting the Recovery Services vault and giving access to others. Think of this role as the admin of backup management, able to perform every backup management operation.
  • Backup Operator - This role has permissions for everything a Backup Contributor can do, except removing backups and managing backup policies. It is equivalent to Backup Contributor except that it cannot perform destructive operations such as stopping backup with delete data or removing the registration of on-premises resources.
  • Backup Reader - This role has permission to view all backup management operations. Think of this role as a monitoring person.

If you want to define your own roles for even more control, see how to build custom roles in Azure RBAC.

Mapping Backup built-in roles to backup management actions

The following table lists the backup management actions and the corresponding minimum RBAC role, at the given scope, required to perform each operation. Where an operation lists several roles, all of them are needed.

| Management operation | Minimum RBAC role required | Scope required |
|---|---|---|
| Create Recovery Services vault | Backup Contributor | Resource group containing the vault |
| Enable backup of Azure VMs | Backup Operator | Resource group containing the vault |
|  | Virtual Machine Contributor | VM resource |
| On-demand backup of VM | Backup Operator | Recovery Services vault resource |
| Restore VM | Backup Operator | Recovery Services vault |
|  | Contributor | Resource group in which the VM will be deployed |
|  | Virtual Machine Contributor | Source VM that was backed up |
| Restore unmanaged disks VM backup | Backup Operator | Recovery Services vault resource |
|  | Virtual Machine Contributor | Source VM that was backed up |
|  | Storage Account Contributor | Storage account resource where the disks are going to be restored |
| Restore managed disks from VM backup | Backup Operator | Recovery Services vault resource |
|  | Virtual Machine Contributor | Source VM that was backed up |
|  | Storage Account Contributor | Temporary storage account selected as part of the restore to hold data from the vault before it is converted to managed disks |
|  | Contributor | Resource group to which the managed disk(s) will be restored |
| Restore individual files from VM backup | Backup Operator | Recovery Services vault resource |
|  | Virtual Machine Contributor | Source VM that was backed up |
| Create backup policy for Azure VM backup | Backup Contributor | Recovery Services vault resource |
| Modify backup policy of Azure VM backup | Backup Contributor | Recovery Services vault resource |
| Delete backup policy of Azure VM backup | Backup Contributor | Recovery Services vault resource |
| Stop backup (with retain data or delete data) on VM backup | Backup Contributor | Recovery Services vault resource |
| Register on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Operator | Recovery Services vault resource |
| Delete registered on-premises Windows Server/client/SCDPM or Azure Backup Server | Backup Contributor | Recovery Services vault resource |

Important

If you assign Virtual Machine Contributor at the VM resource scope and click Backup in the VM settings, the 'Enable Backup' screen opens even though the VM is already backed up, because the call that verifies backup status works only at the subscription level. To avoid this, either go to the vault and open the backup item view of the VM, or assign the Virtual Machine Contributor role at the subscription level.
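The table above pairs each role with a specific scope, and Azure RBAC scopes inherit downwards (a grant on a resource group applies to every resource inside it) but never upwards. The following added example, which is not Microsoft's code, audits a principal's role assignments against the minimum roles the table lists for "Enable backup of Azure VMs"; it models scope inheritance and the Backup Contributor ⊇ Backup Operator ⊇ Backup Reader ordering given in the role descriptions, and all resource ids in it are constructed placeholders.

```python
# Added example (not Microsoft's code): audit whether a principal's Azure RBAC
# assignments meet the minimum roles this page lists for a backup action. Models
# scope inheritance (a grant at a parent scope covers its children) and the
# Backup role ordering given in the role descriptions on this page.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    role: str
    scope: str  # ARM resource id, e.g. /subscriptions/<sub>/resourceGroups/<rg>

# Backup Contributor can do all a Backup Operator can, who can do all a Reader can.
BACKUP_ROLE_RANK = {"Backup Reader": 0, "Backup Operator": 1, "Backup Contributor": 2}

def role_satisfies(assigned: str, needed: str) -> bool:
    """True if the assigned role grants at least what the needed role grants."""
    if assigned == needed:
        return True
    if assigned in BACKUP_ROLE_RANK and needed in BACKUP_ROLE_RANK:
        return BACKUP_ROLE_RANK[assigned] >= BACKUP_ROLE_RANK[needed]
    return False  # other built-in roles are treated as unrelated here

def scope_covers(assigned: str, needed: str) -> bool:
    """ARM scopes nest and are case-insensitive; compare whole segments so
    /resourceGroups/rg does not cover /resourceGroups/rg2."""
    a = [s for s in assigned.lower().split("/") if s]
    n = [s for s in needed.lower().split("/") if s]
    return n[:len(a)] == a

def missing_roles(required, assignments):
    """Return the (role, scope) pairs in `required` that no assignment covers."""
    return [(role, scope) for role, scope in required
            if not any(role_satisfies(a.role, role) and scope_covers(a.scope, scope)
                       for a in assignments)]

# Constructed placeholder ids. Per the table, "Enable backup of Azure VMs" needs
# Backup Operator on the vault's resource group and VM Contributor on the VM.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/backup-rg"
VAULT = RG + "/providers/Microsoft.RecoveryServices/vaults/prod-vault"
VM = SUB + "/resourceGroups/app-rg/providers/Microsoft.Compute/virtualMachines/web01"
ENABLE_VM_BACKUP = [("Backup Operator", RG), ("Virtual Machine Contributor", VM)]

def audit_example():
    """Backup Contributor only on the vault is too narrow for this action; the
    subscription-level VM Contributor grant covers the VM by inheritance."""
    granted = [Assignment("Backup Contributor", VAULT),
               Assignment("Virtual Machine Contributor", SUB)]
    return missing_roles(ENABLE_VM_BACKUP, granted)
```

Running `audit_example()` reports that Backup Operator is still missing at the resource-group scope, even though a stronger Backup role exists one level below it.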

Minimum role requirements for Azure File share backup

The following table lists the backup management actions and the corresponding role required to perform each Azure File share operation.

| Management operation | Role required | Resources |
|---|---|---|
| Enable backup of Azure File shares | Backup Contributor | Recovery Services vault |
|  | Storage Account Contributor | Storage account resource |
| On-demand backup of VM | Backup Operator | Recovery Services vault |
| Restore File share | Backup Operator | Recovery Services vault |
|  | Storage Account Contributor | Storage account resources where the restore source and target file shares are present |
| Restore individual files | Backup Operator | Recovery Services vault |
|  | Storage Account Contributor | Storage account resources where the restore source and target file shares are present |
| Stop protection | Backup Contributor | Recovery Services vault |
| Unregister storage account from vault | Backup Contributor | Recovery Services vault |
|  | Storage Account Contributor | Storage account resource |

Next steps