
Governance design for a simple workload

The goal of this guidance is to help you learn the process for designing a resource governance model in Azure to support a single team and a simple workload. You'll look at a set of hypothetical governance requirements, then go through several example implementations that satisfy those requirements.

In the foundational adoption stage, the goal is to deploy a simple workload to Azure. This results in the following requirements:

  • Identity management for a single workload owner who is responsible for deploying and maintaining the simple workload. The workload owner requires permission to create, read, update, and delete resources, as well as permission to delegate these rights to other users in the identity management system.
  • Manage all resources for the simple workload as a single management unit.

Azure licensing

Before you begin designing your governance model, it's important to understand how Azure is licensed. The administrative accounts associated with your Azure license have the highest level of access to your Azure resources, and they form the basis of your governance model.

Note

If your organization has an existing Microsoft Enterprise Agreement that does not include Azure, Azure can be added by making an upfront monetary commitment. For more information, see Licensing Azure for the enterprise.

When Azure was added to your organization's Enterprise Agreement, your organization was prompted to create an Azure account. During the account creation process, an Azure account owner was created, as well as an Azure Active Directory (Azure AD) tenant with a global administrator account. An Azure AD tenant is a logical construct that represents a secure, dedicated instance of Azure AD.

Figure 1: An Azure account with an Azure account owner and an Azure AD global administrator.

Identity management

Azure only trusts Azure AD to authenticate users and authorize user access to resources, so Azure AD is the identity management system. The Azure AD global administrator has the highest level of permissions in the tenant and can perform all actions related to identity, including creating users and assigning permissions.

The requirement is identity management for a single workload owner who is responsible for deploying and maintaining the simple workload. The workload owner requires permission to create, read, update, and delete resources, as well as permission to delegate these rights to other users in the identity management system.

The Azure AD global administrator creates the user account for the workload owner:

Figure 2: The Azure AD global administrator creates the workload owner user account.

You can't assign resource access permissions until this user is added to a subscription, so that is covered in the next two sections.

Resource management scope

As the number of resources deployed by your organization grows, the complexity of governing those resources grows as well. Azure implements a logical container hierarchy that lets your organization manage resources in groups at various levels of granularity; each level of that hierarchy is a scope.

The top level of resource management scope covered here is the subscription level. A subscription is created by the Azure account owner, who establishes the financial commitment and is responsible for paying for all Azure resources associated with the subscription:

Figure 3: The Azure account owner creates a subscription.

When the subscription is created, the Azure account owner associates an Azure AD tenant with the subscription, and this Azure AD tenant is used for authenticating and authorizing users:

Figure 4: The Azure account owner associates the Azure AD tenant with the subscription.

You may have noticed that there is currently no user associated with the subscription, which means that no one has permission to manage resources. In practice, the account owner is the owner of the subscription and has permission to take any action on any resource in it. In practical terms, the account owner is more than likely a finance person in your organization and is not responsible for creating, reading, updating, and deleting resources. Those tasks will be performed by the workload owner, so you need to add the workload owner to the subscription and assign permissions.

Since the account owner is currently the only user with permission to add the workload owner to the subscription, they add the workload owner to the subscription:

Figure 5: The Azure account owner adds the workload owner to the subscription.

The Azure account owner grants permissions to the workload owner by assigning an Azure role. An Azure role specifies a set of permissions that the workload owner has for an individual resource type or a set of resource types.

Notice that in this example, the account owner has assigned the workload owner the built-in Owner role:

Figure 6: The workload owner is assigned the built-in Owner role.

The built-in Owner role grants all permissions to the workload owner at the subscription scope, including the permission to assign roles to other users, which is what the delegation requirement calls for.

Important

The Azure account owner is responsible for the financial commitment associated with the subscription, but the workload owner now has the same permissions over its resources. The account owner must trust the workload owner to deploy resources that are within the subscription budget, and, because Owner includes the right to grant access, to delegate access only to people who should have it.

The next level of management scope is the resource group level. A resource group is a logical container for resources. Operations applied at the resource group level apply to all resources in the group. It's also important to note that a user's permissions are inherited from the next level up: a role assignment made at a scope applies to that scope and to every scope beneath it, and assignments are additive, so an assignment made at a narrower scope adds permissions rather than replacing the inherited ones.

To illustrate this, let's look at what happens when the workload owner creates a resource group:

Figure 7: The workload owner creates a resource group and inherits the built-in Owner role at the resource group scope.

Again, the built-in Owner role grants all permissions to the workload owner at the resource group scope. As discussed earlier, this role is inherited from the subscription level. If a different role is assigned to this user at the resource group scope, that assignment applies only to the resource group and the resources within it; it does not remove the Owner permissions inherited from the subscription.

The lowest level of management scope is the resource level. Operations applied at the resource level apply only to the resource itself. Again, permissions at the resource level are inherited from the resource group scope. For example, let's look at what happens if the workload owner deploys a virtual network into the resource group:

Figure 8: The workload owner creates a resource and inherits the built-in Owner role at the resource scope.

The workload owner inherits the Owner role at the resource scope, which means the workload owner has all permissions for the virtual network.

Implement the basic resource access management model

Let's move on to how to implement the governance model designed above.

To begin, your organization requires an Azure account. If your organization has an existing Microsoft Enterprise Agreement that does not include Azure, Azure can be added by making an upfront monetary commitment. For more information, see Licensing Azure for the enterprise.

When your Azure account is created, you specify a person in your organization to be the Azure account owner. An Azure Active Directory (Azure AD) tenant is then created by default, with a global administrator account. The Azure AD global administrator must create the user account for the person in your organization who is the workload owner, as described under Identity management.

Next, your Azure account owner must create a subscription and associate the Azure AD tenant with it.

Finally, now that the subscription is created and your Azure AD tenant is associated with it, the account owner can add the workload owner to the subscription with the built-in Owner role. Every resource group and resource the workload owner then creates inherits that Owner assignment.
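To make the scope inheritance from the previous section and the role assignment in the steps above concrete, here is an added Python model of how Azure role assignments resolve across subscription, resource group and resource scopes. It is an illustration written for this page, not Azure's own code or anything from this guide: the role definitions are a deliberately simplified subset of the real built-in Owner, Contributor and Reader roles, the subscription ID, principal names and resource names are constructed, and the scope-walking logic is this illustration's own. It shows that an assignment at the subscription is inherited by the resource group and the virtual network, that a narrower Reader assignment adds permissions without removing the inherited Owner permissions, and why the delegation requirement rules out Contributor: Contributor's NotActions exclude Microsoft.Authorization/*/Write, so a Contributor cannot create role assignments.

```python
"""Model of Azure RBAC scope inheritance for the single-workload governance
model above.  Added illustration, not Azure's own authorization code.

A role assignment at a scope applies to that scope and every scope beneath
it, and assignments are additive: a narrower assignment adds permissions,
it never removes inherited ones.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Role:
    name: str
    actions: tuple = ()
    not_actions: tuple = ()

    def permits(self, action: str) -> bool:
        """Azure grants Actions minus NotActions; '*' wildcards, case-insensitive."""
        act = action.lower()
        allowed = any(fnmatchcase(act, p.lower()) for p in self.actions)
        denied = any(fnmatchcase(act, p.lower()) for p in self.not_actions)
        return allowed and not denied


# Simplified subset of the built-in roles (assumption: only the entries the
# example needs are listed; the real definitions contain more NotActions).
OWNER = Role("Owner", actions=("*",))
CONTRIBUTOR = Role("Contributor", actions=("*",),
                   not_actions=("Microsoft.Authorization/*/Write",
                                "Microsoft.Authorization/*/Delete",
                                "Microsoft.Authorization/elevateAccess/Action"))
READER = Role("Reader", actions=("*/read",))


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str


def scope_chain(scope: str) -> list:
    """Subscription, resource group and resource scopes that contain `scope`,
    broadest first.  Management groups are outside this page's model."""
    parts = scope.strip("/").split("/")
    chain = []
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        chain.append("/" + "/".join(parts[:2]))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    if len(parts) > 4:
        chain.append("/" + "/".join(parts))
    if not chain:
        raise ValueError(f"unsupported scope: {scope}")
    return chain


def effective_roles(assignments, principal: str, scope: str) -> set:
    """Roles the principal holds at `scope`: direct plus inherited from ancestors."""
    ancestors = {s.lower() for s in scope_chain(scope)}
    return {a.role for a in assignments
            if a.principal == principal and a.scope.lower() in ancestors}


def is_allowed(assignments, principal: str, scope: str, action: str) -> bool:
    """Additive evaluation: any effective role that permits the action suffices."""
    return any(r.permits(action)
               for r in effective_roles(assignments, principal, scope))


def owners_at(assignments, scope: str) -> set:
    """Principals holding Owner directly at `scope`: the check an account owner
    runs on the subscription to see who can delegate access."""
    return {a.principal for a in assignments
            if a.role == OWNER and a.scope.lower() == scope.lower()}


# Constructed identifiers (not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-simple-workload"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-simple-workload"
WRITE_VNET = "Microsoft.Network/virtualNetworks/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"


def demo() -> dict:
    """Walk the page's scenario: Owner at the subscription (Figure 6) is
    inherited by the resource group (Figure 7) and the vnet (Figure 8)."""
    assignments = [Assignment("workload-owner", OWNER, SUB)]
    result = {
        "vnet_write_at_resource": is_allowed(assignments, "workload-owner", VNET, WRITE_VNET),
        "delegate_at_rg": is_allowed(assignments, "workload-owner", RG, ASSIGN_ROLE),
    }
    # A narrower assignment adds, it does not replace the inherited Owner.
    assignments.append(Assignment("workload-owner", READER, RG))
    result["still_owner_after_reader"] = is_allowed(assignments, "workload-owner", VNET, WRITE_VNET)
    # Contributor satisfies create/read/update/delete but not delegation.
    teammate = [Assignment("teammate", CONTRIBUTOR, SUB)]
    result["contributor_can_write_vnet"] = is_allowed(teammate, "teammate", VNET, WRITE_VNET)
    result["contributor_can_delegate"] = is_allowed(teammate, "teammate", RG, ASSIGN_ROLE)
    result["subscription_owners"] = owners_at(assignments, SUB)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real subscription the assignment in Figure 6 is made with `az role assignment create --assignee <user-principal-name> --role Owner --scope /subscriptions/<subscription-id>`, and the inheritance the model reproduces can be confirmed with `az role assignment list --scope <resource-group-or-resource-id> --include-inherited`.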

Next steps