
Manage access to Azure resources using RBAC and the Azure portal

Role-based access control (RBAC) is the way that you manage access to Azure resources. This article describes how you manage access using the Azure portal. If you need to manage access to Azure Active Directory itself, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add and remove role assignments, you must have:

Overview of Access control (IAM)

Access control (IAM) is the blade that you use to manage access to Azure resources. It is also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.

Figure: Access control (IAM) blade for a subscription

The following table describes what some of the elements are used for:

  #   Element                                         What you use it for
  1   Resource where Access control (IAM) is opened   Identify the scope (a subscription in this example)
  2   Add button                                      Add role assignments
  3   Check access tab                                View the role assignments for a single security principal
  4   Role assignments tab                            View the role assignments at the current scope
  5   Roles tab                                       View all roles and their permissions

To be most effective with the Access control (IAM) blade, it helps if you can answer the following three questions when you are trying to manage access:

  1. Who needs access?

    Who refers to a user, group, service principal, or managed identity. This is also called a security principal.

  2. What permissions do they need?

    Permissions are grouped together into roles. You can select from a list of several built-in roles.

  3. Where do they need access?

    Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the scope. An assignment at a scope is inherited by everything beneath it, so choose the narrowest scope that covers what the principal actually needs.

Open Access control (IAM)

The first thing you need to decide is where to open the Access control (IAM) blade. It depends on what resources you want to manage access for. Do you want to manage access for everything in a management group, everything in a subscription, everything in a resource group, or a single resource?

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

    The following shows an example of the Access control (IAM) blade for a subscription. If you make any access control changes here, they apply to the entire subscription and to every resource group and resource in it.

    Figure: Access control (IAM) blade for a subscription

View roles and permissions

A role definition is a collection of permissions that you use for role assignments. Azure has over 70 built-in roles for Azure resources. Follow these steps to view the available roles and permissions.

  1. Open Access control (IAM) at any scope.

  2. Click the Roles tab to see a list of all the built-in and custom roles.

    You can see the number of users and groups that are assigned to each role at the current scope.

    Figure: Roles list

  3. Click an individual role to see who has been assigned this role and to view the permissions for the role.

    Figure: Role assignments for a role

View role assignments

When managing access, you want to know who has access, what their permissions are, and at what scope. To list the access of a user, group, service principal, or managed identity, you view its role assignments.

View role assignments for a single user

Follow these steps to view the access of a single user, group, service principal, or managed identity at a particular scope.

  1. Open Access control (IAM) at the scope (management group, subscription, resource group, or resource) where you want to view access.

  2. Click the Check access tab.

    Figure: Access control - Check access tab

  3. In the Find list, select the type of security principal you want to check access for.

  4. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

    Figure: Check access selection list

  5. Click the security principal to open the assignments pane.

    Figure: Assignments pane

    On this pane, you can see the roles assigned to the selected security principal and the scope of each. If there are any deny assignments at this scope or inherited to this scope, they are listed as well; a deny assignment blocks the action even if a role assignment would otherwise grant it.

View all role assignments at a scope

  1. Open Access control (IAM) at the scope (management group, subscription, resource group, or resource) where you want to view access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

    Figure: Access control - Role assignments tab

    On the Role assignments tab, you can see who has access at this scope. Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to this resource or inherited from an assignment at a parent scope.

Add a role assignment

In RBAC, to grant access, you assign a role to a user, group, service principal, or managed identity. Follow these steps to grant access at different scopes.

Assign a role at a scope

  1. Open Access control (IAM) at the scope (management group, subscription, resource group, or resource) where you want to grant access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permission to assign roles (that is, Microsoft.Authorization/roleAssignments/write at that scope, which the Owner and User Access Administrator roles include), the Add role assignment option is disabled.

    Figure: Add menu

    Figure: Add role assignment pane

  4. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  5. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  6. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others. Because Owner is the most privileged role, assign it to as few identities as possible and prefer a narrower role or scope wherever one suffices. These steps are the same as for any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to grant access.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permission to assign roles, the Add role assignment option is disabled.

    Figure: Add menu

    Figure: Add role assignment pane

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.

Remove role assignments

In RBAC, to remove access, you remove a role assignment. Follow these steps to remove access.

  1. Open Access control (IAM) at the scope (management group, subscription, resource group, or resource) where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Figure: Role assignment selected for removal

  4. Click Remove.

    Figure: Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    Inherited role assignments cannot be removed at a child scope. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the Scope column, next to (Inherited), there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.

    Figure: Scope column with the (Inherited) link
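The following is an added example, not code from this article or from Azure. It is a small Python model of the behaviour the portal steps above rely on: Check access (role assignments plus deny assignments, which win over any grant), the Role assignments tab (This resource versus (Inherited)), the disabled Add role assignment option for an actor lacking roleAssignments/write, and the rule that an inherited assignment can only be removed at the scope where it was created. The role definitions are simplified shapes of the built-in roles, and every principal name, scope and subscription ID is constructed for the example.

```python
"""Toy model of Azure RBAC: who (principal), what (role), where (scope).
Added example, not Azure code; role shapes are simplified and every principal,
scope and ID below is constructed."""
from collections import namedtuple
from fnmatch import fnmatchcase

RoleDefinition = namedtuple("RoleDefinition", "actions not_actions")
RoleAssignment = namedtuple("RoleAssignment", "principal role scope")
DenyAssignment = namedtuple("DenyAssignment", "principals actions scope")

# Simplified shapes of built-in roles: Actions grant, NotActions subtract.
ROLES = {
    "Owner": RoleDefinition(("*",), ()),
    "Contributor": RoleDefinition(("*",), (
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action")),
    "Reader": RoleDefinition(("*/read",), ()),
    "Virtual Machine Contributor": RoleDefinition(("Microsoft.Compute/virtualMachines/*",), ()),
}
ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
ASSIGN_DELETE = "Microsoft.Authorization/roleAssignments/delete"


def covers(parent, child):
    """An assignment at `parent` applies to `parent` and every scope beneath it."""
    parent, child = parent.lower(), child.lower()
    return child == parent or child.startswith(parent + "/")


def matches(action, patterns):
    """Azure action matching is case-insensitive; '*' spans '/' like fnmatch's does."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


class Tenant:
    def __init__(self):
        self.assignments, self.denies = [], []

    def has_action(self, principal, action, scope):
        """Effective permission: a deny at this or a parent scope wins; otherwise
        any applicable role whose Actions minus NotActions covers the operation."""
        for d in self.denies:
            if principal in d.principals and covers(d.scope, scope) and matches(action, d.actions):
                return False
        for ra in self.assignments:
            if ra.principal == principal and covers(ra.scope, scope):
                role = ROLES[ra.role]
                if matches(action, role.actions) and not matches(action, role.not_actions):
                    return True
        return False

    def list_at_scope(self, scope):
        """The Role assignments tab: applicable assignments tagged 'This resource' or '(Inherited)'."""
        return [(ra, "This resource" if ra.scope.lower() == scope.lower() else "(Inherited)")
                for ra in self.assignments if covers(ra.scope, scope)]

    def add(self, actor, ra):
        """Add role assignment is only enabled for actors with roleAssignments/write at that scope."""
        if not self.has_action(actor, ASSIGN_WRITE, ra.scope):
            raise PermissionError(f"{actor} cannot assign roles at {ra.scope}")
        self.assignments.append(ra)

    def remove(self, actor, ra, at_scope):
        """An inherited assignment must be removed at the scope where it was created."""
        if ra.scope.lower() != at_scope.lower():
            raise ValueError(f"inherited assignment; remove it at {ra.scope}")
        if not self.has_action(actor, ASSIGN_DELETE, ra.scope):
            raise PermissionError(f"{actor} cannot remove roles at {ra.scope}")
        self.assignments.remove(ra)


# Constructed scopes: one subscription, one resource group, one VM.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/rg-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"


def demo():
    t = Tenant()
    t.assignments.append(RoleAssignment("alice", "Owner", SUB))  # the subscription administrator
    t.add("alice", RoleAssignment("bob", "Contributor", RG))
    t.add("alice", RoleAssignment("carol", "Virtual Machine Contributor", VM))
    t.denies.append(DenyAssignment(("carol",), ("Microsoft.Compute/virtualMachines/delete",), RG))
    out = {
        "bob_vm_write": t.has_action("bob", "Microsoft.Compute/virtualMachines/write", VM),
        "bob_can_delegate": t.has_action("bob", ASSIGN_WRITE, RG),  # Contributor's NotActions block it
        "carol_vm_delete": t.has_action("carol", "Microsoft.Compute/virtualMachines/delete", VM),
        "vm_tab": [(ra.principal, tag) for ra, tag in t.list_at_scope(VM)],
    }
    try:
        t.add("bob", RoleAssignment("dave", "Reader", RG))
    except PermissionError as e:
        out["bob_add_error"] = str(e)
    try:
        t.remove("alice", t.assignments[1], VM)  # bob's RG assignment, viewed from the VM
    except ValueError as e:
        out["inherited_remove_error"] = str(e)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows why the portal behaves as it does: bob's Contributor role at the resource group reaches the VM beneath it, but its NotActions stop him from delegating access, so Add role assignment would be disabled for him; carol's deny assignment at the resource group overrides the Virtual Machine Contributor grant on the VM; and alice, although Owner of the subscription, cannot remove bob's assignment from the VM's blade because it is (Inherited) from the resource group. The real evaluator also considers management groups, classic administrators and conditions, which this model omits.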

Next steps