
Tutorial: Create a custom role for Azure resources using Azure CLI

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. For this tutorial, you create a custom role named Reader Support Tickets using Azure CLI. The custom role allows the user to view everything in the management plane of a subscription and also open support tickets.

In this tutorial, you learn how to:

  • Create a custom role
  • List custom roles
  • Update a custom role
  • Delete a custom role

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To complete this tutorial, you will need:

Sign in to Azure CLI

Sign in to Azure CLI.

Create a custom role

The easiest way to create a custom role is to start with a JSON template, add your changes, and then create a new role.

  1. Review the list of operations for the Microsoft.Support resource provider. It's helpful to know the operations that are available when building your permissions.

    Operation                                Description
    Microsoft.Support/register/action        Registers to Support Resource Provider
    Microsoft.Support/supportTickets/read    Gets Support Ticket details (including status, severity, contact details and communications) or gets the list of Support Tickets across subscriptions.
    Microsoft.Support/supportTickets/write   Creates or Updates a Support Ticket. You can create a Support Ticket for Technical, Billing, Quotas or Subscription Management related issues. You can update severity, contact details and communications for existing support tickets.
  2. Create a new file named ReaderSupportRole.json.

  3. Open ReaderSupportRole.json in an editor and add the following JSON.

    For information about the different properties, see Custom roles for Azure resources.

    {
      "Name": "",
      "IsCustom": true,
      "Description": "",
      "Actions": [],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/{subscriptionId1}"
      ]
    }
    
  4. Add the following operations to the Actions property. These actions allow the user to view everything in the subscription and create support tickets.

    "*/read",
    "Microsoft.Support/*"
    
  5. Get the ID of your subscription using the az account list command.

    az account list --output table
    
  6. In AssignableScopes, replace {subscriptionId1} with your subscription ID.

    You must add explicit subscription IDs; otherwise, you won't be allowed to import the role into your subscription.

  7. Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."

    Your JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  8. To create the new custom role, use the az role definition create command and specify the JSON role definition file.

    az role definition create --role-definition "~/CustomRoles/ReaderSupportRole.json"
    
    {
      "additionalProperties": {},
      "assignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ],
      "description": "View everything in the subscription and also open support tickets.",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
      "name": "22222222-2222-2222-2222-222222222222",
      "permissions": [
        {
          "actions": [
            "*/read",
            "Microsoft.Support/*"
          ],
          "additionalProperties": {},
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Reader Support Tickets",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

    The new custom role is now available and can be assigned to users, groups, or service principals just like built-in roles.
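As an added example that is not part of this tutorial, the following POSIX shell script checks a role definition file the way steps 4 to 7 require before it is handed to az role definition create (the same checks apply to the file passed to az role definition update): IsCustom must be true, the {subscriptionId1} placeholder must have been replaced by an explicit subscription ID, and Actions must not grant a bare "*". The helper names, the constructed sample files and the bare-"*" rule are my own assumptions; the az command is only printed, not executed.

```shell
#!/bin/sh
# Pre-flight checks on a custom role definition before `az role definition create`.
# Added example, not from the Azure documentation; validate_role_definition and
# write_sample_roles are my own helpers and the JSON they write is constructed.
# Rules (1 and 2 reflect steps 3-7 of the tutorial, 3 is a least-privilege check):
#   1. "IsCustom" must be true.
#   2. AssignableScopes must hold an explicit /subscriptions/<GUID>, not the {subscriptionId1} placeholder.
#   3. Actions must not contain a bare "*" (that would grant every management-plane operation).
validate_role_definition() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  grep -Eq '"IsCustom"[[:space:]]*:[[:space:]]*true' "$file" \
    || { echo "$file: IsCustom must be true" >&2; return 1; }
  grep -q '{subscriptionId' "$file" \
    && { echo "$file: AssignableScopes still has a placeholder (see az account list)" >&2; return 1; }
  guid='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
  grep -Eq "\"/subscriptions/$guid\"" "$file" \
    || { echo "$file: AssignableScopes needs an explicit subscription ID" >&2; return 1; }
  grep -Eq '^[[:space:]]*"\*"[[:space:]]*,?[[:space:]]*$' "$file" \
    && { echo "$file: Actions grants a bare \"*\"; list only the operations needed" >&2; return 1; }
  return 0
}

# Writes two constructed files into $1: the untouched template from step 3
# (still carrying the placeholder) and the finished role from step 7.
write_sample_roles() {
  dir="$1"
  cat > "$dir/template.json" <<'EOF'
{ "Name": "", "IsCustom": true, "Description": "",
  "Actions": [], "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/{subscriptionId1}" ] }
EOF
  cat > "$dir/ReaderSupportRole.json" <<'EOF'
{ "Name": "Reader Support Tickets", "IsCustom": true,
  "Description": "View everything in the subscription and also open support tickets.",
  "Actions": [ "*/read", "Microsoft.Support/*" ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/00000000-0000-0000-0000-000000000000" ] }
EOF
}

# Prints the az command only when the file passes; `az` itself is not needed for the checks.
create_role_if_valid() {
  validate_role_definition "$1" || return 1
  echo "az role definition create --role-definition \"$1\""
}
```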

List custom roles

  • To list all your custom roles, use the az role definition list command with the --custom-role-only parameter.

    az role definition list --custom-role-only true
    
    [
      {
        "additionalProperties": {},
        "assignableScopes": [
          "/subscriptions/00000000-0000-0000-0000-000000000000"
        ],
        "description": "View everything in the subscription and also open support tickets.",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
        "name": "22222222-2222-2222-2222-222222222222",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Support/*",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Insights/diagnosticSettings/*/read"
            ],
            "additionalProperties": {},
            "dataActions": [],
            "notActions": [],
            "notDataActions": []
          }
        ],
        "roleName": "Reader Support Tickets",
        "roleType": "CustomRole",
        "type": "Microsoft.Authorization/roleDefinitions"
      }
    ]
    

    You can also see the custom role in the Azure portal.

    [Screenshot: the imported custom role in the Azure portal]

Update a custom role

To update the custom role, update the JSON file and then update the custom role.

  1. Open the ReaderSupportRole.json file.

  2. In Actions, add the operation to create and manage resource group deployments, "Microsoft.Resources/deployments/*". Be sure to include a comma after the previous operation.

    Your updated JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*",
        "Microsoft.Resources/deployments/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  3. To update the custom role, use the az role definition update command and specify the updated JSON file.

    az role definition update --role-definition "~/CustomRoles/ReaderSupportRole.json"
    
    {
      "additionalProperties": {},
      "assignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ],
      "description": "View everything in the subscription and also open support tickets.",
      "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222-2222-2222-2222-222222222222",
      "name": "22222222-2222-2222-2222-222222222222",
      "permissions": [
        {
          "actions": [
            "*/read",
            "Microsoft.Support/*",
            "Microsoft.Resources/deployments/*"
          ],
          "additionalProperties": {},
          "dataActions": [],
          "notActions": [],
          "notDataActions": []
        }
      ],
      "roleName": "Reader Support Tickets",
      "roleType": "CustomRole",
      "type": "Microsoft.Authorization/roleDefinitions"
    }
    

Delete a custom role

  • To delete the custom role, use the az role definition delete command and specify the role name or role ID.

    az role definition delete --name "Reader Support Tickets"
    

Next steps