
Tutorial: Create a custom role for Azure resources using Azure PowerShell

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. For this tutorial, you create a custom role named Reader Support Tickets using Azure PowerShell. The custom role allows the user to view everything in the management plane of a subscription and also open support tickets.

In this tutorial, you learn how to:

  • Create a custom role
  • List custom roles
  • Update a custom role
  • Delete a custom role

If you don't have an Azure subscription, create a free account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this tutorial, you will need:

Sign in to Azure PowerShell

Sign in to Azure PowerShell.

Create a custom role

The easiest way to create a custom role is to start with a built-in role, edit it, and then create a new role.

  1. In PowerShell, use the Get-AzProviderOperation command to get the list of operations for the Microsoft.Support resource provider. It's helpful to know the operations that are available to create your permissions. You can also see a list of all the operations at Azure Resource Manager resource provider operations.

    Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize
    
    Operation                              Description
    ---------                              -----------
    Microsoft.Support/register/action      Registers to Support Resource Provider
    Microsoft.Support/supportTickets/read  Gets Support Ticket details (including status, severity, contact ...
    Microsoft.Support/supportTickets/write Creates or Updates a Support Ticket. You can create a Support Tic...
    
  2. Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

    Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json
    
  3. Open the ReaderSupportRole.json file in an editor.

    The following shows the JSON output. For information about the different properties, see Custom roles.

    {
      "Name": "Reader",
      "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
      "IsCustom": false,
      "Description": "Lets you view everything, but not make any changes.",
      "Actions": [
        "*/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/"
      ]
    }
    
  4. Edit the JSON file to add the "Microsoft.Support/*" operation to the Actions property. Be sure to include a comma after the read operation. This action will allow the user to create support tickets.

  5. Get the ID of your subscription using the Get-AzSubscription command.

    Get-AzSubscription
    
  6. In AssignableScopes, add your subscription ID with the following format: "/subscriptions/00000000-0000-0000-0000-000000000000"

    You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.

  7. Delete the Id property line and change the IsCustom property to true.

  8. Change the Name and Description properties to "Reader Support Tickets" and "View everything in the subscription and also open support tickets."

    Your JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  9. To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.

    New-AzRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"
    
    Name             : Reader Support Tickets
    Id               : 22222222-2222-2222-2222-222222222222
    IsCustom         : True
    Description      : View everything in the subscription and also open support tickets.
    Actions          : {*/read, Microsoft.Support/*}
    NotActions       : {}
    DataActions      : {}
    NotDataActions   : {}
    AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000}
    

    The new custom role is now available in the Azure portal and can be assigned to users, groups, or service principals just like built-in roles.
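The nine steps above can also be carried out entirely in PowerShell with the PSRoleDefinition object, so nothing has to be edited by hand in a JSON file. The script below is an added example, not code from the original tutorial; it assumes Connect-AzAccount has already been run and that the current Az context points at the subscription the role should be scoped to.

```powershell
# Added example (not from the original tutorial): create the "Reader Support Tickets"
# custom role by modifying the built-in Reader definition in memory, then submitting it.
# Assumes Connect-AzAccount has been run and the current context is the target subscription.

# Start from the built-in Reader role, as step 2 of the tutorial does.
$role = Get-AzRoleDefinition -Name "Reader"

# A custom role receives its own Id on creation, so drop the built-in one (step 7).
$role.Id = $null
$role.IsCustom = $true

# Steps 4 and 8: new name, description, and the operation that allows opening support tickets.
$role.Name = "Reader Support Tickets"
$role.Description = "View everything in the subscription and also open support tickets."
$role.Actions.Add("Microsoft.Support/*")

# Steps 5 and 6: a custom role needs explicit subscription IDs in AssignableScopes;
# the built-in role's "/" scope is not accepted, so replace it with the current subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Step 9: submit the definition. Check for a duplicate name first, which would be rejected anyway.
$existing = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "Role '$($role.Name)' already exists (Id $($existing.Id)); use Set-AzRoleDefinition to change it."
} else {
    New-AzRoleDefinition -Role $role
}
```

Clearing AssignableScopes before adding the subscription matters: a role that keeps the "/" scope inherited from Reader is refused at creation, and a role that lists more subscriptions than it needs can be assigned in places the role author never reviewed.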

List custom roles

  • To list all your custom roles, use the Get-AzRoleDefinition command.

    Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom
    
    Name                   IsCustom
    ----                   --------
    Reader Support Tickets     True
    

    You can also see the custom role in the Azure portal.

    [Screenshot: the imported custom role in the Azure portal]

Update a custom role

To update the custom role, you can update the JSON file or use the PSRoleDefinition object.

  1. To update the JSON file, use the Get-AzRoleDefinition command to output the custom role in JSON format.

    Get-AzRoleDefinition -Name "Reader Support Tickets" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole2.json
    
  2. Open the file in an editor.

  3. In Actions, add the operation to create and manage resource group deployments, "Microsoft.Resources/deployments/*".

    Your updated JSON file should look like the following:

    {
      "Name": "Reader Support Tickets",
      "Id": "22222222-2222-2222-2222-222222222222",
      "IsCustom": true,
      "Description": "View everything in the subscription and also open support tickets.",
      "Actions": [
        "*/read",
        "Microsoft.Support/*",
        "Microsoft.Resources/deployments/*"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/00000000-0000-0000-0000-000000000000"
      ]
    }
    
  4. To update the custom role, use the Set-AzRoleDefinition command and specify the updated JSON file.

    Set-AzRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole2.json"
    
    Name             : Reader Support Tickets
    Id               : 22222222-2222-2222-2222-222222222222
    IsCustom         : True
    Description      : View everything in the subscription and also open support tickets.
    Actions          : {*/read, Microsoft.Support/*, Microsoft.Resources/deployments/*}
    NotActions       : {}
    DataActions      : {}
    NotDataActions   : {}
    AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000}
    
  5. To use the PSRoleDefinition object to update your custom role, first use the Get-AzRoleDefinition command to get the role.

    $role = Get-AzRoleDefinition "Reader Support Tickets"
    
  6. Call the Add method to add the operation to read diagnostic settings.

    $role.Actions.Add("Microsoft.Insights/diagnosticSettings/*/read")
    
  7. Use Set-AzRoleDefinition to update the role.

    Set-AzRoleDefinition -Role $role
    
    Name             : Reader Support Tickets
    Id               : 22222222-2222-2222-2222-222222222222
    IsCustom         : True
    Description      : View everything in the subscription and also open support tickets.
    Actions          : {*/read, Microsoft.Support/*, Microsoft.Resources/deployments/*,
                       Microsoft.Insights/diagnosticSettings/*/read}
    NotActions       : {}
    DataActions      : {}
    NotDataActions   : {}
    AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000}
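
Each update above widens what the role grants, and a wildcard such as "Microsoft.Resources/deployments/*" covers write and delete operations as well as reads. The script below, an added example rather than code from the original tutorial, resolves every Actions entry against the operations returned by Get-AzProviderOperation before calling Set-AzRoleDefinition, so a reviewer sees which non-read operations the role will hand out and a pattern that matches no operation (usually a typo) is reported instead of applied. It assumes you are signed in, that the "Reader Support Tickets" role from this tutorial exists, and that Get-AzProviderOperation called without a search string returns every operation.

```powershell
# Added example (not from the original tutorial): review what a role's Actions actually
# grant before applying the change with Set-AzRoleDefinition. Assumes you are signed in
# and that the "Reader Support Tickets" role from this tutorial exists.

$role = Get-AzRoleDefinition -Name "Reader Support Tickets"
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*/read")

# Management-plane operations known to the resource providers; data actions belong in
# DataActions, not Actions, so they are excluded from this check.
$allOperations = Get-AzProviderOperation | Where-Object { -not $_.IsDataAction }

$unresolved = @()
foreach ($action in $role.Actions) {
    # Expand the wildcard pattern against real operation names (case-insensitive, like RBAC).
    $matched = @($allOperations | Where-Object { $_.Operation -like $action })
    if ($matched.Count -eq 0) {
        # A pattern that matches nothing grants nothing; almost always a typo.
        $unresolved += $action
        continue
    }
    # Everything that is not a read is a change permission; surface it for review.
    $nonRead = @($matched | Where-Object { $_.Operation -notlike "*/read" })
    "{0}: {1} operation(s), {2} non-read" -f $action, $matched.Count, $nonRead.Count
    $nonRead | Select-Object -First 5 -ExpandProperty Operation | ForEach-Object { "    $_" }
}

if ($unresolved.Count -gt 0) {
    Write-Warning ("Not applying: no operation matches " + ($unresolved -join ", "))
} else {
    Set-AzRoleDefinition -Role $role
}
```

The same loop works on a role loaded from a JSON file with Get-Content and ConvertFrom-Json, which is useful when the edited file is reviewed before anyone with permission to change role definitions runs Set-AzRoleDefinition.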
    

Delete a custom role

  1. Use the Get-AzRoleDefinition command to get the ID of the custom role.

    Get-AzRoleDefinition "Reader Support Tickets"
    
  2. Use the Remove-AzRoleDefinition command and specify the role ID to delete the custom role.

    Remove-AzRoleDefinition -Id "22222222-2222-2222-2222-222222222222"
    
    Confirm
    Are you sure you want to remove role definition with id '22222222-2222-2222-2222-222222222222'.
    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"):
    
  3. When asked to confirm, type Y.
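
A role definition that still has assignments cannot be removed, and the assignments are also the record of who loses access when the role goes away. The script below is an added example, not code from the original tutorial: it looks the role up by name instead of pasting its Id, lists any remaining assignments, and only calls Remove-AzRoleDefinition when there are none. It assumes you are signed in and that the "Reader Support Tickets" role exists in the current subscription.

```powershell
# Added example (not from the original tutorial): check for assignments that still
# reference the custom role before deleting it. Assumes you are signed in and the
# role "Reader Support Tickets" exists in the current subscription.

$roleName = "Reader Support Tickets"

# Step 1 of the tutorial: resolve the role to get its Id.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) {
    throw "Role '$roleName' was not found in the current subscription."
}

# Assignments that use this role definition; each one is a principal that would lose access.
$assignments = @(Get-AzRoleAssignment -RoleDefinitionName $roleName)

if ($assignments.Count -gt 0) {
    Write-Warning "Role '$roleName' still has $($assignments.Count) assignment(s); remove them first:"
    $assignments | Format-Table DisplayName, ObjectType, Scope -AutoSize
} else {
    # Step 2 of the tutorial: delete by Id. The cmdlet prompts for confirmation (step 3).
    Remove-AzRoleDefinition -Id $role.Id
}
```

Keeping the assignment listing in the output gives an operator the evidence for the change record: which identities held the role, at which scopes, at the moment it was retired.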

Next steps