
az role definition

Manage role definitions.

Commands

az role definition create Create a custom role definition.
az role definition delete Delete a role definition.
az role definition list List role definitions.
az role definition update Update a role definition.

az role definition create

Create a custom role definition.

az role definition create --role-definition
[--subscription]

Examples

Create a role with read-only access to storage and network resources, and the ability to start or restart VMs.

az role definition create --role-definition '{
    "Name": "Contoso On-call",
    "Description": "Perform VM actions and read storage and network information.",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Network/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
    ],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
    ],
    "NotDataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}'

Create a role from a file containing a JSON description.

az role definition create --role-definition @ad-role.json
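Before handing a file such as ad-role.json to --role-definition, it is worth checking what the definition actually grants. The following is an added example, not code from the Azure CLI or from this page: it evaluates an operation against Actions/NotActions and DataActions/NotDataActions using Azure RBAC's wildcard semantics ('*' matches across path segments) and lints the definition for over-broad patterns. The sample role is constructed after the page's "Contoso On-call" example with a placeholder subscription id; the lint rules, including the check for Microsoft.Authorization/roleAssignments/write, are this example's own choices.

```python
import re

# Constructed sample mirroring the page's "Contoso On-call" role (placeholder subscription id).
SAMPLE_ROLE = {
    "Name": "Contoso On-call",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Network/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
    ],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "NotDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

def matches(pattern, operation):
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None

def is_permitted(role, operation, data=False):
    """Effective permission: some allow pattern matches and no Not* pattern matches."""
    allow = role.get("DataActions" if data else "Actions", [])
    deny = role.get("NotDataActions" if data else "NotActions", [])
    return any(matches(p, operation) for p in allow) and not any(
        matches(p, operation) for p in deny)

def lint(role):
    """Return a list of findings for incomplete or over-broad definitions."""
    findings = []
    for key in ("Name", "Actions", "AssignableScopes"):
        if not role.get(key):
            findings.append(f"missing or empty '{key}'")
    if "*" in role.get("Actions", []):
        findings.append("Actions contains '*': this is Owner-equivalent")
    # Writing role assignments lets a holder grant more rights than the role itself carries
    if is_permitted(role, "Microsoft.Authorization/roleAssignments/write"):
        findings.append("role can create role assignments (privilege escalation path)")
    for scope in role.get("AssignableScopes", []):
        if scope == "/":
            findings.append("AssignableScopes includes the root scope '/'")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_ROLE) or "no findings")
```

Run it over the JSON you intend to pass as @ad-role.json (json.load it into lint) before creating the role; an empty finding list means none of the checks above fired, not that the role is minimal.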

Required Parameters

--role-definition

Description of a role as JSON, or a path to a file containing a JSON description.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role definition delete

Delete a role definition.

az role definition delete --name
[--custom-role-only {false, true}]
[--resource-group]
[--scope]
[--subscription]

Examples

Delete a role definition.

az role definition delete --name MyRole

Required Parameters

--name -n

The role's name.

Optional Parameters

--custom-role-only

Custom roles only (vs. built-in ones).

accepted values: false, true

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--scope

Scope at which the role assignment or definition applies, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role definition list

List role definitions.

az role definition list [--custom-role-only {false, true}]
[--name]
[--resource-group]
[--scope]
[--subscription]

Optional Parameters

--custom-role-only

Custom roles only (vs. built-in ones).

accepted values: false, true

--name -n

The role's name.

--resource-group -g

Use it only if the role or assignment was added at the level of a resource group.

--scope

Scope at which the role assignment or definition applies, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

az role definition update

Update a role definition.

az role definition update --role-definition
[--subscription]

Examples

Update a role using the output of "az role definition list".

az role definition update --role-definition '{
    "roleName": "Contoso On-call",
    "Description": "Perform VM actions and read storage and network information.",
    "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Network/*/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Support/*"
    ],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
    ],
    "NotDataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}'

Required Parameters

--role-definition

Description of an existing role as JSON, or a path to a file containing a JSON description.

Optional Parameters

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.