Create governanceRoleAssignmentRequest
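Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a role assignment request to represent the operation you want on a role assignment. The following table lists the operations.

| Operation | Type |
|---|---|
| Assign a role assignment | AdminAdd |
| Activate an eligible role assignment | UserAdd |
| Deactivate an activated role assignment | UserRemove |
| Remove a role assignment | AdminRemove |
| Update a role assignment | AdminUpdate |
| Request to extend a role assignment | UserExtend |
| Extend a role assignment | AdminExtend |
| Request to renew an expired role assignment | UserRenew |
| Renew an expired role assignment | AdminRenew |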
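This API is available in the following national cloud deployments.

| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ❌ |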
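Permissions
The following table shows the least privileged permission required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| Microsoft Entra ID | PrivilegedAccess.ReadWrite.AzureAD | Not supported. | Not supported. |
| Azure resources | PrivilegedAccess.ReadWrite.AzureResources | Not supported. | Not supported. |
| Groups | PrivilegedAccess.ReadWrite.AzureADGroup | Not supported. | Not supported. |

HTTP request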
POST /privilegedAccess/azureResources/roleAssignmentRequests

| Name | Description |
|---|---|
| Authorization | Bearer {code} |
| Content-type | application/json |
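Request body
In the request body, supply a JSON representation of a governanceRoleAssignmentRequest object.

| Property | Type | Description |
|---|---|---|
| resourceId | String | The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. Required. |
| roleDefinitionId | String | The identifier of the Azure role definition that the role assignment request is associated with. Required. |
| subjectId | String | The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. Required. |
| assignmentState | String | The state of the assignment. The value can be Eligible and Active. Required. |
| type | String | The request type. The value can be AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, UserRenew, AdminRenew and AdminExtend. Required. |
| reason | String | The reason needs to be provided for the role assignment request for audit and review purposes. |
| schedule | governanceSchedule | The schedule of the role assignment request. For request types of UserAdd, AdminAdd, AdminUpdate, and AdminExtend, it is required. |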
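The rules in the property table above (required fields, the allowed assignmentState and type values, and the request types that need a schedule) can be checked locally before a request is sent. The following Python check is an added example, not code from the Microsoft Graph documentation or SDKs; the name validate_request, the rule that every schedule must be time-bound, the accepted duration form and the constructed bad body are assumptions of this example.

```python
import re
from datetime import datetime

# Values copied from the property table above.
REQUIRED = ("resourceId", "roleDefinitionId", "subjectId", "assignmentState", "type")
ASSIGNMENT_STATES = {"Eligible", "Active"}
REQUEST_TYPES = {"AdminAdd", "UserAdd", "AdminUpdate", "AdminRemove", "UserRemove",
                 "UserExtend", "UserRenew", "AdminRenew", "AdminExtend"}
SCHEDULE_REQUIRED_FOR = {"UserAdd", "AdminAdd", "AdminUpdate", "AdminExtend"}

# Assumption: durations use the time-only ISO 8601 form seen on this page ("PT9H").
_DURATION = re.compile(r"PT(?=\d)(\d+H)?(\d+M)?(\d+S)?")


def _parse_utc(value):
    """Parse a 'Z'-suffixed timestamp as used in the examples; None if malformed."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def _check_schedule(schedule):
    """Check the time window of a governanceSchedule dictionary."""
    problems = []
    start_raw, end_raw = schedule.get("startDateTime"), schedule.get("endDateTime")
    duration = schedule.get("duration")
    start = _parse_utc(start_raw)
    if start_raw is not None and start is None:
        problems.append("schedule.startDateTime: not an ISO 8601 timestamp")
    # Assumption (local policy, not an API rule): every schedule must be time-bound.
    if end_raw is None and duration is None:
        problems.append("schedule: neither endDateTime nor duration is set")
    if end_raw is not None:
        end = _parse_utc(end_raw)
        if end is None:
            problems.append("schedule.endDateTime: not an ISO 8601 timestamp")
        elif start is not None and end <= start:
            problems.append("schedule.endDateTime: must be later than startDateTime")
    if duration is not None and not (
        isinstance(duration, str) and _DURATION.fullmatch(duration)
    ):
        problems.append("schedule.duration: not an ISO 8601 duration such as PT9H")
    return problems


def validate_request(body):
    """Return a list of problems; an empty list means the body passes every check."""
    problems = []
    for name in REQUIRED:
        value = body.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name}: required string is missing or empty")
    state, req_type = body.get("assignmentState"), body.get("type")
    if isinstance(state, str) and state.strip() and state not in ASSIGNMENT_STATES:
        problems.append(f"assignmentState: {state!r} is not Eligible or Active")
    if isinstance(req_type, str) and req_type.strip() and req_type not in REQUEST_TYPES:
        problems.append(f"type: {req_type!r} is not a documented request type")
    schedule = body.get("schedule")
    if schedule is None:
        if isinstance(req_type, str) and req_type in SCHEDULE_REQUIRED_FOR:
            problems.append(f"schedule: required for type {req_type}")
    elif isinstance(schedule, dict):
        problems.extend(_check_schedule(schedule))
    else:
        problems.append("schedule: must be a JSON object")
    return problems


# Request body of Example 1 on this page.
EXAMPLE_1 = {
    "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "reason": "Assign an eligible role",
    "schedule": {"startDateTime": "2018-05-12T23:37:43.356Z",
                 "endDateTime": "2018-11-08T23:37:43.356Z", "type": "Once"},
}

# Constructed bad input: no subjectId, unknown state, window that ends before it starts.
CONSTRUCTED_BAD = {
    "roleDefinitionId": "<roleDefinitionId>",
    "resourceId": "<resourceId>",
    "assignmentState": "Permanent",
    "type": "AdminAdd",
    "schedule": {"startDateTime": "2018-11-08T23:37:43.356Z",
                 "endDateTime": "2018-05-12T23:37:43.356Z", "type": "Once"},
}

if __name__ == "__main__":
    for label, body in (("Example 1", EXAMPLE_1), ("constructed", CONSTRUCTED_BAD)):
        print(label, validate_request(body) or "ok")
```

Running the check in the tooling that submits requests keeps malformed or unbounded assignments from reaching the API and from depending on server-side rejection alone.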
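Response
If successful, this method returns a 201 Created response code and a governanceRoleAssignmentRequest object in the response body.
Error codes
This API returns the standard HTTP error codes. In addition, it also returns the error codes listed in the following table.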
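Examples
The following examples show how to use this API.
Example 1: Administrator assigns a user to a role
In this example, an administrator assigns the user nawu@contoso.com to the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |

Request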
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Eligible",
"type": "AdminAdd",
"reason": "Assign an eligible role",
"schedule": {
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"type": "Once"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Eligible",
Type = "AdminAdd",
Reason = "Assign an eligible role",
Schedule = new GovernanceSchedule
{
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
Type = "Once",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",\
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
"assignmentState": "Eligible",\
"type": "AdminAdd",\
"reason": "Assign an eligible role",\
"schedule": {\
"startDateTime": "2018-05-12T23:37:43.356Z",\
"endDateTime": "2018-11-08T23:37:43.356Z",\
"type": "Once"\
}\
}\
'
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "AdminAdd"
requestBody.SetType(&requestType)
reason := "Assign an eligible role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime , err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime)
scheduleType := "Once"
schedule.SetType(&scheduleType)
requestBody.SetSchedule(schedule)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("ea48ad5e-e3b0-4d10-af54-39a45bbfe68d");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminAdd");
governanceRoleAssignmentRequest.setReason("Assign an eligible role");
GovernanceSchedule schedule = new GovernanceSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:37:43.356Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-11-08T23:37:43.356Z");
schedule.setEndDateTime(endDateTime);
schedule.setType("Once");
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Eligible',
type: 'AdminAdd',
reason: 'Assign an eligible role',
schedule: {
startDateTime: '2018-05-12T23:37:43.356Z',
endDateTime: '2018-11-08T23:37:43.356Z',
type: 'Once'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('ea48ad5e-e3b0-4d10-af54-39a45bbfe68d');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminAdd');
$requestBody->setReason('Assign an eligible role');
$schedule = new GovernanceSchedule();
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:37:43.356Z'));
$schedule->setEndDateTime(new \DateTime('2018-11-08T23:37:43.356Z'));
$schedule->setType('Once');
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Eligible"
type = "AdminAdd"
reason = "Assign an eligible role"
schedule = @{
startDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
endDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
type = "Once"
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Eligible",
type = "AdminAdd",
reason = "Assign an eligible role",
schedule = GovernanceSchedule(
start_date_time = "2018-05-12T23:37:43.356Z",
end_date_time = "2018-11-08T23:37:43.356Z",
type = "Once",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "1232e4ea-741a-4be5-8044-5edabdd61672",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminAdd",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate Only",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"duration": "PT0S"
}
}
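Example 2: User activates an eligible role
In this example, the user nawu@contoso.com activates the eligible Billing Reader role.

| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |

Request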
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserAdd",
"reason": "Activate the owner role",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"duration": "PT9H"
},
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserAdd",
Reason = "Activate the owner role",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
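// TimeSpan.Parse does not accept ISO 8601 durations such as "PT9H"; XmlConvert.ToTimeSpan does
Duration = System.Xml.XmlConvert.ToTimeSpan("PT9H"),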
},
LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",\
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
"assignmentState": "Active",\
"type": "UserAdd",\
"reason": "Activate the owner role",\
"schedule": {\
"type": "Once",\
"startDateTime": "2018-05-12T23:28:43.537Z",\
"duration": "PT9H"\
},\
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"\
}\
'
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "UserAdd"
requestBody.SetType(&requestType)
reason := "Activate the owner role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime)
duration , err := abstractions.ParseISODuration("PT9H")
schedule.SetDuration(&duration)
requestBody.SetSchedule(schedule)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("8b4d1d51-08e9-4254-b0a6-b16177aae376");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserAdd");
governanceRoleAssignmentRequest.setReason("Activate the owner role");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:28:43.537Z");
schedule.setStartDateTime(startDateTime);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT9H"));
schedule.setDuration(duration);
governanceRoleAssignmentRequest.setSchedule(schedule);
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("e327f4be-42a0-47a2-8579-0a39b025b394");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserAdd',
reason: 'Activate the owner role',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:28:43.537Z',
duration: 'PT9H'
},
linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('8b4d1d51-08e9-4254-b0a6-b16177aae376');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserAdd');
$requestBody->setReason('Activate the owner role');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:28:43.537Z'));
$schedule->setDuration(new \DateInterval('PT9H'));
$requestBody->setSchedule($schedule);
$requestBody->setLinkedEligibleRoleAssignmentId('e327f4be-42a0-47a2-8579-0a39b025b394');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserAdd"
reason = "Activate the owner role"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
duration = "PT9H"
}
linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserAdd",
reason = "Activate the owner role",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:28:43.537Z",
duration = "PT9H",
),
linked_eligible_role_assignment_id = "e327f4be-42a0-47a2-8579-0a39b025b394",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
"type": "UserAdd",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Activate the owner role",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "EligibilityRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
},
{
"key": "JustificationRule",
"value": "Grant"
},
{
"key": "ActivationDayRule",
"value": "Grant"
},
{
"key": "ApprovalRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"endDateTime": "0001-01-01T00:00:00Z",
"duration": "PT9H"
}
}
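Example 3: User deactivates an assigned role
In this example, the user nawu@contoso.com deactivates the active Billing Reader role.

| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |

Request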
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserRemove",
"reason": "Deactivate the role",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserRemove",
Reason = "Deactivate the role",
LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",\
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",\
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
"assignmentState": "Active",\
"type": "UserRemove",\
"reason": "Deactivate the role",\
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"\
}\
'
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "UserRemove"
requestBody.SetType(&requestType)
reason := "Deactivate the role"
requestBody.SetReason(&reason)
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("bc75b4e6-7403-4243-bf2f-d1f6990be122");
governanceRoleAssignmentRequest.setResourceId("fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserRemove");
governanceRoleAssignmentRequest.setReason("Deactivate the role");
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("cb8a533e-02d5-42ad-8499-916b1e4822ec");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserRemove',
reason: 'Deactivate the role',
linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('bc75b4e6-7403-4243-bf2f-d1f6990be122');
$requestBody->setResourceId('fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserRemove');
$requestBody->setReason('Deactivate the role');
$requestBody->setLinkedEligibleRoleAssignmentId('cb8a533e-02d5-42ad-8499-916b1e4822ec');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserRemove"
reason = "Deactivate the role"
linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
resource_id = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserRemove",
reason = "Deactivate the role",
linked_eligible_role_assignment_id = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
"type": "UserRemove",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate only",
"schedule": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
}
}
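Example 4: Administrator removes a user from a role
In this example, an administrator removes the user nawu@contoso.com from the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |

Request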
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminRemove"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminRemove",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",\
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",\
"assignmentState": "Eligible",\
"type": "AdminRemove"\
}\
'
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "AdminRemove"
requestBody.SetType(&requestType)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("65bb4622-61f5-4f25-9d75-d0e20cf92019");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminRemove");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminRemove'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('65bb4622-61f5-4f25-9d75-d0e20cf92019');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminRemove');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminRemove"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminRemove",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminRemove",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
},
"schedule": null
}
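Example 5: Administrator updates role assignment
In this example, an administrator updates the role assignment for the user nawu@contoso.com to Owner.
Note: In addition to the permission, this example requires that the requestor have at least one Active administrator role assignment (owner or user access administrator) on the resource.

| Property | Type | Required | Value |
| --- | --- | --- | --- |
| resourceId | String | Yes | `<resourceId>` |
| roleDefinitionId | String | Yes | `<roleDefinitionId>` |
| subjectId | String | Yes | `<subjectId>` |
| assignmentState | String | Yes | Eligible/Active |
| type | String | Yes | AdminUpdate |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |

Request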
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"assignmentState": "Eligible",
"type": "AdminUpdate",
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31.000Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
AssignmentState = "Eligible",
Type = "AdminUpdate",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31.000Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",\
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",\
"assignmentState": "Eligible",\
"type": "AdminUpdate",\
"schedule": {\
"type": "Once",\
"startDateTime": "2018-03-08T05:42:45.317Z",\
"endDateTime": "2018-06-05T05:42:31.000Z"\
}\
}\
'
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
// NewGraphServiceClientWithCredentials returns the client and an error
graphClient, err := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the values are held in requestType and scheduleType
requestType := "AdminUpdate"
requestBody.SetType(&requestType)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("70521f3e-3b95-4e51-b4d2-a2f485b02103");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("1566d11d-d2b6-444a-a8de-28698682c445");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminUpdate");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-03-08T05:42:45.317Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-06-05T05:42:31.000Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
assignmentState: 'Eligible',
type: 'AdminUpdate',
schedule: {
type: 'Once',
startDateTime: '2018-03-08T05:42:45.317Z',
endDateTime: '2018-06-05T05:42:31.000Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('70521f3e-3b95-4e51-b4d2-a2f485b02103');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('1566d11d-d2b6-444a-a8de-28698682c445');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminUpdate');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-03-08T05:42:45.317Z'));
$schedule->setEndDateTime(new \DateTime('2018-06-05T05:42:31.000Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
assignmentState = "Eligible"
type = "AdminUpdate"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
endDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "1566d11d-d2b6-444a-a8de-28698682c445",
assignment_state = "Eligible",
type = "AdminUpdate",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-03-08T05:42:45.317Z",
end_date_time = "2018-06-05T05:42:31.000Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminUpdate",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31Z",
"duration": "PT0S"
}
}
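A pre-flight check for request bodies, applying the rules from the request-body table on this page (required properties, allowed `type` and `assignmentState` values, and the request types for which `schedule` is required). This is an added example, not Microsoft's code; `validate_request` and `parse_utc` are hypothetical helper names, and the end-after-start check is a sanity check added here rather than a documented rule.

```python
from datetime import datetime

# Allowed values and required properties, as listed in this page's request-body table.
REQUEST_TYPES = {"AdminAdd", "UserAdd", "AdminUpdate", "AdminRemove", "UserRemove",
                 "UserExtend", "UserRenew", "AdminRenew", "AdminExtend"}
ASSIGNMENT_STATES = {"Eligible", "Active"}
SCHEDULE_REQUIRED = {"UserAdd", "AdminAdd", "AdminUpdate", "AdminExtend"}
REQUIRED = ("resourceId", "roleDefinitionId", "subjectId", "assignmentState", "type")

# Request body from example 5 on this page.
EXAMPLE_5 = {
    "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
    "assignmentState": "Eligible",
    "type": "AdminUpdate",
    "schedule": {
        "type": "Once",
        "startDateTime": "2018-03-08T05:42:45.317Z",
        "endDateTime": "2018-06-05T05:42:31.000Z",
    },
}


def parse_utc(value):
    """Parse a timestamp in the form used on this page, e.g. 2018-03-08T05:42:45.317Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_request(body):
    """Return a list of problems found in a governanceRoleAssignmentRequest body."""
    problems = [f"missing required property: {name}" for name in REQUIRED if not body.get(name)]
    req_type, state = body.get("type"), body.get("assignmentState")
    if req_type and req_type not in REQUEST_TYPES:
        problems.append(f"unknown type: {req_type}")
    if state and state not in ASSIGNMENT_STATES:
        problems.append(f"unknown assignmentState: {state}")
    schedule = body.get("schedule")
    if req_type in SCHEDULE_REQUIRED and not schedule:
        problems.append(f"schedule is required for type {req_type}")
    if schedule and schedule.get("startDateTime") and schedule.get("endDateTime"):
        try:
            start = parse_utc(schedule["startDateTime"])
            end = parse_utc(schedule["endDateTime"])
        except ValueError:
            problems.append("schedule timestamps are not valid ISO 8601")
        else:
            # Sanity check added here; the page does not state this rule.
            if end <= start:
                problems.append("schedule endDateTime is not after startDateTime")
    return problems


if __name__ == "__main__":
    print(validate_request(EXAMPLE_5))
```
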
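Example 6: Administrator extends expiring role assignment
This example extends the expiring role assignment for the user ANUJCUSER to API Management Service Contributor.
Note: In addition to the permission, this example requires that the requestor have at least one Active administrator role assignment (owner or user access administrator) on the resource.

| Property | Type | Required | Value |
| --- | --- | --- | --- |
| resourceId | String | Yes | `<resourceId>` |
| roleDefinitionId | String | Yes | `<roleDefinitionId>` |
| subjectId | String | Yes | `<subjectId>` |
| assignmentState | String | Yes | Eligible/Active |
| type | String | Yes | AdminExtend |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |

Request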
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminExtend",
"reason": "extend role assignment",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminExtend",
Reason = "extend role assignment",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",\
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",\
"assignmentState": "Eligible",\
"type": "AdminExtend",\
"reason": "extend role assignment",\
"schedule": {\
"type": "Once",\
"startDateTime": "2018-05-12T23:53:55.327Z",\
"endDateTime": "2018-08-10T23:53:55.327Z"\
}\
}\
'
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
// NewGraphServiceClientWithCredentials returns the client and an error
graphClient, err := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the values are held in requestType and scheduleType
requestType := "AdminExtend"
requestBody.SetType(&requestType)
reason := "extend role assignment"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("0e88fd18-50f5-4ee1-9104-01c3ed910065");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminExtend");
governanceRoleAssignmentRequest.setReason("extend role assignment");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:53:55.327Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-08-10T23:53:55.327Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminExtend',
reason: 'extend role assignment',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:53:55.327Z',
endDateTime: '2018-08-10T23:53:55.327Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('0e88fd18-50f5-4ee1-9104-01c3ed910065');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminExtend');
$requestBody->setReason('extend role assignment');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:53:55.327Z'));
$schedule->setEndDateTime(new \DateTime('2018-08-10T23:53:55.327Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminExtend"
reason = "extend role assignment"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
endDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule
graph_client = GraphServiceClient(credentials, scopes)
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminExtend",
reason = "extend role assignment",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:53:55.327Z",
end_date_time = "2018-08-10T23:53:55.327Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "486f0c05-47c8-4498-9c06-086a78c83004",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminExtend",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "extend role assignment",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z",
"duration": "PT0S"
}
}
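For audit review, the returned object can be reconciled against what was submitted. The following added example (not Microsoft's code) uses the request and response from example 5, compares the echoed identifiers, compares schedule timestamps as instants (the response returns `2018-06-05T05:42:31Z` for the submitted `2018-06-05T05:42:31.000Z`), lists any `statusDetails` rule whose value is not `Grant`, and notes a missing `reason`. `review_response` is a hypothetical helper name, and treating any value other than `Grant` as needing review is an assumption.

```python
from datetime import datetime

# Request and response from example 5 on this page (response abridged to the fields used).
REQUEST = {
    "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
    "assignmentState": "Eligible",
    "type": "AdminUpdate",
    "schedule": {"type": "Once", "startDateTime": "2018-03-08T05:42:45.317Z",
                 "endDateTime": "2018-06-05T05:42:31.000Z"},
}
RESPONSE = dict(
    REQUEST,
    id="4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
    reason=None,
    status={"status": "InProgress", "subStatus": "Granted", "statusDetails": [
        {"key": "AdminRequestRule", "value": "Grant"},
        {"key": "ExpirationRule", "value": "Grant"},
        {"key": "MfaRule", "value": "Grant"}]},
    schedule={"type": "Once", "startDateTime": "2018-03-08T05:42:45.317Z",
              "endDateTime": "2018-06-05T05:42:31Z", "duration": "PT0S"},
)
ECHOED = ("roleDefinitionId", "resourceId", "subjectId", "assignmentState", "type")


def _instant(value):
    """Parse a page-style timestamp so that .000Z and Z forms compare equal."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_response(request, response):
    """Return review findings for one request/response pair."""
    findings = []
    for field in ECHOED:
        if request.get(field) != response.get(field):
            findings.append(f"{field} differs from the submitted value")
    sent = request.get("schedule") or {}
    got = response.get("schedule") or {}
    for field in ("startDateTime", "endDateTime"):
        if bool(sent.get(field)) != bool(got.get(field)):
            findings.append(f"schedule.{field} present on one side only")
        elif sent.get(field) and _instant(sent[field]) != _instant(got[field]):
            findings.append(f"schedule.{field} differs from the submitted value")
    status = response.get("status") or {}
    for rule in status.get("statusDetails") or []:
        # Assumption: only "Grant" (the value shown on this page) needs no follow-up.
        if rule.get("value") != "Grant":
            findings.append(f"rule {rule.get('key')} returned {rule.get('value')!r}")
    if not response.get("reason"):
        findings.append(f"no reason recorded for {response.get('type')} request")
    return findings


if __name__ == "__main__":
    for finding in review_response(REQUEST, RESPONSE):
        print(finding)
```
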