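Create governanceRoleAssignmentRequest
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a role assignment request to represent the operation you want on a role assignment. The following table lists the operations.
| Operation | Type |
|---|---|
| Assign a role assignment | AdminAdd |
| Activate an eligible role assignment | UserAdd |
| Deactivate an activated role assignment | UserRemove |
| Remove a role assignment | AdminRemove |
| Update a role assignment | AdminUpdate |
| Request to extend my role assignment | UserExtend |
| Extend a role assignment | AdminExtend |
| Request to renew my expired role assignment | UserRenew |
| Renew an expired role assignment | AdminRenew |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
Azure resources
| Permission type | Permissions |
|---|---|
| Delegated (work or school account) | PrivilegedAccess.ReadWrite.AzureResources |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
Azure AD
| Permission type | Permissions |
|---|---|
| Delegated (work or school account) | PrivilegedAccess.ReadWrite.AzureAD |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
Groups
| Permission type | Permissions |
|---|---|
| Delegated (work or school account) | PrivilegedAccess.ReadWrite.AzureADGroup |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
HTTP request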
POST /privilegedAccess/azureResources/roleAssignmentRequests
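| Name | Description |
|---|---|
| Authorization | Bearer {code} |
| Content-type | application/json |
Request body
In the request body, supply a JSON representation of a governanceRoleAssignmentRequest object.
| Property | Type | Description |
|---|---|---|
| resourceId | String | The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. Required. |
| roleDefinitionId | String | The identifier of the Azure role definition that the role assignment request is associated with. Required. |
| subjectId | String | The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. Required. |
| assignmentState | String | The state of the assignment. The value can be Eligible and Active. Required. |
| type | String | The request type. The value can be AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, AdminRenew, UserExtend, UserRenew, and AdminExtend. Required. |
| reason | String | A reason needs to be provided for the role assignment request for audit and review purposes. |
| schedule | governanceSchedule | The schedule of the role assignment request. For the request types UserAdd, AdminAdd, AdminUpdate, and AdminExtend, it is required. |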
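The rules in the table above can be checked on the client before the request is sent. The following is an added example, not code from this page or from the Microsoft Graph SDKs; the function names and the `maxActiveHours` policy cap are hypothetical, and the duration format is assumed to be the ISO 8601 time-only form used in the examples on this page.

```javascript
// Added example, not part of the Microsoft Graph SDKs: pre-flight validation of a
// governanceRoleAssignmentRequest body against the request-body table above.
const REQUEST_TYPES = new Set([
  'AdminAdd', 'UserAdd', 'AdminUpdate', 'AdminRemove', 'UserRemove',
  'AdminRenew', 'UserExtend', 'UserRenew', 'AdminExtend',
]);
const ASSIGNMENT_STATES = new Set(['Eligible', 'Active']);
// Request types for which the table marks schedule as required.
const SCHEDULE_REQUIRED = new Set(['UserAdd', 'AdminAdd', 'AdminUpdate', 'AdminExtend']);
const REQUIRED_FIELDS = ['resourceId', 'roleDefinitionId', 'subjectId', 'assignmentState', 'type'];

// Assumption: duration uses the ISO 8601 time-only form seen in the examples ("PT9H").
function durationToMs(text) {
  const m = /^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$/.exec(String(text));
  if (!m || m.slice(1).every((part) => part === undefined)) return null;
  const [h, min, s] = m.slice(1).map((part) => Number(part || 0));
  return ((h * 60 + min) * 60 + s) * 1000;
}

// Returns a list of problems; an empty list means the body passes these checks.
// policy.maxActiveHours is a hypothetical local guardrail, not a Graph setting.
function validateRoleAssignmentRequest(body, policy = {}) {
  const errors = [];
  for (const name of REQUIRED_FIELDS) {
    if (typeof body[name] !== 'string' || body[name].trim() === '') {
      errors.push(`${name} is required`);
    }
  }
  if (typeof body.type === 'string' && body.type !== '' && !REQUEST_TYPES.has(body.type)) {
    errors.push(`type "${body.type}" is not a listed request type`);
  }
  if (typeof body.assignmentState === 'string' && body.assignmentState !== '' &&
      !ASSIGNMENT_STATES.has(body.assignmentState)) {
    errors.push(`assignmentState "${body.assignmentState}" must be Eligible or Active`);
  }

  const schedule = body.schedule;
  if (schedule === undefined || schedule === null) {
    if (SCHEDULE_REQUIRED.has(body.type)) {
      errors.push(`schedule is required for type ${body.type}`);
    }
    return errors;
  }

  // Work out the requested time window from whichever fields are present.
  let windowMs = null;
  const start = schedule.startDateTime === undefined ? null : Date.parse(schedule.startDateTime);
  if (start !== null && Number.isNaN(start)) {
    errors.push('schedule.startDateTime is not a valid timestamp');
  }
  if (schedule.endDateTime !== undefined) {
    const end = Date.parse(schedule.endDateTime);
    if (Number.isNaN(end)) {
      errors.push('schedule.endDateTime is not a valid timestamp');
    } else if (start !== null && !Number.isNaN(start)) {
      if (end <= start) errors.push('schedule.endDateTime must be after startDateTime');
      else windowMs = end - start;
    }
  } else if (schedule.duration !== undefined) {
    windowMs = durationToMs(schedule.duration);
    if (windowMs === null) errors.push('schedule.duration is not in the expected PT..H..M..S form');
  }

  // Local least-privilege check: cap how long an Active assignment may last.
  if (body.assignmentState === 'Active' && policy.maxActiveHours !== undefined &&
      windowMs !== null && windowMs > policy.maxActiveHours * 3600 * 1000) {
    errors.push(`Active window exceeds the local cap of ${policy.maxActiveHours} hours`);
  }
  return errors;
}

// Request body from Example 1 on this page.
const adminAdd = {
  roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Eligible',
  type: 'AdminAdd',
  reason: 'Assign an eligible role',
  schedule: {
    startDateTime: '2018-05-12T23:37:43.356Z',
    endDateTime: '2018-11-08T23:37:43.356Z',
    type: 'Once',
  },
};
// Constructed sample: a UserAdd body with subjectId and schedule left out.
const broken = {
  roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  assignmentState: 'Active',
  type: 'UserAdd',
};

console.log(validateRoleAssignmentRequest(adminAdd));
console.log(validateRoleAssignmentRequest(broken));
```

Passing a policy object such as `{ maxActiveHours: 8 }` makes the validator reject an activation like the `PT9H` request in Example 2 before it reaches the service.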
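Response
If successful, this method returns a 201 Created response code and a governanceRoleAssignmentRequest object in the response body.
Error codes
This API returns the standard HTTP error codes. In addition, it also returns the error codes listed in the following table.
Examples
The following examples show how to use this API.
Example 1: An administrator assigns a user to a role
In this example, an administrator assigns the user nawu@contoso.com to the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request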
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Eligible",
"type": "AdminAdd",
"reason": "Assign an eligible role",
"schedule": {
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"type": "Once"
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Eligible",
Type = "AdminAdd",
Reason = "Assign an eligible role",
Schedule = new GovernanceSchedule
{
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
Type = "Once"
}
};
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
.Request()
.AddAsync(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Eligible',
type: 'AdminAdd',
reason: 'Assign an eligible role',
schedule: {
startDateTime: '2018-05-12T23:37:43.356Z',
endDateTime: '2018-11-08T23:37:43.356Z',
type: 'Once'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"];
[governanceRoleAssignmentRequest setResourceId:@"e5e7d29d-5465-45ac-885f-4716a5ee74b5"];
[governanceRoleAssignmentRequest setSubjectId:@"918e54be-12c4-4f4c-a6d3-2ee0e3661c51"];
[governanceRoleAssignmentRequest setAssignmentState:@"Eligible"];
[governanceRoleAssignmentRequest setType:@"AdminAdd"];
[governanceRoleAssignmentRequest setReason:@"Assign an eligible role"];
MSGraphGovernanceSchedule *schedule = [[MSGraphGovernanceSchedule alloc] init];
[schedule setStartDateTime: "2018-05-12T23:37:43.356Z"];
[schedule setEndDateTime: "2018-11-08T23:37:43.356Z"];
[schedule setType:@"Once"];
[governanceRoleAssignmentRequest setSchedule:schedule];
NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d";
governanceRoleAssignmentRequest.resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5";
governanceRoleAssignmentRequest.subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51";
governanceRoleAssignmentRequest.assignmentState = "Eligible";
governanceRoleAssignmentRequest.type = "AdminAdd";
governanceRoleAssignmentRequest.reason = "Assign an eligible role";
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.startDateTime = OffsetDateTimeSerializer.deserialize("2018-05-12T23:37:43.356Z");
schedule.endDateTime = OffsetDateTimeSerializer.deserialize("2018-11-08T23:37:43.356Z");
schedule.type = "Once";
governanceRoleAssignmentRequest.schedule = schedule;
graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
.buildRequest()
.post(governanceRoleAssignmentRequest);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variable is named requestType.
requestType := "AdminAdd"
requestBody.SetType(&requestType)
reason := "Assign an eligible role"
requestBody.SetReason(&reason)
schedule := msgraphsdk.NewGovernanceSchedule()
requestBody.SetSchedule(schedule)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime)
// "type" is a reserved word in Go, so the variable is named scheduleType.
scheduleType := "Once"
schedule.SetType(&scheduleType)
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
AssignmentState = "Eligible"
Type = "AdminAdd"
Reason = "Assign an eligible role"
Schedule = @{
StartDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
EndDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
Type = "Once"
}
}
New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "1232e4ea-741a-4be5-8044-5edabdd61672",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminAdd",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate Only",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"duration": "PT0S"
}
}
Example 2: A user activates an eligible role
In this example, the user nawu@contoso.com activates the eligible Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserAdd",
"reason": "Activate the owner role",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"duration": "PT9H"
},
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserAdd",
Reason = "Activate the owner role",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
Duration = new Duration("PT9H")
},
LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
};
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
.Request()
.AddAsync(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserAdd',
reason: 'Activate the owner role',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:28:43.537Z',
duration: 'PT9H'
},
linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"8b4d1d51-08e9-4254-b0a6-b16177aae376"];
[governanceRoleAssignmentRequest setResourceId:@"e5e7d29d-5465-45ac-885f-4716a5ee74b5"];
[governanceRoleAssignmentRequest setSubjectId:@"918e54be-12c4-4f4c-a6d3-2ee0e3661c51"];
[governanceRoleAssignmentRequest setAssignmentState:@"Active"];
[governanceRoleAssignmentRequest setType:@"UserAdd"];
[governanceRoleAssignmentRequest setReason:@"Activate the owner role"];
MSGraphGovernanceSchedule *schedule = [[MSGraphGovernanceSchedule alloc] init];
[schedule setType:@"Once"];
[schedule setStartDateTime: "2018-05-12T23:28:43.537Z"];
[schedule setDuration:@"PT9H"];
[governanceRoleAssignmentRequest setSchedule:schedule];
[governanceRoleAssignmentRequest setLinkedEligibleRoleAssignmentId:@"e327f4be-42a0-47a2-8579-0a39b025b394"];
NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376";
governanceRoleAssignmentRequest.resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5";
governanceRoleAssignmentRequest.subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51";
governanceRoleAssignmentRequest.assignmentState = "Active";
governanceRoleAssignmentRequest.type = "UserAdd";
governanceRoleAssignmentRequest.reason = "Activate the owner role";
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.type = "Once";
schedule.startDateTime = OffsetDateTimeSerializer.deserialize("2018-05-12T23:28:43.537Z");
schedule.duration = DatatypeFactory.newInstance().newDuration("PT9H");
governanceRoleAssignmentRequest.schedule = schedule;
governanceRoleAssignmentRequest.linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394";
graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
.buildRequest()
.post(governanceRoleAssignmentRequest);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variable is named requestType.
requestType := "UserAdd"
requestBody.SetType(&requestType)
reason := "Activate the owner role"
requestBody.SetReason(&reason)
schedule := msgraphsdk.NewGovernanceSchedule()
requestBody.SetSchedule(schedule)
// "type" is a reserved word in Go, so the variable is named scheduleType.
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime)
duration := "PT9H"
schedule.SetDuration(&duration)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
AssignmentState = "Active"
Type = "UserAdd"
Reason = "Activate the owner role"
Schedule = @{
Type = "Once"
StartDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
Duration = "PT9H"
}
LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}
New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
"type": "UserAdd",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Activate the owner role",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "EligibilityRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
},
{
"key": "JustificationRule",
"value": "Grant"
},
{
"key": "ActivationDayRule",
"value": "Grant"
},
{
"key": "ApprovalRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"endDateTime": "0001-01-01T00:00:00Z",
"duration": "PT9H"
}
}
Example 3: A user deactivates an assigned role
In this example, the user nawu@contoso.com deactivates the active Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserRemove",
"reason": "Deactivate the role",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserRemove",
Reason = "Deactivate the role",
LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
};
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
.Request()
.AddAsync(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserRemove',
reason: 'Deactivate the role',
linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"bc75b4e6-7403-4243-bf2f-d1f6990be122"];
[governanceRoleAssignmentRequest setResourceId:@"fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"];
[governanceRoleAssignmentRequest setSubjectId:@"918e54be-12c4-4f4c-a6d3-2ee0e3661c51"];
[governanceRoleAssignmentRequest setAssignmentState:@"Active"];
[governanceRoleAssignmentRequest setType:@"UserRemove"];
[governanceRoleAssignmentRequest setReason:@"Deactivate the role"];
[governanceRoleAssignmentRequest setLinkedEligibleRoleAssignmentId:@"cb8a533e-02d5-42ad-8499-916b1e4822ec"];
NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122";
governanceRoleAssignmentRequest.resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735";
governanceRoleAssignmentRequest.subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51";
governanceRoleAssignmentRequest.assignmentState = "Active";
governanceRoleAssignmentRequest.type = "UserRemove";
governanceRoleAssignmentRequest.reason = "Deactivate the role";
governanceRoleAssignmentRequest.linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec";
graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
.buildRequest()
.post(governanceRoleAssignmentRequest);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variable is named requestType.
requestType := "UserRemove"
requestBody.SetType(&requestType)
reason := "Deactivate the role"
requestBody.SetReason(&reason)
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
AssignmentState = "Active"
Type = "UserRemove"
Reason = "Deactivate the role"
LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
"type": "UserRemove",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate only",
"schedule": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
}
}
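Example 4: An administrator removes a user from a role
In this example, an administrator removes the user nawu@contoso.com from the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request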
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminRemove"
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminRemove"
};
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
.Request()
.AddAsync(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminRemove'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"65bb4622-61f5-4f25-9d75-d0e20cf92019"];
[governanceRoleAssignmentRequest setResourceId:@"e5e7d29d-5465-45ac-885f-4716a5ee74b5"];
[governanceRoleAssignmentRequest setSubjectId:@"74765671-9ca4-40d7-9e36-2f4a570608a6"];
[governanceRoleAssignmentRequest setAssignmentState:@"Eligible"];
[governanceRoleAssignmentRequest setType:@"AdminRemove"];
NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019";
governanceRoleAssignmentRequest.resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5";
governanceRoleAssignmentRequest.subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6";
governanceRoleAssignmentRequest.assignmentState = "Eligible";
governanceRoleAssignmentRequest.type = "AdminRemove";
graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
.buildRequest()
.post(governanceRoleAssignmentRequest);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variable is named requestType.
requestType := "AdminRemove"
requestBody.SetType(&requestType)
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
AssignmentState = "Eligible"
Type = "AdminRemove"
}
New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminRemove",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
},
"schedule": null
}
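Example 5: An administrator updates a role assignment
In this example, an administrator updates the role assignment of the user nawu@contoso.com to Owner.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminUpdate |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request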
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"assignmentState": "Eligible",
"type": "AdminUpdate",
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31.000Z"
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
AssignmentState = "Eligible",
Type = "AdminUpdate",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31Z")
}
};
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
.Request()
.AddAsync(governanceRoleAssignmentRequest);
JavaScript
const options = {
    authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
    roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
    resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
    subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
    assignmentState: 'Eligible',
    type: 'AdminUpdate',
    schedule: {
        type: 'Once',
        startDateTime: '2018-03-08T05:42:45.317Z',
        endDateTime: '2018-06-05T05:42:31.000Z'
    }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
    .version('beta')
    .post(governanceRoleAssignmentRequest);

Objective-C
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"70521f3e-3b95-4e51-b4d2-a2f485b02103"];
[governanceRoleAssignmentRequest setResourceId:@"e5e7d29d-5465-45ac-885f-4716a5ee74b5"];
[governanceRoleAssignmentRequest setSubjectId:@"1566d11d-d2b6-444a-a8de-28698682c445"];
[governanceRoleAssignmentRequest setAssignmentState:@"Eligible"];
[governanceRoleAssignmentRequest setType:@"AdminUpdate"];
MSGraphGovernanceSchedule *schedule = [[MSGraphGovernanceSchedule alloc] init];
[schedule setType:@"Once"];
// The original snippet passed bare C strings here. This version assumes the
// schedule's date properties are NSDate and parses the ISO 8601 timestamps.
NSISO8601DateFormatter *iso8601 = [[NSISO8601DateFormatter alloc] init];
iso8601.formatOptions = NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
[schedule setStartDateTime:[iso8601 dateFromString:@"2018-03-08T05:42:45.317Z"]];
[schedule setEndDateTime:[iso8601 dateFromString:@"2018-06-05T05:42:31.000Z"]];
[governanceRoleAssignmentRequest setSchedule:schedule];

NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        // Request completed
}];

[meDataTask execute];

Java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103";
governanceRoleAssignmentRequest.resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5";
governanceRoleAssignmentRequest.subjectId = "1566d11d-d2b6-444a-a8de-28698682c445";
governanceRoleAssignmentRequest.assignmentState = "Eligible";
governanceRoleAssignmentRequest.type = "AdminUpdate";
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.type = "Once";
schedule.startDateTime = OffsetDateTimeSerializer.deserialize("2018-03-08T05:42:45.317Z");
schedule.endDateTime = OffsetDateTimeSerializer.deserialize("2018-06-05T05:42:31Z");
governanceRoleAssignmentRequest.schedule = schedule;

graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
    .buildRequest()
    .post(governanceRoleAssignmentRequest);

Go
// THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request and schedule types get distinct names.
requestType := "AdminUpdate"
requestBody.SetType(&requestType)
schedule := msgraphsdk.NewGovernanceSchedule()
requestBody.SetSchedule(schedule)
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
if err != nil {
	panic(err)
}
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
if err != nil {
	panic(err)
}
schedule.SetEndDateTime(&endDateTime)
// Placeholder ID; the HTTP request above targets "azureResources".
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
if err != nil {
	panic(err)
}
_ = result // the created governanceRoleAssignmentRequest

PowerShell
Import-Module Microsoft.Graph.Identity.Governance

# The HTTP request above targets the azureResources provider.
$privilegedAccessId = "azureResources"

$params = @{
    RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
    SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
    AssignmentState = "Eligible"
    Type = "AdminUpdate"
    Schedule = @{
        Type = "Once"
        StartDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
        EndDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
    }
}

New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Response
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
  "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminUpdate",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": null,
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-03-08T05:42:45.317Z",
    "endDateTime": "2018-06-05T05:42:31Z",
    "duration": "PT0S"
  }
}
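Example 6: Administrator extends an expiring role assignment
This example extends the expiring role assignment for user ANUJCUSER to API Management Service Contributor.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminExtend |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request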
HTTP
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "assignmentState": "Eligible",
  "type": "AdminExtend",
  "reason": "extend role assignment",
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:53:55.327Z",
    "endDateTime": "2018-08-10T23:53:55.327Z"
  }
}

C#
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequestObject
{
    RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
    AssignmentState = "Eligible",
    Type = "AdminExtend",
    Reason = "extend role assignment",
    Schedule = new GovernanceSchedule
    {
        Type = "Once",
        StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
        EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z")
    }
};

// "{privilegedAccess-id}" is a placeholder; the HTTP request above targets "azureResources".
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests
    .Request()
    .AddAsync(governanceRoleAssignmentRequest);

JavaScript
const options = {
    authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
    roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
    resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
    subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
    assignmentState: 'Eligible',
    type: 'AdminExtend',
    reason: 'extend role assignment',
    schedule: {
        type: 'Once',
        startDateTime: '2018-05-12T23:53:55.327Z',
        endDateTime: '2018-08-10T23:53:55.327Z'
    }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
    .version('beta')
    .post(governanceRoleAssignmentRequest);

Objective-C
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/privilegedAccess/azureResources/roleAssignmentRequests"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphGovernanceRoleAssignmentRequest *governanceRoleAssignmentRequest = [[MSGraphGovernanceRoleAssignmentRequest alloc] init];
[governanceRoleAssignmentRequest setRoleDefinitionId:@"0e88fd18-50f5-4ee1-9104-01c3ed910065"];
[governanceRoleAssignmentRequest setResourceId:@"e5e7d29d-5465-45ac-885f-4716a5ee74b5"];
[governanceRoleAssignmentRequest setSubjectId:@"74765671-9ca4-40d7-9e36-2f4a570608a6"];
[governanceRoleAssignmentRequest setAssignmentState:@"Eligible"];
[governanceRoleAssignmentRequest setType:@"AdminExtend"];
[governanceRoleAssignmentRequest setReason:@"extend role assignment"];
MSGraphGovernanceSchedule *schedule = [[MSGraphGovernanceSchedule alloc] init];
[schedule setType:@"Once"];
// The original snippet passed bare C strings here. This version assumes the
// schedule's date properties are NSDate and parses the ISO 8601 timestamps.
NSISO8601DateFormatter *iso8601 = [[NSISO8601DateFormatter alloc] init];
iso8601.formatOptions = NSISO8601DateFormatWithInternetDateTime | NSISO8601DateFormatWithFractionalSeconds;
[schedule setStartDateTime:[iso8601 dateFromString:@"2018-05-12T23:53:55.327Z"]];
[schedule setEndDateTime:[iso8601 dateFromString:@"2018-08-10T23:53:55.327Z"]];
[governanceRoleAssignmentRequest setSchedule:schedule];

NSError *error;
NSData *governanceRoleAssignmentRequestData = [governanceRoleAssignmentRequest getSerializedDataWithError:&error];
[urlRequest setHTTPBody:governanceRoleAssignmentRequestData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        // Request completed
}];

[meDataTask execute];

Java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065";
governanceRoleAssignmentRequest.resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5";
governanceRoleAssignmentRequest.subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6";
governanceRoleAssignmentRequest.assignmentState = "Eligible";
governanceRoleAssignmentRequest.type = "AdminExtend";
governanceRoleAssignmentRequest.reason = "extend role assignment";
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.type = "Once";
schedule.startDateTime = OffsetDateTimeSerializer.deserialize("2018-05-12T23:53:55.327Z");
schedule.endDateTime = OffsetDateTimeSerializer.deserialize("2018-08-10T23:53:55.327Z");
governanceRoleAssignmentRequest.schedule = schedule;

graphClient.privilegedAccess("azureResources").roleAssignmentRequests()
    .buildRequest()
    .post(governanceRoleAssignmentRequest);

Go
// THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request and schedule types get distinct names.
requestType := "AdminExtend"
requestBody.SetType(&requestType)
reason := "extend role assignment"
requestBody.SetReason(&reason)
schedule := msgraphsdk.NewGovernanceSchedule()
requestBody.SetSchedule(schedule)
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
if err != nil {
	panic(err)
}
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
if err != nil {
	panic(err)
}
schedule.SetEndDateTime(&endDateTime)
// Placeholder ID; the HTTP request above targets "azureResources".
privilegedAccessId := "privilegedAccess-id"
result, err := graphClient.PrivilegedAccessById(&privilegedAccessId).RoleAssignmentRequests().Post(requestBody)
if err != nil {
	panic(err)
}
_ = result // the created governanceRoleAssignmentRequest

PowerShell
Import-Module Microsoft.Graph.Identity.Governance

# The HTTP request above targets the azureResources provider.
$privilegedAccessId = "azureResources"

$params = @{
    RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
    SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
    AssignmentState = "Eligible"
    Type = "AdminExtend"
    Reason = "extend role assignment"
    Schedule = @{
        Type = "Once"
        StartDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
        EndDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
    }
}

New-MgPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Response
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "486f0c05-47c8-4498-9c06-086a78c83004",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminExtend",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "extend role assignment",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:53:55.327Z",
    "endDateTime": "2018-08-10T23:53:55.327Z",
    "duration": "PT0S"
  }
}
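
The following is an added example, not part of the original page or of any Microsoft Graph SDK. It applies the request-body rules from this page to a governanceRoleAssignmentRequest before it is posted, and lists the statusDetails rules in a response that did not evaluate to "Grant". The function names, MAX_DAYS, and the requirement for a bounded schedule window are assumptions representing a local policy.

```javascript
// Added example: client-side pre-flight check for a governanceRoleAssignmentRequest body.
// Rules come from the request-body table on this page; MAX_DAYS is a hypothetical local policy.
const TYPES = ['AdminAdd', 'UserAdd', 'AdminUpdate', 'AdminRemove', 'UserRemove',
               'UserExtend', 'AdminExtend', 'UserRenew', 'AdminRenew'];
const SCHEDULE_REQUIRED = ['UserAdd', 'AdminAdd', 'AdminUpdate', 'AdminExtend'];
const STATES = ['Eligible', 'Active'];
const MAX_DAYS = 90; // assumption: longest assignment window local reviewers accept

function validateRoleAssignmentRequest(body) {
  const problems = [];
  for (const key of ['resourceId', 'roleDefinitionId', 'subjectId']) {
    if (typeof body[key] !== 'string' || body[key] === '') problems.push(`${key} is required`);
  }
  if (!STATES.includes(body.assignmentState)) problems.push('assignmentState must be Eligible or Active');
  if (!TYPES.includes(body.type)) problems.push(`unknown type: ${body.type}`);
  if (SCHEDULE_REQUIRED.includes(body.type)) {
    if (!body.schedule) {
      problems.push(`schedule is required for ${body.type}`);
    } else {
      // Local policy (assumption): every schedule must carry a bounded, parseable window.
      const start = Date.parse(body.schedule.startDateTime);
      const end = Date.parse(body.schedule.endDateTime);
      if (Number.isNaN(start) || Number.isNaN(end)) problems.push('schedule needs valid startDateTime and endDateTime');
      else if (end <= start) problems.push('endDateTime must be after startDateTime');
      else if ((end - start) / 86400000 > MAX_DAYS) problems.push(`window exceeds ${MAX_DAYS} days`);
    }
  }
  return problems;
}

// Keys of statusDetails entries in the 201 response whose value is not "Grant".
function rulesNotGranted(response) {
  const details = (response.status && response.status.statusDetails) || [];
  return details.filter(d => d.value !== 'Grant').map(d => d.key);
}
```

An empty array from validateRoleAssignmentRequest means the body satisfies the documented requirements and the local window limit; a non-empty array from rulesNotGranted names the rules to review before treating the request as approved.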