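Update unifiedRoleDefinition
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the properties of a unifiedRoleDefinition object for an RBAC provider.
The following RBAC providers are currently supported:
- Cloud PC
- device management (Intune)
- directory (Azure AD)
Permissions
Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following tables the least privileged permission required to call this API. To learn more, including taking caution before choosing more privileged permissions, search for the following permissions in the Permissions reference.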
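For the Cloud PC provider

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | RoleManagement.ReadWrite.CloudPC, CloudPC.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleManagement.ReadWrite.CloudPC, CloudPC.ReadWrite.All |

For the device management (Intune) provider

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementRBAC.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementRBAC.ReadWrite.All |

For the directory (Azure AD) provider

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |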
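HTTP request
To update a role definition for the device management provider:

```http
PATCH /roleManagement/deviceManagement/roleDefinitions/{id}
```

To update a role definition for the directory provider:

```http
PATCH /roleManagement/directory/roleDefinitions/{id}
```

To update a role definition for the Cloud PC provider:

```http
PATCH /roleManagement/cloudPc/roleDefinitions/{id}
```

| Name | Description |
|---|---|
| Authorization | Bearer {token} |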
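Request body
In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body keep their previous values or are recalculated based on changes to other property values. For best performance, do not include existing values that have not changed.

| Property | Type | Description |
|---|---|---|
| description | String | The description for the role definition. Read-only when isBuiltIn is true. |
| displayName | String | The display name for the role definition. Read-only when isBuiltIn is true. Required. |
| id | String | The unique identifier for the role definition. Key, not nullable, read-only. |
| isBuiltIn | Boolean | Flag indicating whether the role definition is part of the default set included with the product or is custom. Read-only. |
| isEnabled | Boolean | Flag indicating whether the role is enabled for assignment. If false, the role is not available for assignment. Read-only when isBuiltIn is true. |
| resourceScopes | String collection | List of the scopes that the permissions granted by the role definition apply to. Currently only "/" is supported. Read-only when isBuiltIn is true. Do not use. This property will be deprecated soon. Attach the scope to the role assignment instead. |
| rolePermissions | unifiedRolePermission collection | List of permissions included in the role. Read-only when isBuiltIn is true. Required. |
| templateId | String | Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used when an identifier needs to be the same across different directories. Read-only when isBuiltIn is true. |
| inheritsPermissionsFrom | unifiedRoleDefinition collection | Read-only collection of role definitions that the given role definition inherits from. Only Azure AD roles support this property. |
| version | String | Indicates the version of the role definition. Read-only when isBuiltIn is true. |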
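One way to follow the request-body guidance above before sending the PATCH, as an added example that is not part of the original page or of any Microsoft SDK: the hypothetical `planRoleDefinitionPatch` helper refuses built-in roles and read-only properties, keeps only the values that change, and reports which resource actions the update adds or removes so a widening of privilege is reviewed first. It assumes the current definition has already been fetched, and it leaves out `resourceScopes` because the table says not to use it.

```javascript
const WRITABLE = ['description', 'displayName', 'isEnabled', 'rolePermissions', 'templateId', 'version'];
const READ_ONLY = ['id', 'isBuiltIn', 'inheritsPermissionsFrom'];
// Flatten rolePermissions into the set of allowedResourceActions strings.
function actionSet(def) {
  const out = new Set();
  for (const perm of def.rolePermissions || []) {
    for (const action of perm.allowedResourceActions || []) out.add(action);
  }
  return out;
}

// Compare the stored definition with the proposed one and return the PATCH
// body plus the permission delta a reviewer should approve before sending.
function planRoleDefinitionPatch(current, desired) {
  if (current.isBuiltIn) {
    throw new Error(`role ${current.id} is built-in; its properties are read-only`);
  }
  for (const key of Object.keys(desired)) {
    if (READ_ONLY.includes(key)) throw new Error(`"${key}" is read-only`);
    if (!WRITABLE.includes(key)) throw new Error(`"${key}" is not updated by this sketch`);
  }
  const before = actionSet(current);
  const after = 'rolePermissions' in desired ? actionSet(desired) : before;
  const added = [...after].filter((a) => !before.has(a)).sort();
  const removed = [...before].filter((a) => !after.has(a)).sort();
  // Send only properties whose value actually changes.
  const body = {};
  for (const key of WRITABLE) {
    if (key in desired && JSON.stringify(desired[key]) !== JSON.stringify(current[key])) {
      body[key] = desired[key];
    }
  }
  return { body, added, removed, widensPrivilege: added.length > 0 };
}

// Constructed sample data (placeholder id; action names are the page's).
const sampleCurrent = {
  id: '00000000-0000-0000-0000-000000000000',
  isBuiltIn: false,
  displayName: 'ExampleCustomRole',
  description: 'Read Cloud PCs',
  rolePermissions: [{ allowedResourceActions: ['Microsoft.CloudPC/CloudPCs/Read'] }],
};
const sampleDesired = {
  displayName: 'ExampleCustomRole',
  description: 'Read and reprovision Cloud PCs',
  rolePermissions: [{ allowedResourceActions: ['Microsoft.CloudPC/CloudPCs/Read', 'Microsoft.CloudPC/CloudPCs/Reprovision'] }],
};
```

For the sample pair, `planRoleDefinitionPatch(sampleCurrent, sampleDesired)` drops the unchanged `displayName` from the body and flags `Microsoft.CloudPC/CloudPCs/Reprovision` as an added action.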
Response
If successful, this method returns a 204 No Content response code.
Example 1: Update a unifiedRoleDefinition for the directory provider
Request

```http
PATCH https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/0d55728d-3e24-4309-9b1b-5ac09921475a
Content-type: application/json

{
  "description": "Update basic properties of application registrations",
  "displayName": "Application Registration Support Administrator",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/applications/basic/read"
      ]
    }
  ]
}
```
```csharp
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var unifiedRoleDefinition = new UnifiedRoleDefinition
{
    Description = "Update basic properties of application registrations",
    DisplayName = "Application Registration Support Administrator",
    RolePermissions = new List<UnifiedRolePermission>()
    {
        new UnifiedRolePermission
        {
            AllowedResourceActions = new List<String>()
            {
                "microsoft.directory/applications/basic/read"
            }
        }
    }
};

await graphClient.RoleManagement.Directory.RoleDefinitions["{unifiedRoleDefinition-id}"]
    .Request()
    .UpdateAsync(unifiedRoleDefinition);
```

```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const unifiedRoleDefinition = {
    description: 'Update basic properties of application registrations',
    displayName: 'Application Registration Support Administrator',
    rolePermissions: [
        {
            allowedResourceActions: [
                'microsoft.directory/applications/basic/read'
            ]
        }
    ]
};

await client.api('/roleManagement/directory/roleDefinitions/0d55728d-3e24-4309-9b1b-5ac09921475a')
    .version('beta')
    .update(unifiedRoleDefinition);
```

```objc
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/roleManagement/directory/roleDefinitions/0d55728d-3e24-4309-9b1b-5ac09921475a"]]];
[urlRequest setHTTPMethod:@"PATCH"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphUnifiedRoleDefinition *unifiedRoleDefinition = [[MSGraphUnifiedRoleDefinition alloc] init];
[unifiedRoleDefinition setDescription:@"Update basic properties of application registrations"];
[unifiedRoleDefinition setDisplayName:@"Application Registration Support Administrator"];
NSMutableArray *rolePermissionsList = [[NSMutableArray alloc] init];
MSGraphUnifiedRolePermission *rolePermissions = [[MSGraphUnifiedRolePermission alloc] init];
NSMutableArray *allowedResourceActionsList = [[NSMutableArray alloc] init];
[allowedResourceActionsList addObject: @"microsoft.directory/applications/basic/read"];
[rolePermissions setAllowedResourceActions:allowedResourceActionsList];
[rolePermissionsList addObject: rolePermissions];
[unifiedRoleDefinition setRolePermissions:rolePermissionsList];

NSError *error;
NSData *unifiedRoleDefinitionData = [unifiedRoleDefinition getSerializedDataWithError:&error];
[urlRequest setHTTPBody:unifiedRoleDefinitionData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        //Request Completed
}];

[meDataTask execute];
```

```java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.description = "Update basic properties of application registrations";
unifiedRoleDefinition.displayName = "Application Registration Support Administrator";
LinkedList<UnifiedRolePermission> rolePermissionsList = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission rolePermissions = new UnifiedRolePermission();
LinkedList<String> allowedResourceActionsList = new LinkedList<String>();
allowedResourceActionsList.add("microsoft.directory/applications/basic/read");
rolePermissions.allowedResourceActions = allowedResourceActionsList;
rolePermissionsList.add(rolePermissions);
unifiedRoleDefinition.rolePermissions = rolePermissionsList;

graphClient.roleManagement().directory().roleDefinitions("0d55728d-3e24-4309-9b1b-5ac09921475a")
    .buildRequest()
    .patch(unifiedRoleDefinition);
```

```go
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewUnifiedRoleDefinition()
description := "Update basic properties of application registrations"
requestBody.SetDescription(&description)
displayName := "Application Registration Support Administrator"
requestBody.SetDisplayName(&displayName)
// Build the permission entry first, then attach it to the role definition.
rolePermission := msgraphsdk.NewUnifiedRolePermission()
rolePermission.SetAdditionalData(map[string]interface{}{
	"allowedResourceActions": []string{
		"microsoft.directory/applications/basic/read",
	},
})
requestBody.SetRolePermissions([]UnifiedRolePermission{
	rolePermission,
})
unifiedRoleDefinitionId := "unifiedRoleDefinition-id"
graphClient.RoleManagement().Directory().RoleDefinitionsById(&unifiedRoleDefinitionId).Patch(requestBody)
```

```powershell
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

$params = @{
	Description = "Update basic properties of application registrations"
	DisplayName = "Application Registration Support Administrator"
	RolePermissions = @(
		@{
			AllowedResourceActions = @(
				"microsoft.directory/applications/basic/read"
			)
		}
	)
}

Update-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $unifiedRoleDefinitionId -BodyParameter $params
```
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 204 No Content
Content-type: application/json
```

Example 2: Update a unifiedRoleDefinition for the CloudPC provider
Request

```http
PATCH https://graph.microsoft.com/beta/roleManagement/cloudPc/roleDefinitions/b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff
Content-type: application/json

{
  "description": "Update basic properties and permission of application registrations",
  "displayName": "ExampleCustomRole",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "Microsoft.CloudPC/CloudPCs/Read",
        "Microsoft.CloudPC/CloudPCs/Reprovision"
      ]
    }
  ]
}
```
```csharp
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var unifiedRoleDefinition = new UnifiedRoleDefinition
{
    Description = "Update basic properties and permission of application registrations",
    DisplayName = "ExampleCustomRole",
    RolePermissions = new List<UnifiedRolePermission>()
    {
        new UnifiedRolePermission
        {
            AllowedResourceActions = new List<String>()
            {
                "Microsoft.CloudPC/CloudPCs/Read",
                "Microsoft.CloudPC/CloudPCs/Reprovision"
            }
        }
    }
};

await graphClient.RoleManagement.CloudPC.RoleDefinitions["{unifiedRoleDefinition-id}"]
    .Request()
    .UpdateAsync(unifiedRoleDefinition);
```

```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const unifiedRoleDefinition = {
    description: 'Update basic properties and permission of application registrations',
    displayName: 'ExampleCustomRole',
    rolePermissions: [
        {
            allowedResourceActions: [
                'Microsoft.CloudPC/CloudPCs/Read',
                'Microsoft.CloudPC/CloudPCs/Reprovision'
            ]
        }
    ]
};

await client.api('/roleManagement/cloudPc/roleDefinitions/b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff')
    .version('beta')
    .update(unifiedRoleDefinition);
```

```objc
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/roleManagement/cloudPc/roleDefinitions/b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff"]]];
[urlRequest setHTTPMethod:@"PATCH"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphUnifiedRoleDefinition *unifiedRoleDefinition = [[MSGraphUnifiedRoleDefinition alloc] init];
[unifiedRoleDefinition setDescription:@"Update basic properties and permission of application registrations"];
[unifiedRoleDefinition setDisplayName:@"ExampleCustomRole"];
NSMutableArray *rolePermissionsList = [[NSMutableArray alloc] init];
MSGraphUnifiedRolePermission *rolePermissions = [[MSGraphUnifiedRolePermission alloc] init];
NSMutableArray *allowedResourceActionsList = [[NSMutableArray alloc] init];
[allowedResourceActionsList addObject: @"Microsoft.CloudPC/CloudPCs/Read"];
[allowedResourceActionsList addObject: @"Microsoft.CloudPC/CloudPCs/Reprovision"];
[rolePermissions setAllowedResourceActions:allowedResourceActionsList];
[rolePermissionsList addObject: rolePermissions];
[unifiedRoleDefinition setRolePermissions:rolePermissionsList];

NSError *error;
NSData *unifiedRoleDefinitionData = [unifiedRoleDefinition getSerializedDataWithError:&error];
[urlRequest setHTTPBody:unifiedRoleDefinitionData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        //Request Completed
}];

[meDataTask execute];
```

```java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.description = "Update basic properties and permission of application registrations";
unifiedRoleDefinition.displayName = "ExampleCustomRole";
LinkedList<UnifiedRolePermission> rolePermissionsList = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission rolePermissions = new UnifiedRolePermission();
LinkedList<String> allowedResourceActionsList = new LinkedList<String>();
allowedResourceActionsList.add("Microsoft.CloudPC/CloudPCs/Read");
allowedResourceActionsList.add("Microsoft.CloudPC/CloudPCs/Reprovision");
rolePermissions.allowedResourceActions = allowedResourceActionsList;
rolePermissionsList.add(rolePermissions);
unifiedRoleDefinition.rolePermissions = rolePermissionsList;

graphClient.roleManagement().cloudPC().roleDefinitions("b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff")
    .buildRequest()
    .patch(unifiedRoleDefinition);
```

```go
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewUnifiedRoleDefinition()
description := "Update basic properties and permission of application registrations"
requestBody.SetDescription(&description)
displayName := "ExampleCustomRole"
requestBody.SetDisplayName(&displayName)
// Build the permission entry first, then attach it to the role definition.
rolePermission := msgraphsdk.NewUnifiedRolePermission()
rolePermission.SetAdditionalData(map[string]interface{}{
	"allowedResourceActions": []string{
		"Microsoft.CloudPC/CloudPCs/Read",
		"Microsoft.CloudPC/CloudPCs/Reprovision",
	},
})
requestBody.SetRolePermissions([]UnifiedRolePermission{
	rolePermission,
})
unifiedRoleDefinitionId := "unifiedRoleDefinition-id"
graphClient.RoleManagement().CloudPC().RoleDefinitionsById(&unifiedRoleDefinitionId).Patch(requestBody)
```

```powershell
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

$params = @{
	Description = "Update basic properties and permission of application registrations"
	DisplayName = "ExampleCustomRole"
	RolePermissions = @(
		@{
			AllowedResourceActions = @(
				"Microsoft.CloudPC/CloudPCs/Read"
				"Microsoft.CloudPC/CloudPCs/Reprovision"
			)
		}
	)
}

Update-MgRoleManagementCloudPcRoleDefinition -UnifiedRoleDefinitionId $unifiedRoleDefinitionId -BodyParameter $params
```
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 204 No Content
Content-type: application/json
```