Manage portal access using role-based access control

Applies to:

  • Azure Active Directory
  • Office 365

Want to experience Defender for Endpoint? Sign up for a free trial.

Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.

Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:

Tier    Description
Tier 1  Local security operations team / IT team
        This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
Tier 2  Regional security operations team
        This team can see all the devices for their region and perform remediation actions.
Tier 3  Global security operations team
        This team consists of security experts and is authorized to see and perform all actions from the portal.

Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, which devices they can access, and which actions they can take. The RBAC framework is centered around the following controls:

  • Control who can take specific actions

    • Create custom roles and control, with granularity, which Defender for Endpoint capabilities they can access.
  • Control who can see information on a specific device group or groups

    • Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.

To implement role-based access, you'll need to define admin roles, assign the corresponding permissions, and assign Azure AD user groups to those roles.

Before you begin

Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.

Warning

Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready, to reduce the risk of being locked out of the portal.

When you first log in to Microsoft Defender Security Center, you're granted either full access or read-only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read-only access is granted to users with a Security Reader role in Azure AD.

Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user group assignments.

Warning

Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center; therefore, having the right groups ready in Azure AD is important.

Turning on role-based access control will cause users with read-only permissions (for example, users assigned to the Azure AD Security Reader role) to lose access until they are assigned to a role.

Users with admin permissions are automatically assigned the default built-in Defender for Endpoint global administrator role with full permissions. After opting in to use RBAC, you can assign additional users who are not Azure AD Global or Security Administrators to the Defender for Endpoint global administrator role.

After opting in to use RBAC, you cannot revert to the initial roles you had when you first logged into the portal.
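A minimal model of the access decision this page describes: tier roles bound to Azure AD user groups, device groups defined by tag and domain criteria, the unrestricted Defender for Endpoint global administrator role, and a Security Reader who maps to no role once RBAC is turned on. This is an added example, not Microsoft's code; the role names, device group names, tags, domains and Azure AD group names are constructed for illustration.

```python
"""Toy model of the RBAC evaluation this page describes (added illustration, not
Microsoft's code). Role, device group and Azure AD group names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    domain: str
    tags: frozenset


@dataclass(frozen=True)
class Role:
    name: str
    actions: frozenset        # capabilities the role grants, e.g. "view_alerts", "remediate"
    device_groups: frozenset  # device groups the role may see; empty set = unrestricted
    aad_groups: frozenset     # Azure AD user groups assigned to this role


# Device groups are defined by criteria (tags, domain), so membership is computed per device.
DEVICE_GROUPS = {
    "EMEA-devices": lambda d: "emea" in d.tags,
    "APAC-devices": lambda d: d.domain.endswith(".apac.corp.example"),
}

ROLES = (
    # Tier 1: triage and view alerts for its own geography only; escalates remediation to Tier 2.
    Role("Tier1-EMEA", frozenset({"view_alerts"}), frozenset({"EMEA-devices"}), frozenset({"SOC-T1-EMEA"})),
    # Tier 2: sees and remediates every device in its region.
    Role("Tier2-EMEA", frozenset({"view_alerts", "remediate"}), frozenset({"EMEA-devices"}), frozenset({"SOC-T2-EMEA"})),
    # Defender for Endpoint global administrator: all actions on all devices, regardless of device group.
    Role("Global administrator", frozenset({"*"}), frozenset(), frozenset({"SOC-T3-Global"})),
)


def groups_of(device):
    """Evaluate the device group criteria against one device."""
    return {name for name, match in DEVICE_GROUPS.items() if match(device)}


def is_allowed(user_aad_groups, action, device):
    """True if a user belonging to user_aad_groups may perform action on device.
    A user whose Azure AD groups map to no role (for example, only Security Reader
    after RBAC is turned on) is denied until assigned to a role."""
    for role in ROLES:
        if not role.aad_groups & set(user_aad_groups):
            continue
        if "*" in role.actions:
            return True  # global administrator bypasses device group scoping
        if action in role.actions and role.device_groups & groups_of(device):
            return True
    return False
```

Calling `is_allowed({"SOC-T1-EMEA"}, "remediate", emea_device)` returns False while the same user may `view_alerts` on that device, and `{"Security Reader"}` is denied everything because no role is bound to it.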