What is Azure AD entitlement management? (Preview)

Important

Azure Active Directory (Azure AD) entitlement management is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging. In most cases, there is no organized list of all the resources a user needs for a project. The project manager has a good understanding of the resources needed, the individuals involved, and how long the project will last. However, the project manager typically does not have permissions to approve or grant access to others. This scenario gets more complicated when you try to work with external individuals or companies.

Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users and also for users outside your organization.

Why use entitlement management?

Enterprise organizations often face challenges when managing access to resources, such as:

  • Users may not know what access they should have
  • Users may have difficulty locating the right individuals or right resources
  • Once users find and receive access to a resource, they may hold on to access longer than is required for business purposes

These problems are compounded for users who need access from another directory, such as external users from supply chain organizations or other business partners. For example:

  • Organizations may not know all of the specific individuals in other directories in order to be able to invite them
  • Even if organizations were able to invite these users, they may not remember to manage all of the users' access consistently

Azure AD entitlement management can help address these challenges.

What can I do with entitlement management?

Here are some of the capabilities of entitlement management:

  • Create packages of related resources that users can request
  • Define rules for how to request resources and when access expires
  • Govern the lifecycle of access for both internal and external users
  • Delegate management of resources
  • Designate approvers to approve requests
  • Create reports to track history

For an overview of Identity Governance and entitlement management, watch the following video from the Ignite 2018 conference:

What resources can I manage?

Here are the types of resources you can manage access to with entitlement management:

  • Azure AD security groups
  • Office 365 groups
  • Azure AD enterprise applications, including SaaS applications and custom-integrated applications that support federation or provisioning
  • SharePoint Online site collections and sites

You can also control access to other resources that rely upon Azure AD security groups or Office 365 groups. For example:

  • You can give users licenses for Microsoft Office 365 by using an Azure AD security group in an access package and configuring group-based licensing for that group
  • You can give users access to manage Azure resources by using an Azure AD security group in an access package and creating an Azure role assignment for that group

What are access packages and policies?

Entitlement management introduces the concept of an access package. An access package is a bundle of all the resources a user needs to work on a project or perform their job. The resources include access to groups, applications, or sites. Access packages are used to govern access for your internal employees, and also for users outside your organization. Access packages are defined in containers called catalogs.

Access packages also include one or more policies. A policy defines the rules or guardrails for obtaining access to an access package. Enabling a policy enforces that only the right users are granted access, to the right resources, and for the right amount of time.

(Diagram: Access package and policies)

With an access package and its policies, the access package manager defines:

  • Resources
  • Roles the users need for the resources
  • Internal users and external users that are eligible to request access
  • Approval process and the users that can approve or deny access
  • Duration of the user's access

The following diagram shows an example of the different elements in entitlement management. It shows two example access packages.

  • Access package 1 includes a single group as a resource. Access is defined with a policy that enables a set of users in the directory to request access.
  • Access package 2 includes a group, an application, and a SharePoint Online site as resources. Access is defined with two different policies. The first policy enables a set of users in the directory to request access. The second policy enables users in an external directory to request access.

(Diagram: Entitlement management overview)

External users

When using the Azure AD business-to-business (B2B) invite experience, you must already know the email addresses of the external guest users you want to bring into your resource directory and work with. This works well when you're working on a smaller or short-term project and you already know all the participants, but it is harder to manage if you have many users you want to work with or if the participants change over time. For example, you might be working with another organization and have one point of contact with that organization, but over time additional users from that organization will also need access.

With entitlement management, you can define a policy that allows users from organizations you specify, that are also using Azure AD, to request an access package. You can specify whether approval is required and an expiration date for the access. If approval is required, you can also designate as an approver one or more users from the external organization that you previously invited, since they are likely to know which external users from their organization need access. Once you have configured the access package, you can send a link to the access package to your contact person at the external organization. That contact can share the link with other users in the external organization, and they can use it to request the access package. Users from that organization who have already been invited into your directory can also use that link.

When a request is approved, entitlement management will provision the user with the necessary access, which may include inviting the user if they're not already in your directory. Azure AD will automatically create a B2B account for them. Note that an administrator may have previously limited which organizations are permitted for collaboration by setting a B2B allow or deny list to allow or block invites to other organizations. If the user is not permitted by the allow or deny list, then they will not be invited.

Since you do not want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access is not renewed, entitlement management will remove all access associated with that access package. If the user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their B2B account will be blocked from sign-in for 30 days and subsequently removed. This prevents the proliferation of unnecessary accounts.
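As an added example that is not part of this article and not the Azure AD API, the following Python sketch models the external-user lifecycle described above: a policy naming the eligible organizations and whether approval is required, the B2B allow/deny check applied when provisioning would invite a new guest, the 180-day expiry, and the 30-day sign-in block before a guest with no remaining assignments is removed. The `Tenant` and `Policy` classes and the use of plain integer day numbers are constructed assumptions for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the lifecycle rules this page describes (not the Azure AD API).
# Days are plain integers; 180 and 30 are the figures the text gives.

@dataclass
class Policy:
    allowed_orgs: set            # organizations whose users may request the package
    requires_approval: bool
    expiry_days: int = 180       # access is removed after this unless renewed

@dataclass
class Tenant:
    b2b_allow_list: Optional[set] = None        # None: no allow list configured
    b2b_deny_list: set = field(default_factory=set)
    guests: dict = field(default_factory=dict)       # upn -> day sign-in was blocked, or None
    assignments: dict = field(default_factory=dict)  # (upn, package) -> expiry day

    def b2b_permitted(self, org: str) -> bool:
        if org in self.b2b_deny_list:
            return False
        return self.b2b_allow_list is None or org in self.b2b_allow_list

    def request(self, upn, org, package, policy, approved, today) -> str:
        if org not in policy.allowed_orgs:
            return "not eligible"
        if policy.requires_approval and not approved:
            return "pending approval"
        if upn not in self.guests:           # provisioning invites users not yet in the directory
            if not self.b2b_permitted(org):
                return "blocked by B2B list"
            self.guests[upn] = None
        self.assignments[(upn, package)] = today + policy.expiry_days
        return "assigned"

    def run_lifecycle(self, today: int) -> list:
        expired = [k for k, exp in self.assignments.items() if today >= exp]
        for k in expired:
            del self.assignments[k]          # a renewal would have pushed the expiry out
        for upn, blocked_on in list(self.guests.items()):
            if any(u == upn for u, _ in self.assignments):
                self.guests[upn] = None          # still assigned somewhere: not blocked
            elif blocked_on is None:
                self.guests[upn] = today         # lost last assignment: block sign-in
            elif today >= blocked_on + 30:
                del self.guests[upn]             # blocked 30 days: remove the account
        return expired
```

Running `run_lifecycle` once per day against a tenant with an allow list shows a guest from a non-listed organization never being invited, and an approved guest losing access on day 180 and the account on day 210.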

Terminology

To better understand entitlement management and its documentation, you should review the following terms.

  • entitlement management: A service that assigns, revokes, and administers access packages.
  • access package: A collection of permissions and policies to resources that users can request. An access package is always contained in a catalog.
  • access request: A request to access an access package. A request typically goes through a workflow.
  • policy: A set of rules that defines the access lifecycle, such as how users get access, who can approve, and how long users have access. Example policies include employee access and external access.
  • catalog: A container of related resources and access packages.
  • General catalog: A built-in catalog that is always available. Adding resources to the General catalog requires certain permissions.
  • resource: An asset or service (such as a group, application, or site) that a user can be granted permissions to.
  • resource type: The type of resource, which includes groups, applications, and SharePoint Online sites.
  • resource role: A collection of permissions associated with a resource.
  • resource directory: A directory that has one or more resources to share.
  • assigned users: An assignment of an access package to a user or group.
  • enable: The process of making an access package available for users to request.

Roles and permissions

Entitlement management has different roles based on job function.

  • User administrator: Manage all aspects of entitlement management. Create users and groups.
  • Catalog creator: Create and manage catalogs. Typically an IT administrator or resource owner. The person that creates a catalog automatically becomes the catalog's first catalog owner.
  • Catalog owner: Edit and manage existing catalogs. Typically an IT administrator or resource owner.
  • Access package manager: Edit and manage all existing access packages within a catalog.
  • Approver: Approve requests to access packages.
  • Requestor: Request access packages.

The following table lists the permissions for each of these roles.

Task | User admin | Catalog creator | Catalog owner | Access package manager | Approver
Create a new access package in the General catalog ✔️ ✔️
Create a new access package in a catalog ✔️ ✔️
Add/remove resource roles to/from an access package ✔️ ✔️ ✔️
Specify who can request an access package ✔️ ✔️ ✔️
Directly assign a user to an access package ✔️ ✔️ ✔️
View who has an assignment to an access package ✔️ ✔️ ✔️
View an access package's requests ✔️ ✔️ ✔️
View a request's delivery errors ✔️ ✔️ ✔️
Cancel a pending request ✔️ ✔️ ✔️
Hide an access package ✔️ ✔️ ✔️
Delete an access package ✔️ ✔️ ✔️
Approve an access request ✔️
Create a catalog ✔️ ✔️
Add/remove resources to/from the General catalog ✔️
Add/remove resources to/from a catalog ✔️ ✔️
Add catalog owners or access package managers ✔️ ✔️
Edit/delete a catalog ✔️ ✔️

License requirements

Using this feature requires an Azure AD Premium P2 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, are not currently available for use in this preview.

Next steps