Azure built-in roles
Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.
This article lists the Azure built-in roles. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles.
The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the control and data planes, see Understand Azure role definitions.
Built-in role | Description | ID |
---|---|---|
General | | |
Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
Compute | | |
Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
Disk Backup Reader | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
Disk Pool Operator | Provides permission to the StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 |
Disk Restore Operator | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |
Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |
Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 |
Virtual Machine Contributor | Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
Networking | | |
CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 |
CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd |
CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 |
CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af |
Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f |
DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 |
Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 |
Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f |
Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 |
Storage | | |
Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a |
Avere Operator | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b |
Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 |
Backup Reader | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 |
Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 |
Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d |
Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 |
Data Box Reader | Lets you manage Data Box Service except creating orders or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 |
Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 |
Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 |
Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab |
Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12 |
Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | ba92f5b4-2d11-453d-a403-e96b0029c9fe |
Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b |
Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 |
Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. | db58b8e5-c6ad-4a2a-8342-4190687cbf4a |
Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb |
Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7 |
Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314 |
Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 |
Storage Queue Data Message Processor | Peek, retrieve, and delete messages from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 8a0f0c08-91a1-4084-bc3d-661d67233fed |
Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a |
Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 19e7f393-937e-4f77-808e-94535e297925 |
Storage Table Data Contributor | Allows for read, write, and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 |
Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 |
Web | | |
Azure Maps Data Contributor | Grants access to read, write, and delete map-related data from an Azure Maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
Azure Maps Data Reader | Grants access to read map-related data from an Azure Maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |
Azure Spring Cloud Config Server Contributor | Allows read, write, and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b |
Azure Spring Cloud Config Server Reader | Allows read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 |
Azure Spring Cloud Data Reader | Allows read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c |
Azure Spring Cloud Service Registry Contributor | Allows read, write, and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 |
Azure Spring Cloud Service Registry Reader | Allows read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 |
Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 |
Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 |
Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c |
Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets, or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae |
Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 |
Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 |
Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f |
Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 |
SignalR AccessKey Reader | Read SignalR Service access keys | 04165923-9d83-45d5-8227-78b77b0a687e |
SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 |
SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 |
SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 |
SignalR Service Owner | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 |
SignalR/Web PubSub Contributor | Create, read, update, and delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 |
Web Plan Contributor | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
Website Contributor | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 |
Containers | | |
AcrDelete | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11 |
AcrImageSigner | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f |
AcrPull | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d |
AcrPush | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec |
AcrQuarantineReader | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04 |
AcrQuarantineWriter | Push quarantined images to or pull quarantined images from a container registry. | c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 |
Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
Databases | | |
Azure Connected SQL Server Onboarding | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. | e8113dce-c529-4d33-91fa-e9b972617508 |
Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa |
CosmosBackupOperator | Can submit a restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb |
CosmosRestoreOperator | Can perform restore actions for a Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f |
DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 |
Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 |
SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and the required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
Analytics | | |
Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec |
Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde |
Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 |
Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 |
Data Purger | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a |
HDInsight Domain Services Contributor | Can read, create, modify, and delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c |
Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 |
Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 |
Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
Stream Analytics Query Tester | Lets you perform query testing without creating a Stream Analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf |
AI + machine learning | | |
AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |
Cognitive Services Contributor | Lets you create, read, update, delete, and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
Cognitive Services Custom Vision Deployment | Publish, unpublish, or export models. Deployment can view the project but can't update it. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
Cognitive Services Custom Vision Labeler | View and edit training images, and create, add, remove, or delete image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
Cognitive Services Custom Vision Trainer | View and edit projects and train models, including the ability to publish, unpublish, and export models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find-similar operations on the Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following least-privilege best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |
Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system-level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
Cognitive Services QnA Maker Editor | Lets you create, edit, import, and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
Cognitive Services QnA Maker Reader | Lets you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |
Internet of things | | |
Device Update Administrator | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a |
Device Update Content Administrator | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 |
Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b |
Device Update Deployments Administrator | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 |
Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f |
Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |
IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f |
IoT Hub Data Reader | Allows for full read access to IoT Hub data plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 |
IoT Hub Registry Contributor | Allows for full access to the IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 |
IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c |
Mixed reality | | |
Remote Rendering Administrator | Provides the user with conversion, manage session, rendering, and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
Remote Rendering Client | Provides the user with manage session, rendering, and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a |
Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c |
Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 |
Integration | | |
API Management Service Contributor | Can manage the service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c |
API Management Service Operator Role | Can manage the service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
API Management Service Reader Role | Read-only access to the service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d |
App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
Azure Relay Listener | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
Azure Relay Owner | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
Azure Relay Sender | Allows for send access to Azure Relay resources. | 26baccc8-ea7-41f1-98f4-1762cc7f685d |
Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 |
Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
EventGrid Data Sender | Allows send access to Event Grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |
FHIR Data Contributor | Role allows a user or principal full access to FHIR data | 5a1fc7df-4bf1-4951-a576-89034ee01acd |
FHIR Data Exporter | Role allows a user or principal to read and export FHIR data | 3db33094-8700-4567-8da5-1501d4e7e843 |
FHIR Data Reader | Role allows a user or principal to read FHIR data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 |
FHIR Data Writer | Role allows a user or principal to read and write FHIR data | 3f88fce4-5892-4214-ae73-ba5294559913 |
Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts, and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e |
Logic App Contributor | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |
Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |
Identity | | |
Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations | eaeda52-9324-47f6-8069-5d5bade478b2 |
Domain Services Reader | Can view Azure AD Domain Services and related network configurations | 361898ef-9ed1-48c2-849c-a832951106bb |
Managed Identity Contributor | Create, read, update, and delete user-assigned identities | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
Managed Identity Operator | Read and assign user-assigned identities | f1a07417-d97a-45cb-824c-7a7467783830 |
Security | | |
Attestation Contributor | Can read or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
Attestation Reader | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
Key Vault Reader | Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
Managed HSM Contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
Security Admin | View and update permissions for Security Center. Same permissions as the Security Reader role, and can also update the security policy and dismiss alerts and recommendations. | fb1c8493-542b-48eb-b624-b4c8fea62acd |
Security Assessment Contributor | Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
Security Manager (Legacy) | This is a legacy role. Use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
Security Reader | View permissions for Security Center. Can view recommendations, alerts, security policies, and security states, but cannot make changes. | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 |
DevOps | | |
DevTest Labs User | Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 |
Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead |
Monitor | | |
Application Insights Component Contributor | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e |
Application Insights Snapshot Debugger | Gives the user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b |
Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb |
Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 |
Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad |
Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d |
Management and governance | | |
Automation Contributor | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 |
Automation Job Operator | Create and manage jobs using Automation runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f |
Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 |
Automation Runbook Operator | Read runbook properties, to be able to create jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |
Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd |
Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 |
Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 |
Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 |
Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster) roles and (cluster) role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 |
Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 |
Azure Connected Machine Resource Administrator | Can read, write, delete, and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 |
Billing Reader | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |
Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 |
Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 |
Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resources | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
Kubernetes Extension Contributor | Can create, update, get, list, and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
Managed Application Contributor Role | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae |
Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 |
Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46 |
Management Group Contributor | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c |
Management Group Reader | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d |
New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 |
Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 |
Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 |
Reservation Purchaser | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 |
Resource Policy Contributor | Users with rights to create/modify resource policy, create support tickets, and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 |
Site Recovery Contributor | Lets you manage the Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 |
Site Recovery Operator | Lets you fail over and fail back but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 |
Support Request Contributor | Lets you create and manage support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
Virtual desktop infrastructure | | |
Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 |
Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc |
Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 |
Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 |
Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 |
Desktop Virtualization User | Allows the user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 |
Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization User Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |
Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b |
Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d |
Other | | |
Azure Digital Twins Data Owner | Full access role for the Digital Twins data plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe |
Azure Digital Twins Data Reader | Read-only role for Digital Twins data plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 |
BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b |
General
Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Actions | Description |
---|---|
* | Create and manage resources of all types |
NotActions | |
Microsoft.Authorization/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions |
Microsoft.Authorization/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions |
Microsoft.Authorization/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope |
Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint assignments |
Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint assignments |
Microsoft.Compute/galleries/share/action | Shares a gallery to a different scope |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
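To make the Actions/NotActions semantics described at the top of this article concrete, here is an added Python evaluator (not Microsoft's code and not from this page) that applies them to the Contributor and Reader definitions listed on this page: a control-plane operation is permitted when some Actions pattern matches it and no NotActions pattern matches it, and DataActions/NotDataActions work the same way for the data plane. It assumes a plain `*` wildcard that spans `/` and case-insensitive operation names, and it does not model assignment scope, deny assignments, or conditions.

```python
"""Evaluate what an Azure RBAC role definition permits.

Added example, not Microsoft's code. It applies the semantics this page
describes (effective control-plane permissions = Actions minus NotActions;
effective data-plane permissions = DataActions minus NotDataActions; '*'
wildcards) to the Contributor and Reader definitions listed on this page.
Assumption: '*' matches any characters including '/', and operation names
compare case-insensitively. Assignment scope, deny assignments and ABAC
conditions are out of scope here.
"""
import re

# Copied from the role definitions on this page (only the fields used here).
CONTRIBUTOR = {
    "roleName": "Contributor",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
        ],
        "dataActions": [],
        "notDataActions": [],
    }],
}

READER = {
    "roleName": "Reader",
    "permissions": [{
        "actions": ["*/read"],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }],
}


def matches(pattern: str, operation: str) -> bool:
    """Wildcard match: each '*' becomes '.*' (so it may span '/'); the rest
    of the pattern is matched literally and case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def _effective(allow: list, deny: list, operation: str) -> bool:
    """Permitted when some allow pattern matches and no Not* pattern matches.
    Not* only subtracts from this role's own grant; it is not a deny that
    overrides a grant made by some other role assignment."""
    return (any(matches(p, operation) for p in allow)
            and not any(matches(p, operation) for p in deny))


def allows_action(role: dict, operation: str) -> bool:
    """Control-plane (Azure Resource Manager) operation check."""
    return any(_effective(p.get("actions", []), p.get("notActions", []), operation)
               for p in role["permissions"])


def allows_data_action(role: dict, operation: str) -> bool:
    """Data-plane operation check (for example reading the bytes of a blob)."""
    return any(_effective(p.get("dataActions", []), p.get("notDataActions", []), operation)
               for p in role["permissions"])


def blocking_not_actions(role: dict, operation: str) -> list:
    """The NotActions entries that carve an operation out of the grant; handy
    when explaining why a Contributor cannot, say, assign roles."""
    return [p for perm in role["permissions"] for p in perm.get("notActions", [])
            if matches(p, operation)]


if __name__ == "__main__":
    checks = [
        (CONTRIBUTOR, "Microsoft.Compute/virtualMachines/write"),
        (CONTRIBUTOR, "Microsoft.Authorization/roleAssignments/write"),
        (CONTRIBUTOR, "Microsoft.Authorization/roleAssignments/read"),
        (READER, "Microsoft.KeyVault/vaults/read"),
        (READER, "Microsoft.KeyVault/vaults/write"),
    ]
    for role, op in checks:
        verdict = "allowed" if allows_action(role, op) else "not allowed"
        print(f"{role['roleName']:<12} {op:<48} {verdict}")
    # Neither role lists any DataActions, so a data-plane blob read falls
    # outside both, even though Contributor's control-plane grant is '*'.
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print("Contributor data-plane blob read:", allows_data_action(CONTRIBUTOR, blob_read))
```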
Owner
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Actions | Description |
---|---|
* | Create and manage resources of all types |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Reader
View all resources, but does not allow you to make any changes.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
User Access Administrator
Lets you manage user access to Azure resources.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.Authorization/* | Manage authorization |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Compute
Classic Virtual Machine Contributor
Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicCompute/domainNames/* | Create and manage classic compute domain names |
Microsoft.ClassicCompute/virtualMachines/* | Create and manage virtual machines |
Microsoft.ClassicNetwork/networkSecurityGroups/join/action | |
Microsoft.ClassicNetwork/reservedIps/link/action | Link a reserved IP |
Microsoft.ClassicNetwork/reservedIps/read | Gets the reserved IPs |
Microsoft.ClassicNetwork/virtualNetworks/join/action | Joins the virtual network. |
Microsoft.ClassicNetwork/virtualNetworks/read | Get the virtual network. |
Microsoft.ClassicStorage/storageAccounts/disks/read | Returns the storage account disk. |
Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') |
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Disk Backup Reader
Provides permission to backup vault to perform disk backup.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Compute/disks/read | Get the properties of a disk |
Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the disk for blob access |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk backup.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Disk Pool Operator
Provides permission to the StoragePool Resource Provider to manage disks added to a disk pool.
Actions | Description |
---|---|
Microsoft.Compute/disks/write | Creates a new disk or updates an existing one |
Microsoft.Compute/disks/read | Get the properties of a disk |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Pool Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Disk Restore Operator
Provides permission to backup vault to perform disk restore.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Compute/disks/write | Creates a new disk or updates an existing one |
Microsoft.Compute/disks/read | Get the properties of a disk |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk restore.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
  "name": "b50d9833-a0cb-478e-945f-707fcc997c13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Restore Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Disk Snapshot Contributor
Provides permission to backup vault to manage disk snapshots.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Compute/snapshots/delete | Delete a snapshot |
Microsoft.Compute/snapshots/write | Create a new snapshot or update an existing one |
Microsoft.Compute/snapshots/read | Get the properties of a snapshot |
Microsoft.Compute/snapshots/beginGetAccess/action | Get the SAS URI of the snapshot for blob access |
Microsoft.Compute/snapshots/endGetAccess/action | Revoke the SAS URI of the snapshot |
Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the disk for blob access |
Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters, updates the properties or tags of the specified storage account, or adds a custom domain for it. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties of the specified storage account. |
Microsoft.Storage/storageAccounts/delete | Deletes an existing storage account. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Snapshot Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Virtual Machine Administrator Login
View virtual machines in the portal and log in as administrator.
Actions | Description |
---|---|
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Compute/virtualMachines/*/read | |
Microsoft.HybridCompute/machines/*/read | |
Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials for the resource. |
NotActions | |
None | |
DataActions | |
Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges |
Microsoft.HybridCompute/machines/login/action | Log in to an Azure Arc machine as a regular user |
Microsoft.HybridCompute/machines/loginAsAdmin/action | Log in to an Azure Arc machine with Windows administrator or Linux root user privileges |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as administrator",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action",
"Microsoft.HybridCompute/machines/login/action",
"Microsoft.HybridCompute/machines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Compute/availabilitySets/* | Create and manage compute availability sets |
Microsoft.Compute/locations/* | Create and manage compute locations |
Microsoft.Compute/virtualMachines/* | Perform all virtual machine actions, including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines. |
Microsoft.Compute/virtualMachineScaleSets/* | Create and manage virtual machine scale sets |
Microsoft.Compute/cloudServices/* | |
Microsoft.Compute/disks/write | Creates a new disk or updates an existing one |
Microsoft.Compute/disks/read | Get the properties of a disk |
Microsoft.Compute/disks/delete | Deletes the disk |
Microsoft.DevTestLab/schedules/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not alertable. |
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable. |
Microsoft.Network/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable. |
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable. |
Microsoft.Network/loadBalancers/probes/join/action | Allows using the probes of a load balancer. For example, with this permission the healthProbe property of a VM scale set can reference the probe. Not alertable. |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/locations/* | Create and manage network locations |
Microsoft.Network/networkInterfaces/* | Create and manage network interfaces |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
Microsoft.Network/publicIPAddresses/join/action | Joins a public IP address. Not alertable. |
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.RecoveryServices/locations/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup protection intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the protected item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup protected item |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all protection policies |
Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates a protection policy |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/write | The Create Vault operation creates an Azure resource of type 'vault' |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.SerialConsole/serialPorts/connect/action | Connect to a serial port |
Microsoft.SqlVirtualMachine/* | |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties of the specified storage account. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/cloudServices/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SerialConsole/serialPorts/connect/action",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Virtual Machine User Login
View virtual machines in the portal and log in as a regular user.
Actions | Description |
---|---|
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Compute/virtualMachines/*/read | |
Microsoft.HybridCompute/machines/*/read | |
Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials for the resource. |
NotActions | |
None | |
DataActions | |
Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
Microsoft.HybridCompute/machines/login/action | Log in to an Azure Arc machine as a regular user |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular user.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
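The Virtual Machine User Login and Virtual Machine Administrator Login definitions above share the same control-plane Actions and differ only in their DataActions, where the administrator role adds the two loginAsAdmin entries. The Python below is an added example for this reference, not code from the Azure documentation: it applies the Actions/NotActions/DataActions/NotDataActions evaluation rules (wildcard match, case-insensitive, control plane and data plane kept separate) to those two definitions, copied from the JSON above, and to a constructed custom role that uses NotActions. It also flags a small watchlist of high-impact operations for a least-privilege review. The custom role, the watchlist, and the function names are assumptions for illustration; Microsoft.Authorization/roleAssignments/write is the real operation behind role assignment but does not appear on this page.

```python
"""Evaluate Azure RBAC role definitions against requested operations.

Added example (not code from the Azure documentation). It applies the
documented role-definition semantics: an operation is granted when it matches
an entry in Actions (control plane) or DataActions (data plane) and is not
matched by the corresponding NotActions / NotDataActions entry. '*' matches
any run of characters, comparison is case-insensitive, and a control-plane
Action never grants a data-plane operation. Assignment scope, deny
assignments and conditions are outside this example.
"""
import copy
import re

# Copied from the Virtual Machine User Login entry above; the Administrator
# Login definition on this page differs only in its dataActions.
VM_USER_LOGIN = {
    "roleName": "Virtual Machine User Login",
    "permissions": [{
        "actions": [
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/loadBalancers/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Compute/virtualMachines/*/read",
            "Microsoft.HybridCompute/machines/*/read",
            "Microsoft.HybridConnectivity/endpoints/listCredentials/action",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Compute/virtualMachines/login/action",
            "Microsoft.HybridCompute/machines/login/action",
        ],
        "notDataActions": [],
    }],
}

VM_ADMIN_LOGIN = copy.deepcopy(VM_USER_LOGIN)
VM_ADMIN_LOGIN["roleName"] = "Virtual Machine Administrator Login"
VM_ADMIN_LOGIN["permissions"][0]["dataActions"] += [
    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
    "Microsoft.HybridCompute/machines/loginAsAdmin/action",
]

# Constructed custom role (not an Azure built-in) used to show NotActions:
# everything on virtual machines except deleting them.
CUSTOM_VM_OPERATOR = {
    "roleName": "Example VM Operator (constructed)",
    "permissions": [{
        "actions": ["Microsoft.Compute/virtualMachines/*"],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"],
        "dataActions": [],
        "notDataActions": [],
    }],
}


def _matches(pattern: str, operation: str) -> bool:
    """True when an Actions-style pattern ('*' wildcard) covers the operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def permits(role: dict, operation: str, data_action: bool = False) -> bool:
    """Does the role definition grant the operation on the chosen plane?"""
    allow_key, deny_key = (
        ("dataActions", "notDataActions") if data_action
        else ("actions", "notActions")
    )
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm[allow_key])
        denied = any(_matches(p, operation) for p in perm[deny_key])
        if allowed and not denied:
            return True
    return False


# Operations worth flagging in a least-privilege review (assumed watchlist):
# key disclosure, root/administrator logon, and the ability to grant roles.
WATCHLIST = (
    ("Microsoft.Storage/storageAccounts/listKeys/action", False),
    ("Microsoft.Authorization/roleAssignments/write", False),
    ("Microsoft.Compute/virtualMachines/loginAsAdmin/action", True),
    ("Microsoft.HybridCompute/machines/loginAsAdmin/action", True),
)


def privileged_grants(role: dict, watchlist=WATCHLIST) -> list:
    """Sorted watchlist operations that the role definition grants."""
    return sorted(op for op, is_data in watchlist if permits(role, op, is_data))


if __name__ == "__main__":
    for role in (VM_USER_LOGIN, VM_ADMIN_LOGIN, CUSTOM_VM_OPERATOR):
        print(role["roleName"], "->",
              privileged_grants(role) or "nothing on the watchlist")
```

Running the script reports nothing on the watchlist for the user-login role and for the constructed operator role, and both loginAsAdmin data actions for the administrator role. The constructed role shows why the plane separation matters: a wildcard over Microsoft.Compute/virtualMachines/* in Actions grants every control-plane VM operation except the excluded delete, yet grants no data-plane login at all.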
Networking
CDN Endpoint Contributor
Can manage CDN endpoints, but can't grant access to other users.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/endpoints/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN endpoints, but can't grant access to other users.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Endpoint Reader
Can view CDN endpoints, but can't make changes.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/endpoints/*/read | |
Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN endpoints, but can't make changes.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*/read",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Profile Contributor
Can manage CDN profiles and their endpoints, but can't grant access to other users.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
"name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Profile Reader
Can view CDN profiles and their endpoints, but can't make changes.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Cdn/edgenodes/read | |
Microsoft.Cdn/operationresults/* | |
Microsoft.Cdn/profiles/*/read | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN profiles and their endpoints, but can't make changes.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
"name": "8f96442b-4075-438f-813d-ad51ab4019af",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Network Contributor
Lets you manage classic networks, but not access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicNetwork/* | Create and manage classic networks |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic networks, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicNetwork/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DNS Zone Contributor
Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/dnsZones/* | Create and manage DNS zones and records |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
"name": "befefa01-2a29-4197-83a8-272ff33ce314",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/dnsZones/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Network Contributor
Lets you manage networks, but not access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/* | Create and manage networks |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage networks, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Private DNS Zone Contributor
Lets you manage private DNS zone resources, but not the virtual networks they are linked to.
Actions | Description |
---|---|
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Network/privateDnsZones/* | |
Microsoft.Network/privateDnsOperationResults/* | |
Microsoft.Network/privateDnsOperationStatuses/* | |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Authorization/*/read | Read roles and role assignments |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"permissions": [
{
"actions": [
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/privateDnsZones/*",
"Microsoft.Network/privateDnsOperationResults/*",
"Microsoft.Network/privateDnsOperationStatuses/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Private DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Traffic Manager Contributor
Lets you manage Traffic Manager profiles, but does not let you control who has access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/trafficManagerProfiles/* | |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Traffic Manager Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage
Avere Contributor
Can create and manage an Avere vFXT cluster.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Compute/*/read | |
Microsoft.Compute/availabilitySets/* | |
Microsoft.Compute/proximityPlacementGroups/* | |
Microsoft.Compute/virtualMachines/* | |
Microsoft.Compute/disks/* | |
Microsoft.Network/*/read | |
Microsoft.Network/networkInterfaces/* | |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/*/read | |
Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Avere Operator
Used by the Avere vFXT cluster to manage the cluster.
Actions | Description |
---|---|
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns a list of containers |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of putting a blob container |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Contributor
Lets you manage the backup service, but can't create vaults or give access to others.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/locations/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | Manage the results of operations on backup management |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside the backup fabrics of a Recovery Services vault |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage the results of backup management operations |
Microsoft.RecoveryServices/Vaults/backupPolicies/* | Create and manage backup policies |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items that can be backed up |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | Create and manage backed-up items |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for protected items and protected servers for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/certificates/* | Create and manage certificates related to backup in a Recovery Services vault |
Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended information related to the vault |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
Microsoft.RecoveryServices/Vaults/usages/* | Create and manage usage of a Recovery Services vault |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties of the specified storage account. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate an operation on a protected item |
Microsoft.RecoveryServices/Vaults/write | The Create Vault operation creates an Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns the backup operation status for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with the vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
Microsoft.RecoveryServices/locations/backupStatus/action | Check the backup status for Recovery Services vaults |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate features |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Returns the list of operations for the resource provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets the operation status for a given operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup protection intents |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.DataProtection/locations/getBackupStatus/action | Check the backup status for Recovery Services vaults |
Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs a backup on the backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates a restore of the backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers a restore on the backup instance |
Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates a backup policy |
Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the backup policy |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds restorable time ranges |
Microsoft.DataProtection/backupVaults/write | The Create BackupVault operation creates an Azure resource of type 'Backup Vault' |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets the operation result of a patch operation for a Backup Vault |
Microsoft.DataProtection/locations/checkNameAvailability/action | Checks whether the requested BackupVault name is available |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/locations/operationStatus/read | Returns the backup operation status for a Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns the backup operation result for a Backup Vault. |
Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates a backup of a backup instance |
Microsoft.DataProtection/providers/operations/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup service,but can't create vaults and give access to others",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/delete",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/write",
"Microsoft.DataProtection/backupVaults/backupPolicies/delete",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/write",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/locations/checkNameAvailability/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/providers/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Operator
Lets you manage backup services, except removal of backups, vault creation and giving access to others. Note how the exclusions are implemented: NotActions is empty, so the restrictions come purely from what is omitted from Actions (there is no delete on protected items and no Microsoft.RecoveryServices/Vaults/write in the list below).
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns the status of the operation |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets the result of an operation performed on a protection container. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs a backup of the protected item. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets the result of an operation performed on protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of an operation performed on protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the protected item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision instant item recovery for a protected item |
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get an access token for cross-region restore. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get recovery points for protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore recovery points for protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke instant item recovery for a protected item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup protected item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage results of backup management operations |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get results of a policy operation. |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all protection policies |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all protected items. |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries of protected items and protected servers for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result of an asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Services. |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties of the specified storage account. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate an operation on a protected item |
Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate an operation on a protected item |
Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate an operation on a protected item |
Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate an operation on a protected item |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns the backup operation status for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get the status of a policy operation. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do an inquiry for workloads within a container |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with the vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup protection intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup protection intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
Microsoft.RecoveryServices/locations/backupStatus/action | Check backup status for Recovery Services vaults |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate features |
Microsoft.RecoveryServices/locations/backupAadProperties/read | Get AAD properties for authentication in the third region for cross-region restore. |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | List cross-region restore jobs in the secondary region for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrrJob/action | Get cross-region restore job details in the secondary region for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | Trigger a cross-region restore. |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns the CRR operation result for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns the CRR operation status for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Returns the list of operations for the resource provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets the operation status for a given operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup protection intents |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds restorable time ranges |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets the operation result of a patch operation on a Backup Vault |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/locations/operationStatus/read | Returns the backup operation status for a Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns the backup operation result for a Backup Vault. |
Microsoft.DataProtection/providers/operations/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/providers/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Reader
Can view backup services, but can't make changes. Read the action list before treating this role as read-only: for Backup Vaults (the Microsoft.DataProtection provider) it includes Microsoft.DataProtection/backupVaults/backupInstances/write, .../backupInstances/backup/action and .../backupInstances/restore/action, so a holder can create backup instances and trigger backups and restores there, and Microsoft.RecoveryServices/Vaults/monitoringAlerts/write lets them resolve alerts. The role is read-only for Recovery Services vault data, not for Backup Vaults.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns the status of the operation |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets the result of an operation performed on a protection container. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets the result of an operation performed on protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of an operation performed on protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the protected item |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get recovery points for protected items. |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the result of a job operation. |
Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all job objects |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export jobs |
Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns the backup operation result for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get results of a policy operation. |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all protection policies |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all protected items. |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries of protected items and protected servers for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result of an asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns the storage configuration for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns the configuration for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns the backup operation status for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get the status of a policy operation. |
Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with the vault. |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup protection intent |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
Microsoft.RecoveryServices/locations/backupStatus/action | Check backup status for Recovery Services vaults |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
Microsoft.RecoveryServices/operations/read | Returns the list of operations for the resource provider |
Microsoft.RecoveryServices/locations/operationStatus/read | Gets the operation status for a given operation |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup protection intents |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate features |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | List cross-region restore jobs in the secondary region for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrrJob/action | Get cross-region restore job details in the secondary region for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns the CRR operation result for a Recovery Services vault. |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns the CRR operation status for a Recovery Services vault. |
Microsoft.DataProtection/locations/getBackupStatus/action | Check backup status for Recovery Services vaults |
Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all backup instances |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs a backup on the backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates a restore of the backup instance |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers a restore on the backup instance |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all backup policies |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all recovery points |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds restorable time ranges |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/operationResults/read | Gets the operation result of a patch operation on a Backup Vault |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/backupVaults/read | Gets the list of Backup Vaults in a subscription |
Microsoft.DataProtection/locations/operationStatus/read | Returns the backup operation status for a Backup Vault. |
Microsoft.DataProtection/locations/operationResults/read | Returns the backup operation result for a Backup Vault. |
Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates a backup of the backup instance |
Microsoft.DataProtection/providers/operations/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/providers/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
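The Backup Reader listing above shows why a role's description is not enough and the Actions list has to be evaluated: a role named "Reader" carries write, backup and restore actions on Microsoft.DataProtection. The script below is an added example, not code from the Microsoft documentation. It applies the control-plane evaluation rules this page describes (an operation is allowed if some Actions entry matches it and no NotActions entry matches it, with `*` as a wildcard) to two definitions copied from this page: a trimmed Backup Reader, and the Actions/NotActions of Data Lake Analytics Developer listed later on the page. Two details are assumptions about the RBAC matcher rather than statements from this page: that `*` matches any run of characters including `/` (so `Microsoft.Authorization/*/read` covers nested resource types) and that operation names compare case-insensitively (the page itself mixes `Vaults` and `vaults` in one role). `is_permitted` and `mutating_actions` are names chosen for this example.

```python
"""Evaluate Azure RBAC role definitions offline (added example)."""
import json
import re

# Trimmed copy of the Backup Reader definition listed on this page
# (a795c7a0-d4a2-40c1-ae25-d81f01202912); only some entries are kept.
BACKUP_READER = json.loads("""
{
  "roleName": "Backup Reader",
  "permissions": [{
    "actions": [
      "Microsoft.Authorization/*/read",
      "Microsoft.RecoveryServices/Vaults/read",
      "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
      "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
      "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
      "Microsoft.DataProtection/backupVaults/backupInstances/write",
      "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
      "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
      "Microsoft.DataProtection/backupVaults/read"
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": []
  }]
}
""")

# Actions/NotActions of Data Lake Analytics Developer as listed on this page.
DLA_DEVELOPER = {
    "roleName": "Data Lake Analytics Developer",
    "permissions": [{
        "actions": ["Microsoft.BigAnalytics/accounts/*",
                    "Microsoft.DataLakeAnalytics/accounts/*"],
        "notActions": ["Microsoft.BigAnalytics/accounts/Delete",
                       "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
                       "Microsoft.BigAnalytics/accounts/Write"],
        "dataActions": [], "notDataActions": [],
    }],
}


def _matches(pattern: str, operation: str) -> bool:
    """Assumed matcher: '*' matches any run of characters, '/' included,
    and names compare case-insensitively. Everything else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(role: dict, operation: str) -> bool:
    """Control-plane check for one role definition: allowed when an Actions
    entry matches and no NotActions entry matches. NotActions only narrows
    this role; it is not a deny that overrides other role assignments."""
    for perm in role["permissions"]:
        allowed = any(_matches(a, operation) for a in perm["actions"])
        denied = any(_matches(n, operation) for n in perm["notActions"])
        if allowed and not denied:
            return True
    return False


MUTATING_SUFFIXES = ("/write", "/delete", "/action")


def mutating_actions(role: dict) -> list:
    """Actions entries that can change state: entries ending in write, delete
    or action, plus trailing wildcards (which cover all three verbs). Some
    '/action' operations are read-only (for example backupStatus/action), so
    the result is a review list, not a verdict."""
    out = []
    for perm in role["permissions"]:
        for a in perm["actions"]:
            if a.endswith("*") or a.lower().endswith(MUTATING_SUFFIXES):
                out.append(a)
    return out


if __name__ == "__main__":
    for a in mutating_actions(BACKUP_READER):
        print("Backup Reader can:", a)
    print("DLA Developer may delete BigAnalytics account:",
          is_permitted(DLA_DEVELOPER, "Microsoft.BigAnalytics/accounts/Delete"))
```

Run the same `mutating_actions` check over the output of `az role definition list` (or a custom role before you create it) to catch "reader" roles that are not. Note the asymmetry in the Data Lake Analytics Developer case: NotActions removes delete/write only for Microsoft.BigAnalytics, so the Microsoft.DataLakeAnalytics/accounts/* wildcard still permits `Microsoft.DataLakeAnalytics/accounts/delete` as far as this definition alone is concerned.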
Classic Storage Account Contributor
Lets you manage classic storage accounts, but not access to them.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicStorage/storageAccounts/* | Create and manage storage accounts |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Storage Account Key Operator Service Role
Classic Storage Account Key Operators are allowed to list and regenerate keys on classic storage accounts. Although the role has no DataActions, a listed account key is a full-access shared secret for everything in that storage account, so this role should be treated as granting data access; regeneratekey also lets a holder invalidate the key every other client is using.
Action | Description |
---|---|
Microsoft.ClassicStorage/storageAccounts/listkeys/action | Lists the access keys for the storage account. |
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | Regenerates an existing access key for the storage account. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Contributor
Lets you manage everything under the Data Box service except giving access to others.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Databox/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Reader
Lets you manage the Data Box service except creating orders, editing order details and giving access to others. Despite the name, the role includes Microsoft.Databox/jobs/listsecrets/action and Microsoft.Databox/jobs/listcredentials/action, so a holder can retrieve the unencrypted credentials of an order.
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Databox/*/read | |
Microsoft.Databox/jobs/listsecrets/action | |
Microsoft.Databox/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. |
Microsoft.Databox/locations/availableSkus/action | This method returns the list of available SKUs. |
Microsoft.Databox/locations/validateInputs/action | This method performs all types of validation. |
Microsoft.Databox/locations/regionConfiguration/action | This method returns the configuration for the region. |
Microsoft.Databox/locations/validateAddress/action | Validates the shipping address and provides alternate addresses, if any. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Lake Analytics Developer
Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.BigAnalytics/accounts/* | |
Microsoft.DataLakeAnalytics/accounts/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.BigAnalytics/accounts/Delete | |
Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
Microsoft.BigAnalytics/accounts/Write | |
Microsoft.DataLakeAnalytics/accounts/Delete | Delete a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. |
Microsoft.DataLakeAnalytics/accounts/Write | Create or update a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write | Create or update a firewall rule. |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete | Delete a firewall rule. |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write | Create or update a compute policy. |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | Delete a compute policy. |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reader and Data Access
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/ListAccountSas/action | Returns the account SAS token for the specified storage account. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Key Operator Service Role
Permits listing and regenerating storage account access keys. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete a container. |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns a container or a list of containers. |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Modifies a container's metadata or properties. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Write to a blob. |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Moves a blob from one path to another |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Owner
Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/* | Full permissions on containers. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Reader
Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns a container or a list of containers. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Delegator
Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Contributor
Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Elevated Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permissions on a file/folder. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Reader
Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Contributor
Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/queueServices/queues/delete | Delete a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. |
Microsoft.Storage/storageAccounts/queueServices/queues/write | Modifies queue metadata or properties. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | Deletes one or more messages from a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peeks or retrieves one or more messages from a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | Adds a message to a queue. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Processor
Peek, retrieve, and delete messages from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek a message. |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Sender
Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | Adds a message to a queue. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Reader
Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peeks or retrieves one or more messages from a queue. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Contributor
Allows for read, write, and delete access to Azure Storage tables and entities.
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
Microsoft.Storage/storageAccounts/tableServices/tables/write | Create tables |
Microsoft.Storage/storageAccounts/tableServices/tables/delete | Delete tables |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | Delete table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Insert table entities |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage tables and entities",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Reader
Allows for read access to Azure Storage tables and entities.
Actions | Description |
---|---|
Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
NotActions | |
None | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage tables and entities",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Web
Azure Maps Data Contributor
Grants read, write, and delete access to map-related data from an Azure Maps account. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Maps/accounts/*/read | |
Microsoft.Maps/accounts/*/write | |
Microsoft.Maps/accounts/*/delete | |
Microsoft.Maps/accounts/*/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read",
"Microsoft.Maps/accounts/*/write",
"Microsoft.Maps/accounts/*/delete",
"Microsoft.Maps/accounts/*/action"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Maps Data Reader
Grants read access to map-related data from an Azure Maps account. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Maps/accounts/*/read | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read map related data from an Azure maps account.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Config Server Contributor
Allows read, write, and delete access to Azure Spring Cloud Config Server. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppPlatform/Spring/configService/read | Read the configuration content (for example, application.yaml) for a specific Azure Spring Cloud service instance |
Microsoft.AppPlatform/Spring/configService/write | Write config server content for a specific Azure Spring Cloud service instance |
Microsoft.AppPlatform/Spring/configService/delete | Delete config server content for a specific Azure Spring Cloud service instance |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
"name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read",
"Microsoft.AppPlatform/Spring/configService/write",
"Microsoft.AppPlatform/Spring/configService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Config Server Reader
Allows read access to Azure Spring Cloud Config Server. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppPlatform/Spring/configService/read | Read the configuration content (for example, application.yaml) for a specific Azure Spring Cloud service instance |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Config Server",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
"name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Data Reader
Allows read access to Azure Spring Cloud data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppPlatform/Spring/*/read | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
"name": "b5537268-8956-4941-a8f0-646150406f0c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Service Registry Contributor
Allows read, write, and delete access to Azure Spring Cloud Service Registry. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppPlatform/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Cloud service instance |
Microsoft.AppPlatform/Spring/eurekaService/write | Write the user app(s) registration information for a specific Azure Spring Cloud service instance |
Microsoft.AppPlatform/Spring/eurekaService/delete | Delete the user app(s) registration information for a specific Azure Spring Cloud service instance |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
"name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read",
"Microsoft.AppPlatform/Spring/eurekaService/write",
"Microsoft.AppPlatform/Spring/eurekaService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Service Registry Reader
Allows read access to Azure Spring Cloud Service Registry. Learn more
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppPlatform/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Cloud service instance |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Service Registry",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
"name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Account Administrator
Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Media/mediaservices/*/read | |
Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for an Asset |
Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
Microsoft.Media/mediaservices/write | Create or update any Media Services account |
Microsoft.Media/mediaservices/delete | Delete any Media Services account |
Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action | Approve a private endpoint connection |
Microsoft.Media/mediaservices/privateEndpointConnections/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
"name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/write",
"Microsoft.Media/mediaservices/delete",
"Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
"Microsoft.Media/mediaservices/privateEndpointConnections/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Account Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Live Events Administrator
Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. The NotActions below keep the asset encryption key and content key listing out of the assets/* and streamingLocators/* wildcard grants.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Media/mediaservices/*/read | |
Microsoft.Media/mediaservices/assets/* | |
Microsoft.Media/mediaservices/assets/assetfilters/* | |
Microsoft.Media/mediaservices/streamingLocators/* | |
Microsoft.Media/mediaservices/liveEvents/* | |
NotActions | |
Microsoft.Media/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key |
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | List Content Keys |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
"name": "532bc159-b25e-42c0-969e-a1d439f60d77",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/liveEvents/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Live Events Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Media Operator
Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Media/mediaservices/*/read | |
Microsoft.Media/mediaservices/assets/* | |
Microsoft.Media/mediaservices/assets/assetfilters/* | |
Microsoft.Media/mediaservices/streamingLocators/* | |
Microsoft.Media/mediaservices/transforms/jobs/* | |
NotActions | |
Microsoft.Media/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key |
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | List Content Keys |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
"name": "e4395492-1534-4db2-bedf-88c14621589c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/transforms/jobs/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Media Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Policy Administrator
Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets, or Streaming resources. The role can manage content key policies but, because of the NotActions entry, cannot read the secrets stored in them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Media/mediaservices/*/read | |
Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset |
Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
Microsoft.Media/mediaservices/accountFilters/* | |
Microsoft.Media/mediaservices/streamingPolicies/* | |
Microsoft.Media/mediaservices/contentKeyPolicies/* | |
Microsoft.Media/mediaservices/transforms/* | |
NotActions | |
Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | Get Policy Properties With Secrets |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
"name": "c4bba371-dacd-4a26-b320-7250bca963ae",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/accountFilters/*",
"Microsoft.Media/mediaservices/streamingPolicies/*",
"Microsoft.Media/mediaservices/contentKeyPolicies/*",
"Microsoft.Media/mediaservices/transforms/*"
],
"notActions": [
"Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Policy Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Streaming Endpoints Administrator
Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Media/mediaservices/*/read | |
Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset |
Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
Microsoft.Media/mediaservices/streamingEndpoints/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
"name": "99dba123-b5fe-44d5-874c-ced7199a5804",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/streamingEndpoints/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Streaming Endpoints Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Index Data Contributor
Grants full access to Azure Cognitive Search index data. This is a data-plane role only: it carries no control-plane Actions, so it cannot read or change the search service resource itself.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Search/searchServices/indexes/documents/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to Azure Cognitive Search index data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7",
"name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/*"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Index Data Reader
Grants read access to Azure Cognitive Search index data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Search/searchServices/indexes/documents/read | Read documents or suggested query terms from an index. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants read access to Azure Cognitive Search index data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f",
"name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/read"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Service Contributor
Lets you manage Search services, but not access to them. Note that the Microsoft.Search/searchServices/* wildcard also covers the operations that list the service's API keys, and an admin key gives full access to the service's data, so this role can reach index data indirectly even though it has no DataActions.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Search/searchServices/* | Create and manage search services |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Search services, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Search/searchServices/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Search Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR AccessKey Reader
Read SignalR Service access keys. Despite the name, this is not a read-only role in practice: the keys returned by listkeys/action are used to sign access tokens for the service, so a holder can mint tokens for any data-plane operation.
Actions | Description |
---|---|
Microsoft.SignalRService/*/read | |
Microsoft.SignalRService/SignalR/listkeys/action | View the value of SignalR access keys in the management portal or through API |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read SignalR Service Access Keys",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
"name": "04165923-9d83-45d5-8227-78b77b0a687e",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*/read",
"Microsoft.SignalRService/SignalR/listkeys/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR AccessKey Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR App Server
Lets your app server access SignalR Service with AAD auth options.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.SignalRService/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens; the key expires in 90 minutes by default. |
Microsoft.SignalRService/SignalR/serverConnection/write | Start a server connection. |
Microsoft.SignalRService/SignalR/clientConnection/write | Close a client connection. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets your app server access SignalR Service with AAD auth options.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
"name": "420fcaa2-552c-430f-98ca-3264be4806c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/accessKey/action",
"Microsoft.SignalRService/SignalR/serverConnection/write",
"Microsoft.SignalRService/SignalR/clientConnection/write"
],
"notDataActions": []
}
],
"roleName": "SignalR App Server",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR REST API Owner
Full access to Azure SignalR Service REST APIs.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.SignalRService/SignalR/auth/clientToken/action | Generate an AccessToken for a client to connect to ASRS; the token expires in 5 minutes by default. |
Microsoft.SignalRService/SignalR/hub/send/action | Broadcast messages to all client connections in a hub. |
Microsoft.SignalRService/SignalR/group/send/action | Broadcast a message to a group. |
Microsoft.SignalRService/SignalR/group/read | Check group existence or user existence in a group. |
Microsoft.SignalRService/SignalR/group/write | Join / leave a group. |
Microsoft.SignalRService/SignalR/clientConnection/send/action | Send messages directly to a client connection. |
Microsoft.SignalRService/SignalR/clientConnection/read | Check client connection existence. |
Microsoft.SignalRService/SignalR/clientConnection/write | Close a client connection. |
Microsoft.SignalRService/SignalR/user/send/action | Send messages to a user, who may consist of multiple client connections. |
Microsoft.SignalRService/SignalR/user/read | Check user existence. |
Microsoft.SignalRService/SignalR/user/write | Modify a user. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
"name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/clientToken/action",
"Microsoft.SignalRService/SignalR/hub/send/action",
"Microsoft.SignalRService/SignalR/group/send/action",
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/group/write",
"Microsoft.SignalRService/SignalR/clientConnection/send/action",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/clientConnection/write",
"Microsoft.SignalRService/SignalR/user/send/action",
"Microsoft.SignalRService/SignalR/user/read",
"Microsoft.SignalRService/SignalR/user/write"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR REST API Reader
Read-only access to Azure SignalR Service REST APIs.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.SignalRService/SignalR/group/read | Check group existence or user existence in a group. |
Microsoft.SignalRService/SignalR/clientConnection/read | Check client connection existence. |
Microsoft.SignalRService/SignalR/user/read | Check user existence. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read-only access to Azure SignalR Service REST APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
"name": "ddde6b66-c0df-4114-a159-3618637b3035",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/user/read"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR Service Owner
Full access to Azure SignalR Service REST APIs. The description is the same as SignalR REST API Owner, but this role additionally carries the app-server data actions: generating an access key for signing tokens and starting server connections.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.SignalRService/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens; the key expires in 90 minutes by default. |
Microsoft.SignalRService/SignalR/auth/clientToken/action | Generate an AccessToken for a client to connect to ASRS; the token expires in 5 minutes by default. |
Microsoft.SignalRService/SignalR/hub/send/action | Broadcast messages to all client connections in a hub. |
Microsoft.SignalRService/SignalR/group/send/action | Broadcast a message to a group. |
Microsoft.SignalRService/SignalR/group/read | Check group existence or user existence in a group. |
Microsoft.SignalRService/SignalR/group/write | Join / leave a group. |
Microsoft.SignalRService/SignalR/clientConnection/send/action | Send messages directly to a client connection. |
Microsoft.SignalRService/SignalR/clientConnection/read | Check client connection existence. |
Microsoft.SignalRService/SignalR/clientConnection/write | Close a client connection. |
Microsoft.SignalRService/SignalR/serverConnection/write | Start a server connection. |
Microsoft.SignalRService/SignalR/user/send/action | Send messages to a user, who may consist of multiple client connections. |
Microsoft.SignalRService/SignalR/user/read | Check user existence. |
Microsoft.SignalRService/SignalR/user/write | Modify a user. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/accessKey/action",
"Microsoft.SignalRService/SignalR/auth/clientToken/action",
"Microsoft.SignalRService/SignalR/hub/send/action",
"Microsoft.SignalRService/SignalR/group/send/action",
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/group/write",
"Microsoft.SignalRService/SignalR/clientConnection/send/action",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/clientConnection/write",
"Microsoft.SignalRService/SignalR/serverConnection/write",
"Microsoft.SignalRService/SignalR/user/send/action",
"Microsoft.SignalRService/SignalR/user/read",
"Microsoft.SignalRService/SignalR/user/write"
],
"notDataActions": []
}
],
"roleName": "SignalR Service Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR/Web PubSub Contributor
Create, read, update, and delete SignalR service resources. The Microsoft.SignalRService/* wildcard includes the key-listing operation, so this control-plane role can also obtain the access keys.
Actions | Description |
---|---|
Microsoft.SignalRService/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete SignalR service resources",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR/Web PubSub Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Web Plan Contributor
Manage the web plans for websites, but not access to them. Does not allow you to assign roles in Azure RBAC.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Web/serverFarms/* | Create and manage server farms |
Microsoft.Web/hostingEnvironments/Join/Action | Joins an App Service Environment |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the web plans for websites, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/hostingEnvironments/Join/Action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Web Plan Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Website Contributor
Manage websites, but not web plans, and not access to them. Does not allow you to assign roles in Azure RBAC. Be aware that the Microsoft.Web/sites/* wildcard covers the operations that list a site's app settings, connection strings, and publishing credentials, so this role can read secrets kept in app configuration.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/components/* | Create and manage Insights components |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Web/certificates/* | Create and manage website certificates |
Microsoft.Web/listSitesAssignedToHostName/read | Get names of sites assigned to a hostname. |
Microsoft.Web/serverFarms/join/action | Joins an App Service Plan |
Microsoft.Web/serverFarms/read | Get the properties of an App Service Plan |
Microsoft.Web/sites/* | Create and manage websites (site creation also requires write permissions on the associated App Service Plan) |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage websites (not web plans), but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
"name": "de139f84-1756-47ae-9be6-808fbbe84772",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/certificates/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Website Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Containers
AcrDelete
Delete repositories, tags, or manifests from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to, or pull trusted images from, a container registry enabled for content trust. Signing authority is what makes an image pass a content-trust check on the consumer side, so assign this role only to the identity that is meant to vouch for images, not to every build agent that can push.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to, or pull artifacts from, a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to, or pull quarantined images from, a container registry. The write operations change an artifact's quarantine state, which is what releases it for ordinary pulls, so this role should be limited to the scanner or gate that makes that decision.
Actions | Description |
---|---|
Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from a container registry |
Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify the quarantine state of quarantined images |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action. The credential it returns is the cluster's built-in cluster-admin kubeconfig, which gives unrestricted access to every namespace, so treat an assignment of this role as full ownership of the cluster's workloads.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
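Two things in the definitions above are easy to misread. A NotActions or NotDataActions list subtracts from that same role's wildcard grant (the Media Services roles keep getEncryptionKey/action and listContentKeys/action out of assets/* and streamingLocators/*; the AKS RBAC Admin role later in this section does the same for namespaces under managedClusters/*), and it is not a deny, so another assignment can still grant the operation. And two roles with identical description strings can grant different things (SignalR REST API Owner versus SignalR Service Owner). The Python below is an added example, not Microsoft tooling: it applies the wildcard and subtraction rules to role definitions constructed from the action strings on this page, diffs the two SignalR owner roles, and scans a role for operations that hand back credentials, such as listClusterAdminCredential/action in the cluster admin role just above. The CREDENTIAL_OPERATIONS list is the example's own assumption, seeded from operations that appear on this page.

```python
"""Evaluate Azure built-in role definitions offline: wildcard matching,
Actions minus NotActions, and a scan for credential-disclosing operations."""
import re

# Constructed role definitions: action strings copied from the roles on this
# page, trimmed to the permission lists (id, scopes and other fields omitted).
MEDIA_OPERATOR = {
    "roleName": "Media Services Media Operator",
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Media/mediaservices/*/read",
            "Microsoft.Media/mediaservices/assets/*",
            "Microsoft.Media/mediaservices/streamingLocators/*",
            "Microsoft.Media/mediaservices/transforms/jobs/*",
        ],
        "notActions": [
            "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
            "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action",
        ],
        "dataActions": [],
        "notDataActions": [],
    }],
}
AKS_CLUSTER_ADMIN = {
    "roleName": "Azure Kubernetes Service Cluster Admin Role",
    "permissions": [{
        "actions": [
            "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
            "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
            "Microsoft.ContainerService/managedClusters/read",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}
SIGNALR_REST_API_OWNER = {
    "roleName": "SignalR REST API Owner",
    "permissions": [{
        "actions": [], "notActions": [],
        "dataActions": [
            "Microsoft.SignalRService/SignalR/auth/clientToken/action",
            "Microsoft.SignalRService/SignalR/hub/send/action",
            "Microsoft.SignalRService/SignalR/group/send/action",
            "Microsoft.SignalRService/SignalR/group/read",
            "Microsoft.SignalRService/SignalR/group/write",
            "Microsoft.SignalRService/SignalR/clientConnection/send/action",
            "Microsoft.SignalRService/SignalR/clientConnection/read",
            "Microsoft.SignalRService/SignalR/clientConnection/write",
            "Microsoft.SignalRService/SignalR/user/send/action",
            "Microsoft.SignalRService/SignalR/user/read",
            "Microsoft.SignalRService/SignalR/user/write",
        ],
        "notDataActions": [],
    }],
}
SIGNALR_SERVICE_OWNER = {
    "roleName": "SignalR Service Owner",
    "permissions": [{
        "actions": [], "notActions": [],
        # Same REST API data actions plus the two app-server ones.
        "dataActions": SIGNALR_REST_API_OWNER["permissions"][0]["dataActions"] + [
            "Microsoft.SignalRService/SignalR/auth/accessKey/action",
            "Microsoft.SignalRService/SignalR/serverConnection/write",
        ],
        "notDataActions": [],
    }],
}

# Assumed list for the scan: operations on this page that return key material
# or a credential. Extend it for your own environment.
CREDENTIAL_OPERATIONS = [
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.SignalRService/SignalR/listkeys/action",
    "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
    "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action",
    "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action",
]


def matches(pattern, operation):
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included;
    the comparison is case-insensitive."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*")
    return re.fullmatch(regex, operation.lower()) is not None


def is_allowed(role, operation, data_plane=False):
    """True if the role grants the operation: it must match an entry in
    Actions (DataActions) and match nothing in NotActions (NotDataActions)."""
    allow, subtract = (("dataActions", "notDataActions") if data_plane
                       else ("actions", "notActions"))
    for perm in role["permissions"]:
        granted = any(matches(p, operation) for p in perm[allow])
        subtracted = any(matches(p, operation) for p in perm[subtract])
        if granted and not subtracted:
            return True
    return False


def credential_operations(role):
    """Credential-disclosing operations the role can actually perform."""
    return [op for op in CREDENTIAL_OPERATIONS if is_allowed(role, op)]


def extra_data_actions(role_a, role_b):
    """Data actions listed on role_a that role_b does not list, sorted."""
    def listed(role):
        return {p for perm in role["permissions"] for p in perm["dataActions"]}
    return sorted(listed(role_a) - listed(role_b))


if __name__ == "__main__":
    print(is_allowed(MEDIA_OPERATOR, "Microsoft.Media/mediaservices/assets/write"))
    print(credential_operations(MEDIA_OPERATOR), credential_operations(AKS_CLUSTER_ADMIN))
    print(extra_data_actions(SIGNALR_SERVICE_OWNER, SIGNALR_REST_API_OWNER))
```

To run the same checks against a live definition rather than the constructed ones, the JSON printed by `az role definition list --name "<role name>"` has the same permissions shape and can be passed straight to is_allowed. The subtraction rule is the point to remember when auditing: a role whose wildcard looks broad may still be safe because of its NotActions, and a role that looks harmless may reach secrets through a wildcard that covers a list-keys or list-credential operation.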
Azure Kubernetes Service Cluster User Role
List cluster user credential action.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters. The write operation covers the cluster resource's configuration, so this role can change cluster-level settings even though it lists no credential operations.
Actions | Description |
---|---|
Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
Microsoft.ContainerService/managedClusters/write | Creates a new managed cluster or updates an existing one |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List clusterUser credential of a managed cluster |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.ContainerService/managedClusters/services/read | Reads services |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
Microsoft.ContainerService/managedClusters/apps/deployments/* | |
Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
Microsoft.ContainerService/managedClusters/batch/jobs/* | |
Microsoft.ContainerService/managedClusters/configmaps/* | |
Microsoft.ContainerService/managedClusters/endpoints/* | |
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
Microsoft.ContainerService/managedClusters/events/read | Reads events |
Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
Microsoft.ContainerService/managedClusters/pods/* | |
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.ContainerService/managedClusters/secrets/* | |
Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
Microsoft.ContainerService/managedClusters/services/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Databases
Azure Connected SQL Server Onboarding
Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. Learn more
Actions | Description |
---|---|
Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource |
Microsoft.AzureArcData/sqlServerInstances/write | Updates a SQL Server Instance resource |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Account Reader Role
Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.DocumentDB/*/read | Read any collection |
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. |
Microsoft.Insights/MetricDefinitions/read | Read metric definitions |
Microsoft.Insights/Metrics/read | Read metrics |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Operator
Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. Learn more
Actions | Description |
---|---|
Microsoft.DocumentDb/databaseAccounts/* | |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
NotActions | |
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition |
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition |
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment |
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
Can submit a restore request for a Cosmos DB database or a container for an account. Learn more
Actions | Description |
---|---|
Microsoft.DocumentDB/databaseAccounts/backup/action | Submit a request to configure backup |
Microsoft.DocumentDB/databaseAccounts/restore/action | Submit a restore request |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
Can perform restore action for a Cosmos DB database account with continuous backup mode
Actions | Description |
---|---|
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | Submit a restore request |
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | Read a restorable database account or list all the restorable database accounts |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB Account Contributor
Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.DocumentDb/databaseAccounts/* | Create and manage Azure Cosmos DB accounts |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis Cache Contributor
Lets you manage Redis caches, but not access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Cache/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription |
Microsoft.Cache/redis/* | Create and manage Redis caches |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB Contributor
Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/servers/databases/* | Create and manage SQL databases |
Microsoft.Sql/servers/read | Returns the list of servers or gets the properties for the specified server. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
NotActions | |
Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests |
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/auditingSettings/* | Edit audit settings |
Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit data masking policies |
Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit security alert policies |
Microsoft.Sql/servers/databases/securityMetrics/* | Edit security metrics |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Managed Instance Contributor
Lets you manage SQL Managed Instances and the required network configuration, but can't give access to others.
Actions | Description |
---|---|
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Network/networkSecurityGroups/* | |
Microsoft.Network/routeTables/* | |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/locations/instanceFailoverGroups/* | |
Microsoft.Sql/managedInstances/* | |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Network/virtualNetworks/subnets/* | |
Microsoft.Network/virtualNetworks/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
NotActions | |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Security Manager
Lets you manage the security-related policies of SQL servers and databases, but not access to them. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins a resource such as a storage account or SQL database to a subnet. Not alertable. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Sql/locations/administratorAzureAsyncOperation/read | Gets the managed instance Azure async administrator operation result. |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/auditingSettings/* | Create and manage SQL server auditing settings |
Microsoft.Sql/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server |
Microsoft.Sql/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings |
Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies |
Microsoft.Sql/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database |
Microsoft.Sql/servers/databases/read | Return the list of databases or get the properties for the specified database. |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/read | Get a database schema. |
Microsoft.Sql/servers/databases/schemas/tables/columns/read | Get a database column. |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/read | Get a database table. |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies |
Microsoft.Sql/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/devOpsAuditingSettings/* | |
Microsoft.Sql/servers/firewallRules/* | |
Microsoft.Sql/servers/read | Return the list of servers or get the properties for the specified server. |
Microsoft.Sql/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
Microsoft.Sql/managedInstances/read | Return the list of managed instances or get the properties for the specified managed instance. |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
Microsoft.Security/sqlVulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/administrators/read | Gets a list of managed instance administrators. |
Microsoft.Sql/servers/administrators/read | Gets a specific Azure Active Directory administrator object |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server Contributor
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/servers/* | Create and manage SQL servers |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.Insights/metricDefinitions/read | Read metric definitions |
NotActions | |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/auditingSettings/* | Edit SQL server auditing settings |
Microsoft.Sql/servers/databases/auditingSettings/* | Edit SQL server database auditing settings |
Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies |
Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies |
Microsoft.Sql/servers/databases/securityMetrics/* | Edit SQL server database security metrics |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/devOpsAuditingSettings/* | |
Microsoft.Sql/servers/extendedAuditingSettings/* | |
Microsoft.Sql/servers/securityAlertPolicies/* | Edit SQL server security alert policies |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object |
Microsoft.Sql/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Analytics
Azure Event Hubs Data Owner
Allows for full access to Azure Event Hubs resources. Learn more
Actions | Description |
---|---|
Microsoft.EventHub/* | |
NotActions | |
None | |
DataActions | |
Microsoft.EventHub/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
"name": "f526a384-b230-433a-b45c-95f59c4a2dec",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Event Hubs Data Receiver
Allows receive access to Azure Event Hubs resources. Learn more
Actions | Description |
---|---|
Microsoft.EventHub/*/eventhubs/consumergroups/read | |
NotActions | |
None | |
DataActions | |
Microsoft.EventHub/*/receive/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows receive access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/consumergroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Event Hubs Data Sender
Allows send access to Azure Event Hubs resources. Learn more
Actions | Description |
---|---|
Microsoft.EventHub/*/eventhubs/read | |
NotActions | |
None | |
DataActions | |
Microsoft.EventHub/*/send/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to Azure Event Hubs resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
"name": "2b629674-e913-4c01-ae53-ef4638d8f975",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Factory Contributor
Create and manage data factories, as well as child resources within them. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.DataFactory/dataFactories/* | Create and manage data factories, and child resources within them. |
Microsoft.DataFactory/factories/* | Create and manage data factories, and child resources within them. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Create and manage data factories, as well as child resources within them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
"name": "673868aa-7521-48a0-acc6-0f60742d39f5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.EventGrid/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Factory Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Purger
Delete private data from a Log Analytics workspace. Learn more
Actions | Description |
---|---|
Microsoft.Insights/components/*/read | |
Microsoft.Insights/components/purge/action | Purging data from Application Insights |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/purge/action | Delete specified data from the workspace |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can purge analytics data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"permissions": [
{
"actions": [
"Microsoft.Insights/components/*/read",
"Microsoft.Insights/components/purge/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/purge/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Purger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight Cluster Operator
Lets you read and modify HDInsight cluster configurations. Learn more
Actions | Description |
---|---|
Microsoft.HDInsight/*/read | |
Microsoft.HDInsight/clusters/getGatewaySettings/action | Gets the gateway settings for an HDInsight cluster |
Microsoft.HDInsight/clusters/updateGatewaySettings/action | Updates the gateway settings for an HDInsight cluster |
Microsoft.HDInsight/clusters/configurations/* | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and modify HDInsight cluster configurations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
"name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
"permissions": [
{
"actions": [
"Microsoft.HDInsight/*/read",
"Microsoft.HDInsight/clusters/getGatewaySettings/action",
"Microsoft.HDInsight/clusters/updateGatewaySettings/action",
"Microsoft.HDInsight/clusters/configurations/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Cluster Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight Domain Services Contributor
Can read, create, modify and delete Domain Services related operations needed for the HDInsight Enterprise Security Package. Learn more
Actions | Description |
---|---|
Microsoft.AAD/*/read | |
Microsoft.AAD/domainServices/*/read | |
Microsoft.AAD/domainServices/oucontainer/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
"name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
"permissions": [
{
"actions": [
"Microsoft.AAD/*/read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.AAD/domainServices/oucontainer/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics Contributor
Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. Learn more
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.ClassicCompute/virtualMachines/extensions/* | |
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
Microsoft.Compute/virtualMachines/extensions/* | |
Microsoft.HybridCompute/machines/extensions/write | Installs or updates an Azure Arc extension |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.OperationalInsights/* | |
Microsoft.OperationsManagement/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.ClassicCompute/virtualMachines/extensions/*",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/*",
"Microsoft.OperationsManagement/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics Reader
Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. Learn more
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using the new engine. |
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.OperationalInsights/workspaces/sharedKeys/read | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
"name": "73c42c96-874c-492b-b04d-ab87d138a893",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Schema Registry Contributor (Preview)
Read, write, and delete Schema Registry groups and schemas.
Actions | Description |
---|---|
Microsoft.EventHub/namespaces/schemagroups/* | |
NotActions | |
None | |
DataActions | |
Microsoft.EventHub/namespaces/schemas/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Read, write, and delete Schema Registry groups and schemas.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
"name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/*"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Schema Registry Reader (Preview)
Read and list Schema Registry groups and schemas.
Actions | Description |
---|---|
Microsoft.EventHub/namespaces/schemagroups/read | Get the list of SchemaGroup resource descriptions |
NotActions | |
None | |
DataActions | |
Microsoft.EventHub/namespaces/schemas/read | Retrieve schemas |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Read and list Schema Registry groups and schemas.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/read"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Stream Analytics Query Tester
Lets you perform query testing without creating a Stream Analytics job first
Actions | Description |
---|---|
Microsoft.StreamAnalytics/locations/TestQuery/action | Test a query for the Stream Analytics resource provider |
Microsoft.StreamAnalytics/locations/OperationResults/read | Read a Stream Analytics operation result |
Microsoft.StreamAnalytics/locations/SampleInput/action | Sample input for the Stream Analytics resource provider |
Microsoft.StreamAnalytics/locations/CompileQuery/action | Compile a query for the Stream Analytics resource provider |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform query testing without creating a stream analytics job first",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"permissions": [
{
"actions": [
"Microsoft.StreamAnalytics/locations/TestQuery/action",
"Microsoft.StreamAnalytics/locations/OperationResults/read",
"Microsoft.StreamAnalytics/locations/SampleInput/action",
"Microsoft.StreamAnalytics/locations/CompileQuery/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Stream Analytics Query Tester",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AI + Machine Learning
AzureML Data Scientist
Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.
Actions | Description |
---|---|
Microsoft.MachineLearningServices/workspaces/*/read | |
Microsoft.MachineLearningServices/workspaces/*/action | |
Microsoft.MachineLearningServices/workspaces/*/delete | |
Microsoft.MachineLearningServices/workspaces/*/write | |
NotActions | |
Microsoft.MachineLearningServices/workspaces/delete | Deletes the Machine Learning Services workspace |
Microsoft.MachineLearningServices/workspaces/write | Creates or updates a Machine Learning Services workspace |
Microsoft.MachineLearningServices/workspaces/computes/*/write | |
Microsoft.MachineLearningServices/workspaces/computes/*/delete | |
Microsoft.MachineLearningServices/workspaces/computes/listKeys/action | List secrets for compute resources in a Machine Learning Services workspace |
Microsoft.MachineLearningServices/workspaces/listKeys/action | List secrets for a Machine Learning Services workspace |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121",
"name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/read",
"Microsoft.MachineLearningServices/workspaces/*/action",
"Microsoft.MachineLearningServices/workspaces/*/delete",
"Microsoft.MachineLearningServices/workspaces/*/write"
],
"notActions": [
"Microsoft.MachineLearningServices/workspaces/delete",
"Microsoft.MachineLearningServices/workspaces/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/delete",
"Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/listKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Data Scientist",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Contributor
Lets you create, read, update, delete and manage keys of Cognitive Services. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.CognitiveServices/* | |
Microsoft.Features/features/read | Gets the features of a subscription. |
Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Insights/logDefinitions/read | Read log definitions |
Microsoft.Insights/metricdefinitions/read | Read metric definitions |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.CognitiveServices/*",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Contributor
Full access to the project, including the ability to view, create, edit, or delete projects. Learn more
Actions | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Custom Vision Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Deployment
Publish, unpublish or export models. Deployment can view the project but can't update. Learn more
Actions | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* | |
Microsoft.CognitiveServices/accounts/CustomVision/classify/* | |
Microsoft.CognitiveServices/accounts/CustomVision/detect/* | |
NotDataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
"Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
"Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Deployment",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Labeler
View and edit training images, and create, add, remove, or delete image tags. Labelers can view the project but can't update anything other than training images and tags.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API gets suggested tags and regions for an array/batch of untagged images, along with confidences for the tags. It returns an empty array if no tags are found. |
NotDataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
"name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Labeler",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Reader
Read-only actions in the project. Readers can't create or update the project.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
NotDataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Read-only actions in the project. Readers can't create or update the project.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
"name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Trainer
View and edit projects and train the models, including the ability to publish, unpublish, and export the models. Trainers can't create or delete the project.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/* | |
NotDataActions | |
Microsoft.CognitiveServices/accounts/CustomVision/projects/action | Create a project. |
Microsoft.CognitiveServices/accounts/CustomVision/projects/delete | Delete a specific project. |
Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action | Imports a project. |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Trainer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Data Reader (Preview)
Lets you read Cognitive Services data.
Action | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/*/read | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read Cognitive Services data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
"name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Data Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Face Recognizer
Lets you perform detect, verify, identify, group, and find similar operations on the Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.
Action | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally faceIds, landmarks, and attributes. |
Microsoft.CognitiveServices/accounts/Face/verify/action | Verify whether two faces belong to the same person, or whether one face belongs to a person. |
Microsoft.CognitiveServices/accounts/Face/identify/action | 1-to-many identification to find the closest matches of a specific query person face from a person group or large person group. |
Microsoft.CognitiveServices/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. |
Microsoft.CognitiveServices/accounts/Face/findsimilars/action | Given a query face's faceId, search for similar-looking faces in a faceId array, a face list, or a large face list. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
"name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/Face/detect/action",
"Microsoft.CognitiveServices/accounts/Face/verify/action",
"Microsoft.CognitiveServices/accounts/Face/identify/action",
"Microsoft.CognitiveServices/accounts/Face/group/action",
"Microsoft.CognitiveServices/accounts/Face/findsimilars/action"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Face Recognizer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Metrics Advisor Administrator
Full access to the project, including the system-level configuration.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the system level configuration.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
"name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Metrics Advisor Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services QnA Maker Editor
Lets you create, edit, import, and export a KB. You cannot publish or delete a KB.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write | Replace alterations data. |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write | Updates endpoint settings for an endpoint. |
Microsoft.CognitiveServices/accounts/QnAMaker/operations/read | Gets details of a specific long-running operation. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write | Replace alterations data. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write | Updates endpoint settings for an endpoint. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read | Gets details of a specific long-running operation. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write | Replace alterations data. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write | Updates endpoint settings for an endpoint. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | Gets details of a specific long-running operation. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services QnA Maker Reader
Lets you read and test a KB only.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets the list of knowledgebases or the details of a specific knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Let's you read and test a KB only.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
"name": "466ccd10-b268-4a11-b098-b4849f024126",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services User
Lets you read and list keys of Cognitive Services.
Action | Description |
---|---|
Microsoft.CognitiveServices/*/read | |
Microsoft.CognitiveServices/accounts/listkeys/action | List the keys |
Microsoft.Insights/alertRules/read | Read a classic metric alert |
Microsoft.Insights/diagnosticSettings/read | Read a resource diagnostic setting |
Microsoft.Insights/logDefinitions/read | Read log definitions |
Microsoft.Insights/metricdefinitions/read | Read metric definitions |
Microsoft.Insights/metrics/read | Read metrics |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
Microsoft.CognitiveServices/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and list keys of Cognitive Services.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
"name": "a97b65f3-24c7-4388-baec-2e87135dc908",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/listkeys/action",
"Microsoft.Insights/alertRules/read",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Internet of Things
Device Update Administrator
Gives you full access to management and content operations
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management and content operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
"name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete",
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Content Administrator
Gives you full access to content operations
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to content operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
"name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Content Reader
Gives you read access to content operations, but does not allow making changes
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to content operations, but does not allow making changes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
"name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Deployments Administrator
Gives you full access to management operations
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
"name": "e4237640-0e3d-4a46-8fda-70bc94856432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Deployments Reader
Gives you read access to management operations, but does not allow making changes
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management operations, but does not allow making changes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
"name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Reader
Gives you read access to management and content operations, but does not allow making changes
Action | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
NotActions | |
None | |
DataActions | |
Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management and content operations, but does not allow making changes",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
"name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/management/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Contributor
Allows for full access to IoT Hub data plane operations.
Action | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Devices/IotHubs/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub data plane operations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
"name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Reader
Allows for full read access to IoT Hub data-plane properties.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Devices/IotHubs/*/read | |
Microsoft.Devices/IotHubs/fileUpload/notifications/action | Receive, complete, or abandon file upload notifications |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full read access to IoT Hub data-plane properties",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
"name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*/read",
"Microsoft.Devices/IotHubs/fileUpload/notifications/action"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Registry Contributor
Allows for full access to the IoT Hub device registry.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Devices/IotHubs/devices/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub device registry.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
"name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/devices/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Twin Contributor
Allows for read and write access to all IoT Hub device and module twins.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.Devices/IotHubs/twins/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to all IoT Hub device and module twins.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
"name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/twins/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Twin Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Mixed reality
Remote Rendering Administrator
Provides the user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.MixedReality/RemoteRenderingAccounts/convert/action | Start asset conversion |
Microsoft.MixedReality/RemoteRenderingAccounts/convert/read | Get asset conversion properties |
Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete | Stop asset conversion |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read | Get session properties |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action | Start sessions |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
Microsoft.MixedReality/RemoteRenderingAccounts/render/read | Connect to a session |
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Remote Rendering Client
Provides the user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read | Get session properties |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action | Start sessions |
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
Microsoft.MixedReality/RemoteRenderingAccounts/render/read | Connect to a session |
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
"name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Client",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Contributor
Lets you manage spatial anchors in your account, but not delete them.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action | Create spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
Microsoft.MixedReality/SpatialAnchorsAccounts/write | Update spatial anchors properties |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, but not delete them",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Owner
Lets you manage spatial anchors in your account, including deleting them.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action | Create spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/delete | Delete spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
Microsoft.MixedReality/SpatialAnchorsAccounts/write | Update spatial anchors properties |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, including deleting them",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
"name": "70bbe301-9835-447d-afdd-19eb3167307c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Reader
Lets you locate and read properties of spatial anchors in your account.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you locate and read properties of spatial anchors in your account",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
"name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration
API Management Service Contributor
Can manage the service and the APIs.
Actions | Description |
---|---|
Microsoft.ApiManagement/service/* | Create and manage API Management service |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can manage service and the APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
"name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Operator Role
Can manage the service but not the APIs.
Actions | Description |
---|---|
Microsoft.ApiManagement/service/*/read | Read API Management Service instances |
Microsoft.ApiManagement/service/backup/action | Backup API Management Service to the specified container in a user provided storage account |
Microsoft.ApiManagement/service/delete | Delete API Management Service instance |
Microsoft.ApiManagement/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service |
Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
Microsoft.ApiManagement/service/restore/action | Restore API Management Service from the specified container in a user provided storage account |
Microsoft.ApiManagement/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service |
Microsoft.ApiManagement/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service |
Microsoft.ApiManagement/service/write | Create or update API Management Service instance |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.ApiManagement/service/users/keys/read | Get keys associated with user |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can manage service but not the APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/delete",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Reader Role
Read-only access to the service and APIs.
Actions | Description |
---|---|
Microsoft.ApiManagement/service/*/read | Read API Management Service instances |
Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.ApiManagement/service/users/keys/read | Get keys associated with user |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Read-only access to service and APIs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
"name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Configuration Data Owner
Allows full access to App Configuration data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppConfiguration/configurationStores/*/read | |
Microsoft.AppConfiguration/configurationStores/*/write | |
Microsoft.AppConfiguration/configurationStores/*/delete | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows full access to App Configuration data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read",
"Microsoft.AppConfiguration/configurationStores/*/write",
"Microsoft.AppConfiguration/configurationStores/*/delete"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Configuration Data Reader
Allows read access to App Configuration data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.AppConfiguration/configurationStores/*/read | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows read access to App Configuration data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
"name": "516239f1-63e1-4d78-a4de-a74fb236a071",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Listener
Allows for listen access to Azure Relay resources.
Actions | Description |
---|---|
Microsoft.Relay/*/wcfRelays/read | |
Microsoft.Relay/*/hybridConnections/read | |
NotActions | |
None | |
DataActions | |
Microsoft.Relay/*/listen/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for listen access to Azure Relay resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
"name": "26e0b698-aa6d-4085-9386-aadae190014d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/listen/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Listener",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Owner
Allows for full access to Azure Relay resources.
Actions | Description |
---|---|
Microsoft.Relay/* | |
NotActions | |
None | |
DataActions | |
Microsoft.Relay/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Relay resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"permissions": [
{
"actions": [
"Microsoft.Relay/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Sender
Allows for send access to Azure Relay resources.
Actions | Description |
---|---|
Microsoft.Relay/*/wcfRelays/read | |
Microsoft.Relay/*/hybridConnections/read | |
NotActions | |
None | |
DataActions | |
Microsoft.Relay/*/send/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Relay resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
"name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Owner
Allows for full access to Azure Service Bus resources.
Actions | Description |
---|---|
Microsoft.ServiceBus/* | |
NotActions | |
None | |
DataActions | |
Microsoft.ServiceBus/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Service Bus resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
"name": "090c5cfd-751d-490a-894a-3ce6f1109419",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Receiver
Allows for receive access to Azure Service Bus resources.
Actions | Description |
---|---|
Microsoft.ServiceBus/*/queues/read | |
Microsoft.ServiceBus/*/topics/read | |
Microsoft.ServiceBus/*/topics/subscriptions/read | |
NotActions | |
None | |
DataActions | |
Microsoft.ServiceBus/*/receive/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for receive access to Azure Service Bus resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Sender
Allows for send access to Azure Service Bus resources.
Actions | Description |
---|---|
Microsoft.ServiceBus/*/queues/read | |
Microsoft.ServiceBus/*/topics/read | |
Microsoft.ServiceBus/*/topics/subscriptions/read | |
NotActions | |
None | |
DataActions | |
Microsoft.ServiceBus/*/send/action | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Service Bus resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack Registration Owner
Lets you manage Azure Stack registrations.
Actions | Description |
---|---|
Microsoft.AzureStack/edgeSubscriptions/read | |
Microsoft.AzureStack/registrations/products/*/action | |
Microsoft.AzureStack/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |
Microsoft.AzureStack/registrations/read | Gets the properties of an Azure Stack registration |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Stack registrations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"permissions": [
{
"actions": [
"Microsoft.AzureStack/edgeSubscriptions/read",
"Microsoft.AzureStack/registrations/products/*/action",
"Microsoft.AzureStack/registrations/products/read",
"Microsoft.AzureStack/registrations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack Registration Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid Contributor
Lets you manage EventGrid operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.EventGrid/* | Create and manage Event Grid resources |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid operations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
"name": "1e241071-0855-49ea-94dc-649edcd759de",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid Data Sender
Allows send access to Event Grid events.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.EventGrid/topics/read | Read a topic |
Microsoft.EventGrid/domains/read | Read a domain |
Microsoft.EventGrid/partnerNamespaces/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
None | |
DataActions | |
Microsoft.EventGrid/events/send/action | Send events to topics |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to event grid events.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
"name": "d5a91429-5739-47e2-a06b-3470a27159e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/topics/read",
"Microsoft.EventGrid/domains/read",
"Microsoft.EventGrid/partnerNamespaces/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid EventSubscription Contributor
Lets you manage EventGrid event subscription operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.EventGrid/eventSubscriptions/* | Create and manage regional event subscriptions |
Microsoft.EventGrid/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions |
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topic type |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid event subscription operations.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid EventSubscription Reader
Lets you read EventGrid event subscriptions.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription |
Microsoft.EventGrid/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions |
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topic type |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read EventGrid event subscriptions.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
"name": "2414bbcf-6497-4faf-8c65-045460748405",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Contributor
Role allows a user or principal full access to FHIR data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.HealthcareApis/services/fhir/resources/* | |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal full access to FHIR Data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
"name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/*",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Exporter
Role allows a user or principal to read and export FHIR data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and export FHIR Data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
"name": "3db33094-8700-4567-8da5-1501d4e7e843",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Exporter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Reader
Role allows a user or principal to read FHIR data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read FHIR Data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Writer
Role allows a user or principal to read and write FHIR data.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.HealthcareApis/services/fhir/resources/* | |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | |
NotDataActions | |
Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard delete (including version history). |
Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action | Hard delete (including version history). |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and write FHIR Data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
"name": "3f88fce4-5892-4214-ae73-ba5294559913",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/*",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
],
"notDataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action"
]
}
],
"roleName": "FHIR Data Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration Service Environment Contributor
Lets you manage integration service environments, but not access to them. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Logic/integrationServiceEnvironments/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage integration service environments, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration Service Environment Developer
Allows developers to create and update workflows, integration accounts and API connections in integration service environments. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Logic/integrationServiceEnvironments/read | Reads the integration service environment. |
Microsoft.Logic/integrationServiceEnvironments/*/join/action | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/read",
"Microsoft.Logic/integrationServiceEnvironments/*/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Intelligent Systems Account Contributor
Lets you manage Intelligent Systems accounts, but not access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.IntelligentSystems/accounts/* | Create and manage Intelligent Systems accounts |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Intelligent Systems accounts, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
"name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.IntelligentSystems/accounts/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Intelligent Systems Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Logic App Contributor
Lets you manage logic apps, but not change access to them. Learn more
Note that the action list includes Microsoft.Storage/storageAccounts/listkeys/action, Microsoft.ClassicStorage/storageAccounts/listKeys/action and Microsoft.Web/sites/functions/listSecrets/action, so a holder of this role can read storage account keys and function secrets in scope, not only logic app definitions.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/metricAlerts/* | |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Insights/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
Microsoft.Insights/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
Microsoft.Logic/* | Manages Logic Apps resources. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Web/connectionGateways/* | Create and manages a Connection Gateway. |
Microsoft.Web/connections/* | Create and manages a Connection. |
Microsoft.Web/customApis/* | Creates and manages a Custom API. |
Microsoft.Web/serverFarms/join/action | Joins an App Service Plan |
Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
Microsoft.Web/sites/functions/listSecrets/action | List Function secrets. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage logic app, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
"name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logdefinitions/*",
"Microsoft.Insights/metricDefinitions/*",
"Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/functions/listSecrets/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Logic App Operator
Lets you read, enable, and disable logic apps, but not edit or update them. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/*/read | Read Insights alert rules |
Microsoft.Insights/metricAlerts/*/read | |
Microsoft.Insights/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps |
Microsoft.Insights/metricDefinitions/*/read | Gets the available metrics for Logic Apps. |
Microsoft.Logic/*/read | Reads Logic Apps resources. |
Microsoft.Logic/workflows/disable/action | Disables the workflow. |
Microsoft.Logic/workflows/enable/action | Enables the workflow. |
Microsoft.Logic/workflows/validate/action | Validates the workflow. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Web/connectionGateways/*/read | Read Connection Gateways. |
Microsoft.Web/connections/*/read | Read Connections. |
Microsoft.Web/customApis/*/read | Read Custom APIs. |
Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read, enable and disable logic app.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*/read",
"Microsoft.Insights/metricAlerts/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.Insights/metricDefinitions/*/read",
"Microsoft.Logic/*/read",
"Microsoft.Logic/workflows/disable/action",
"Microsoft.Logic/workflows/enable/action",
"Microsoft.Logic/workflows/validate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*/read",
"Microsoft.Web/connections/*/read",
"Microsoft.Web/customApis/*/read",
"Microsoft.Web/serverFarms/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Identity
Domain Services Contributor
Can manage Azure AD Domain Services and related network configurations. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/deployments/delete | Deletes a deployment. |
Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
Microsoft.Resources/deployments/validate/action | Validates a deployment. |
Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.AAD/register/action | Register Domain Service |
Microsoft.AAD/unregister/action | Unregister Domain Service |
Microsoft.AAD/domainServices/read | Read Domain Services |
Microsoft.AAD/domainServices/write | Write Domain Service |
Microsoft.AAD/domainServices/delete | Delete Domain Service |
Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for Domain Service |
Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/write | Creates or updates the diagnostic setting for the Domain Service resource |
Microsoft.AAD/domainServices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Domain Service |
Microsoft.AAD/domainServices/oucontainer/read | Read Ou Containers |
Microsoft.AAD/domainServices/oucontainer/write | Write Ou Container |
Microsoft.AAD/domainServices/oucontainer/delete | Delete Ou Container |
Microsoft.Network/register/action | Registers the subscription |
Microsoft.Network/unregister/action | Unregisters the subscription |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of a virtual network |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for PingMesh |
Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
Microsoft.Network/loadBalancers/*/read | |
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable. |
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable. |
Microsoft.Network/natGateways/join/action | Joins a NAT Gateway |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
Microsoft.Network/networkInterfaces/join/action | Joins a virtual machine to a network interface. Not alertable. |
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group |
Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
Microsoft.Network/routeTables/read | Gets a route table definition |
Microsoft.Network/routeTables/write | Creates a route table or updates an existing route table |
Microsoft.Network/routeTables/delete | Deletes a route table definition |
Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
Microsoft.Network/routeTables/routes/read | Gets a route definition |
Microsoft.Network/routeTables/routes/write | Creates a route or updates an existing route |
Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure AD Domain Services and related network configurations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
"name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.AAD/register/action",
"Microsoft.AAD/unregister/action",
"Microsoft.AAD/domainServices/read",
"Microsoft.AAD/domainServices/write",
"Microsoft.AAD/domainServices/delete",
"Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/write",
"Microsoft.AAD/domainServices/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.AAD/domainServices/oucontainer/read",
"Microsoft.AAD/domainServices/oucontainer/write",
"Microsoft.AAD/domainServices/oucontainer/delete",
"Microsoft.Network/register/action",
"Microsoft.Network/unregister/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/natGateways/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Domain Services Reader
Can view Azure AD Domain Services and related network configurations
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
Microsoft.AAD/domainServices/read | Read Domain Services |
Microsoft.AAD/domainServices/oucontainer/read | Read Ou Containers |
Microsoft.AAD/domainServices/OutboundNetworkDependenciesEndpoints/read | Get the network endpoints of all outbound dependencies |
Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic setting for Domain Service |
Microsoft.AAD/domainServices/providers/Microsoft.Insights/logDefinitions/read | Gets the available logs for Domain Service |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of a virtual network |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for PingMesh |
Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/loadBalancers/*/read | |
Microsoft.Network/natGateways/read | Gets a NAT Gateway definition |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
Microsoft.Network/routeTables/read | Gets a route table definition |
Microsoft.Network/routeTables/routes/read | Gets a route definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure AD Domain Services and related network configurations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
"name": "361898ef-9ed1-48c2-849c-a832951106bb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.AAD/domainServices/read",
"Microsoft.AAD/domainServices/oucontainer/read",
"Microsoft.AAD/domainServices/OutboundNetworkDependenciesEndpoints/read",
"Microsoft.AAD/domainServices/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.AAD/domainServices/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Identity Contributor
Create, read, update, and delete user-assigned identities. Learn more
Actions | Description |
---|---|
Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user-assigned identity |
Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user-assigned identity or updates the tags associated with an existing user-assigned identity |
Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user-assigned identity |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete User Assigned Identity",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Identity Operator
Read and assign user-assigned identities. Learn more
Because Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action lets the holder attach an identity to a resource such as a VM or function that they control, which can then request tokens as that identity, treat this role as conferring whatever the identity itself has been granted; scope it to the identities that are actually needed.
Actions | Description |
---|---|
Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Read and Assign User Assigned Identity",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
"name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security
Attestation Contributor
Can read, write, or delete the attestation provider instance. Learn more
Actions | Description |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | |
Microsoft.Attestation/attestationProviders/attestation/write | |
Microsoft.Attestation/attestationProviders/attestation/delete | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider instance",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Attestation Reader
Can read the attestation provider properties. Learn more
Actions | Description |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Administrator
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists operations available on the Microsoft.KeyVault resource provider |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Certificates Officer
Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists operations available on the Microsoft.KeyVault resource provider |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/certificatecas/* | |
Microsoft.KeyVault/vaults/certificates/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Contributor
Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. Learn more
The "no access to secrets, keys, or certificates" property holds only for vaults that use the Azure RBAC permission model. On a vault that still uses the access-policy model, the control-plane grant Microsoft.KeyVault/* covers writing the vault's access policies, so a holder of this role can add an access policy for their own principal and then read the data; treat the role as data-equivalent on such vaults.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.KeyVault/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.KeyVault/locations/deletedVaults/purge/action | Purge a soft-deleted key vault |
Microsoft.KeyVault/hsmPools/* | |
Microsoft.KeyVault/managedHsms/* | |
DataActions | |
none | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
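The NotActions and NotDataActions entries in the definitions above (hardDelete for FHIR Data Writer, purge and managed HSM operations for Key Vault Contributor) are subtractions from the same role's own grant, not deny rules, and the `*` in an action string spans any characters including `/`. The following script is an added example, not Microsoft's code, that implements that evaluation rule over a constructed subset of the FHIR Data Writer, Logic App Contributor and Key Vault Contributor definitions so the effective grant for a given operation can be checked offline. The operations `Microsoft.KeyVault/vaults/accessPolicies/write` and `Microsoft.KeyVault/vaults/secrets/getSecret/action` are assumed here and are not listed on this page.

```python
"""Evaluate effective permissions from Azure role-definition JSON.

Added example, not part of the Azure documentation. Rule implemented:
an operation is granted by a role when an entry in Actions (DataActions
for the data plane) matches it and no entry in NotActions (NotDataActions)
matches it. '*' matches any run of characters, including '/', and
matching is case-insensitive. NotActions narrow only this role's grant.
"""
import json
import re

# Constructed subset of three built-in roles from this page (ids verbatim).
ROLE_JSON = r"""
[
  {"roleName": "Key Vault Contributor",
   "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
   "permissions": [{
     "actions": ["Microsoft.Authorization/*/read", "Microsoft.KeyVault/*",
                 "Microsoft.Resources/deployments/*", "Microsoft.Support/*"],
     "notActions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action",
                    "Microsoft.KeyVault/hsmPools/*", "Microsoft.KeyVault/managedHsms/*"],
     "dataActions": [], "notDataActions": []}]},
  {"roleName": "FHIR Data Writer",
   "name": "3f88fce4-5892-4214-ae73-ba5294559913",
   "permissions": [{
     "actions": [], "notActions": [],
     "dataActions": ["Microsoft.HealthcareApis/services/fhir/resources/*",
                     "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"],
     "notDataActions": ["Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
                        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action"]}]},
  {"roleName": "Logic App Contributor",
   "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
   "permissions": [{
     "actions": ["Microsoft.Logic/*", "Microsoft.Storage/storageAccounts/listkeys/action",
                 "Microsoft.Web/sites/functions/listSecrets/action"],
     "notActions": [], "dataActions": [], "notDataActions": []}]}
]
"""
ROLES = {r["roleName"]: r for r in json.loads(ROLE_JSON)}


def matches(pattern: str, operation: str) -> bool:
    """Azure wildcard match: each '*' spans any characters; case-insensitive."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Effective grant of one operation under one role (no deny semantics)."""
    grant_key, exclude_key = (
        ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    )
    for perm in role["permissions"]:
        granted = any(matches(p, operation) for p in perm.get(grant_key, []))
        excluded = any(matches(p, operation) for p in perm.get(exclude_key, []))
        if granted and not excluded:
            return True
    return False


# Operations a reviewer flags because they return secrets, widen access or
# destroy data. (operation, is_data_plane). The accessPolicies/write and
# secrets/getSecret entries are assumed names not listed on this page.
SENSITIVE = [
    ("Microsoft.KeyVault/vaults/accessPolicies/write", False),
    ("Microsoft.KeyVault/locations/deletedVaults/purge/action", False),
    ("Microsoft.Storage/storageAccounts/listKeys/action", False),
    ("Microsoft.Web/sites/functions/listSecrets/action", False),
    ("Microsoft.KeyVault/vaults/secrets/getSecret/action", True),
    ("Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action", True),
]


def audit(role_name: str) -> dict:
    """Map each sensitive operation to whether role_name effectively grants it."""
    role = ROLES[role_name]
    return {op: is_allowed(role, op, data_plane) for op, data_plane in SENSITIVE}


if __name__ == "__main__":
    for name in ROLES:
        print(name)
        for op, ok in audit(name).items():
            print(f"  {'granted    ' if ok else 'not granted'}  {op}")
```

Run as-is it prints, for each of the three roles, which of the sensitive operations the role grants. Key Vault Contributor comes out as granting accessPolicies/write (the access-policy caveat) but not purge or any data-plane read; Logic App Contributor grants listKeys despite the different letter case in the definition; FHIR Data Writer grants ordinary resource operations but not hardDelete.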
Key Vault Crypto Officer
Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists operations available on the Microsoft.KeyVault resource provider |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/* | |
Microsoft.KeyVault/vaults/keyrotationpolicies/* | |
NotDataActions | |
none | |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Service Encryption User
Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription |
Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription |
Microsoft.EventGrid/eventSubscriptions/delete | Delete an eventSubscription |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto User
Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
Microsoft.KeyVault/vaults/keys/update/action | Updates the specified attributes associated with the given key. |
Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key. The file can be used to restore the key in a Key Vault of the same subscription. Restrictions may apply. |
Microsoft.KeyVault/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/decrypt/action | Decrypts ciphertext with a key. |
Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
Microsoft.KeyVault/vaults/keys/sign/action | Signs a message digest (hash) with a key. |
Microsoft.KeyVault/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Reader
Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets User
Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
Actions | Description |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed HSM contributor
Lets you manage managed HSM pools, but not access to them. Learn more
Actions | Description |
---|---|
Microsoft.KeyVault/managedHSMs/* | |
Microsoft.KeyVault/deletedManagedHsms/read | View the properties of a deleted managed hsm |
Microsoft.KeyVault/locations/deletedManagedHsms/read | View the properties of a deleted managed hsm |
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | Purge a soft deleted managed hsm |
Microsoft.KeyVault/locations/managedHsmOperationResults/read | Check the result of a long running operation |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Automation Contributor Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Logic/workflows/triggers/read | Reads the trigger. |
Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for the trigger. |
Microsoft.Logic/workflows/runs/read | Reads the workflow run. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/run/read | List Web Apps Hostruntime Workflow Runs. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Contributor
Microsoft Sentinel Contributor Learn more
Actions | Description |
---|---|
Microsoft.SecurityInsights/* | |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/savedSearches/* | |
Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/* | |
Microsoft.Insights/myworkbooks/read | Read a private Workbook |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Reader
Microsoft Sentinel Reader Learn more
Actions | Description |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/LinkedServices/read | Get linked services under the given workspace. |
Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query |
Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/myworkbooks/read | Read a private Workbook |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Responder
Microsoft Sentinel Responder Learn more
Actions | Description |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
Microsoft.SecurityInsights/automationRules/* | |
Microsoft.SecurityInsights/cases/* | |
Microsoft.SecurityInsights/incidents/* | |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action | Bulk tag Threat Intelligence |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action | Replace tags of Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query |
Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/myworkbooks/read | Read a private Workbook |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.SecurityInsights/cases/*/Delete | |
Microsoft.SecurityInsights/incidents/*/Delete | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Admin
View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Authorization/policyAssignments/* | Create and manage policy assignments |
Microsoft.Authorization/policyDefinitions/* | Create and manage policy definitions |
Microsoft.Authorization/policyExemptions/* | Create and manage policy exemptions |
Microsoft.Authorization/policySetDefinitions/* | Create and manage policy sets |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/* | Create and manage security components and policies |
Microsoft.IoTSecurity/* | |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Assessment Contributor
Lets you push assessments to Security Center
Actions | Description |
---|---|
Microsoft.Security/assessments/write | Create or update security assessments on your subscription |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Manager (Legacy)
This is a legacy role. Please use Security Administrator instead.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicCompute/*/read | Read configuration information for classic virtual machines |
Microsoft.ClassicCompute/virtualMachines/*/write | Write configuration for classic virtual machines |
Microsoft.ClassicNetwork/*/read | Read configuration information for classic network |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/* | Create and manage security components and policies |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator instead",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Reader
View permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/read | Read a classic metric alert |
Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
Microsoft.Resources/deployments/*/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/*/read | Read security components and policies |
Microsoft.IoTSecurity/*/read | |
Microsoft.Support/*/read | |
Microsoft.Security/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data |
Microsoft.Security/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors |
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | Download manager activation file |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Security Reader Role",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",
"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DevOps
DevTest Labs User
Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Compute/availabilitySets/read | Get the properties of an availability set |
Microsoft.Compute/virtualMachines/*/read | Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.) |
Microsoft.Compute/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources |
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
Microsoft.Compute/virtualMachines/restart/action | Restarts the virtual machine |
Microsoft.Compute/virtualMachines/start/action | Starts the virtual machine |
Microsoft.DevTestLab/*/read | Read the properties of a lab |
Microsoft.DevTestLab/labs/claimAnyVm/action | Claim a random claimable virtual machine in the lab. |
Microsoft.DevTestLab/labs/createEnvironment/action | Create virtual machines in a lab. |
Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab. |
Microsoft.DevTestLab/labs/formulas/delete | Delete formulas. |
Microsoft.DevTestLab/labs/formulas/read | Read formulas. |
Microsoft.DevTestLab/labs/formulas/write | Add or modify formulas. |
Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action | Evaluates lab policy. |
Microsoft.DevTestLab/labs/virtualMachines/claim/action | Take ownership of an existing virtual machine |
Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action | List the applicable start/stop schedules, if any. |
Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine |
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable. |
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable. |
Microsoft.Network/networkInterfaces/*/read | Read the properties of a network interface (for example, all the load balancers that the network interface is a part of) |
Microsoft.Network/networkInterfaces/join/action | Joins a virtual machine to a network interface. Not alertable. |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
Microsoft.Network/publicIPAddresses/*/read | Read the properties of a public IP address |
Microsoft.Network/publicIPAddresses/join/action | Joins a public IP address. Not alertable. |
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition. |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
NotActions | |
Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
"name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.DevTestLab/*/read",
"Microsoft.DevTestLab/labs/claimAnyVm/action",
"Microsoft.DevTestLab/labs/createEnvironment/action",
"Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
"Microsoft.DevTestLab/labs/formulas/delete",
"Microsoft.DevTestLab/labs/formulas/read",
"Microsoft.DevTestLab/labs/formulas/write",
"Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
"Microsoft.DevTestLab/labs/virtualMachines/claim/action",
"Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
"Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/networkInterfaces/*/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/publicIPAddresses/*/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"notActions": [
"Microsoft.Compute/virtualMachines/vmSizes/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DevTest Labs User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lab Creator
Lets you create new labs under your Azure Lab Accounts. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.LabServices/labAccounts/*/read | |
Microsoft.LabServices/labAccounts/createLab/action | Create a new lab in a lab account. |
Microsoft.LabServices/labAccounts/getPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account. |
Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action | Get core restrictions and usage for this subscription |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.LabServices/labPlans/images/read | Get the properties of an image. |
Microsoft.LabServices/labPlans/read | Get the properties of a lab plan. |
Microsoft.LabServices/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan. |
Microsoft.LabServices/labs/read | Get the properties of a lab. |
Microsoft.LabServices/labs/schedules/read | Get the properties of a schedule. |
Microsoft.LabServices/labs/users/read | Get the properties of a user. |
Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine. |
Microsoft.LabServices/locations/usages/read | Get usages in a location |
Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.LabServices/labPlans/createLab/action | Create a new lab from a lab plan. |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you create new labs under your Azure Lab Accounts.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
"name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.LabServices/labAccounts/*/read",
"Microsoft.LabServices/labAccounts/createLab/action",
"Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
"Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.LabServices/labPlans/images/read",
"Microsoft.LabServices/labPlans/read",
"Microsoft.LabServices/labPlans/saveImage/action",
"Microsoft.LabServices/labs/read",
"Microsoft.LabServices/labs/schedules/read",
"Microsoft.LabServices/labs/users/read",
"Microsoft.LabServices/labs/virtualMachines/read",
"Microsoft.LabServices/locations/usages/read",
"Microsoft.LabServices/skus/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.LabServices/labPlans/createLab/action"
],
"notDataActions": []
}
],
"roleName": "Lab Creator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring
Application Insights Component Contributor
Can manage Application Insights components. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic alert rules |
Microsoft.Insights/generateLiveToken/read | Live Metrics get token |
Microsoft.Insights/metricAlerts/* | Create and manage new alert rules |
Microsoft.Insights/components/* | Create and manage Insights components |
Microsoft.Insights/scheduledqueryrules/* | |
Microsoft.Insights/topology/read | Read topology |
Microsoft.Insights/transactions/read | Read transactions |
Microsoft.Insights/webtests/* | Create and manage Insights web tests |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can manage Application Insights components",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
"name": "ae349356-3a1b-4a5e-921d-050484c6347e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/generateLiveToken/read",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/topology/read",
"Microsoft.Insights/transactions/read",
"Microsoft.Insights/webtests/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Component Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Application Insights Snapshot Debugger
Gives the user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. To give a user the Application Insights Snapshot Debugger role, you must assign this role to the user directly; the role is not recognized when it is added to a custom role. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/components/*/read | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Gives user permission to use Application Insights Snapshot Debugger features",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
"name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Snapshot Debugger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Contributor
Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. Learn more
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.AlertsManagement/alerts/* | |
Microsoft.AlertsManagement/alertsSummary/* | |
Microsoft.Insights/actiongroups/* | |
Microsoft.Insights/activityLogAlerts/* | |
Microsoft.Insights/AlertRules/* | Create and manage a classic metric alert |
Microsoft.Insights/components/* | Create and manage Insights components |
Microsoft.Insights/createNotifications/* | |
Microsoft.Insights/dataCollectionEndpoints/* | |
Microsoft.Insights/dataCollectionRules/* | |
Microsoft.Insights/dataCollectionRuleAssociations/* | |
Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.Insights/eventtypes/* | List Activity Log events (management events) in a subscription. This permission applies to both programmatic and portal access to the Activity Log. |
Microsoft.Insights/LogDefinitions/* | This permission is required for users who need access to the Activity Log via the portal. Lists log categories in the Activity Log. |
Microsoft.Insights/metricalerts/* | |
Microsoft.Insights/MetricDefinitions/* | Read metric definitions (the list of available metric types for a resource). |
Microsoft.Insights/Metrics/* | Read metrics for a resource. |
Microsoft.Insights/notificationStatus/* | |
Microsoft.Insights/Register/Action | Register the Microsoft Insights provider |
Microsoft.Insights/scheduledqueryrules/* | |
Microsoft.Insights/webtests/* | Create and manage Insights web tests |
Microsoft.Insights/workbooks/* | |
Microsoft.Insights/workbooktemplates/* | |
Microsoft.Insights/privateLinkScopes/* | |
Microsoft.Insights/privateLinkScopeOperationStatuses/* | |
Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer ID of the existing workspace. |
Microsoft.OperationalInsights/workspaces/intelligencepacks/* | Read/write/delete Log Analytics solution packs. |
Microsoft.OperationalInsights/workspaces/savedSearches/* | Read/write/delete Log Analytics saved searches. |
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
Microsoft.OperationalInsights/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* | Read/write/delete Log Analytics storage insight configurations. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.WorkloadMonitor/monitors/* | Get information about guest VM health monitors. |
Microsoft.AlertsManagement/smartDetectorAlertRules/* | |
Microsoft.AlertsManagement/actionRules/* | |
Microsoft.AlertsManagement/smartGroups/* | |
Microsoft.AlertsManagement/migrateFromSmartDetection/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data and update monitoring settings.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.AlertsManagement/alerts/*",
"Microsoft.AlertsManagement/alertsSummary/*",
"Microsoft.Insights/actiongroups/*",
"Microsoft.Insights/activityLogAlerts/*",
"Microsoft.Insights/AlertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/createNotifications/*",
"Microsoft.Insights/dataCollectionEndpoints/*",
"Microsoft.Insights/dataCollectionRules/*",
"Microsoft.Insights/dataCollectionRuleAssociations/*",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/eventtypes/*",
"Microsoft.Insights/LogDefinitions/*",
"Microsoft.Insights/metricalerts/*",
"Microsoft.Insights/MetricDefinitions/*",
"Microsoft.Insights/Metrics/*",
"Microsoft.Insights/notificationStatus/*",
"Microsoft.Insights/Register/Action",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/webtests/*",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/workbooktemplates/*",
"Microsoft.Insights/privateLinkScopes/*",
"Microsoft.Insights/privateLinkScopeOperationStatuses/*",
"Microsoft.OperationalInsights/workspaces/write",
"Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
"Microsoft.Support/*",
"Microsoft.WorkloadMonitor/monitors/*",
"Microsoft.AlertsManagement/smartDetectorAlertRules/*",
"Microsoft.AlertsManagement/actionRules/*",
"Microsoft.AlertsManagement/smartGroups/*",
"Microsoft.AlertsManagement/migrateFromSmartDetection/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Metrics Publisher
Enables publishing metrics against Azure resources. Learn more
Actions | Description |
---|---|
Microsoft.Insights/Register/Action | Register the Microsoft Insights provider |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
NotActions | |
none | |
DataActions | |
Microsoft.Insights/Metrics/Write | Write metrics |
Microsoft.Insights/Telemetry/Write | Write telemetry |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Enables publishing metrics against Azure resources",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
"name": "3913510d-42f4-4e42-8a64-420c390055eb",
"permissions": [
{
"actions": [
"Microsoft.Insights/Register/Action",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Insights/Metrics/Write",
"Microsoft.Insights/Telemetry/Write"
],
"notDataActions": []
}
],
"roleName": "Monitoring Metrics Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Reader
Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. Learn more
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Workbook Contributor
Can save shared workbooks. Learn more
Actions | Description |
---|---|
Microsoft.Insights/workbooks/write | Create or update a workbook |
Microsoft.Insights/workbooks/delete | Delete a workbook |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/workbooktemplates/write | Create or update a workbook template |
Microsoft.Insights/workbooktemplates/delete | Delete a workbook template |
Microsoft.Insights/workbooktemplates/read | Read a workbook template |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can save shared workbooks.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
"name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
"permissions": [
{
"actions": [
"Microsoft.Insights/workbooks/write",
"Microsoft.Insights/workbooks/delete",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/workbooktemplates/write",
"Microsoft.Insights/workbooktemplates/delete",
"Microsoft.Insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Workbook Reader
Can read workbooks. Learn more
Actions | Description |
---|---|
microsoft.insights/workbooks/read | Read a workbook |
microsoft.insights/workbooktemplates/read | Read a workbook template |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read workbooks.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
"name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
"permissions": [
{
"actions": [
"microsoft.insights/workbooks/read",
"microsoft.insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Management and governance
Automation Contributor
Manage Azure Automation resources and other resources using Azure Automation. Learn more
Actions | Description |
---|---|
Microsoft.Automation/automationAccounts/* | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Insights/ActionGroups/* | |
Microsoft.Insights/ActivityLogAlerts/* | |
Microsoft.Insights/MetricAlerts/* | |
Microsoft.Insights/ScheduledQueryRules/* | |
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
Microsoft.OperationalInsights/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Manage azure automation resources and other resources using azure automation.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867",
"name": "f353d9bd-d4a6-484e-a77a-8050b599b867",
"permissions": [
{
"actions": [
"Microsoft.Automation/automationAccounts/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/ActionGroups/*",
"Microsoft.Insights/ActivityLogAlerts/*",
"Microsoft.Insights/MetricAlerts/*",
"Microsoft.Insights/ScheduledQueryRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Automation Job Operator
Create and manage jobs using Automation runbooks. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker group |
Microsoft.Automation/automationAccounts/jobs/read | Gets an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/resume/action | Resumes an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/stop/action | Stops an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream |
Microsoft.Automation/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/write | Creates an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/output/read | Gets the output of a job |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Create and Manage Jobs using Automation Runbooks.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
"name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
"Microsoft.Automation/automationAccounts/jobs/read",
"Microsoft.Automation/automationAccounts/jobs/resume/action",
"Microsoft.Automation/automationAccounts/jobs/stop/action",
"Microsoft.Automation/automationAccounts/jobs/streams/read",
"Microsoft.Automation/automationAccounts/jobs/suspend/action",
"Microsoft.Automation/automationAccounts/jobs/write",
"Microsoft.Automation/automationAccounts/jobs/output/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Job Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Automation Operator
Automation Operators are able to start, stop, suspend, and resume jobs. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker group |
Microsoft.Automation/automationAccounts/jobs/read | Gets an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/resume/action | Resumes an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/stop/action | Stops an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream |
Microsoft.Automation/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job |
Microsoft.Automation/automationAccounts/jobs/write | Creates an Azure Automation job |
Microsoft.Automation/automationAccounts/jobSchedules/read | Gets an Azure Automation job schedule |
Microsoft.Automation/automationAccounts/jobSchedules/write | Creates an Azure Automation job schedule |
Microsoft.Automation/automationAccounts/linkedWorkspace/read | Gets the workspace linked to the Automation account |
Microsoft.Automation/automationAccounts/read | Gets an Azure Automation account |
Microsoft.Automation/automationAccounts/runbooks/read | Gets an Azure Automation runbook |
Microsoft.Automation/automationAccounts/schedules/read | Gets an Azure Automation schedule asset |
Microsoft.Automation/automationAccounts/schedules/write | Creates or updates an Azure Automation schedule asset |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Automation/automationAccounts/jobs/output/read | Gets the output of a job |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Automation Operators are able to start, stop, suspend, and resume jobs",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
"name": "d3881f73-407a-4167-8283-e981cbba0404",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
"Microsoft.Automation/automationAccounts/jobs/read",
"Microsoft.Automation/automationAccounts/jobs/resume/action",
"Microsoft.Automation/automationAccounts/jobs/stop/action",
"Microsoft.Automation/automationAccounts/jobs/streams/read",
"Microsoft.Automation/automationAccounts/jobs/suspend/action",
"Microsoft.Automation/automationAccounts/jobs/write",
"Microsoft.Automation/automationAccounts/jobSchedules/read",
"Microsoft.Automation/automationAccounts/jobSchedules/write",
"Microsoft.Automation/automationAccounts/linkedWorkspace/read",
"Microsoft.Automation/automationAccounts/read",
"Microsoft.Automation/automationAccounts/runbooks/read",
"Microsoft.Automation/automationAccounts/schedules/read",
"Microsoft.Automation/automationAccounts/schedules/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Automation/automationAccounts/jobs/output/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Automation Runbook Operator
Read runbook properties, so that jobs of the runbook can be created. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Automation/automationAccounts/runbooks/read | Gets an Azure Automation runbook |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read Runbook properties - to be able to create Jobs of the runbook.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
"name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Automation/automationAccounts/runbooks/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Runbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Enabled Kubernetes Cluster User Role
List cluster user credentials action.
Actions | Description |
---|---|
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action | List clusterUser credential (preview) |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | List clusterUser credential |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",
"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Admin
Lets you manage all resources under a cluster/namespace, except updating or deleting resource quotas and namespaces. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* | |
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Cluster Admin
Lets you manage all resources in the cluster. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
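The roles in this section are a good place to see how the four permission lists combine, and which of them hand out reusable credentials: Monitoring Contributor and Automation Contributor both carry `Microsoft.OperationalInsights/workspaces/sharedKeys/action`, the Azure Arc Enabled Kubernetes Cluster User Role carries `listClusterUserCredential/action`, and the Azure Arc Kubernetes Admin and Cluster Admin roles reach Kubernetes secrets through DataActions, which the Azure Arc Kubernetes Viewer deliberately omits. The following Python is an added example, not Microsoft's code and not part of this page: it applies the Actions/NotActions/DataActions/NotDataActions rules to role definitions in the same JSON shape used here, then reports which roles permit a credential-returning operation. Assumptions: `*` matches any run of characters including `/`, comparison is case-insensitive, and each role has a single permissions block (true of every built-in role on this page). The role copies are condensed to the entries the evaluator needs, and the "VM Reader minus sizes" role is constructed here to show NotActions subtraction; it is not a built-in role.

```python
"""Offline evaluator for Azure RBAC role definitions (added example, not Microsoft code)."""
import re


def _to_regex(pattern: str):
    """Turn an RBAC operation pattern such as 'Microsoft.Insights/*' into an anchored regex.
    '*' is the only wildcard and it matches across '/' segments."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.lower().split("*")) + "$")


def _matches_any(patterns, operation: str) -> bool:
    op = operation.lower()
    return any(_to_regex(p).match(op) for p in patterns)


def is_permitted(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True if `role` grants `operation`. Data-plane operations are satisfied only by
    DataActions: a control-plane wildcard such as '*/read' never reaches the data plane.
    Assumes a single permissions block, as every built-in role on this page has."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    perm = role["permissions"][0]
    return _matches_any(perm.get(allow, []), operation) and not _matches_any(perm.get(deny, []), operation)


def role(name, actions=(), not_actions=(), data_actions=(), not_data_actions=()) -> dict:
    """Build a role dict in the shape of the roleDefinitions JSON on this page."""
    return {"roleName": name, "permissions": [{
        "actions": list(actions), "notActions": list(not_actions),
        "dataActions": list(data_actions), "notDataActions": list(not_data_actions)}]}


# Condensed copies of definitions on this page (entries irrelevant to the checks dropped).
MONITORING_READER = role("Monitoring Reader",
    actions=["*/read", "Microsoft.OperationalInsights/workspaces/search/action", "Microsoft.Support/*"])
MONITORING_CONTRIBUTOR = role("Monitoring Contributor",
    actions=["*/read", "Microsoft.Insights/Metrics/*",
             "Microsoft.OperationalInsights/workspaces/sharedKeys/action"])
AUTOMATION_CONTRIBUTOR = role("Automation Contributor",
    actions=["Microsoft.Automation/automationAccounts/*",
             "Microsoft.OperationalInsights/workspaces/sharedKeys/action"])
ARC_K8S_CLUSTER_USER = role("Azure Arc Enabled Kubernetes Cluster User Role",
    actions=["Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"])
ARC_K8S_VIEWER = role("Azure Arc Kubernetes Viewer",
    data_actions=["Microsoft.Kubernetes/connectedClusters/pods/read",
                  "Microsoft.Kubernetes/connectedClusters/configmaps/read"])
ARC_K8S_ADMIN = role("Azure Arc Kubernetes Admin",
    data_actions=["Microsoft.Kubernetes/connectedClusters/pods/*",
                  "Microsoft.Kubernetes/connectedClusters/secrets/*",
                  "Microsoft.Kubernetes/connectedClusters/namespaces/read"])
ARC_K8S_CLUSTER_ADMIN = role("Azure Arc Kubernetes Cluster Admin",
    data_actions=["Microsoft.Kubernetes/connectedClusters/*"])
# Constructed custom role (not on this page) used only to show NotActions subtraction.
VM_READER_NO_SIZES = role("VM Reader minus sizes (constructed)",
    actions=["Microsoft.Compute/virtualMachines/*/read"],
    not_actions=["Microsoft.Compute/virtualMachines/vmSizes/read"])

PAGE_ROLES = [MONITORING_READER, MONITORING_CONTRIBUTOR, AUTOMATION_CONTRIBUTOR,
              ARC_K8S_CLUSTER_USER, ARC_K8S_VIEWER, ARC_K8S_ADMIN, ARC_K8S_CLUSTER_ADMIN]

# Operations on this page whose result is a reusable credential or a Kubernetes secret.
# (operation, is_data_plane)
CREDENTIAL_OPERATIONS = [
    ("Microsoft.Storage/storageAccounts/listKeys/action", False),
    ("Microsoft.OperationalInsights/workspaces/sharedKeys/action", False),
    ("Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action", False),
    ("Microsoft.Kubernetes/connectedClusters/secrets/read", True),
]


def credential_exposure(roles) -> dict:
    """Map each role name to the credential-returning operations it permits."""
    report = {}
    for r in roles:
        hits = [op for op, data in CREDENTIAL_OPERATIONS if is_permitted(r, op, data)]
        if hits:
            report[r["roleName"]] = hits
    return report


if __name__ == "__main__":
    for name, ops in credential_exposure(PAGE_ROLES).items():
        print(f"{name}: {', '.join(ops)}")
```

Two things the run makes visible that the tables alone do not: Monitoring Reader's `*/read` grants `Microsoft.KeyVault/vaults/read` (a control-plane read) but does not grant any data-plane `.../read`, so it never reaches a Kubernetes secret or a storage blob; and a wildcard in DataActions (`secrets/*`, `connectedClusters/*`) is what separates the two Arc admin roles from the Viewer, which only lists the reads it wants. The same evaluator can be pointed at a real export by loading the JSON from `az role definition list` into the `role` shape.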
Azure Arc Kubernetes Viewer
Lets you view all resources in a cluster/namespace, except secrets. Learn more
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read | Reads daemonsets |
Microsoft.Kubernetes/connectedClusters/apps/deployments/read | Reads deployments |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read | Reads replicasets |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read | Reads statefulsets |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read | Reads cronjobs |
Microsoft.Kubernetes/connectedClusters/batch/jobs/read | Reads jobs |
Microsoft.Kubernetes/connectedClusters/configmaps/read | Reads configmaps |
Microsoft.Kubernetes/connectedClusters/endpoints/read | Reads endpoints |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read | Reads daemonsets |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read | Reads deployments |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read | Reads ingresses |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read | Reads networkpolicies |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read | Reads replicasets |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
Microsoft.Kubernetes/connectedClusters/pods/read | Reads pods |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read | Reads replicationcontrollers |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read | Reads serviceaccounts |
Microsoft.Kubernetes/connectedClusters/services/read | Reads services |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except secrets.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Writer
Lets you update everything in the cluster/namespace, except (cluster)roles and (cluster)role bindings.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Create or update a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/apps/deployments/* | |
Microsoft.Kubernetes/connectedClusters/apps/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* | |
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* | |
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* | |
Microsoft.Kubernetes/connectedClusters/batch/jobs/* | |
Microsoft.Kubernetes/connectedClusters/configmaps/* | |
Microsoft.Kubernetes/connectedClusters/endpoints/* | |
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/events/read | Reads events |
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* | |
Microsoft.Kubernetes/connectedClusters/extensions/deployments/* | |
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* | |
Microsoft.Kubernetes/connectedClusters/limitranges/read | Reads limitranges |
Microsoft.Kubernetes/connectedClusters/namespaces/read | Reads namespaces |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* | |
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* | |
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* | |
Microsoft.Kubernetes/connectedClusters/pods/* | |
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* | |
Microsoft.Kubernetes/connectedClusters/resourcequotas/read | Reads resourcequotas |
Microsoft.Kubernetes/connectedClusters/secrets/* | |
Microsoft.Kubernetes/connectedClusters/serviceaccounts/* | |
Microsoft.Kubernetes/connectedClusters/services/* | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",
"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Connected Machine Onboarding
Can onboard Azure Connected Machines.
Actions | Description |
---|---|
Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines |
Microsoft.HybridCompute/privateLinkScopes/read | Read any Azure Arc privateLinkScopes |
Microsoft.GuestConfiguration/guestConfigurationAssignments/read | Get guest configuration assignment. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can onboard Azure Connected Machines.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
"name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/privateLinkScopes/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected Machine Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Connected Machine Resource Administrator
Can read, write, delete and re-onboard Azure Connected Machines.
Actions | Description |
---|---|
Microsoft.HybridCompute/machines/read | Read any Azure Arc machines |
Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines |
Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machines |
Microsoft.HybridCompute/machines/UpgradeExtensions/action | Upgrades Extensions on Azure Arc machines |
Microsoft.HybridCompute/machines/extensions/read | Reads any Azure Arc extensions |
Microsoft.HybridCompute/machines/extensions/write | Installs or Updates an Azure Arc extensions |
Microsoft.HybridCompute/machines/extensions/delete | Deletes an Azure Arc extensions |
Microsoft.HybridCompute/privateLinkScopes/* | |
Microsoft.HybridCompute/*/read | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can read, write, delete and re-onboard Azure Connected Machines.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
"name": "cd570a14-e51a-42ad-bac8-bafd67325302",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/privateLinkScopes/*",
"Microsoft.HybridCompute/*/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected Machine Resource Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Billing Reader
Allows read access to billing data.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Billing/*/read | Read Billing information |
Microsoft.Commerce/*/read | |
Microsoft.Consumption/*/read | |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.CostManagement/*/read | |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows read access to billing data",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
"name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Billing Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Blueprint Contributor
Can manage blueprint definitions, but not assign them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Blueprint/blueprints/* | Create and manage blueprint definitions or blueprint artifacts. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can manage blueprint definitions, but not assign them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
"name": "41077137-e803-4205-871c-5a86e6a753b4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Blueprint/blueprints/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Blueprint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Blueprint Operator
Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Blueprint/blueprintAssignments/* | Create and manage blueprint assignments. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
"name": "437d2ced-4a38-4302-8479-ed2bcb43d090",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Blueprint/blueprintAssignments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Blueprint Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cost Management Contributor
Can view costs and manage cost configuration (e.g. budgets, exports).
Actions | Description |
---|---|
Microsoft.Consumption/* | |
Microsoft.CostManagement/* | |
Microsoft.Billing/billingPeriods/read | |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Advisor/configurations/read | Get configurations |
Microsoft.Advisor/recommendations/read | Reads recommendations |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Billing/billingProperty/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can view costs and manage cost configuration (e.g. budgets, exports)",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
"name": "434105ed-43f6-45c7-a02f-909b2ba83430",
"permissions": [
{
"actions": [
"Microsoft.Consumption/*",
"Microsoft.CostManagement/*",
"Microsoft.Billing/billingPeriods/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Billing/billingProperty/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cost Management Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cost Management Reader
Can view cost data and configuration (e.g. budgets, exports).
Actions | Description |
---|---|
Microsoft.Consumption/*/read | |
Microsoft.CostManagement/*/read | |
Microsoft.Billing/billingPeriods/read | |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
Microsoft.Advisor/configurations/read | Get configurations |
Microsoft.Advisor/recommendations/read | Reads recommendations |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Billing/billingProperty/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can view cost data and configuration (e.g. budgets, exports)",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
"name": "72fafb9e-0641-4937-9268-a91bfd8191a3",
"permissions": [
{
"actions": [
"Microsoft.Consumption/*/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/billingPeriods/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Billing/billingProperty/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cost Management Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Hierarchy Settings Administrator
Allows users to edit and delete Hierarchy Settings.
Actions | Description |
---|---|
Microsoft.Management/managementGroups/settings/write | Creates or updates management group hierarchy settings. |
Microsoft.Management/managementGroups/settings/delete | Deletes management group hierarchy settings. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows users to edit and delete Hierarchy Settings",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
"name": "350f8d15-c687-4448-8ae1-157740a3936d",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/settings/write",
"Microsoft.Management/managementGroups/settings/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Hierarchy Settings Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Cluster - Azure Arc Onboarding
Role definition that authorizes any user/service to create connectedClusters resources.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/write | Create or update a deployment. |
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters |
Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create connectedClusters resource",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Kubernetes Extension Contributor
Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource. |
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource. |
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets Async Operation status. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Application Contributor Role
Allows for creating managed application resources.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.Solutions/applications/* | |
Microsoft.Solutions/register/action | Register to Solutions. |
Microsoft.Resources/subscriptions/resourceGroups/* | |
Microsoft.Resources/deployments/* | Create and manage a deployment |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows for creating managed application resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
"name": "641177b8-a67a-45b9-a033-47bc880bb21e",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Solutions/applications/*",
"Microsoft.Solutions/register/action",
"Microsoft.Resources/subscriptions/resourceGroups/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Application Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Application Operator Role
Lets you read and perform actions on Managed Application resources.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.Solutions/applications/read | Retrieves a list of applications. |
Microsoft.Solutions/*/action | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and perform actions on Managed Application resources",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
"name": "c7393b34-138c-406f-901b-d8cf2b17e6ae",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Solutions/applications/read",
"Microsoft.Solutions/*/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Application Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Applications Reader
Lets you read resources in a managed app and request JIT access.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Solutions/jitRequests/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you read resources in a managed app and request JIT access.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
"name": "b9331d33-8a36-4f8c-b097-4f54124fdb44",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Solutions/jitRequests/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Applications Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Services Registration assignment Delete Role
The Managed Services Registration Assignment Delete Role allows users in the managing tenant to delete the registration assignment assigned to their tenant.
Actions | Description |
---|---|
Microsoft.ManagedServices/registrationAssignments/read | Retrieves a list of Managed Services registration assignments. |
Microsoft.ManagedServices/registrationAssignments/delete | Removes Managed Services registration assignment. |
Microsoft.ManagedServices/operationStatuses/read | Reads the operation status for the resource. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
"name": "91c1777a-f3dc-4fae-b103-61d183457e46",
"permissions": [
{
"actions": [
"Microsoft.ManagedServices/registrationAssignments/read",
"Microsoft.ManagedServices/registrationAssignments/delete",
"Microsoft.ManagedServices/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Services Registration assignment Delete Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Management Group Contributor
Management Group Contributor Role.
Actions | Description |
---|---|
Microsoft.Management/managementGroups/delete | Delete management group. |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Management/managementGroups/subscriptions/delete | De-associates subscription from the management group. |
Microsoft.Management/managementGroups/subscriptions/write | Associates existing subscription with the management group. |
Microsoft.Management/managementGroups/write | Create or update a management group. |
Microsoft.Management/managementGroups/subscriptions/read | Lists subscriptions under the given management group. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Management Group Contributor Role",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
"name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/delete",
"Microsoft.Management/managementGroups/read",
"Microsoft.Management/managementGroups/subscriptions/delete",
"Microsoft.Management/managementGroups/subscriptions/write",
"Microsoft.Management/managementGroups/write",
"Microsoft.Management/managementGroups/subscriptions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Management Group Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Management Group Reader
Management Group Reader Role.
Actions | Description |
---|---|
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Management/managementGroups/subscriptions/read | Lists subscriptions under the given management group. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Management Group Reader Role",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
"name": "ac63b705-f282-497d-ac71-919bf39d939d",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/read",
"Microsoft.Management/managementGroups/subscriptions/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Management Group Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
New Relic APM Account Contributor
Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NewRelic.APM/accounts/* | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
"name": "5d28c62d-5b37-4476-8438-e587778df237",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"NewRelic.APM/accounts/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "New Relic APM Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Policy Insights Data Writer (Preview)
Allows read access to resource policies and write access to resource component policy events.
Actions | Description |
---|---|
Microsoft.Authorization/policyassignments/read | Get information about a policy assignment. |
Microsoft.Authorization/policydefinitions/read | Get information about a policy definition. |
Microsoft.Authorization/policyexemptions/read | Get information about a policy exemption. |
Microsoft.Authorization/policysetdefinitions/read | Get information about a policy set definition. |
NotActions | |
None | |
DataActions | |
Microsoft.PolicyInsights/checkDataPolicyCompliance/action | Check the compliance status of a given component against data policies. |
Microsoft.PolicyInsights/policyEvents/logDataEvents/action | Log the resource component policy events. |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Allows read access to resource policies and write access to resource component policy events.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
"name": "66bb4e9e-b016-4a94-8249-4c0511c2be84",
"permissions": [
{
"actions": [
"Microsoft.Authorization/policyassignments/read",
"Microsoft.Authorization/policydefinitions/read",
"Microsoft.Authorization/policyexemptions/read",
"Microsoft.Authorization/policysetdefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
"Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
],
"notDataActions": []
}
],
"roleName": "Policy Insights Data Writer (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Quota Request Operator
Read and create quota requests, get quota request status, and create support tickets.
Actions | Description |
---|---|
Microsoft.Capacity/resourceProviders/locations/serviceLimits/read | Get the current service limit or quota of the specified resource and location |
Microsoft.Capacity/resourceProviders/locations/serviceLimits/write | Create service limit or quota for the specified resource and location |
Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read | Get any service limit request for the specified resource and location |
Microsoft.Capacity/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Read and create quota requests, get quota request status, and create support tickets.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125",
"name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125",
"permissions": [
{
"actions": [
"Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
"Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",
"Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
"Microsoft.Capacity/register/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Quota Request Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reservation Purchaser
Lets you purchase reservations
Actions | Description |
---|---|
Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
Microsoft.Capacity/catalogs/read | Read the catalog of Reservations |
Microsoft.Capacity/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources. |
Microsoft.Compute/register/action | Registers the subscription with the Microsoft.Compute resource provider |
Microsoft.Consumption/register/action | Register with the Consumption RP |
Microsoft.Consumption/reservationRecommendationDetails/read | List Reservation Recommendation Details |
Microsoft.Consumption/reservationRecommendations/read | List single or shared recommendations for Reserved Instances for a subscription. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.SQL/register/action | Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases. |
Microsoft.Support/supporttickets/write | Allows creating and updating a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you purchase reservations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689",
"name": "f7b75c60-3036-4b75-91c3-6b41c27c1689",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Capacity/catalogs/read",
"Microsoft.Capacity/register/action",
"Microsoft.Compute/register/action",
"Microsoft.Consumption/register/action",
"Microsoft.Consumption/reservationRecommendationDetails/read",
"Microsoft.Consumption/reservationRecommendations/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SQL/register/action",
"Microsoft.Support/supporttickets/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservation Purchaser",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Resource Policy Contributor
Users with rights to create/modify resource policy, create support tickets, and read resources/hierarchy.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
Microsoft.Authorization/policyassignments/* | Create and manage policy assignments |
Microsoft.Authorization/policydefinitions/* | Create and manage policy definitions |
Microsoft.Authorization/policyexemptions/* | Create and manage policy exemptions |
Microsoft.Authorization/policysetdefinitions/* | Create and manage policy sets |
Microsoft.PolicyInsights/* | |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
"name": "36243c78-bf99-498c-9df9-86d9f8d28608",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/policyassignments/*",
"Microsoft.Authorization/policydefinitions/*",
"Microsoft.Authorization/policyexemptions/*",
"Microsoft.Authorization/policysetdefinitions/*",
"Microsoft.PolicyInsights/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Resource Policy Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Site Recovery Contributor
Lets you manage the Site Recovery service except for vault creation and role assignment.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service |
Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is an internal operation used by the service |
Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to the vault |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/refreshContainers/read | |
Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
Microsoft.RecoveryServices/vaults/replicationAlertSettings/* | Create or update replication alert settings |
Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events |
Microsoft.RecoveryServices/vaults/replicationFabrics/* | Create and manage replication fabrics |
Microsoft.RecoveryServices/vaults/replicationJobs/* | Create and manage replication jobs |
Microsoft.RecoveryServices/vaults/replicationPolicies/* | Create and manage replication policies |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* | Create and manage recovery plans |
Microsoft.RecoveryServices/vaults/replicationVaultSettings/* | |
Microsoft.RecoveryServices/Vaults/storageConfig/* | Create and manage the storage configuration of the Recovery Services vault |
Microsoft.RecoveryServices/Vaults/tokenInfo/read | |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get a vault token for vault-level backend operations. |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* | Read alerts for the Recovery Services vault |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read | |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.RecoveryServices/vaults/replicationOperationStatus/read | Read any vault replication operation status |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Site Recovery service except vault creation and role assignment",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
"name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/locations/allocateStamp/action",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
"Microsoft.RecoveryServices/vaults/replicationEvents/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/*",
"Microsoft.RecoveryServices/vaults/replicationJobs/*",
"Microsoft.RecoveryServices/vaults/replicationPolicies/*",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
"Microsoft.RecoveryServices/vaults/replicationVaultSettings/*",
"Microsoft.RecoveryServices/Vaults/storageConfig/*",
"Microsoft.RecoveryServices/Vaults/tokenInfo/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/vaultTokens/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/vaults/replicationOperationStatus/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Site Recovery Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Site Recovery Operator
Lets you fail over and fail back, but not perform other Site Recovery management operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service |
Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is an internal operation used by the service |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/refreshContainers/read | |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read | Read any Alert Settings |
Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events |
Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action | Checks consistency of the Fabric |
Microsoft.RecoveryServices/vaults/replicationFabrics/read | Read any Fabrics |
Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action | Reassociate Gateway |
Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action | Renew Certificate for Fabric |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read | Read any Networks |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action | Apply Recovery Point |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action | Failover Commit |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action | Planned Failover |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action | Repair replication |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action | ReProtect Protected Item |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action | Switch Protection Container |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action | Test Failover |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action | Test Failover Cleanup |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action | Failover |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action | Update Mobility Service |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action | Refresh Provider |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters |
Microsoft.RecoveryServices/vaults/replicationJobs/* | Create and manage replication jobs |
Microsoft.RecoveryServices/vaults/replicationPolicies/read | Read any Policies |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action | Failover Commit Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action | Planned Failover Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read | Read any Recovery Plans |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action | ReProtect Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action | Test Failover Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action | Test Failover Cleanup Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action | Failover Recovery Plan |
Microsoft.RecoveryServices/vaults/replicationVaultSettings/read | Read any |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* | Read alerts for the Recovery Services vault |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read | |
Microsoft.RecoveryServices/Vaults/storageConfig/read | |
Microsoft.RecoveryServices/Vaults/tokenInfo/read | |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get a vault token for vault-level backend operations. |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you failover and failback but not perform other Site Recovery management operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
"name": "494ae006-db33-4328-bf46-533a6560a3ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/locations/allocateStamp/action",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
"Microsoft.RecoveryServices/vaults/replicationEvents/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
"Microsoft.RecoveryServices/vaults/replicationJobs/*",
"Microsoft.RecoveryServices/vaults/replicationPolicies/read",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
"Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
"Microsoft.RecoveryServices/Vaults/storageConfig/read",
"Microsoft.RecoveryServices/Vaults/tokenInfo/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/vaultTokens/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Site Recovery Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Site Recovery Reader
Lets you view Site Recovery status, but not perform other management operations.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read | |
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
Microsoft.RecoveryServices/Vaults/refreshContainers/read | |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read | Read any Alert Settings |
Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events |
Microsoft.RecoveryServices/vaults/replicationFabrics/read | Read any Fabrics |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read | Read any Networks |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings |
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters |
Microsoft.RecoveryServices/vaults/replicationJobs/read | Read any Jobs |
Microsoft.RecoveryServices/vaults/replicationPolicies/read | Read any Policies |
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read | Read any Recovery Plans |
Microsoft.RecoveryServices/vaults/replicationVaultSettings/read | Read any |
Microsoft.RecoveryServices/Vaults/storageConfig/read | |
Microsoft.RecoveryServices/Vaults/tokenInfo/read | |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault. |
Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get a vault token for vault-level backend operations. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you view Site Recovery status but not perform other management operations",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
"name": "dbaa88c4-0c30-4179-9fb3-46319faa6149",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
"Microsoft.RecoveryServices/vaults/replicationEvents/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
"Microsoft.RecoveryServices/vaults/replicationJobs/read",
"Microsoft.RecoveryServices/vaults/replicationPolicies/read",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
"Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
"Microsoft.RecoveryServices/Vaults/storageConfig/read",
"Microsoft.RecoveryServices/Vaults/tokenInfo/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/vaultTokens/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Site Recovery Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Support Request Contributor
Lets you create and manage support requests.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you create and manage Support requests",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
"name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Support Request Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Tag Contributor
Lets you manage tags on entities without providing access to the entities themselves.
Actions |
---|