Azure built-in roles

Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.

This article lists the Azure built-in roles. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles.

The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the management and data planes, see Understand Azure role definitions. Note that NotActions and NotDataActions only narrow what the same role definition grants; they are not deny rules, so a principal that also holds a second role granting the excluded operation can still perform it. Control-plane Actions (including "*") never grant data-plane operations; those come only from DataActions.


Built-in role | Description | ID
General
Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c
Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7
User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
Compute
Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb
Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4
Virtual Machine Contributor | Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52
Networking
CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45
CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd
CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432
CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af
Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f
DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314
Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7
Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f
Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7
Storage
Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a
Avere Operator | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9
Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b
Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324
Backup Reader | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912
Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d
Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5
Data Box Reader | Lets you manage Data Box Service except creating orders, editing order details, and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027
Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs, but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88
Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349
Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab
Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12
Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | ba92f5b4-2d11-453d-a403-e96b0029c9fe
Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | b7e6dc6d-f1e8-4753-8033-0f276bb0955b
Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS | db58b8e5-c6ad-4a2a-8342-4190687cbf4a
Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb
Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7
Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314
Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | 974c5e8b-45b9-4653-ba55-5f855dd0fb88
Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | 8a0f0c08-91a1-4084-bc3d-661d67233fed
Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a
Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations | 19e7f393-937e-4f77-808e-94535e297925
Web
Azure Maps Data Contributor | Grants read, write, and delete access to map-related data from an Azure Maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204
Azure Maps Data Reader | Grants read access to map-related data from an Azure Maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa
Azure Spring Cloud Data Reader | Allows read access to Azure Spring Cloud data | b5537268-8956-4941-a8f0-646150406f0c
Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0
SignalR AccessKey Reader | Read SignalR Service access keys | 04165923-9d83-45d5-8227-78b77b0a687e
SignalR App Server (Preview) | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7
SignalR Contributor | Create, read, update, and delete SignalR Service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761
SignalR Serverless Contributor (Preview) | Lets your app access the service in serverless mode with AAD auth options. | fd53cd77-2268-407a-8f46-7e7863d0f521
SignalR Service Owner (Preview) | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3
SignalR Service Reader (Preview) | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035
Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
Website Contributor | Lets you manage websites (not web plans), but not access to them. | de139f84-1756-47ae-9be6-808fbbe84772
Containers
AcrDelete | ACR delete | c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner | ACR image signer | 6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull | ACR pull | 7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush | ACR push | 8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader | ACR quarantine data reader | cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter | ACR quarantine data writer | c8d4ff99-41c3-41a8-9f60-21dfdad59608
Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f
Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7
Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Databases
Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8
Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa
CosmosBackupOperator | Can submit a restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb
CosmosRestoreOperator | Can perform restore actions for Cosmos DB database accounts with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f
DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450
Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17
SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec
SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and the required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d
SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3
SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
Analytics
Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec
Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde
Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975
Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5
Data Purger | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90
HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a
HDInsight Domain Services Contributor | Can read, create, modify, and delete Domain Services related operations needed for the HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c
Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293
Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893
Purview Data Curator | The Purview Data Curator can create, read, modify, and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | 8a3c2885-9b38-4fd2-9d99-91af537c1347
Purview Data Reader | The Purview Data Reader can read catalog data objects. This role is in preview and subject to change. | ff100721-1b9d-43d8-af52-42b69c1272db
Purview Data Source Administrator | The Purview Data Source Administrator can manage data sources and data scans. This role is in preview and subject to change. | 200bba9e-f0c8-430f-892b-6f0794863803
Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25
Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2
Blockchain
Blockchain Member Node Access (Preview) | Allows access to Blockchain Member nodes | 31a002a1-acaf-453e-8a5b-297c9ca1ea24
AI + machine learning
Cognitive Services Contributor | Lets you create, read, update, delete, and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68
Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3
Cognitive Services Custom Vision Deployment | Publish, unpublish, or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f
Cognitive Services Custom Vision Labeler | View and edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c
Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73
Cognitive Services Custom Vision Trainer | View and edit projects and train the models, including the ability to publish, unpublish, and export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b
Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c
Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find-similar operations on the Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following least-privilege best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7
Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system-level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a
Cognitive Services QnA Maker Editor | Lets you create, edit, import, and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025
Cognitive Services QnA Maker Reader | Lets you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126
Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908
Internet of things
IoT Hub Data Contributor | Allows for full access to IoT Hub data-plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f
IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3
IoT Hub Registry Contributor | Allows for full access to the IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47
IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c
Device Update Administrator | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a
Device Update Content Administrator | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98
Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b
Device Update Deployments Administrator | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432
Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f
Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f
Mixed reality
Remote Rendering Administrator | Provides the user with conversion, session management, rendering, and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e
Remote Rendering Client | Provides the user with session management, rendering, and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a
Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827
Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c
Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413
Integration
API Management Service Contributor | Can manage the service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c
API Management Service Operator Role | Can manage the service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role | Read-only access to the service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d
App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b
App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071
Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419
Azure Service Bus Data Receiver | Allows receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0
Azure Service Bus Data Sender | Allows send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39
Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a
EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de
EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443
EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405
FHIR Data Contributor | Role allows a user or principal full access to FHIR data | 5a1fc7df-4bf1-4951-a576-89034ee01acd
FHIR Data Exporter | Role allows a user or principal to read and export FHIR data | 3db33094-8700-4567-8da5-1501d4e7e843
FHIR Data Reader | Role allows a user or principal to read FHIR data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508
FHIR Data Writer | Role allows a user or principal to read and write FHIR data | 3f88fce4-5892-4214-ae73-ba5294559913
Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8
Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts, and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec
Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e
Logic App Contributor | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e
Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe
Identity
Managed Identity Contributor | Create, read, update, and delete user-assigned identities | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
Managed Identity Operator | Read and assign user-assigned identities | f1a07417-d97a-45cb-824c-7a7467783830
Security
Attestation Contributor | Can read, write, or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e
Attestation Reader | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3
Azure Sentinel Automation Contributor | Azure Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a
Azure Sentinel Contributor | Azure Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade
Azure Sentinel Reader | Azure Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb
Azure Sentinel Responder | Azure Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056
Key Vault Administrator | Perform all data-plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985
Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395
Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603
Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6
Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424
Key Vault Reader | Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2
Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7
Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6
Managed HSM Contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d
Security Admin | View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. | fb1c8493-542b-48eb-b624-b4c8fea62acd
Security Assessment Contributor | Lets you push assessments to Security Center | 612c2aa1-cb24-443b-ac28-3ab7272de6f5
Security Manager (Legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10
Security Reader | View permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. | 39bc4728-0917-49c7-9d2c-d95423bc2eb4
DevOps
DevTest Labs User | Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64
Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead
Monitor
Application Insights Component Contributor | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e
Application Insights Snapshot Debugger | Gives the user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b
Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa
Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb
Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05
Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad
Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d
Management and governance
Automation Job Operator | Create and manage jobs using Automation runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f
Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404
Automation Runbook Operator | Read runbook properties, to be able to create jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd
Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96
Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2
Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4
Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster) roles and (cluster) role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1
Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7
Azure Connected Machine Resource Administrator | Can read, write, delete, and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302
Billing Reader | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4
Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090
Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430
Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3
Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d
Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resources | 34e09817-6cbe-4d01-b1a2-e0eac5743d41
Managed Application Contributor Role | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e
Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae
Managed Applications Reader | Lets you read resources in a managed app and request JIT access | b9331d33-8a36-4f8c-b097-4f54124fdb44
Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46
Management Group Contributor | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c
Management Group Reader | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d
New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237
Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84
Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125
Reservation Purchaser | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689
Resource Policy Contributor | Users with rights to create/modify resource policy, create support tickets, and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608
Site Recovery Contributor | Lets you manage the Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567
Site Recovery Operator | Lets you fail over and fail back but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca
Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149
Support Request Contributor | Lets you create and manage support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e
Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f
Other
Azure Digital Twins Data Owner | Full access role for the Digital Twins data plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe
Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3
BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342
Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8
Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55
Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387
Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc
Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822
Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868
Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408
Desktop Virtualization User | Allows users to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63
Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization User Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6
Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b
Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d
Disk Backup Reader | Provides permission to the backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24
Disk Restore Operator | Provides permission to the backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13
Disk Snapshot Contributor | Provides permission to the backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce
Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94
Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b

General

Contributor

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Learn more

Actions | Description
* | Create and manage resources of all types
NotActions | Description
Microsoft.Authorization/*/Delete | Delete roles, policy assignments, policy definitions, and policy set definitions
Microsoft.Authorization/*/Write | Create roles, role assignments, policy assignments, policy definitions, and policy set definitions
Microsoft.Authorization/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope
Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint assignment
Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint assignment
Microsoft.Compute/galleries/share/action | Share a gallery to a different scope
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Owner

Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Learn more

Actions | Description
* | Create and manage resources of all types
NotActions | (none)
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reader

View all resources, but does not allow you to make any changes. Learn more

Actions | Description
*/read | Read resources of all types, except secrets.
NotActions | (none)
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

User Access Administrator

Lets you manage user access to Azure resources. Learn more

Actions | Description
*/read | Read resources of all types, except secrets.
Microsoft.Authorization/* | Manage authorization
Microsoft.Support/* | Create and update a support ticket
NotActions | (none)
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Compute

Classic Virtual Machine Contributor

Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.

Actions | Description
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.ClassicCompute/domainNames/* | Create and manage classic compute domain names
Microsoft.ClassicCompute/virtualMachines/* | Create and manage virtual machines
Microsoft.ClassicNetwork/networkSecurityGroups/join/action |
Microsoft.ClassicNetwork/reservedIps/link/action | Link a reserved IP
Microsoft.ClassicNetwork/reservedIps/read | Gets the reserved IPs
Microsoft.ClassicNetwork/virtualNetworks/join/action | Joins the virtual network.
Microsoft.ClassicNetwork/virtualNetworks/read | Get the virtual network.
Microsoft.ClassicStorage/storageAccounts/disks/read | Returns the storage account disk.
Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages')
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions | (none)
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Administrator Login

View Virtual Machines in the portal and login as administrator. Learn more

Actions | Description
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition
Microsoft.Network/loadBalancers/read | Gets a load balancer definition
Microsoft.Network/networkInterfaces/read | Gets a network interface definition.
Microsoft.Compute/virtualMachines/*/read |
NotActions | (none)
DataActions | Description
Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user
Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as administrator",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
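The evaluation rules the introduction describes (NotActions subtract only within the role that declares them, roles held by one principal are unioned, and control-plane Actions never grant data-plane operations) are easiest to see by running them over the definitions on this page. The following is an added example, not Microsoft's code; it embeds the permission lists of Contributor, Owner, Reader, User Access Administrator, and Virtual Machine Administrator Login exactly as they appear in the JSON on this page and assumes all assignments are at the same scope (scope inheritance and deny assignments are deliberately left out).

```python
"""Evaluate effective Azure RBAC permissions from built-in role definitions.

Added example, not Microsoft's code. Rules implemented, as documented for
Azure role definitions: an operation is allowed if at least one assigned
role lists it in Actions (DataActions for data-plane operations) and that
same role does not list it in NotActions (NotDataActions). Roles are
unioned; NotActions never subtract from another role. Operation names are
case-insensitive, and '*' matches any characters, including '/'.
"""
import fnmatch

# Permission lists copied from the role-definition JSON on this page.
ROLES = {
    "Owner": {
        "actions": ["*"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
        ],
        "dataActions": [], "notDataActions": [],
    },
    "Reader": {
        "actions": ["*/read"], "notActions": [],
        "dataActions": [], "notDataActions": [],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "notActions": [], "dataActions": [], "notDataActions": [],
    },
    "Virtual Machine Administrator Login": {
        "actions": [
            "Microsoft.Network/publicIPAddresses/read",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.Network/loadBalancers/read",
            "Microsoft.Network/networkInterfaces/read",
            "Microsoft.Compute/virtualMachines/*/read",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Compute/virtualMachines/login/action",
            "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        ],
        "notDataActions": [],
    },
}


def matches(operation, patterns):
    """True if any wildcard pattern covers the operation (case-insensitive)."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role, operation, data_plane=False):
    """One role's verdict: in its allow list and not in its own exclusion list."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return matches(operation, role[allow]) and not matches(operation, role[deny])


def is_allowed(assigned_roles, operation, data_plane=False):
    """Union over the principal's role assignments (all assumed at one scope)."""
    return any(role_allows(ROLES[name], operation, data_plane) for name in assigned_roles)


def grants_of(assigned_roles, operations):
    """Verdict for each (operation, is_data_plane) pair, for an access review."""
    return {op: is_allowed(assigned_roles, op, dp) for op, dp in operations}


if __name__ == "__main__":
    checks = [
        ("Microsoft.Authorization/roleAssignments/write", False),
        ("Microsoft.Storage/storageAccounts/listKeys/action", False),
        ("Microsoft.Compute/virtualMachines/loginAsAdmin/action", True),
    ]
    for roles in (["Owner"], ["Contributor"], ["Reader"],
                  ["Contributor", "User Access Administrator"],
                  ["Virtual Machine Administrator Login"]):
        print(roles, grants_of(roles, checks))
```

Two results are worth noting for access reviews: Contributor plus User Access Administrator on the same scope is equivalent to Owner for role assignment, because the Contributor NotActions do not subtract from the second role; and Owner alone cannot log in to a VM as administrator, because that is a DataAction and Owner's "*" is a control-plane Action.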

Virtual Machine Contributor

Create and manage virtual machines, manage disks and disk snapshots, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. Learn more

Note that the action list below includes Microsoft.Storage/storageAccounts/listKeys/action and Microsoft.Compute/virtualMachines/*, which covers executing scripts on the VM. A holder of this role can therefore read data in the connected storage accounts via Shared Key authorization and run code inside the VMs, even though the JSON description says "not access to them".

Actions | Description
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.Compute/availabilitySets/* | Create and manage compute availability sets
Microsoft.Compute/locations/* | Create and manage compute locations
Microsoft.Compute/virtualMachines/* | Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
Microsoft.Compute/virtualMachineScaleSets/* | Create and manage virtual machine scale sets
Microsoft.Compute/disks/write | Creates a new disk or updates an existing one
Microsoft.Compute/disks/read | Get the properties of a disk
Microsoft.Compute/disks/delete | Deletes the disk
Microsoft.DevTestLab/schedules/* |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.Network/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not alertable.
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable.
Microsoft.Network/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission the healthProbe property of a VM scale set can reference the probe. Not alertable.
Microsoft.Network/loadBalancers/read | Gets a load balancer definition
Microsoft.Network/locations/* | Create and manage network locations
Microsoft.Network/networkInterfaces/* | Create and manage network interfaces
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable.
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition
Microsoft.Network/publicIPAddresses/join/action | Joins a public IP address. Not alertable.
Microsoft.Network/publicIPAddresses/read | Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable.
Microsoft.RecoveryServices/locations/* |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup protection intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the protected item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup protected item
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all protection policies
Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates a protection policy
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/write | The Create Vault operation creates an Azure resource of type 'vault'
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.SqlVirtualMachine/* |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* | Create and update a support ticket
NotActions | (none)
DataActions | (none)
NotDataActions | (none)
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.DevTestLab/schedules/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SqlVirtualMachine/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine User Login

View Virtual Machines in the portal and login as a regular user.

Actions Description
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Compute/virtualMachines/*/read
NotActions
DataActions
Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as a regular user.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
  "name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine User Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Networking

CDN Endpoint Contributor

Can manage CDN endpoints, but can't grant access to other users.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Endpoint Reader

Can view CDN endpoints, but can't make changes.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*/read
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Contributor

Can manage CDN profiles and their endpoints, but can't grant access to other users.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Reader

Can view CDN profiles and their endpoints, but can't make changes.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*/read
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN profiles and their endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
  "name": "8f96442b-4075-438f-813d-ad51ab4019af",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Network Contributor

Lets you manage classic networks, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicNetwork/* Create and manage classic networks
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DNS Zone Contributor

Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/dnsZones/* Create and manage DNS zones and records
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
  "name": "befefa01-2a29-4197-83a8-272ff33ce314",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/dnsZones/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Network Contributor

Lets you manage networks, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/* Create and manage networks
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
  "name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Private DNS Zone Contributor

Lets you manage private DNS zone resources, but not the virtual networks they are linked to.

Actions Description
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Network/privateDnsZones/*
Microsoft.Network/privateDnsOperationResults/*
Microsoft.Network/privateDnsOperationStatuses/*
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/privateDnsZones/*",
        "Microsoft.Network/privateDnsOperationResults/*",
        "Microsoft.Network/privateDnsOperationStatuses/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Private DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Traffic Manager Contributor

Lets you manage Traffic Manager profiles, but does not let you control who has access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/trafficManagerProfiles/*
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/trafficManagerProfiles/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Traffic Manager Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage

Avere Contributor

Can create and manage an Avere vFXT cluster.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/proximityPlacementGroups/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/disks/*
Microsoft.Network/*/read
Microsoft.Network/networkInterfaces/*
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource (for example, a storage account or SQL database) to a subnet. Not Alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/*/read
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update a support ticket
Microsoft.Resources/subscriptions/resourceGroups/resources/read Gets the resources for the resource group.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Avere Operator

Used by the Avere vFXT cluster to manage the cluster.

Actions Description
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/blobServices/containers/delete Returns the result of deleting a container
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of putting a blob container
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Contributor

Lets you manage the backup service, but can't create vaults and give access to others.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Manage results of operations on backup management
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Create and manage backup containers inside the backup fabrics of a Recovery Services vault
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/* Create and manage backup policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Create and manage backed up items
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Create and manage containers holding backup items
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for protected items and protected servers for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/certificates/* Create and manage certificates related to backup in a Recovery Services vault
Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to the vault
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities
Microsoft.RecoveryServices/Vaults/usages/* Create and manage usage of a Recovery Services vault
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate an operation on a protected item
Microsoft.RecoveryServices/Vaults/write The Create Vault operation creates an Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns backup operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/locations/backupStatus/action Check backup status for Recovery Services vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate features
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read The operation returns the list of operations for a resource provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets operation status for a given operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup protection intents
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup service,but can't create vaults and give access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Operator

Lets you manage backup services, except removal of backups, vault creation and giving access to others.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns the status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets the result of an operation performed on a protection container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Performs a backup for a protected item.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets the result of an operation performed on protected items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of an operation performed on protected items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the protected item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Provision instant item recovery for a protected item
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action Get an access token for cross-region restore.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get recovery points for protected items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Restore recovery points for protected items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Revoke instant item recovery for a protected item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup protected item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get the results of a policy operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all protection policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all protected items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for protected items and protected servers for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate.
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/extendedInformation/write The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/registeredIdentities/write The Register Service Container operation can be used to register a container with Recovery Services.
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate an operation on a protected item
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns backup operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get the status of a policy operation.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Creates a registered container
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Do an inquiry for workloads within a container
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup protection intent
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup protection intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check backup status for Recovery Services vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate features
Microsoft.RecoveryServices/locations/backupAadProperties/read Get AAD properties for authentication in the third region for cross-region restore.
Microsoft.RecoveryServices/locations/backupCrrJobs/action List cross-region restore jobs in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrJob/action Get cross-region restore job details in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action Trigger a cross-region restore.
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Returns the CRR operation result for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Returns the CRR operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read The operation returns the list of operations for a resource provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets operation status for a given operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup protection intents
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Reader

Can view backup services, but can't make changes. Learn more

Note that the action list below still contains Microsoft.RecoveryServices/Vaults/monitoringAlerts/write and Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*, so a principal holding this role can resolve alerts and change the vault's monitoring configuration even though it cannot change backup policies, protected items or recovery points.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns the status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets the result of an Operation performed on a Protection Container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets the result of an Operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of an Operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Returns the result of a Job Operation.
Microsoft.RecoveryServices/Vaults/backupJobs/read Returns all Job Objects
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/read Returns the Backup Operation Result for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get the results of a Policy Operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries of Protected Items and Protected Servers for Recovery Services.
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Returns the Storage Configuration for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupconfig/read Returns the Configuration for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns the Backup Operation Status for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get the status of a Policy Operation.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets the Operation Status for a given Operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view backup services, but can't make changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/* Create and manage storage accounts
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Key Operator Service Role

Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts. Learn more

Action Description
Microsoft.ClassicStorage/storageAccounts/listkeys/action Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action Regenerates the existing access keys for the storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Contributor

Lets you manage everything under Data Box Service except giving access to others. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Databox/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
  "name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Reader

Lets you manage Data Box Service except creating orders, editing order details and giving access to others. Learn more

Despite the name, this role includes Microsoft.Databox/jobs/listsecrets/action and Microsoft.Databox/jobs/listcredentials/action, which return the unencrypted credentials for an order. Treat an assignment of this role as access to those secrets, not as read-only access.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Databox/*/read
Microsoft.Databox/jobs/listsecrets/action
Microsoft.Databox/jobs/listcredentials/action Lists the unencrypted credentials related to the order.
Microsoft.Databox/locations/availableSkus/action This method returns the list of available SKUs.
Microsoft.Databox/locations/validateInputs/action This method performs all types of validation.
Microsoft.Databox/locations/regionConfiguration/action This method returns the configuration for the region.
Microsoft.Databox/locations/validateAddress/action Validates the shipping address and provides alternate addresses, if any.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs, but not create or delete Data Lake Analytics accounts. Learn more

This role is built as a wildcard grant (Microsoft.DataLakeAnalytics/accounts/*) narrowed by NotActions. NotActions only subtract from this role's own grant; they are not deny rules, so a principal that also holds another role (for example Contributor) still receives the excluded actions from that other role.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.BigAnalytics/accounts/*
Microsoft.DataLakeAnalytics/accounts/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.BigAnalytics/accounts/Delete
Microsoft.BigAnalytics/accounts/TakeOwnership/action
Microsoft.BigAnalytics/accounts/Write
Microsoft.DataLakeAnalytics/accounts/Delete Delete a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Grant permissions to cancel jobs submitted by other users.
Microsoft.DataLakeAnalytics/accounts/Write Create or update a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Create or update a linked DataLakeStore account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Unlink a DataLakeStore account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Create or update a linked Storage account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Unlink a Storage account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Create or update a firewall rule.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Delete a firewall rule.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Create or update a compute policy.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete Delete a compute policy.
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reader and Data Access

Lets you view everything, but will not let you delete or create a storage account or a contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.

Because the role grants Microsoft.Storage/storageAccounts/listKeys/action and ListAccountSas/action, anyone holding it can obtain the account keys or an account SAS and then read, write and delete every blob, file, queue and table in the account with Shared Key authorization. For access reviews, classify it as a data-plane write role rather than a reader role. It does not include Microsoft.Authorization/*/read, so the holder cannot see role assignments.

Action Description
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/ListAccountSas/action Returns the Account SAS token for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Contributor

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. Learn more

The key access is not a separate entry in the action list: it is covered by the wildcard Microsoft.Storage/storageAccounts/*, which includes listKeys/action and regeneratekey/action. A text search of role definitions for "listKeys" will therefore not find this role; wildcard patterns have to be expanded when auditing who can reach storage data.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys. Learn more

The role carries no Microsoft.Storage/storageAccounts/read, so the holder cannot enumerate accounts, but can call listkeys on any account it already knows the resource ID of, and the returned key gives full data access through Shared Key authorization.

Action Description
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/regeneratekey/action Regenerates the access keys for the specified storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Contributor

Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Action Description
Microsoft.Storage/storageAccounts/blobServices/containers/delete Delete a container.
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/containers/write Modifies a container's metadata or properties.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Delete a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Write to a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action Moves the blob from one path to another
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action Returns the result of adding blob content
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Owner

Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Action Description
Microsoft.Storage/storageAccounts/blobServices/containers/* Full permissions on containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* Full permissions on blobs.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Reader

Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Action Description
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
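The evaluation rule behind every listing on this page is the same: a role grants an operation when the operation matches a pattern in Actions (or DataActions) and matches no pattern in NotActions (or NotDataActions), where `*` matches any run of characters including `/` and comparison is case-insensitive. The script below is an added example, not code from the Azure documentation or from Microsoft. It applies that rule offline to definitions copied from the Data Lake Analytics Developer, Reader and Data Access, Storage Account Contributor, Storage Account Key Operator Service Role and Storage Blob Data Reader entries above (long action lists are trimmed and marked as such) and answers two questions an access reviewer asks: which of these roles can read storage account keys, and which role is the narrowest one that grants a required set of operations. Deny assignments and the union of several roles held by one principal are out of scope, and the breadth ordering in `least_privilege` is a heuristic of this example, not an Azure API.

```python
"""Evaluate Azure RBAC role definitions offline (added example, not Azure code)."""
import re


def _to_regex(pattern: str) -> re.Pattern:
    # Everything is literal except '*', which becomes '.*' and may span '/'.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def matches_any(operation: str, patterns) -> bool:
    return any(_to_regex(p).match(operation) for p in patterns)


def permits(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True if this single role grants `operation` on the control or data plane."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return any(matches_any(operation, p.get(allow, [])) and not matches_any(operation, p.get(deny, []))
               for p in role["permissions"])


def roles_granting(roles, operation: str, data_plane: bool = False):
    """Sorted names of the roles in `roles` that grant `operation`."""
    return sorted(r["roleName"] for r in roles if permits(r, operation, data_plane))


def least_privilege(roles, required):
    """Roles granting every (operation, is_data_plane) pair, narrowest first.

    Breadth is approximated by counting allow patterns; a single '*' entry
    counts as one, so treat the order as a hint for review, not a proof.
    """
    fits = [r for r in roles if all(permits(r, op, dp) for op, dp in required)]

    def breadth(r):
        return sum(len(p.get("actions", [])) + len(p.get("dataActions", [])) for p in r["permissions"])

    return [r["roleName"] for r in sorted(fits, key=breadth)]


# Definitions copied from the built-in role listing; lists marked "trimmed"
# keep only the entries needed for this example.
ROLES = [
    {"roleName": "Data Lake Analytics Developer", "permissions": [{
        "actions": ["Microsoft.Authorization/*/read", "Microsoft.DataLakeAnalytics/accounts/*"],  # trimmed
        "notActions": ["Microsoft.DataLakeAnalytics/accounts/Delete",
                       "Microsoft.DataLakeAnalytics/accounts/Write",
                       "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
                       "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete"],  # trimmed
        "dataActions": [], "notDataActions": []}]},
    {"roleName": "Reader and Data Access", "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/ListAccountSas/action",
                    "Microsoft.Storage/storageAccounts/read"],
        "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"roleName": "Storage Account Contributor", "permissions": [{
        "actions": ["Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
                    "Microsoft.Insights/diagnosticSettings/*",
                    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/*", "Microsoft.Support/*"],
        "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"roleName": "Storage Account Key Operator Service Role", "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/regeneratekey/action"],
        "notActions": [], "dataActions": [], "notDataActions": []}]},
    {"roleName": "Storage Blob Data Reader", "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "notActions": [],
        "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "notDataActions": []}]},
]

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

if __name__ == "__main__":
    print("roles that can read storage account keys:", roles_granting(ROLES, LIST_KEYS))
    print("narrowest role for listKeys alone:", least_privilege(ROLES, [(LIST_KEYS, False)])[0])
    print("roles granting blob read on the data plane:", roles_granting(ROLES, BLOB_READ, data_plane=True))
```

Two results are worth noting. Storage Account Contributor is reported as a key-reading role only because the wildcard `Microsoft.Storage/storageAccounts/*` is expanded; the literal string `listKeys` never appears in its definition. And Storage Account Contributor does not grant `blobs/read` on the data plane at all, which is exactly why the key access matters: the control-plane role reaches the data through Shared Key, not through DataActions.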

Storage Blob Delegator

Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. Learn more

This role grants no blob or container read, write or delete permission of its own: the only action is generateUserDelegationKey/action. A user delegation SAS can carry at most the data-plane permissions the signing principal already holds through other role assignments, so assigning this role alone does not expose any data.

Action Description
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Delegator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Contributor

Allows for read, write, and delete access on files and directories in Azure file shares. This role has no built-in equivalent on Windows file servers. Learn more

Action Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file or folder, or a list of files or folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file or folder.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Elevated Contributor

Allows for read, write, delete, and modify ACL access on files and directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. Learn more

Action Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file or folder, or a list of files or folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file or folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action Returns the result of modifying permissions on a file or folder.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
  "name": "a7264617-510b-434b-a828-9731dc254ea7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Reader

Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read  Returns a file/folder, or a list of files/folders.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure File Share over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
  "name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Contributor

Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions  Description
Microsoft.Storage/storageAccounts/queueServices/queues/delete  Delete a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/read  Returns a queue or a list of queues.
Microsoft.Storage/storageAccounts/queueServices/queues/write  Modify queue metadata or properties.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete  Delete one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read  Peek or retrieve one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write  Add a message to a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action  Returns the result of processing a message.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Processor

Peek, retrieve, and delete messages from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read  Peek a message.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action  Retrieve and delete a message.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Processor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Sender

Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action  Add a message to a queue.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for sending of Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Reader

Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions  Description
Microsoft.Storage/storageAccounts/queueServices/queues/read  Returns a queue or a list of queues.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read  Peek or retrieve one or more messages from a queue.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
  "name": "19e7f393-937e-4f77-808e-94535e297925",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web

Azure Maps Data Contributor

Grants read, write, and delete access to map-related data from an Azure Maps account.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Maps/accounts/*/read
Microsoft.Maps/accounts/*/write
Microsoft.Maps/accounts/*/delete
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Data Reader

Grants read access to map-related data from an Azure Maps account.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Maps/accounts/*/read
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Data Reader

Allows read access to Azure Spring Cloud data.

Actions  Description
none
NotActions
none
DataActions
Microsoft.AppPlatform/Spring/*/read
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
  "name": "b5537268-8956-4941-a8f0-646150406f0c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Service Contributor

Lets you manage Search services, but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Search/searchServices/*  Create and manage search services
Microsoft.Support/*  Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Search services, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Search/searchServices/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Search Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey Reader

Read SignalR Service access keys. Although named a reader, this role includes listkeys/action, which returns the access keys themselves; treat it as a credential-granting role rather than read-only visibility of the resource.

Actions  Description
Microsoft.SignalRService/*/read
Microsoft.SignalRService/SignalR/listkeys/action  View the SignalR access keys in the management portal or through the API
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read SignalR Service Access Keys",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
  "name": "04165923-9d83-45d5-8227-78b77b0a687e",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR AccessKey Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR App Server (Preview)

Lets your app server access SignalR Service with AAD auth options.

Actions  Description
none
NotActions
none
DataActions
Microsoft.SignalRService/SignalR/auth/accessKey/action  Generate an AccessKey for signing AccessTokens; the key expires in 90 minutes by default.
Microsoft.SignalRService/SignalR/serverConnection/write  Start a server connection.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
  "name": "420fcaa2-552c-430f-98ca-3264be4806c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR App Server (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Contributor

Create, read, update, and delete SignalR Service resources.

Actions  Description
Microsoft.SignalRService/*
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Support/*  Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Serverless Contributor (Preview)

Lets your app access the service in serverless mode with AAD auth options.

Actions  Description
none
NotActions
none
DataActions
Microsoft.SignalRService/SignalR/auth/clientToken/action  Generate an AccessToken for a client to connect to ASRS; the token expires in 5 minutes by default.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets your app access service in serverless mode with AAD auth options.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
  "name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Serverless Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service Owner (Preview)

Full access to the Azure SignalR Service REST APIs.

Actions  Description
none
NotActions
none
DataActions
Microsoft.SignalRService/SignalR/auth/accessKey/action  Generate an AccessKey for signing AccessTokens; the key expires in 90 minutes by default.
Microsoft.SignalRService/SignalR/auth/clientToken/action  Generate an AccessToken for a client to connect to ASRS; the token expires in 5 minutes by default.
Microsoft.SignalRService/SignalR/hub/send/action  Broadcast messages to all client connections in the hub.
Microsoft.SignalRService/SignalR/group/send/action  Broadcast messages to a group.
Microsoft.SignalRService/SignalR/group/read  Check whether a group exists or whether a user exists in a group.
Microsoft.SignalRService/SignalR/group/write  Join/leave a group.
Microsoft.SignalRService/SignalR/clientConnection/send/action  Send messages directly to a client connection.
Microsoft.SignalRService/SignalR/clientConnection/read  Check whether a client connection exists.
Microsoft.SignalRService/SignalR/clientConnection/write  Close a client connection.
Microsoft.SignalRService/SignalR/user/send/action  Send messages to a user, who may consist of multiple client connections.
Microsoft.SignalRService/SignalR/user/read  Check whether a user exists.
Microsoft.SignalRService/SignalR/user/write  Modify a user.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Owner (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service Reader (Preview)

Read-only access to the Azure SignalR Service REST APIs.

Actions  Description
none
NotActions
none
DataActions
Microsoft.SignalRService/SignalR/group/read  Check whether a group exists or whether a user exists in a group.
Microsoft.SignalRService/SignalR/clientConnection/read  Check whether a client connection exists.
Microsoft.SignalRService/SignalR/user/read  Check whether a user exists.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
  "name": "ddde6b66-c0df-4114-a159-3618637b3035",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web Plan Contributor

Lets you manage the web plans for websites, but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Web/serverFarms/*  Create and manage server farms
Microsoft.Web/hostingEnvironments/Join/Action  Joins an App Service Environment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Web Plan Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Website Contributor

Lets you manage websites (not web plans), but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Insights/components/*  Create and manage Insights components
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Web/certificates/*  Create and manage website certificates
Microsoft.Web/listSitesAssignedToHostName/read  Get the names of sites assigned to a hostname.
Microsoft.Web/serverFarms/join/action  Joins an App Service Plan
Microsoft.Web/serverFarms/read  Get the properties of an App Service Plan
Microsoft.Web/sites/*  Create and manage websites (site creation also requires write permissions on the associated App Service Plan)
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
  "name": "de139f84-1756-47ae-9be6-808fbbe84772",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Website Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Containers

AcrDelete

acr delete

Actions  Description
Microsoft.ContainerRegistry/registries/artifacts/delete  Delete an artifact in a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

acr image signer

Actions  Description
Microsoft.ContainerRegistry/registries/sign/write  Push/pull content trust metadata for a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

acr pull

Actions  Description
Microsoft.ContainerRegistry/registries/pull/read  Pull or get images from a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

acr push

Actions  Description
Microsoft.ContainerRegistry/registries/pull/read  Pull or get images from a container registry.
Microsoft.ContainerRegistry/registries/push/write  Push or write images to a container registry.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

acr quarantine data reader

Actions  Description
Microsoft.ContainerRegistry/registries/quarantine/read  Pull or get quarantined images from a container registry
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

acr quarantine data writer

Actions  Description
Microsoft.ContainerRegistry/registries/quarantine/read  Pull or get quarantined images from a container registry
Microsoft.ContainerRegistry/registries/quarantine/write  Write/modify the quarantine state of quarantined images
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action. The credential returned by listClusterAdminCredential is a cluster-admin kubeconfig, so this control-plane role is in effect full access to everything inside the cluster.

Actions  Description
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action  List the clusterAdmin credential of a managed cluster
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action  Get a managed cluster access profile by role name using list credential
Microsoft.ContainerService/managedClusters/read  Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action.

Actions  Description
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action  List the clusterUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read  Get a managed cluster
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters.

Actions  Description
Microsoft.ContainerService/managedClusters/read  Get a managed cluster
Microsoft.ContainerService/managedClusters/write  Creates a new managed cluster or updates an existing one
Microsoft.Resources/deployments/*  Create and manage a deployment
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under the cluster/namespace, except updating or deleting resource quotas and namespaces.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Resources/deployments/write  Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action  List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write  Writes resourcequotas
Microsoft.ContainerService/managedClusters/resourcequotas/delete  Deletes resourcequotas
Microsoft.ContainerService/managedClusters/namespaces/write  Writes namespaces
Microsoft.ContainerService/managedClusters/namespaces/delete  Deletes namespaces
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Resources/deployments/write  Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action  List the clusterUser credential of a managed cluster
NotActions
none
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.Resources/deployments/write  Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read  Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read  Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read  Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read  Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read  Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read  Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read  Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read  Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read  Reads configmaps
Microsoft.ContainerService/managedClusters/endpoints/read  Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read  Reads events
Microsoft.ContainerService/managedClusters/events/read  Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read  Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read  Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read  Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read  Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read  Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read  Reads limitranges
Microsoft.ContainerService/managedClusters/namespaces/read  Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read  Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read  Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read  Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read  Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read  Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read  Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/replicationcontrollers/read  Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read  Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read  Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read  Reads services
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.Resources/deployments/write  Create or update a deployment.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read  Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read  Reads events
Microsoft.ContainerService/managedClusters/events/read  Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read  Reads limitranges
Microsoft.ContainerService/managedClusters/namespaces/read  Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read  Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Databases

Cosmos DB Account Reader Role

Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.DocumentDB/*/read  Read any collection
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action  Reads the database account read-only keys.
Microsoft.Insights/MetricDefinitions/read  Read metric definitions
Microsoft.Insights/Metrics/read  Read metrics
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Operator

Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. Learn more

Actions  Description
Microsoft.DocumentDb/databaseAccounts/*
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action  Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
NotActions
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
Microsoft.DocumentDB/databaseAccounts/listKeys/*
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write  Create or update a SQL role definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete  Delete a SQL role definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write  Create or update a SQL role assignment
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete  Delete a SQL role assignment
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
  "name": "230815da-be43-4aae-9cb4-875f7bd000aa",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosBackupOperator

Can submit a restore request for a Cosmos DB database or a container for an account. Learn more

Actions  Description
Microsoft.DocumentDB/databaseAccounts/backup/action  Submit a request to configure backup
Microsoft.DocumentDB/databaseAccounts/restore/action  Submit a restore request
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can submit restore request for a Cosmos DB database or a container for an account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/databaseAccounts/backup/action",
        "Microsoft.DocumentDB/databaseAccounts/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosBackupOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosRestoreOperator

Can perform the restore action for a Cosmos DB database account with continuous backup mode

Actions  Description
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action  Submit a restore request
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read  Read a restorable database account or list all the restorable database accounts
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosRestoreOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DocumentDB Account Contributor

Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.DocumentDb/databaseAccounts/*  Create and manage Azure Cosmos DB accounts
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action  Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DocumentDB accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
  "name": "5bd9cd88-fe45-4216-938b-f97437e15450",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DocumentDB Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
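The practical difference between Cosmos DB Operator and DocumentDB Account Contributor is that both grant Microsoft.DocumentDb/databaseAccounts/*, but Operator subtracts the key and connection-string operations through NotActions. The following Python, added here as an example and not code from the Azure documentation or from Microsoft, evaluates role definitions copied from this page the way Azure RBAC combines Actions with NotActions (and DataActions with NotDataActions), so you can check what a role withholds before assigning it. Two points are the example's own assumptions: a `*` in an action string matches any run of characters including `/`, and matching is case-insensitive (the page itself mixes Microsoft.DocumentDb and Microsoft.DocumentDB). The role lists are copied from the definitions above; the Azure Kubernetes Service RBAC Admin entry carries only the data-plane lists shown on this page.

```python
import re


def action_pattern(action: str):
    """Compile an Azure RBAC action string (which may contain '*') to a regex.
    Assumption of this example: '*' matches any characters, including '/',
    and comparison is case-insensitive."""
    return re.compile(
        "^" + ".*".join(re.escape(p) for p in action.split("*")) + "$",
        re.IGNORECASE,
    )


def matches_any(patterns, operation: str) -> bool:
    return any(action_pattern(p).match(operation) for p in patterns)


def is_allowed(permission: dict, operation: str, data_plane: bool = False) -> bool:
    """A single role definition grants an operation iff some Actions entry
    (DataActions for the data plane) matches it and no NotActions entry
    (NotDataActions) matches it. NotActions only narrow this role; they are
    not a deny assignment and do not affect other roles on the principal."""
    grant = permission["dataActions" if data_plane else "actions"]
    narrow = permission["notDataActions" if data_plane else "notActions"]
    return matches_any(grant, operation) and not matches_any(narrow, operation)


def effective_allowed(permissions, operation: str, data_plane: bool = False) -> bool:
    """Several role assignments on one principal are a union: a NotActions
    entry in one role does not block what another role grants."""
    return any(is_allowed(p, operation, data_plane) for p in permissions)


# Copied from the Cosmos DB Operator definition on this page.
COSMOS_DB_OPERATOR = {
    "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    ],
    "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
    ],
    "dataActions": [],
    "notDataActions": [],
}

# Copied from the DocumentDB Account Contributor definition on this page.
DOCUMENTDB_ACCOUNT_CONTRIBUTOR = {
    "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    ],
    "notActions": [],
    "dataActions": [],
    "notDataActions": [],
}

# Data-plane lists of Azure Kubernetes Service RBAC Admin as shown on this page;
# control-plane actions are left empty here because only the data plane is checked.
AKS_RBAC_ADMIN = {
    "actions": [],
    "notActions": [],
    "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
    "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete",
    ],
}

if __name__ == "__main__":
    list_keys = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
    print("Operator listKeys:", is_allowed(COSMOS_DB_OPERATOR, list_keys))
    print("Contributor listKeys:", is_allowed(DOCUMENTDB_ACCOUNT_CONTRIBUTOR, list_keys))
    print("Both assigned:", effective_allowed([COSMOS_DB_OPERATOR, DOCUMENTDB_ACCOUNT_CONTRIBUTOR], list_keys))
    ns_write = "Microsoft.ContainerService/managedClusters/namespaces/write"
    print("AKS RBAC Admin namespaces/write:", is_allowed(AKS_RBAC_ADMIN, ns_write, data_plane=True))
```

The union rule is the caveat to remember when reviewing assignments: Cosmos DB Operator keeps keys away from a principal only as long as nothing else assigned to that principal (DocumentDB Account Contributor, Contributor, Owner) grants Microsoft.DocumentDB/databaseAccounts/listKeys/action. To actually block an operation you need a deny assignment, not a NotActions entry.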

Redis Cache Contributor

Lets you manage Redis caches, but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Cache/register/action  Registers the 'Microsoft.Cache' resource provider with a subscription
Microsoft.Cache/redis/*  Create and manage Redis caches
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Redis caches, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
  "name": "e0f68234-74aa-48ed-b826-c38b57376e17",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cache/register/action",
        "Microsoft.Cache/redis/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Redis Cache Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL DB Contributor

Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/databases/*  Create and manage SQL databases
Microsoft.Sql/servers/read  Return the list of servers or gets the properties for the specified server.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/metrics/read  Read metrics
Microsoft.Insights/metricDefinitions/read  Read metric definitions
NotActions
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/auditingSettings/*  Edit audit settings
Microsoft.Sql/servers/databases/auditRecords/read  Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*  Edit data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/*  Edit security alert policies
Microsoft.Sql/servers/databases/securityMetrics/*  Edit security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL DB Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Managed Instance Contributor

Lets you manage SQL Managed Instances and the required network configuration, but can't give access to others.

Actions  Description
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/routeTables/*
Microsoft.Sql/locations/*/read
Microsoft.Sql/locations/instanceFailoverGroups/*
Microsoft.Sql/managedInstances/*
Microsoft.Support/*  Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/*
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.Insights/metrics/read  Read metrics
Microsoft.Insights/metricDefinitions/read  Read metric definitions
NotActions
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete  Deletes the Azure Active Directory-only authentication object of a specific managed server
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write  Adds or updates the Azure Active Directory-only authentication object of a specific managed server
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/routeTables/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/locations/instanceFailoverGroups/*",
        "Microsoft.Sql/managedInstances/*",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Managed Instance Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Security Manager

Lets you manage the security-related policies of SQL servers and databases, but not access to them. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage classic metric alerts
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action  Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Sql/locations/administratorAzureAsyncOperation/read  Gets the result of an Azure async administrator operation on a managed instance.
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/auditingSettings/*  Create and manage SQL server auditing settings
Microsoft.Sql/servers/extendedAuditingSettings/read  Retrieve details of the extended server blob auditing policy configured on a given server
Microsoft.Sql/servers/databases/auditingSettings/*  Create and manage SQL server database auditing settings
Microsoft.Sql/servers/databases/auditRecords/read  Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*  Create and manage SQL server database data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/read  Retrieve details of the extended blob auditing policy configured on a given database
Microsoft.Sql/servers/databases/read  Return the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/read  Get a database schema.
Microsoft.Sql/servers/databases/schemas/tables/columns/read  Get a database column.
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/read  Get a database table.
Microsoft.Sql/servers/databases/securityAlertPolicies/*  Create and manage SQL server database security alert policies
Microsoft.Sql/servers/databases/securityMetrics/*  Create and manage SQL server database security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/transparentDataEncryption/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/firewallRules/*
Microsoft.Sql/servers/read  Return the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/securityAlertPolicies/*  Create and manage SQL server security alert policies
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Support/*  Create and update a support ticket
Microsoft.Sql/servers/azureADOnlyAuthentications/*
Microsoft.Sql/managedInstances/read  Return the list of managed instances or gets the properties for the specified managed instance.
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
Microsoft.Security/sqlVulnerabilityAssessments/*
Microsoft.Sql/managedInstances/administrators/read  Gets a list of managed instance administrators.
Microsoft.Sql/servers/administrators/read  Gets a specific Azure Active Directory administrator object
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/firewallRules/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Support/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/*",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
        "Microsoft.Security/sqlVulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/servers/administrators/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Security Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Server Contributor

Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Insights/alertRules/*    Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/*    Create and manage SQL servers
Microsoft.Support/*    Create and update support tickets
Microsoft.Insights/metrics/read    Read metrics
Microsoft.Insights/metricDefinitions/read    Read metric definitions
NotActions
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/auditingSettings/*    Edit SQL server auditing settings
Microsoft.Sql/servers/databases/auditingSettings/*    Edit SQL server database auditing settings
Microsoft.Sql/servers/databases/auditRecords/read    Retrieves the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*    Edit SQL server database data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/*    Edit SQL server database security alert policies
Microsoft.Sql/servers/databases/securityMetrics/*    Edit SQL server database security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/extendedAuditingSettings/*
Microsoft.Sql/servers/securityAlertPolicies/*    Edit SQL server security alert policies
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Sql/servers/azureADOnlyAuthentications/delete    Deletes a specific server's Azure Active Directory only authentication object
Microsoft.Sql/servers/azureADOnlyAuthentications/write    Adds or updates a specific server's Azure Active Directory only authentication object
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Analytics

Azure Event Hubs Data Owner

Allows for full access to Azure Event Hubs resources.

Actions    Description
Microsoft.EventHub/*
NotActions
DataActions
Microsoft.EventHub/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
  "name": "f526a384-b230-433a-b45c-95f59c4a2dec",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Receiver

Allows receive access to Azure Event Hubs resources.

Actions    Description
Microsoft.EventHub/*/eventhubs/consumergroups/read
NotActions
DataActions
Microsoft.EventHub/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows receive access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/consumergroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Sender

Allows send access to Azure Event Hubs resources.

Actions    Description
Microsoft.EventHub/*/eventhubs/read
NotActions
DataActions
Microsoft.EventHub/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
  "name": "2b629674-e913-4c01-ae53-ef4638d8f975",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Factory Contributor

Create and manage data factories, as well as child resources within them.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.DataFactory/dataFactories/*    Create and manage data factories, and child resources within them.
Microsoft.DataFactory/factories/*    Create and manage data factories, and child resources within them.
Microsoft.Insights/alertRules/*    Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update support tickets
Microsoft.EventGrid/eventSubscriptions/write    Create or update an eventSubscription
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and manage data factories, as well as child resources within them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
  "name": "673868aa-7521-48a0-acc6-0f60742d39f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Factory Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Purger

Deletes private data from a Log Analytics workspace.

Actions    Description
Microsoft.Insights/components/*/read
Microsoft.Insights/components/purge/action    Purges data from Application Insights
Microsoft.OperationalInsights/workspaces/*/read    View Log Analytics data
Microsoft.OperationalInsights/workspaces/purge/action    Deletes the specified data from the workspace
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can purge analytics data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/components/*/read",
        "Microsoft.Insights/components/purge/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/purge/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Purger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight Cluster Operator

Lets you read and modify HDInsight cluster configurations.

Actions    Description
Microsoft.HDInsight/*/read
Microsoft.HDInsight/clusters/getGatewaySettings/action    Gets the gateway settings for an HDInsight cluster
Microsoft.HDInsight/clusters/updateGatewaySettings/action    Updates the gateway settings for an HDInsight cluster
Microsoft.HDInsight/clusters/configurations/*
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Resources/deployments/operations/read    Gets or lists deployment operations.
Microsoft.Insights/alertRules/*    Create and manage classic metric alerts
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Support/*    Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and modify HDInsight cluster configurations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
  "name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
  "permissions": [
    {
      "actions": [
        "Microsoft.HDInsight/*/read",
        "Microsoft.HDInsight/clusters/getGatewaySettings/action",
        "Microsoft.HDInsight/clusters/updateGatewaySettings/action",
        "Microsoft.HDInsight/clusters/configurations/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Cluster Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight Domain Services Contributor

Can read, create, modify and delete the Domain Services related operations needed for the HDInsight Enterprise Security Package.

Actions    Description
Microsoft.AAD/*/read
Microsoft.AAD/domainServices/*/read
Microsoft.AAD/domainServices/oucontainer/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "permissions": [
    {
      "actions": [
        "Microsoft.AAD/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.AAD/domainServices/oucontainer/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Contributor

Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources.

Actions    Description
*/read    Read resources of all types, except secrets.
Microsoft.Automation/automationAccounts/*
Microsoft.ClassicCompute/virtualMachines/extensions/*
Microsoft.ClassicStorage/storageAccounts/listKeys/action    Lists the access keys for the storage accounts.
Microsoft.Compute/virtualMachines/extensions/*
Microsoft.HybridCompute/machines/extensions/write    Installs or updates an Azure Arc extension
Microsoft.Insights/alertRules/*    Create and manage classic metric alerts
Microsoft.Insights/diagnosticSettings/*    Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.OperationalInsights/*
Microsoft.OperationsManagement/*
Microsoft.Resources/deployments/*    Create and manage deployments
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Storage/storageAccounts/listKeys/action    Returns the access keys for the specified storage account.
Microsoft.Support/*    Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Automation/automationAccounts/*",
        "Microsoft.ClassicCompute/virtualMachines/extensions/*",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Reader

Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.

Actions    Description
*/read    Read resources of all types, except secrets.
Microsoft.OperationalInsights/workspaces/analytics/query/action    Search using the new engine.
Microsoft.OperationalInsights/workspaces/search/action    Executes a search query
Microsoft.Support/*    Create and update support tickets
NotActions
Microsoft.OperationalInsights/workspaces/sharedKeys/read    Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
  "name": "73c42c96-874c-492b-b04d-ab87d138a893",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
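The role definitions above are easiest to reason about by evaluating them the way Azure RBAC does: a role grants an operation when the operation matches one of the role's Actions (or, on the data plane, DataActions) patterns and none of the same role's NotActions (NotDataActions) patterns, with `*` matching any characters including `/`. The following Python is an added example, not code from this page or from Microsoft. It covers three definitions shown above: SQL Server Contributor, whose NotActions carve the security-related operations out of `Microsoft.Sql/servers/*`; the Azure Event Hubs data roles, which grant `send`/`receive` only as DataActions; and the Log Analytics Reader/Contributor pair, where the Reader explicitly excludes `sharedKeys/read` while the Contributor is granted key-listing actions. The role dicts are constructed subsets that copy only the permission strings needed for the checks from the JSON above, and `matches`, `role_grants` and `effective_grant` are names chosen for this example.

```python
import re

# Added example: evaluate the Actions/NotActions (control plane) and
# DataActions/NotDataActions (data plane) lists of Azure built-in roles.
# Role dicts are constructed subsets of the JSON definitions on this page;
# only the permission strings needed for the checks below are copied.


def _role(name, actions=(), not_actions=(), data_actions=(), not_data_actions=()):
    """Build a dict in the same shape as a roleDefinitions JSON object."""
    return {
        "roleName": name,
        "permissions": [{
            "actions": list(actions),
            "notActions": list(not_actions),
            "dataActions": list(data_actions),
            "notDataActions": list(not_data_actions),
        }],
    }


SQL_SERVER_CONTRIBUTOR = _role(
    "SQL Server Contributor",
    actions=["Microsoft.Authorization/*/read", "Microsoft.Sql/servers/*", "Microsoft.Support/*"],
    not_actions=[
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
    ],
)
SQL_SECURITY_MANAGER = _role(
    "SQL Security Manager",
    actions=["Microsoft.Sql/servers/read", "Microsoft.Sql/servers/auditingSettings/*"],
)
LOG_ANALYTICS_READER = _role(
    "Log Analytics Reader",
    actions=["*/read", "Microsoft.OperationalInsights/workspaces/search/action"],
    not_actions=["Microsoft.OperationalInsights/workspaces/sharedKeys/read"],
)
LOG_ANALYTICS_CONTRIBUTOR = _role(
    "Log Analytics Contributor",
    actions=["*/read", "Microsoft.OperationalInsights/*",
             "Microsoft.Storage/storageAccounts/listKeys/action"],
)
EVENT_HUBS_DATA_SENDER = _role(
    "Azure Event Hubs Data Sender",
    actions=["Microsoft.EventHub/*/eventhubs/read"],
    data_actions=["Microsoft.EventHub/*/send/action"],
)


def matches(pattern, operation):
    """Azure RBAC wildcard match: '*' spans any characters ('/' included)
    and the comparison is case-insensitive, which is why the definitions
    above can spell the same segment 'resourcegroups' and 'resourceGroups'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_grants(role, operation, plane="control"):
    """True if this one role grants `operation` on the given plane.
    A NotActions/NotDataActions entry only subtracts from the same role's
    own allow list; it is not a deny rule and has no effect on other roles."""
    allow, exclude = (("actions", "notActions") if plane == "control"
                      else ("dataActions", "notDataActions"))
    for perm in role["permissions"]:
        allowed = any(matches(p, operation) for p in perm.get(allow, []))
        excluded = any(matches(p, operation) for p in perm.get(exclude, []))
        if allowed and not excluded:
            return True
    return False


def effective_grant(roles, operation, plane="control"):
    """Union across every role assigned to a principal: a carve-out in one
    role is filled by any other role that grants the operation."""
    return any(role_grants(r, operation, plane) for r in roles)


if __name__ == "__main__":
    checks = [
        ([SQL_SERVER_CONTRIBUTOR], "Microsoft.Sql/servers/auditingSettings/write", "control"),
        ([SQL_SERVER_CONTRIBUTOR, SQL_SECURITY_MANAGER], "Microsoft.Sql/servers/auditingSettings/write", "control"),
        ([SQL_SERVER_CONTRIBUTOR], "Microsoft.Sql/servers/firewallRules/write", "control"),
        ([LOG_ANALYTICS_READER], "Microsoft.OperationalInsights/workspaces/sharedKeys/read", "control"),
        ([LOG_ANALYTICS_CONTRIBUTOR], "Microsoft.Storage/storageAccounts/listKeys/action", "control"),
        ([EVENT_HUBS_DATA_SENDER], "Microsoft.EventHub/namespaces/eventhubs/send/action", "data"),
    ]
    for roles, op, plane in checks:
        names = " + ".join(r["roleName"] for r in roles)
        print(f"{names:50} {plane:7} {op:60} {effective_grant(roles, op, plane)}")
```

Three things the evaluator makes visible that the tables alone do not. NotActions only narrows the role that declares it, so a principal holding both SQL Server Contributor and SQL Security Manager can write auditing settings again; treat NotActions as a convenience for defining a role, never as a deny. SQL Server Contributor still keeps `Microsoft.Sql/servers/firewallRules/*`, since nothing in its NotActions excludes it. And Log Analytics Contributor, unlike Log Analytics Reader, is granted `Microsoft.OperationalInsights/*` and the `listKeys` actions, so it can read workspace shared keys and storage account keys: a monitoring role that carries credentials and should be assigned accordingly.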

Purview Data Curator

The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change.

Actions    Description
Microsoft.Purview/accounts/read    Read account resource for the Microsoft Purview provider.
NotActions
DataActions
Microsoft.Purview/accounts/data/read    Read data objects.
Microsoft.Purview/accounts/data/write    Create, update and delete data objects.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a3c2885-9b38-4fd2-9d99-91af537c1347",
  "name": "8a3c2885-9b38-4fd2-9d99-91af537c1347",
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/data/read",
        "Microsoft.Purview/accounts/data/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Purview Data Curator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Purview Data Reader

The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change.

Actions    Description
Microsoft.Purview/accounts/read    Read account resource for the Microsoft Purview provider.
NotActions
DataActions
Microsoft.Purview/accounts/data/read    Read data objects.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ff100721-1b9d-43d8-af52-42b69c1272db",
  "name": "ff100721-1b9d-43d8-af52-42b69c1272db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/data/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Purview Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Purview Data Source Administrator

The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change.

Actions    Description
Microsoft.Purview/accounts/read    Read account resource for the Microsoft Purview provider.
NotActions
DataActions
Microsoft.Purview/accounts/scan/read    Read data sources and scans.
Microsoft.Purview/accounts/scan/write    Create, update and delete data sources and manage scans.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/200bba9e-f0c8-430f-892b-6f0794863803",
  "name": "200bba9e-f0c8-430f-892b-6f0794863803",
  "permissions": [
    {
      "actions": [
        "Microsoft.Purview/accounts/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Purview/accounts/scan/read",
        "Microsoft.Purview/accounts/scan/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Purview Data Source Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Contributor (Preview)

Read, write, and delete Schema Registry groups and schemas.

Actions    Description
Microsoft.EventHub/namespaces/schemagroups/*
NotActions
DataActions
Microsoft.EventHub/namespaces/schemas/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, write, and delete Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
  "name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Reader (Preview)

Read and list Schema Registry groups and schemas.

Actions    Description
Microsoft.EventHub/namespaces/schemagroups/read    Gets the list of SchemaGroup resource descriptions
NotActions
DataActions
Microsoft.EventHub/namespaces/schemas/read    Retrieves schemas
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and list Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Blockchain

Blockchain Member Node Access (Preview)

Allows for access to Blockchain Member nodes.

Actions    Description
Microsoft.Blockchain/blockchainMembers/transactionNodes/read    Gets or lists existing Blockchain Member transaction nodes.
NotActions
DataActions
Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action    Connects to a Blockchain Member transaction node.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for access to Blockchain Member nodes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24",
  "name": "31a002a1-acaf-453e-8a5b-297c9ca1ea24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Blockchain/blockchainMembers/transactionNodes/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Blockchain Member Node Access (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AI + machine learning

Cognitive Services Contributor

Lets you create, read, update, delete and manage keys of Cognitive Services.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.CognitiveServices/*
Microsoft.Features/features/read    Gets the features of a subscription.
Microsoft.Features/providers/features/read    Gets the feature of a subscription in a given resource provider.
Microsoft.Insights/alertRules/*    Create and manage classic metric alerts
Microsoft.Insights/diagnosticSettings/*    Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/logDefinitions/read    Read log definitions
Microsoft.Insights/metricdefinitions/read    Read metric definitions
Microsoft.Insights/metrics/read    Read metrics
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage deployments
Microsoft.Resources/deployments/operations/read    Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read    Gets the subscription operation results.
Microsoft.Resources/subscriptions/read    Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.CognitiveServices/*",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Contributor

Full access to the project, including the ability to view, create, edit, or delete projects.

Actions    Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Custom Vision Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Deployment

Publish, unpublish or export models. Deployment can view the project but can't update it.

Actions    Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
Microsoft.CognitiveServices/accounts/CustomVision/classify/*
Microsoft.CognitiveServices/accounts/CustomVision/detect/*
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read    Exports a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Deployment",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Labeler

View and edit training images and create, add, remove, or delete image tags. Labelers can view the project but can't update anything other than training images and tags.

Actions    Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action    Gets images that were sent to your prediction endpoint.
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action    Gets suggested tags and regions for an array/batch of untagged images, along with confidences for the tags. Returns an empty array if no tags are found.
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read    Exports a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
  "name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Labeler",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Reader

Read-only actions in the project. Readers can't create or update the project. Learn more

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action  Get images that were sent to your prediction endpoint.
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only actions in the project. Readers can't create or update the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Trainer

View, edit projects and train the models, including the ability to publish, unpublish, and export the models. Trainers can't create, delete, import, or export the project. Learn more

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/action  Create a project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/delete  Delete a specific project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action  Import a project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Trainer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Data Reader (Preview)

Lets you read Cognitive Services data.

Actions  Description
none
NotActions
none
DataActions
Microsoft.CognitiveServices/*/read
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read Cognitive Services data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Data Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Face Recognizer

Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.

Actions  Description
none
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/Face/detect/action  Detect human faces in an image, return face rectangles, and optionally faceIds, landmarks, and attributes.
Microsoft.CognitiveServices/accounts/Face/verify/action  Verify whether two faces belong to the same person or whether one face belongs to a person.
Microsoft.CognitiveServices/accounts/Face/identify/action  1-to-many identification to find the closest matches of the specific query person face from a person group or large person group.
Microsoft.CognitiveServices/accounts/Face/group/action  Divide candidate faces into groups based on face similarity.
Microsoft.CognitiveServices/accounts/Face/findsimilars/action  Given a query face's faceId, search for similar-looking faces from a faceId array, a face list, or a large face list.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/Face/detect/action",
        "Microsoft.CognitiveServices/accounts/Face/verify/action",
        "Microsoft.CognitiveServices/accounts/Face/identify/action",
        "Microsoft.CognitiveServices/accounts/Face/group/action",
        "Microsoft.CognitiveServices/accounts/Face/findsimilars/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Face Recognizer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Metrics Advisor Administrator

Full access to the project, including the system level configuration. Learn more

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the system level configuration.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
  "name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Metrics Advisor Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Editor

Lets you create, edit, import, and export a KB. You cannot publish or delete a KB. Learn more

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker/operations/read  Gets details of a specific long running operation.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read  Gets endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read  Gets details of a specific long running operation.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read  Gets details of a specific long running operation.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Reader

Lets you read and test a KB only. Learn more

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
none
DataActions
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read  Gets endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you read and test a KB only.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
  "name": "466ccd10-b268-4a11-b098-b4849f024126",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services User

Lets you read and list keys of Cognitive Services. Learn more

Note that the role's DataActions entry is Microsoft.CognitiveServices/*, so on the data plane it permits every Cognitive Services operation in the assigned scope, not only reads, and listkeys/action returns the account keys themselves.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/listkeys/action  List Keys
Microsoft.Insights/alertRules/read  Read a classic metric alert
Microsoft.Insights/diagnosticSettings/read  Read a resource diagnostic setting
Microsoft.Insights/logDefinitions/read  Read log definitions
Microsoft.Insights/metricdefinitions/read  Read metric definitions
Microsoft.Insights/metrics/read  Read metrics
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/operations/read  Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
none
DataActions
Microsoft.CognitiveServices/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and list keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
  "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
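The Actions/NotActions and DataActions/NotDataActions lists above are evaluated with wildcard matching: an operation is allowed by a role when it matches an allow pattern and no pattern in the corresponding Not list. The following script is an added example, not Microsoft code and not part of any Azure SDK; it implements that rule so role JSON copied from this page can be queried offline, and applies it to two roles shown above: the Custom Vision Trainer (whose NotDataActions carve project create/delete/import/export out of a wildcard grant) and the Cognitive Services User (whose data-plane wildcard and listkeys/action are broader than the one-line description suggests). The role definitions embedded below are copied from this page, with the Microsoft.Insights and Microsoft.Resources control-plane entries of the Cognitive Services User role omitted for brevity; the operation names used as queries are assumed for illustration and come from the action tables on this page.

```python
"""Offline check of what an Azure built-in role definition actually permits.

Added example for this page; not Microsoft code. It implements the
wildcard rule used by Azure RBAC role definitions: an operation is
permitted by a permission block when it matches an allow pattern
(actions/dataActions) and matches no deny pattern (notActions/notDataActions).
"""
import json
import re

# Role definition copied from this page (Cognitive Services Custom Vision Trainer).
CUSTOM_VISION_TRAINER = json.loads("""
{
  "permissions": [
    {
      "actions": ["Microsoft.CognitiveServices/*/read"],
      "notActions": [],
      "dataActions": ["Microsoft.CognitiveServices/accounts/CustomVision/*"],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Trainer"
}
""")

# Role definition copied from this page (Cognitive Services User); the
# Microsoft.Insights and Microsoft.Resources read entries are omitted here.
COGNITIVE_SERVICES_USER = json.loads("""
{
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": ["Microsoft.CognitiveServices/*"],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services User"
}
""")


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/' (so 'Provider/*/read' covers nested resource types);
    comparison is case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """True when some permission block of `role` allows `operation`.

    Control-plane operations are matched against actions/notActions,
    data-plane operations against dataActions/notDataActions. A Not* entry
    only subtracts from this role's own grant; it is not a deny that
    overrides other role assignments the principal may hold."""
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def grants_key_listing(role: dict) -> bool:
    """Flag roles that can call listkeys: an account key authenticates
    data-plane calls on its own, without any further RBAC check."""
    return role_allows(role, "Microsoft.CognitiveServices/accounts/listkeys/action")


def broad_data_wildcards(role: dict) -> list[str]:
    """Return dataActions patterns ending in '/*', i.e. grants that cover
    write and action operations as well as reads."""
    return [p for perm in role["permissions"]
            for p in perm.get("dataActions", []) if p.endswith("/*")]


if __name__ == "__main__":
    for role in (CUSTOM_VISION_TRAINER, COGNITIVE_SERVICES_USER):
        print(role["roleName"])
        print("  can list account keys:", grants_key_listing(role))
        print("  broad data-plane wildcards:", broad_data_wildcards(role))
```

Run it as a script to see the summary, or import it and call role_allows with any operation string taken from a resource provider's operation list; pasting the full JSON of any role on this page in place of the two embedded definitions works unchanged.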

Internet of things

IoT Hub Data Contributor

Allows for full access to IoT Hub data plane operations.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Devices/IotHubs/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub data plane operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
  "name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Data Reader

Allows for full read access to IoT Hub data-plane properties. Besides the read wildcard, the role includes fileUpload/notifications/action, which receives, completes, or abandons file upload notifications.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Devices/IotHubs/*/read
Microsoft.Devices/IotHubs/fileUpload/notifications/action  Receive, complete, or abandon file upload notifications
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Registry Contributor

Allows for full access to the IoT Hub device registry.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Devices/IotHubs/devices/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub device registry.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Twin Contributor

Allows for read and write access to all IoT Hub device and module twins.

Actions  Description
none
NotActions
none
DataActions
Microsoft.Devices/IotHubs/twins/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Twin Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Administrator

Gives you full access to management and content operations. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
none
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read  Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/write  Performs a write operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/delete  Performs a delete operation related to updates
Microsoft.DeviceUpdate/accounts/instances/management/read  Performs a read operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/write  Performs a write operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/delete  Performs a delete operation related to management
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management and content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Administrator

Gives you full access to content operations. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
none
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read  Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/write  Performs a write operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/delete  Performs a delete operation related to updates
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Reader

Gives you read access to content operations, but does not allow making changes. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
none
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read  Performs a read operation related to updates
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Deployments Administrator

Gives you full access to management operations. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
none
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read  Performs a read operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/write  Performs a write operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/delete  Performs a delete operation related to management
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
  "name": "e4237640-0e3d-4a46-8fda-70bc94856432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Deployments Reader

Gives you read access to management operations, but does not allow making changes. Learn more

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
none
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read  Performs a read operation related to management
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Reader

Gives you read access to management and content operations, but does not allow making changes.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read  Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/management/read  Performs a read operation related to management
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Mixed Reality

Remote Rendering Administrator

Provides the user with conversion, session management, rendering and diagnostics capabilities for Azure Remote Rendering.

Actions  Description
NotActions
DataActions
Microsoft.MixedReality/RemoteRenderingAccounts/convert/action  Start asset conversion
Microsoft.MixedReality/RemoteRenderingAccounts/convert/read  Get asset conversion properties
Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete  Stop asset conversion
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read  Get session properties
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action  Start sessions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete  Stop sessions
Microsoft.MixedReality/RemoteRenderingAccounts/render/read  Connect to a session
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read  Connect to the Remote Rendering inspector
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Remote Rendering Client

Provides the user with session management, rendering and diagnostics capabilities for Azure Remote Rendering.

Actions  Description
NotActions
DataActions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read  Get session properties
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action  Start sessions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete  Stop sessions
Microsoft.MixedReality/RemoteRenderingAccounts/render/read  Connect to a session
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read  Connect to the Remote Rendering inspector
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Client",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Contributor

Lets you manage spatial anchors in your account, but not delete them.

Actions  Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action  Create spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read  Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read  Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read  Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read  Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
Microsoft.MixedReality/SpatialAnchorsAccounts/write  Update spatial anchors properties
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, but not delete them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Owner

Lets you manage spatial anchors in your account, including deleting them.

Actions  Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action  Create spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/delete  Delete spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read  Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read  Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read  Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read  Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
Microsoft.MixedReality/SpatialAnchorsAccounts/write  Update spatial anchors properties
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, including deleting them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
  "name": "70bbe301-9835-447d-afdd-19eb3167307c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Reader

Lets you locate and read properties of spatial anchors in your account.

Actions  Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read  Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read  Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read  Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read  Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you locate and read properties of spatial anchors in your account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration

API Management Service Contributor

Can manage the service and the APIs.

Actions  Description
Microsoft.ApiManagement/service/*  Create and manage API Management service
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service and the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
  "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Operator Role

Can manage the service, but not the APIs.

Actions  Description
Microsoft.ApiManagement/service/*/read  Read API Management Service instances
Microsoft.ApiManagement/service/backup/action  Back up the API Management Service to the specified container in a user-provided storage account
Microsoft.ApiManagement/service/delete  Delete an API Management Service instance
Microsoft.ApiManagement/service/managedeployments/action  Change SKU/units, add/remove regional deployments of the API Management Service
Microsoft.ApiManagement/service/read  Read metadata for an API Management Service instance
Microsoft.ApiManagement/service/restore/action  Restore the API Management Service from the specified container in a user-provided storage account
Microsoft.ApiManagement/service/updatecertificate/action  Upload a TLS/SSL certificate for an API Management Service
Microsoft.ApiManagement/service/updatehostname/action  Set up, update or remove custom domain names for an API Management Service
Microsoft.ApiManagement/service/write  Create or update an API Management Service instance
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
Microsoft.ApiManagement/service/users/keys/read  Get keys associated with a user
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service but not the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Reader Role

Read-only access to the service and APIs.

Actions  Description
Microsoft.ApiManagement/service/*/read  Read API Management Service instances
Microsoft.ApiManagement/service/read  Read metadata for an API Management Service instance
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
Microsoft.ApiManagement/service/users/keys/read  Get keys associated with a user
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to service and APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
  "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Owner

Allows full access to App Configuration data.

Actions  Description
NotActions
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
Microsoft.AppConfiguration/configurationStores/*/write
Microsoft.AppConfiguration/configurationStores/*/delete
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows full access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Reader

Allows read access to App Configuration data.

Actions  Description
NotActions
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
  "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Owner

Allows for full access to Azure Service Bus resources.

Actions  Description
Microsoft.ServiceBus/*
NotActions
DataActions
Microsoft.ServiceBus/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
  "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Receiver

Allows for receive access to Azure Service Bus resources.

Actions  Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft.ServiceBus/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for receive access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Sender

Allows for send access to Azure Service Bus resources.

Actions  Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft.ServiceBus/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions  Description
Microsoft.AzureStack/edgeSubscriptions/read  Gets the properties of an Azure Stack Edge subscription
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read  Gets the properties of an Azure Stack Marketplace product
Microsoft.AzureStack/registrations/read  Gets the properties of an Azure Stack registration
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Contributor

Lets you manage EventGrid operations.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.EventGrid/*  Create and manage Event Grid resources
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
  "name": "1e241071-0855-49ea-94dc-649edcd759de",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Contributor

Lets you manage EventGrid event subscription operations.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/*  Create and manage regional event subscriptions
Microsoft.EventGrid/topicTypes/eventSubscriptions/read  List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read  List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read  List regional event subscriptions by topic type
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid event subscription operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Reader

Lets you read EventGrid event subscriptions.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/read  Read an eventSubscription
Microsoft.EventGrid/topicTypes/eventSubscriptions/read  List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read  List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read  List regional event subscriptions by topic type
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read EventGrid event subscriptions.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
  "name": "2414bbcf-6497-4faf-8c65-045460748405",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Contributor

Role allows a user or principal full access to FHIR data.

Actions  Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal full access to FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Exporter

Role allows a user or principal to read and export FHIR data.

Actions  Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read  Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/export/action  Export operation ($export).
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and export FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
  "name": "3db33094-8700-4567-8da5-1501d4e7e843",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Exporter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Reader

Role allows a user or principal to read FHIR data.

Actions  Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read  Read FHIR resources (includes searching and versioned history).
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Writer

Role allows a user or principal to read and write FHIR data.

Actions  Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/*
NotDataActions
Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action  Hard delete (including version history).
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and write FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
  "name": "3f88fce4-5892-4214-ae73-ba5294559913",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action"
      ]
    }
  ],
  "roleName": "FHIR Data Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Contributor

Lets you manage integration service environments, but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Support/*  Create and update a support ticket
Microsoft.Logic/integrationServiceEnvironments/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage integration service environments, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Developer

Allows developers to create and update workflows, integration accounts and API connections in integration service environments.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Support/*  Create and update a support ticket
Microsoft.Logic/integrationServiceEnvironments/read  Reads the integration service environment.
Microsoft.Logic/integrationServiceEnvironments/*/join/action
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Intelligent Systems Account Contributor

Lets you manage Intelligent Systems accounts, but not access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.IntelligentSystems/accounts/*  Create and manage Intelligent Systems accounts
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
  "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Intelligent Systems Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Contributor

Lets you manage logic apps, but not change access to them.

Actions  Description
Microsoft.Authorization/*/read  Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/listKeys/action  Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read  Return the storage account with the given account.
Microsoft.Insights/alertRules/*  Create and manage a classic metric alert
Microsoft.Insights/metricAlerts/*
Microsoft.Insights/diagnosticSettings/*  Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/logdefinitions/*  This permission is necessary for users who need access to Activity Logs via the portal. List log categories in the Activity Log.
Microsoft.Insights/metricDefinitions/*  Read metric definitions (list of available metric types for a resource).
Microsoft.Logic/*  Manages Logic Apps resources.
Microsoft.Resources/deployments/*  Create and manage a deployment
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listkeys/action  Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read  Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/*  Create and update a support ticket
Microsoft.Web/connectionGateways/*  Create and manage a Connection Gateway.
Microsoft.Web/connections/*  Create and manage a Connection.
Microsoft.Web/customApis/*  Create and manage a Custom API.
Microsoft.Web/serverFarms/join/action  Joins an App Service Plan
Microsoft.Web/serverFarms/read  Get the properties of an App Service Plan
Microsoft.Web/sites/functions/listSecrets/action  List function secrets.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage logic app, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Operator

Lets you read, enable, and disable logic apps, but not edit or update them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/*/read Read Insights alert rules
Microsoft.Insights/metricAlerts/*/read
Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps
Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps.
Microsoft.Logic/*/read Reads Logic Apps resources.
Microsoft.Logic/workflows/disable/action Disables the workflow.
Microsoft.Logic/workflows/enable/action Enables the workflow.
Microsoft.Logic/workflows/validate/action Validates the workflow.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Web/connectionGateways/*/read Read Connection Gateways.
Microsoft.Web/connections/*/read Read Connections.
Microsoft.Web/customApis/*/read Read Custom API.
Microsoft.Web/serverFarms/read Get the properties on an App Service Plan
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read, enable and disable logic app.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Identity

Managed Identity Contributor

Create, read, update, and delete user-assigned identities.

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/read Gets an existing user-assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/write Creates a new user-assigned identity or updates the tags associated with an existing user-assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/delete Deletes an existing user-assigned identity
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Operator

Read and assign user-assigned identities. The assign action is what lets a principal attach a user-assigned identity to a resource it can otherwise write to (a VM, a function app, or similar); whoever controls that resource can then request tokens as the identity and use every role assignment the identity holds. Treat this role as granting the identity's permissions transitively, and scope it to the specific identities rather than to a subscription.

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security

Attestation Contributor

Can read, write, or delete the attestation provider instance.

Actions Description
Microsoft.Attestation/attestationProviders/attestation/read
Microsoft.Attestation/attestationProviders/attestation/write
Microsoft.Attestation/attestationProviders/attestation/delete
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Attestation Reader

Can read the attestation provider properties.

Actions Description
Microsoft.Attestation/attestationProviders/attestation/read
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read the attestation provider properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Sentinel Automation Contributor

Azure Sentinel Automation Contributor. The listCallbackUrl action returns the signed request URL of a Logic App trigger, and possession of that URL is sufficient to start the workflow, so scope this role to the resource group that holds the playbooks rather than to the subscription.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Logic/workflows/triggers/read Reads the trigger.
Microsoft.Logic/workflows/triggers/listCallbackUrl/action Gets the callback URL for trigger.
Microsoft.Logic/workflows/runs/read Reads the workflow run.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Sentinel Automation Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
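The role definitions above all read as "manage X, but not access to it", yet several of their control-plane actions return usable credentials (Logic App Contributor carries storage listKeys and function listSecrets; Azure Sentinel Automation Contributor carries listCallbackUrl). The audit below is an added example, not part of the Azure documentation or any Microsoft tool: it holds trimmed copies of those role definitions and a small inventory of credential-yielding operations (the inventory and the wildcard-matching rules are this example's own assumptions), and reports which operations each role effectively grants after wildcard expansion.

```python
"""Audit Azure role definitions for actions that return a credential.

Added example; not part of the Azure documentation or any Microsoft tool.
The inventory of credential-yielding operations is this example's own
assumption, and the role definitions are trimmed copies of the ones
listed on this page.
"""
import re

# Assumed inventory: control-plane operations whose response is a key,
# secret or signed URL, i.e. data-plane access obtained via the control plane.
CREDENTIAL_OPERATIONS = [
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
    "Microsoft.Web/sites/functions/listSecrets/action",
    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
]

# Trimmed copies of this page's role definitions (actions / notActions only).
ROLES = {
    "Intelligent Systems Account Contributor": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.IntelligentSystems/accounts/*",
                    "Microsoft.Support/*"],
        "notActions": [],
    },
    "Logic App Contributor": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
                    "Microsoft.ClassicStorage/storageAccounts/read",
                    "Microsoft.Logic/*",
                    "Microsoft.Storage/storageAccounts/listkeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Web/sites/functions/listSecrets/action"],
        "notActions": [],
    },
    "Logic App Operator": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Logic/*/read",
                    "Microsoft.Logic/workflows/disable/action",
                    "Microsoft.Logic/workflows/enable/action",
                    "Microsoft.Logic/workflows/validate/action"],
        "notActions": [],
    },
    "Azure Sentinel Automation Contributor": {
        "actions": ["Microsoft.Authorization/*/read",
                    "Microsoft.Logic/workflows/triggers/read",
                    "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
                    "Microsoft.Logic/workflows/runs/read"],
        "notActions": [],
    },
}


def action_matches(pattern, operation):
    """True if an RBAC action string covers `operation`.

    Assumed matching rules: comparison is case-insensitive and '*' stands
    for any run of characters, including '/', so Microsoft.Logic/* covers
    every operation under the Microsoft.Logic provider.
    """
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def exposed_credentials(role):
    """Credential operations a role effectively grants (actions minus notActions)."""
    return [op for op in CREDENTIAL_OPERATIONS
            if any(action_matches(p, op) for p in role["actions"])
            and not any(action_matches(p, op) for p in role["notActions"])]


def audit(roles):
    """Map role name -> list of credential-yielding operations it grants."""
    return {name: exposed_credentials(role) for name, role in roles.items()}


if __name__ == "__main__":
    for name, hits in audit(ROLES).items():
        print(f"{name}: {'credential exposure' if hits else 'ok'}")
        for op in hits:
            print(f"    {op}")
```

Run as-is, Logic App Contributor is flagged for all four operations (listCallbackUrl arrives through the Microsoft.Logic/* wildcard, not through an explicit entry), Azure Sentinel Automation Contributor for listCallbackUrl only, and the two remaining roles are clean. Extend CREDENTIAL_OPERATIONS with the credential-returning operations of the providers you actually run, and feed it the output of `az role definition list` instead of the inline copies, to audit custom roles the same way.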

Azure Sentinel Contributor

Azure Sentinel Contributor.

Actions Description
Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using new engine.
Microsoft.OperationalInsights/workspaces/*/read View log analytics data
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read Get existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get datasources under a workspace.
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read Read a private Workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Sentinel Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Sentinel Reader

Azure Sentinel Reader.

Actions Description
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Check user authorization and license
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Query Threat Intelligence Indicators
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Query Threat Intelligence Indicators
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using new engine.
Microsoft.OperationalInsights/workspaces/*/read View log analytics data
Microsoft.OperationalInsights/workspaces/LinkedServices/read Get linked services under the given workspace.
Microsoft.OperationalInsights/workspaces/savedSearches/read Gets a saved search query
Microsoft.OperationsManagement/solutions/read Get existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get datasources under a workspace.
Microsoft.Insights/workbooks/read Read a workbook
Microsoft.Insights/myworkbooks/read Read a private Workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Sentinel Reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Sentinel Responder

Azure Sentinel Responder. The role grants full control of incidents, cases and automation rules, then subtracts incident and case deletion through NotActions; a responder can close or reassign an incident but cannot remove it from the record.

Actions Description
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Check user authorization and license
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Append tags to Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Query Threat Intelligence Indicators
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action Bulk Tags Threat Intelligence
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Append tags to Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action Replace Tags of Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Query Threat Intelligence Indicators
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using new engine.
Microsoft.OperationalInsights/workspaces/*/read View log analytics data
Microsoft.OperationalInsights/workspaces/dataSources/read Get datasources under a workspace.
Microsoft.OperationalInsights/workspaces/savedSearches/read Gets a saved search query
Microsoft.OperationsManagement/solutions/read Get existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get datasources under a workspace.
Microsoft.Insights/workbooks/read Read a workbook
Microsoft.Insights/myworkbooks/read Read a private Workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Sentinel Responder",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Administrator

Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Certificates Officer

Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
none
DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Contributor

Lets you manage key vaults, but does not allow you to assign roles in Azure RBAC, nor to access secrets, keys, or certificates. That separation only holds for vaults that use the Azure RBAC permission model: on a vault that still uses the access policy model, Microsoft.KeyVault/* covers writing the vault's access policies, so a holder can grant themselves data-plane access to keys, secrets, and certificates. Managed HSM and HSM pool resources are excluded, and purging soft-deleted vaults is denied.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.KeyVault/*
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.KeyVault/locations/deletedVaults/purge/action Purge a soft deleted key vault
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Officer

Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Service Encryption User

Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. This is the least-privilege role for a service identity that envelope-encrypts with a customer-managed key: it can wrap and unwrap data-encryption keys but cannot create, rotate, or delete the key itself. The Event Grid actions let the holder manage event subscriptions (for example, to be notified of new key versions) and grant nothing on the vault.

Actions Description
Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription
Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription
Microsoft.EventGrid/eventSubscriptions/delete Delete an eventSubscription
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto User

Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Note that the role also includes update and backup, so a holder can change a key's attributes (such as its enabled state and expiry) and export an encrypted backup blob; it does not include create, import, delete, or purge.

Actions Description
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
Microsoft.KeyVault/vaults/keys/update/action Updates the specified attributes associated with the given key.
Microsoft.KeyVault/vaults/keys/backup/action Creates the backup file of a key. The file can be used to restore the key in a Key Vault of the same subscription. Restrictions may apply.
Microsoft.KeyVault/vaults/keys/encrypt/action Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/decrypt/action Decrypts ciphertext with a key.
Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.
Microsoft.KeyVault/vaults/keys/sign/action Signs a message digest (hash) with a key.
Microsoft.KeyVault/vaults/keys/verify/action Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Reader

Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Because keys/read falls under the data action Microsoft.KeyVault/vaults/*/read, a reader does receive the public half of asymmetric keys (and can encrypt or verify with it); private and symmetric key material is never returned, and secret values stay hidden because secrets are exposed only through readMetadata, not getSecret.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action List or view the properties of a secret, but not its value.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets Officer

Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. The single data action Microsoft.KeyVault/vaults/secrets/* covers reading values as well as setting, deleting and purging secrets; role assignment is excluded because the role grants no Microsoft.Authorization write action.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read    Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read    View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read    Lists operations available on the Microsoft.KeyVault resource provider
NotActions    none
DataActions    Description
Microsoft.KeyVault/vaults/secrets/*
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets User

Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. The role has no control-plane Actions at all, so it cannot list or view the vault resource itself; a principal that also needs to browse vaults must hold a role such as Key Vault Reader in addition.

Actions    Description
NotActions    none
DataActions    Description
Microsoft.KeyVault/vaults/secrets/getSecret/action    Gets the value of a secret.
Microsoft.KeyVault/vaults/secrets/readMetadata/action    List or view the properties of a secret, but not its value.
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed HSM Contributor

Lets you manage managed HSM pools, but not access to them. This is a control-plane role only: the one wildcard action covers every management operation on Microsoft.KeyVault/managedHSMs resources, including deletion, and no DataActions are granted.

Actions    Description
Microsoft.KeyVault/managedHSMs/*
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Admin

View and update permissions for Security Center. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. Note that the four Microsoft.Authorization/policy* actions let the holder create, assign and exempt any Azure Policy at the assignment's scope, not only Security Center policies.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Authorization/policyAssignments/*    Create and manage policy assignments
Microsoft.Authorization/policyDefinitions/*    Create and manage policy definitions
Microsoft.Authorization/policyExemptions/*    Create and manage policy exemptions
Microsoft.Authorization/policySetDefinitions/*    Create and manage policy sets
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.Management/managementGroups/read    List management groups for the authenticated user.
Microsoft.operationalInsights/workspaces/*/read    View log analytics data
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Security/*    Create and manage security components and policies
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Assessment Contributor

Lets you push assessments to Security Center.

Actions    Description
Microsoft.Security/assessments/write    Create or update security assessments on your subscription
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Manager (Legacy)

This is a legacy role. Use Security Admin instead.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.ClassicCompute/*/read    Read configuration information for classic virtual machines
Microsoft.ClassicCompute/virtualMachines/*/write    Write configuration for classic virtual machines
Microsoft.ClassicNetwork/*/read    Read configuration information about classic network
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Security/*    Create and manage security components and policies
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Reader

View permissions for Security Center. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. Despite the name, the three Microsoft.Security/iot* entries are not read operations: they download Defender for IoT packages, activation files and sensor password-reset files.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Insights/alertRules/read    Read a classic metric alert
Microsoft.operationalInsights/workspaces/*/read    View log analytics data
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Security/*/read    Read security components and policies
Microsoft.Support/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action    Gets downloadable IoT Defender packages information
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action    Download manager activation file with subscription quota data
Microsoft.Security/iotSensors/downloadResetPassword/action    Downloads reset password file for IoT Sensors
Microsoft.Management/managementGroups/read    List management groups for the authenticated user.
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DevOps

DevTest Labs User

Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. Scope the assignment to the lab's resource group: Microsoft.Storage/storageAccounts/listKeys/action returns the account access keys for every storage account within the assignment's scope, and those keys grant full access to the account's data.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Compute/availabilitySets/read    Get the properties of an availability set
Microsoft.Compute/virtualMachines/*/read    Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.)
Microsoft.Compute/virtualMachines/deallocate/action    Powers off the virtual machine and releases the compute resources
Microsoft.Compute/virtualMachines/read    Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/restart/action    Restarts the virtual machine
Microsoft.Compute/virtualMachines/start/action    Starts the virtual machine
Microsoft.DevTestLab/*/read    Read the properties of a lab
Microsoft.DevTestLab/labs/claimAnyVm/action    Claim a random claimable virtual machine in the lab.
Microsoft.DevTestLab/labs/createEnvironment/action    Create virtual machines in a lab.
Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action    Ensure the current user has a valid profile in the lab.
Microsoft.DevTestLab/labs/formulas/delete    Delete formulas.
Microsoft.DevTestLab/labs/formulas/read    Read formulas.
Microsoft.DevTestLab/labs/formulas/write    Add or modify formulas.
Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action    Evaluates lab policy.
Microsoft.DevTestLab/labs/virtualMachines/claim/action    Take ownership of an existing virtual machine
Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action    Lists the applicable start/stop schedules, if any.
Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action    Gets a string that represents the contents of the RDP file for the virtual machine
Microsoft.Network/loadBalancers/backendAddressPools/join/action    Joins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action    Joins a load balancer inbound nat rule. Not Alertable.
Microsoft.Network/networkInterfaces/*/read    Read the properties of a network interface (for example, all the load balancers that the network interface is a part of)
Microsoft.Network/networkInterfaces/join/action    Joins a Virtual Machine to a network interface. Not Alertable.
Microsoft.Network/networkInterfaces/read    Gets a network interface definition.
Microsoft.Network/networkInterfaces/write    Creates a network interface or updates an existing network interface.
Microsoft.Network/publicIPAddresses/*/read    Read the properties of a public IP address
Microsoft.Network/publicIPAddresses/join/action    Joins a public ip address. Not Alertable.
Microsoft.Network/publicIPAddresses/read    Gets a public ip address definition.
Microsoft.Network/virtualNetworks/subnets/join/action    Joins a virtual network. Not Alertable.
Microsoft.Resources/deployments/operations/read    Gets or lists deployment operations.
Microsoft.Resources/deployments/read    Gets or lists deployments.
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listKeys/action    Returns the access keys for the specified storage account.
NotActions    Description
Microsoft.Compute/virtualMachines/vmSizes/read    Lists available sizes the virtual machine can be updated to
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
  "name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DevTest Labs User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Creator

Lets you create new labs under your Azure Lab Accounts.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.LabServices/labAccounts/*/read
Microsoft.LabServices/labAccounts/createLab/action    Create a lab in a lab account.
Microsoft.LabServices/labAccounts/getPricingAndAvailability/action    Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account.
Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action    Get core restrictions and usage for this subscription
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create new labs under your Azure Lab Accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.LabServices/labAccounts/*/read",
        "Microsoft.LabServices/labAccounts/createLab/action",
        "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
        "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Creator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring

Application Insights Component Contributor

Can manage Application Insights components.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Insights/alertRules/*    Create and manage classic alert rules
Microsoft.Insights/generateLiveToken/read    Live Metrics get token
Microsoft.Insights/metricAlerts/*    Create and manage new alert rules
Microsoft.Insights/components/*    Create and manage Insights components
Microsoft.Insights/scheduledqueryrules/*
Microsoft.Insights/topology/read    Read Topology
Microsoft.Insights/transactions/read    Read Transactions
Microsoft.Insights/webtests/*    Create and manage Insights web tests
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Application Insights components",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
  "name": "ae349356-3a1b-4a5e-921d-050484c6347e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/generateLiveToken/read",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/topology/read",
        "Microsoft.Insights/transactions/read",
        "Microsoft.Insights/webtests/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Component Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Application Insights Snapshot Debugger

Gives the user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.Insights/components/*/read
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives user permission to use Application Insights Snapshot Debugger features",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Snapshot Debugger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Contributor

Can read all monitoring data and update monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. Two entries matter for detection engineering: Microsoft.Insights/DiagnosticSettings/* lets the holder change or delete the diagnostic settings that forward resource logs, and Microsoft.OperationalInsights/workspaces/sharedKeys/action returns the workspace keys that agents use to ingest data, so a holder can both silence and write into a workspace.

Actions    Description
*/read    Read resources of all types, except secrets.
Microsoft.AlertsManagement/alerts/*
Microsoft.AlertsManagement/alertsSummary/*
Microsoft.Insights/actiongroups/*
Microsoft.Insights/activityLogAlerts/*
Microsoft.Insights/AlertRules/*    Create and manage a classic metric alert
Microsoft.Insights/components/*    Create and manage Insights components
Microsoft.Insights/dataCollectionRules/*
Microsoft.Insights/dataCollectionRuleAssociations/*
Microsoft.Insights/DiagnosticSettings/*    Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/eventtypes/*    List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log.
Microsoft.Insights/LogDefinitions/*    This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log.
Microsoft.Insights/metricalerts/*
Microsoft.Insights/MetricDefinitions/*    Read metric definitions (list of available metric types for a resource).
Microsoft.Insights/Metrics/*    Read metrics for a resource.
Microsoft.Insights/Register/Action    Register the Microsoft Insights provider
Microsoft.Insights/scheduledqueryrules/*
Microsoft.Insights/webtests/*    Create and manage Insights web tests
Microsoft.Insights/workbooks/*
Microsoft.Insights/privateLinkScopes/*
Microsoft.Insights/privateLinkScopeOperationStatuses/*
Microsoft.OperationalInsights/workspaces/write    Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace.
Microsoft.OperationalInsights/workspaces/intelligencepacks/*    Read/write/delete log analytics solution packs.
Microsoft.OperationalInsights/workspaces/savedSearches/*    Read/write/delete log analytics saved searches.
Microsoft.OperationalInsights/workspaces/search/action    Executes a search query
Microsoft.OperationalInsights/workspaces/sharedKeys/action    Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*    Read/write/delete log analytics storage insight configurations.
Microsoft.Support/*    Create and update a support ticket
Microsoft.WorkloadMonitor/monitors/*    Get information about guest VM health monitors.
Microsoft.AlertsManagement/smartDetectorAlertRules/*
Microsoft.AlertsManagement/actionRules/*
Microsoft.AlertsManagement/smartGroups/*
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read all monitoring data and update monitoring settings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.AlertsManagement/alerts/*",
        "Microsoft.AlertsManagement/alertsSummary/*",
        "Microsoft.Insights/actiongroups/*",
        "Microsoft.Insights/activityLogAlerts/*",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Insights/dataCollectionRuleAssociations/*",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/eventtypes/*",
        "Microsoft.Insights/LogDefinitions/*",
        "Microsoft.Insights/metricalerts/*",
        "Microsoft.Insights/MetricDefinitions/*",
        "Microsoft.Insights/Metrics/*",
        "Microsoft.Insights/Register/Action",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/webtests/*",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/privateLinkScopes/*",
        "Microsoft.Insights/privateLinkScopeOperationStatuses/*",
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
        "Microsoft.Support/*",
        "Microsoft.WorkloadMonitor/monitors/*",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
        "Microsoft.AlertsManagement/actionRules/*",
        "Microsoft.AlertsManagement/smartGroups/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Metrics Publisher

Enables publishing metrics against Azure resources. The write permission is a data action, so it is assigned to the identity that emits metrics (for example an agent or a workload's managed identity) and grants nothing on the control plane beyond provider registration.

Actions    Description
Microsoft.Insights/Register/Action    Register the Microsoft Insights provider
Microsoft.Support/*    Create and update a support ticket
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
NotActions    none
DataActions    Description
Microsoft.Insights/Metrics/Write    Write metrics
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Enables publishing metrics against Azure resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
  "name": "3913510d-42f4-4e42-8a64-420c390055eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/Register/Action",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Insights/Metrics/Write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Metrics Publisher",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Reader

Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. Besides the */read wildcard, Microsoft.OperationalInsights/workspaces/search/action lets the holder run queries against every Log Analytics workspace in scope, and log content is frequently more sensitive than the metrics the role name suggests.

Actions    Description
*/read    Read resources of all types, except secrets.
Microsoft.OperationalInsights/workspaces/search/action    Executes a search query
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read all monitoring data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
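The role definitions above are only useful if you can predict what Azure RBAC will decide for a given operation. The following is an added example, not Microsoft's code or part of the original page; it implements the documented evaluation rules (Actions/NotActions decide control-plane operations, DataActions/NotDataActions decide data-plane operations, `*` matches any run of characters, matching is case-insensitive, and a Not* entry removes what a matching wildcard would otherwise grant) and applies them to four roles from this page: Key Vault Reader and Key Vault Secrets User (why only the latter can read a secret value), DevTest Labs User (how its NotActions entry carves vmSizes/read out of the `virtualMachines/*/read` wildcard) and Monitoring Reader (why `*/read` reaches the vault resource but not secret contents). The role contents are copied from the JSON on this page; the DevTest Labs User entry is deliberately trimmed to the actions the check exercises, and the three operation strings used for the checks are assumed to be the operation names Azure reports for those requests.

```python
"""Evaluate Azure RBAC operations against role definitions listed on this page.

Added example, not Microsoft's code. Rules implemented: Actions/NotActions
decide control-plane (management) operations, DataActions/NotDataActions
decide data-plane operations, '*' matches any run of characters, matching is
case-insensitive, and a Not* entry removes what a matching wildcard grants.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleDefinition:
    role_name: str
    actions: tuple = ()
    not_actions: tuple = ()
    data_actions: tuple = ()
    not_data_actions: tuple = ()


def pattern_matches(pattern: str, operation: str) -> bool:
    """True if an Actions-style pattern covers the operation string.

    '*' is the only wildcard and may span '/' separators, so
    'Microsoft.Compute/virtualMachines/*/read' covers
    'Microsoft.Compute/virtualMachines/vmSizes/read'.
    """
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def _granted(allow, deny, operation):
    allowed = any(pattern_matches(p, operation) for p in allow)
    denied = any(pattern_matches(p, operation) for p in deny)
    return allowed and not denied


def is_permitted(role: RoleDefinition, operation: str, *, data_plane: bool = False) -> bool:
    """Decide one operation for one role.

    A control-plane operation is checked only against Actions/NotActions, a
    data-plane operation only against DataActions/NotDataActions; a grant on
    one plane never satisfies an operation on the other.
    """
    if data_plane:
        return _granted(role.data_actions, role.not_data_actions, operation)
    return _granted(role.actions, role.not_actions, operation)


def permitted_roles(roles, operation, *, data_plane=False):
    """Names of the roles that permit the operation, in the order given."""
    return [r.role_name for r in roles if is_permitted(r, operation, data_plane=data_plane)]


# Role contents copied from the role JSON on this page.
KEY_VAULT_READER = RoleDefinition(
    "Key Vault Reader",
    actions=(
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read",
    ),
    data_actions=(
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ),
)
KEY_VAULT_SECRETS_USER = RoleDefinition(
    "Key Vault Secrets User",
    data_actions=(
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ),
)
MONITORING_READER = RoleDefinition(
    "Monitoring Reader",
    actions=("*/read", "Microsoft.OperationalInsights/workspaces/search/action", "Microsoft.Support/*"),
)
# Trimmed to the DevTest Labs User entries the NotActions check exercises;
# the full list is in that role's JSON above.
DEVTEST_LABS_USER = RoleDefinition(
    "DevTest Labs User",
    actions=("Microsoft.Compute/virtualMachines/*/read", "Microsoft.Compute/virtualMachines/read"),
    not_actions=("Microsoft.Compute/virtualMachines/vmSizes/read",),
)

ALL_ROLES = (KEY_VAULT_READER, KEY_VAULT_SECRETS_USER, MONITORING_READER, DEVTEST_LABS_USER)
# Operation names assumed for the checks (data plane vs control plane as marked).
GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"      # data plane
READ_DELETED_VAULT = "Microsoft.KeyVault/locations/deletedVaults/read"  # control plane
LIST_VM_SIZES = "Microsoft.Compute/virtualMachines/vmSizes/read"        # control plane

if __name__ == "__main__":
    print("can read a secret value:   ", permitted_roles(ALL_ROLES, GET_SECRET, data_plane=True))
    print("can read a deleted vault:  ", permitted_roles(ALL_ROLES, READ_DELETED_VAULT))
    print("DevTest Labs User, vmSizes:", is_permitted(DEVTEST_LABS_USER, LIST_VM_SIZES))
```

Run as a script it reports that only Key Vault Secrets User can read a secret value, that both Key Vault Reader and Monitoring Reader can read the soft-deleted vault resource, and that DevTest Labs User cannot list VM sizes even though `virtualMachines/*/read` would otherwise match. The same evaluator, fed the JSON of a custom role, is a quick way to audit what a proposed definition actually allows before assigning it.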

Workbook Contributor

Can save shared workbooks.

Actions    Description
Microsoft.Insights/workbooks/write    Create or update a workbook
Microsoft.Insights/workbooks/delete    Delete a workbook
Microsoft.Insights/workbooks/read    Read a workbook
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can save shared workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/workbooks/write",
        "Microsoft.Insights/workbooks/delete",
        "Microsoft.Insights/workbooks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Workbook Reader

Can read workbooks.

Actions    Description
microsoft.insights/workbooks/read    Read a workbook
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "permissions": [
    {
      "actions": [
        "microsoft.insights/workbooks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management and governance

Automation Job Operator

Create and manage jobs using Automation runbooks. Because Microsoft.Automation/automationAccounts/jobs/write starts a job for any runbook in the account, and runbook jobs run under the automation account's own identity, the effective privilege of this role is whatever that identity is allowed to do; jobs/streams/read and jobs/output/read additionally expose anything a runbook writes to its output.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read    Reads Hybrid Runbook Worker Resources
Microsoft.Automation/automationAccounts/jobs/read    Gets an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/resume/action    Resumes an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/stop/action    Stops an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/streams/read    Gets an Azure Automation job stream
Microsoft.Automation/automationAccounts/jobs/suspend/action    Suspends an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/write    Creates an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/output/read    Gets the output of a job
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and Manage Jobs using Automation Runbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Job Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Automation Operator

Automation Operators are able to start, stop, suspend, and resume jobs. Compared with Automation Job Operator, this role can also create schedules and job schedules, so a holder can arrange for a runbook to run unattended at a later time.

Actions    Description
Microsoft.Authorization/*/read    Read roles and role assignments
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read    Reads Hybrid Runbook Worker Resources
Microsoft.Automation/automationAccounts/jobs/read    Gets an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/resume/action    Resumes an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/stop/action    Stops an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/streams/read    Gets an Azure Automation job stream
Microsoft.Automation/automationAccounts/jobs/suspend/action    Suspends an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/write    Creates an Azure Automation job
Microsoft.Automation/automationAccounts/jobSchedules/read    Gets an Azure Automation job schedule
Microsoft.Automation/automationAccounts/jobSchedules/write    Creates an Azure Automation job schedule
Microsoft.Automation/automationAccounts/linkedWorkspace/read    Gets the workspace linked to the automation account
Microsoft.Automation/automationAccounts/read    Gets an Azure Automation account
Microsoft.Automation/automationAccounts/runbooks/read    Gets an Azure Automation runbook
Microsoft.Automation/automationAccounts/schedules/read    Gets an Azure Automation schedule asset
Microsoft.Automation/automationAccounts/schedules/write    Creates or updates an Azure Automation schedule asset
Microsoft.Insights/alertRules/*    Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read    Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*    Create and manage a deployment
Microsoft.Automation/automationAccounts/jobs/output/read    Gets the output of a job
Microsoft.Resources/subscriptions/resourceGroups/read    Gets or lists resource groups.
Microsoft.Support/*    Create and update a support ticket
NotActions    none
DataActions    none
NotDataActions    none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Automation Operators are able to start, stop, suspend, and resume jobs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
  "name": "d3881f73-407a-4167-8283-e981cbba0404",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobSchedules/read",
        "Microsoft.Automation/automationAccounts/jobSchedules/write",
        "Microsoft.Automation/automationAccounts/linkedWorkspace/read",
        "Microsoft.Automation/automationAccounts/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Automation/automationAccounts/schedules/read",
        "Microsoft.Automation/automationAccounts/schedules/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Automation Runbook Operator

Read Runbook properties - to be able to create Jobs of the runbook. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Automation/automationAccounts/runbooks/read Gets an Azure Automation runbook
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read Runbook properties - to be able to create Jobs of the runbook.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Runbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Enabled Kubernetes Cluster User Role

List cluster user credentials action.

Actions Description
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action List clusterUser credential
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Cluster Admin

Lets you manage all resources in the cluster. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
Microsoft.Kubernetes/connectedClusters/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Viewer

Lets you view all resources in cluster/namespace, except secrets. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/apps/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.Kubernetes/connectedClusters/batch/jobs/read Reads jobs
Microsoft.Kubernetes/connectedClusters/configmaps/read Reads configmaps
Microsoft.Kubernetes/connectedClusters/endpoints/read Reads endpoints
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Reads deployments
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Reads replicasets
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.Kubernetes/connectedClusters/pods/read Reads pods
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.Kubernetes/connectedClusters/services/read Reads services
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Writer

Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Reads events
Microsoft.Kubernetes/connectedClusters/events/read Reads events
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read Reads limitranges
Microsoft.Kubernetes/connectedClusters/namespaces/read Reads namespaces
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read Reads resourcequotas
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Onboarding

Can onboard Azure Connected Machines. Learn more

Actions Description
Microsoft.HybridCompute/machines/read Read any Azure Arc machines
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/privateLinkScopes/read Read any Azure Arc privateLinkScopes
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Get guest configuration assignment.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can onboard Azure Connected Machines.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Resource Administrator

Can read, write, delete and re-onboard Azure Connected Machines.

Actions Description
Microsoft.HybridCompute/machines/read Read any Azure Arc machines
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.HybridCompute/privateLinkScopes/*
Microsoft.HybridCompute/*/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read, write, delete and re-onboard Azure Connected Machines.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
  "name": "cd570a14-e51a-42ad-bac8-bafd67325302",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/privateLinkScopes/*",
        "Microsoft.HybridCompute/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Resource Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Billing Reader

Allows read access to billing data. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Billing/*/read Read billing information
Microsoft.Commerce/*/read
Microsoft.Consumption/*/read
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.CostManagement/*/read
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to billing data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Billing/*/read",
        "Microsoft.Commerce/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Billing Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Contributor

Can manage blueprint definitions, but not assign them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Blueprint/blueprints/* Create and manage blueprint definitions or blueprint artifacts.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage blueprint definitions, but not assign them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
  "name": "41077137-e803-4205-871c-5a86e6a753b4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprints/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Operator

Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Blueprint/blueprintAssignments/* Create and manage blueprint assignments.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
  "name": "437d2ced-4a38-4302-8479-ed2bcb43d090",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprintAssignments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Contributor

Can view costs and manage cost configuration (e.g. budgets, exports). Learn more

Actions Description
Microsoft.Consumption/*
Microsoft.CostManagement/*
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Advisor/configurations/read Get configurations
Microsoft.Advisor/recommendations/read Reads recommendations
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Billing/billingProperty/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view costs and manage cost configuration (e.g. budgets, exports)",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
  "name": "434105ed-43f6-45c7-a02f-909b2ba83430",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Reader

Can view cost data and configuration (e.g. budgets, exports). Learn more

Actions Description
Microsoft.Consumption/*/read
Microsoft.CostManagement/*/read
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Advisor/configurations/read Get configurations
Microsoft.Advisor/recommendations/read Reads recommendations
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Billing/billingProperty/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view cost data and configuration (e.g. budgets, exports)",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
  "name": "72fafb9e-0641-4937-9268-a91bfd8191a3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Hierarchy Settings Administrator

Allows users to edit and delete Hierarchy Settings

Actions Description
Microsoft.Management/managementGroups/settings/write Creates or updates management group hierarchy settings.
Microsoft.Management/managementGroups/settings/delete Deletes management group hierarchy settings.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows users to edit and delete Hierarchy Settings",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
  "name": "350f8d15-c687-4448-8ae1-157740a3936d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/settings/write",
        "Microsoft.Management/managementGroups/settings/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Hierarchy Settings Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Cluster - Azure Arc Onboarding

Role definition to authorize any user/service to create connectedClusters resource. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/read Read connectedClusters
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Contributor Role

Allows for creating managed application resources.

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Solutions/applications/*
Microsoft.Solutions/register/action Register to Solutions.
Microsoft.Resources/subscriptions/resourceGroups/*
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for creating managed application resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
  "name": "641177b8-a67a-45b9-a033-47bc880bb21e",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/*",
        "Microsoft.Solutions/register/action",
        "Microsoft.Resources/subscriptions/resourceGroups/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Operator Role

Lets you read and perform actions on Managed Application resources

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Solutions/applications/read Retrieves a list of applications.
Microsoft.Solutions/*/action
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and perform actions on Managed Application resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "name": "c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/read",
        "Microsoft.Solutions/*/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Applications Reader

Lets you read resources in a managed app and request JIT access.

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Solutions/jitRequests/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read resources in a managed app and request JIT access.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "name": "b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Solutions/jitRequests/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Applications Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Services Registration assignment Delete Role

The Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. Learn more

Actions Description
Microsoft.ManagedServices/registrationAssignments/read Retrieves a list of Managed Services registration assignments.
Microsoft.ManagedServices/registrationAssignments/delete Removes the Managed Services registration assignment.
Microsoft.ManagedServices/operationStatuses/read Reads the operation status for the resource.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
  "name": "91c1777a-f3dc-4fae-b103-61d183457e46",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedServices/registrationAssignments/read",
        "Microsoft.ManagedServices/registrationAssignments/delete",
        "Microsoft.ManagedServices/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Services Registration assignment Delete Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management Group Contributor

Management Group Contributor Role. Learn more

Actions Description
Microsoft.Management/managementGroups/delete Delete management group.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Management/managementGroups/subscriptions/delete De-associates the subscription from the management group.
Microsoft.Management/managementGroups/subscriptions/write Associates an existing subscription with the management group.
Microsoft.Management/managementGroups/write Create or update a management group.
Microsoft.Management/managementGroups/subscriptions/read Lists the subscriptions under the given management group.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Management Group Contributor Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/delete",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/delete",
        "Microsoft.Management/managementGroups/subscriptions/write",
        "Microsoft.Management/managementGroups/write",
        "Microsoft.Management/managementGroups/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management Group Reader

Management Group Reader Role

Actions Description
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Management/managementGroups/subscriptions/read Lists the subscriptions under the given management group.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Management Group Reader Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
  "name": "ac63b705-f282-497d-ac71-919bf39d939d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

New Relic APM Account Contributor

Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NewRelic.APM/accounts/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
  "name": "5d28c62d-5b37-4476-8438-e587778df237",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "NewRelic.APM/accounts/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "New Relic APM Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Policy Insights Data Writer (Preview)

Allows read access to resource policies and write access to resource component policy events. Learn more

Actions Description
Microsoft.Authorization/policyassignments/read Get information about a policy assignment.
Microsoft.Authorization/policydefinitions/read Get information about a policy definition.
Microsoft.Authorization/policyexemptions/read Get information about a policy exemption.
Microsoft.Authorization/policysetdefinitions/read Get information about a policy set definition.
NotActions
DataActions
Microsoft.PolicyInsights/checkDataPolicyCompliance/action Check the compliance status of a given component against data policies.
Microsoft.PolicyInsights/policyEvents/logDataEvents/action Log the resource component policy events.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to resource policies and write access to resource component policy events.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "name": "66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/policyassignments/read",
        "Microsoft.Authorization/policydefinitions/read",
        "Microsoft.Authorization/policyexemptions/read",
        "Microsoft.Authorization/policysetdefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
        "Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Policy Insights Data Writer (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Quota Request Operator

Read and create quota requests, get quota request status, and create support tickets. Learn more

Actions Description
Microsoft.Capacity/resourceProviders/locations/serviceLimits/read Get the current service limit or quota of the specified resource and location
Microsoft.Capacity/resourceProviders/locations/serviceLimits/write Create a service limit or quota for the specified resource and location
Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read Get any service limit request for the specified resource and location
Microsoft.Capacity/register/action Registers the Capacity resource provider and enables the creation of Capacity resources.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and create quota requests, get quota request status, and create support tickets.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Quota Request Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reservation Purchaser

Lets you purchase reservations. Learn more

Actions Description
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Capacity/register/action Registers the Capacity resource provider and enables the creation of Capacity resources.
Microsoft.Compute/register/action Registers the subscription with the Microsoft.Compute resource provider
Microsoft.SQL/register/action Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases.
Microsoft.Consumption/register/action Register to the Consumption RP
Microsoft.Capacity/catalogs/read Read the reservation catalog
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Consumption/reservationRecommendations/read List single or shared recommendations for reserved instances for a subscription.
Microsoft.Support/supporttickets/write Allows creating and updating a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you purchase reservations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "name": "f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Compute/register/action",
        "Microsoft.SQL/register/action",
        "Microsoft.Consumption/register/action",
        "Microsoft.Capacity/catalogs/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Consumption/reservationRecommendations/read",
        "Microsoft.Support/supporttickets/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservation Purchaser",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Resource Policy Contributor

Users with rights to create/modify resource policy, create support tickets and read resources/hierarchy. Learn more

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.Authorization/policyassignments/* Create and manage policy assignments
Microsoft.Authorization/policydefinitions/* Create and manage policy definitions
Microsoft.Authorization/policyexemptions/* Create and manage policy exemptions
Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets
Microsoft.PolicyInsights/*
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
  "name": "36243c78-bf99-498c-9df9-86d9f8d28608",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*",
        "Microsoft.Authorization/policyexemptions/*",
        "Microsoft.Authorization/policysetdefinitions/*",
        "Microsoft.PolicyInsights/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Resource Policy Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Contributor

Lets you manage the Site Recovery service, except vault creation and role assignment. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate.
Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to the vault
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities
Microsoft.RecoveryServices/vaults/replicationAlertSettings/* Create or update replication alert settings
Microsoft.RecoveryServices/vaults/replicationEvents/read Read any events
Microsoft.RecoveryServices/vaults/replicationFabrics/* Create and manage replication fabrics
Microsoft.RecoveryServices/vaults/replicationJobs/* Create and manage replication jobs
Microsoft.RecoveryServices/vaults/replicationPolicies/* Create and manage replication policies
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* Create and manage recovery plans
Microsoft.RecoveryServices/Vaults/storageConfig/* Create and manage the storage configuration of the Recovery Services vault
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get a vault token for vault-level backend operations.
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Read alerts for the Recovery Services vault
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/vaults/replicationOperationStatus/read Read any vault replication operation status
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Site Recovery service except vault creation and role assignment",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/*",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/*",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
        "Microsoft.RecoveryServices/Vaults/storageConfig/*",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Operator

Lets you failover and failback but not perform other Site Recovery management operations. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Read any alert settings
Microsoft.RecoveryServices/vaults/replicationEvents/read Read any events
Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action Checks the consistency of the fabric
Microsoft.RecoveryServices/vaults/replicationFabrics/read Read any fabrics
Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action Reassociate gateway
Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action Renew the certificate for the fabric
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Read any networks
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Read any network mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Read any protection containers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Read any protectable items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action Apply recovery point
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action Failover commit
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action Planned failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Read any protected items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Read any replication recovery points
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action Repair replication
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action Re-protect the protected item
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action Switch protection container
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action Test failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action Test failover cleanup
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action Failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action Update mobility service
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Read any protection container mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Read any recovery services providers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action Refresh provider
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Read any storage classifications
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Read any storage classification mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Read any vCenters
Microsoft.RecoveryServices/vaults/replicationJobs/* Create and manage replication jobs
Microsoft.RecoveryServices/vaults/replicationPolicies/read Read any policies
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action Failover commit recovery plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action Planned failover recovery plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Read any recovery plans
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action Re-protect recovery plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action Test failover recovery plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action Test failover cleanup recovery plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action Failover recovery plan
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Read alerts for the Recovery Services vault
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get a vault token for vault-level backend operations.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you failover and failback but not perform other Site Recovery management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
  "name": "494ae006-db33-4328-bf46-533a6560a3ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Reader

Lets you view Site Recovery status but not perform other management operations. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's extended info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Read any alert settings
Microsoft.RecoveryServices/vaults/replicationEvents/read Read any events
Microsoft.RecoveryServices/vaults/replicationFabrics/read Read any fabrics
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Read any networks
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Read any network mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Read any protection containers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Read any protectable items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Read any protected items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Read any replication recovery points
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Read any protection container mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Read any recovery services providers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Read any storage classifications
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Read any storage classification mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Read any vCenters
Microsoft.RecoveryServices/vaults/replicationJobs/read Read any jobs
Microsoft.RecoveryServices/vaults/replicationPolicies/read Read any policies
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Read any recovery plans
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get a vault token for vault-level backend operations.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view Site Recovery status but not perform other management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "name": "dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/read",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Support Request Contributor

Lets you create and manage support requests.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create and manage Support requests",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Support Request Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Tag Contributor

Lets you manage tags on entities, without providing access to the entities themselves.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/resources/read Gets the resources for the resource group.
Microsoft.Resources/subscriptions/resources/read Gets the resources of a subscription.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
Microsoft.Resources/tags/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage tags on entities, without providing access to the entities themselves.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/tags/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Tag Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Other

Azure Digital Twins Data Owner

Full access role for the Digital Twins data plane.

Action Description
NotActions
DataActions
Microsoft.DigitalTwins/eventroutes/* Read, delete, create, or update any event route
Microsoft.DigitalTwins/digitaltwins/* Read, create, update, or delete any digital twin
Microsoft.DigitalTwins/digitaltwins/commands/* Invoke any command on a digital twin
Microsoft.DigitalTwins/digitaltwins/relationships/* Read, create, update, or delete any digital twin relationship
Microsoft.DigitalTwins/models/* Read, create, update, or delete any model
Microsoft.DigitalTwins/query/* Query any Digital Twins graph
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access role for Digital Twins data-plane",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",
  "name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/eventroutes/*",
        "Microsoft.DigitalTwins/digitaltwins/*",
        "Microsoft.DigitalTwins/digitaltwins/commands/*",
        "Microsoft.DigitalTwins/digitaltwins/relationships/*",
        "Microsoft.DigitalTwins/models/*",
        "Microsoft.DigitalTwins/query/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Digital Twins Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Digital Twins Data Reader

Read-only role for Digital Twins data-plane properties.

Action Description
NotActions
DataActions
Microsoft.DigitalTwins/digitaltwins/read Read any digital twin
Microsoft.DigitalTwins/digitaltwins/relationships/read Read any digital twin relationship
Microsoft.DigitalTwins/eventroutes/read Read any event route
Microsoft.DigitalTwins/models/read Read any model
Microsoft.DigitalTwins/query/action Query any Digital Twins graph
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only role for Digital Twins data-plane properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",
  "name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/digitaltwins/read",
        "Microsoft.DigitalTwins/digitaltwins/relationships/read",
        "Microsoft.DigitalTwins/eventroutes/read",
        "Microsoft.DigitalTwins/models/read",
        "Microsoft.DigitalTwins/query/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Digital Twins Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

BizTalk Contributor

Lets you manage BizTalk services, but not access to them.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.BizTalkServices/BizTalk/* Create and manage BizTalk services
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage BizTalk services, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BizTalkServices/BizTalk/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "BizTalk Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Application Group Contributor

Contributor of the Desktop Virtualization Application Group.

Action Description
Microsoft.DesktopVirtualization/applicationgroups/*
Microsoft.DesktopVirtualization/hostpools/read Read hostpools
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Read hostpools/sessionhosts
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Contributor of the Desktop Virtualization Application Group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8",
  "name": "86240b0e-9422-4c43-887b-b61143f32ba8",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Application Group Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Application Group Reader

Reader of the Desktop Virtualization Application Group.

Action Description
Microsoft.DesktopVirtualization/applicationgroups/*/read
Microsoft.DesktopVirtualization/applicationgroups/read Read applicationgroups
Microsoft.DesktopVirtualization/hostpools/read Read hostpools
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Read hostpools/sessionhosts
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Reader of the Desktop Virtualization Application Group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
  "name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Application Group Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Contributor

Contributor of Desktop Virtualization.

Action Description
Microsoft.DesktopVirtualization/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Contributor of Desktop Virtualization.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387",
  "name": "082f0a83-3be5-4ba1-904c-961cca79b387",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Contributor

Contributor of the Desktop Virtualization Host Pool.

Action Description
Microsoft.DesktopVirtualization/hostpools/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Contributor of the Desktop Virtualization Host Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc",
  "name": "e307426c-f9b6-4e81-87de-d99efb3c32bc",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Host Pool Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Reader

Reader of the Desktop Virtualization Host Pool.

Action Description
Microsoft.DesktopVirtualization/hostpools/*/read
Microsoft.DesktopVirtualization/hostpools/read Read hostpools
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Reader of the Desktop Virtualization Host Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822",
  "name": "ceadfde2-b300-400a-ab7b-6143895aa822",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Host Pool Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Reader

Reader of Desktop Virtualization.

Action Description
Microsoft.DesktopVirtualization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Reader of Desktop Virtualization.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868",
  "name": "49a72310-ab8d-41df-bbb0-79b649203868",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Session Host Operator

Operator of the Desktop Virtualization Session Host.

Action Description
Microsoft.DesktopVirtualization/hostpools/read Read hostpools
Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Operator of the Desktop Virtualization Session Host.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408",
  "name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Session Host Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User

Allows a user to use the applications in an application group.

Action Description
NotActions
DataActions
Microsoft.DesktopVirtualization/applicationGroups/useApplications/action Use an ApplicationGroup
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows user to use the applications in an application group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
  "name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User Session Operator

Operator of the Desktop Virtualization User Session.

Action Description
Microsoft.DesktopVirtualization/hostpools/read Read hostpools
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Read hostpools/sessionhosts
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Operator of the Desktop Virtualization Uesr Session.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
  "name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization User Session Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Contributor

Contributor of the Desktop Virtualization Workspace.

Action Description
Microsoft.DesktopVirtualization/workspaces/*
Microsoft.DesktopVirtualization/applicationgroups/read Read applicationgroups
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Contributor of the Desktop Virtualization Workspace.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b",
  "name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/*",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Workspace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Reader

Reader of the Desktop Virtualization Workspace.

Action Description
Microsoft.DesktopVirtualization/workspaces/read Read workspaces
Microsoft.DesktopVirtualization/applicationgroups/read Read applicationgroups
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Reader of the Desktop Virtualization Workspace.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
  "name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Workspace Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Backup Reader

Provides permission to a backup vault to perform disk backup.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/disks/read Get the properties of a disk
Microsoft.Compute/disks/beginGetAccess/action Get the SAS URI of the disk for blob access
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk backup.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Restore Operator

Provides permission to a backup vault to perform disk restore.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Compute/disks/write Creates a new disk or updates an existing one
Microsoft.Compute/disks/read Get the properties of a disk
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk restore.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
  "name": "b50d9833-a0cb-478e-945f-707fcc997c13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Restore Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Snapshot Contributor

Provides permission to a backup vault to manage disk snapshots.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Compute/snapshots/delete Delete a snapshot
Microsoft.Compute/snapshots/write Create a new snapshot or update an existing one
Microsoft.Compute/snapshots/read Get the properties of a snapshot
Microsoft.Compute/snapshots/beginGetAccess/action Get the SAS URI of the snapshot for blob access
Microsoft.Compute/snapshots/endGetAccess/action Revoke the SAS URI of the snapshot
Microsoft.Compute/disks/beginGetAccess/action Get the SAS URI of the disk for blob access
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/write Creates a storage account with the specified parameters, updates the properties or tags of the specified storage account, or adds a custom domain for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties of the specified storage account.
Microsoft.Storage/storageAccounts/delete Deletes an existing storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Snapshot Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Scheduler Job Collections Contributor

Lets you manage Scheduler job collections, but not access to them.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Scheduler/jobcollections/* Create and manage job collections
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Scheduler job collections, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Scheduler/jobcollections/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Scheduler Job Collections Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Services Hub Operator

Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub connectors.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.ServicesHub/connectors/write Create or update a Services Hub connector
Microsoft.ServicesHub/connectors/read View or list Services Hub connectors
Microsoft.ServicesHub/connectors/delete Delete a Services Hub connector
Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action Lists the assessment entitlements for a given Services Hub workspace
Microsoft.ServicesHub/supportOfferingEntitlement/read View the support offering entitlements for a given Services Hub workspace
Microsoft.ServicesHub/workspaces/read List the Services Hub workspaces for a given user
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b",
  "name": "82200a5b-e217-47a5-b665-6d8765ee745b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.ServicesHub/connectors/write",
        "Microsoft.ServicesHub/connectors/read",
        "Microsoft.ServicesHub/connectors/delete",
        "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
        "Microsoft.ServicesHub/supportOfferingEntitlement/read",
        "Microsoft.ServicesHub/workspaces/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Services Hub Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps