Azure custom roles

Important

Adding a management group to AssignableScopes is currently in preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.

Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of 5,000 custom roles per directory. (For Azure Germany and Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed using Azure PowerShell in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}

The following shows the same custom role as displayed using Azure CLI.

[
  {
    "assignableScopes": [
      "/subscriptions/{subscriptionId1}",
      "/subscriptions/{subscriptionId2}",
      "/providers/Microsoft.Management/managementGroups/{groupId1}"
    ],
    "description": "Can monitor and restart virtual machines.",
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/88888888-8888-8888-8888-888888888888",
    "name": "88888888-8888-8888-8888-888888888888",
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Compute/virtualMachines/start/action",
          "Microsoft.Compute/virtualMachines/restart/action",
          "Microsoft.Authorization/*/read",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Insights/alertRules/*",
          "Microsoft.Insights/diagnosticSettings/*",
          "Microsoft.Support/*"
        ],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

When you create a custom role, it appears in the Azure portal with an orange resource icon.

Custom role icon

Custom role properties

The following table describes what the custom role properties mean. Each property has two names: the one used by Azure PowerShell and the one used by Azure CLI and the REST API.

Property (PowerShell / CLI)          Required   Type       Description
Name / roleName                      Yes        String     The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128.
Id / name                            Yes        String     The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role.
IsCustom / roleType                  Yes        String     Indicates whether this is a custom role. Set to true or CustomRole for custom roles. Set to false or BuiltInRole for built-in roles.
Description / description            Yes        String     The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024.
Actions / actions                    Yes        String[]   An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions.
NotActions / notActions              No         String[]   An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions.
DataActions / dataActions            No         String[]   An array of strings that specifies the data operations that the role allows to be performed to your data within that object. If you create a custom role with DataActions, that role cannot be assigned at the management group scope. For more information, see DataActions.
NotDataActions / notDataActions      No         String[]   An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions.
AssignableScopes / assignableScopes  Yes        String[]   An array of strings that specifies the scopes that the custom role is available for assignment. You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview. For more information, see AssignableScopes.

Wildcard permissions

Actions, NotActions, DataActions, and NotDataActions support wildcards (*) to define permissions. A wildcard (*) extends a permission to everything that matches the action string you provide. For example, suppose that you wanted to add all the permissions related to Azure Cost Management and exports. You could add all of these action strings:

Microsoft.CostManagement/exports/action
Microsoft.CostManagement/exports/read
Microsoft.CostManagement/exports/write
Microsoft.CostManagement/exports/delete
Microsoft.CostManagement/exports/run/action

Instead of adding all of these strings, you could just add a wildcard string. For example, the following wildcard string is equivalent to the previous five strings. It would also cover any future export permissions that might be added, so a wildcard grants more than what exists today.

Microsoft.CostManagement/exports/*

You can also have multiple wildcards in a string. For example, the following string represents all query permissions for Cost Management.

Microsoft.CostManagement/*/query/*
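The following Python script is an added example; it is not code from the page or from Microsoft. It implements the wildcard matching described above and then evaluates single operations against the Virtual Machine Operator role shown earlier, applying NotActions as a subtraction from Actions and keeping data operations separate from management operations. It assumes that `*` matches any run of characters including `/` separators and that comparison ignores case; the operation names in the checks that do not appear on the page (such as the delete and roleAssignments operations) are illustrative inputs only.

```python
import re

# Role definition reproduced from the page (Azure PowerShell JSON shape).
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Support/*",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
}

# The five Cost Management export operations listed on the page.
COST_EXPORT_OPERATIONS = [
    "Microsoft.CostManagement/exports/action",
    "Microsoft.CostManagement/exports/read",
    "Microsoft.CostManagement/exports/write",
    "Microsoft.CostManagement/exports/delete",
    "Microsoft.CostManagement/exports/run/action",
]


def action_matches(pattern: str, operation: str) -> bool:
    """Return True if an action string with '*' wildcards covers `operation`.

    Assumption of this example: '*' matches any run of characters, including
    '/' separators, and the comparison ignores case.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def expand_wildcard(pattern: str, known_operations) -> list[str]:
    """List which of the known operations a wildcard string would cover."""
    return [op for op in known_operations if action_matches(pattern, op)]


def operation_allowed(role: dict, operation: str, data_action: bool = False) -> bool:
    """Evaluate one operation against a role definition.

    Management operations are checked against Actions minus NotActions, data
    operations against DataActions minus NotDataActions. An entry in Actions
    never grants a data operation, and NotActions never grants anything.
    """
    allow_key, deny_key = (
        ("DataActions", "NotDataActions") if data_action else ("Actions", "NotActions")
    )
    allowed = any(action_matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(action_matches(p, operation) for p in role.get(deny_key, []))
    return allowed and not excluded


if __name__ == "__main__":
    print(expand_wildcard("Microsoft.CostManagement/exports/*", COST_EXPORT_OPERATIONS))
    for op in [
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/delete",          # illustrative, not on the page
        "Microsoft.Authorization/roleAssignments/write",     # illustrative, not on the page
    ]:
        print(op, operation_allowed(VM_OPERATOR, op))
```

The data_action flag is the point worth noticing: `Microsoft.Storage/*/read` in Actions covers every Storage management read, but a blob read is a data operation and stays denied because DataActions is empty.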

Steps to create a custom role

To create a custom role, here are the basic steps you should follow.

  1. Decide how you want to create the custom role.

    You can create custom roles using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

  2. Determine the permissions you need.

    When you create a custom role, you need to know the operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the Actions or NotActions properties of the role definition. If you have data operations, you will add those to the DataActions or NotDataActions properties.

  3. Create the custom role.

    Typically, you start with an existing built-in role and then modify it for your needs. The easiest way is to use the Azure portal. For steps on how to create a custom role using the Azure portal, see Create or update Azure custom roles using the Azure portal.

  4. Test the custom role.

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes that the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.

Task                          Operation                                       Description
Create/delete a custom role   Microsoft.Authorization/roleDefinitions/write   Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
Update a custom role          Microsoft.Authorization/roleDefinitions/write   Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of management groups, subscriptions, and resource groups.
View a custom role            Microsoft.Authorization/roleDefinitions/read    Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment.

Custom role limits

The following list describes the limits for custom roles.

  • Each directory can have up to 5000 custom roles.
  • Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each directory.
  • You cannot set AssignableScopes to the root scope ("/").
  • You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview.
  • Custom roles with DataActions cannot be assigned at the management group scope.
  • Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope.
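The Python validator below is an added example, not code from the page or from any Microsoft tool. It checks a definition in the Azure PowerShell JSON shape against the property constraints from the table above (required properties, array types, the 128 and 1024 character limits) and the limits in this list (no root scope, at most one management group, no DataActions together with a management group scope) before the definition is submitted. The sample definitions are constructed for the example; the scope placeholders follow the page's `{subscriptionId1}` style.

```python
NAME_MAX_CHARS = 128
DESCRIPTION_MAX_CHARS = 1024
MANAGEMENT_GROUP_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUBSCRIPTION_PREFIX = "/subscriptions/"
REQUIRED_PROPERTIES = ("Name", "Description", "Actions", "AssignableScopes")
ARRAY_PROPERTIES = ("Actions", "NotActions", "DataActions", "NotDataActions", "AssignableScopes")


def is_management_group_scope(scope: str) -> bool:
    return scope.startswith(MANAGEMENT_GROUP_PREFIX)


def validate_custom_role(role: dict) -> list[str]:
    """Check a PowerShell-shape role definition against the limits on the page.

    Returns a list of problems; an empty list means the definition passed.
    Whether a referenced management group actually exists is not checked:
    as the page notes, Azure Resource Manager does not validate that either,
    so a typo in a group ID silently yields a role that can never be assigned there.
    """
    problems: list[str] = []

    for key in REQUIRED_PROPERTIES:
        if key not in role:
            problems.append(f"missing required property '{key}'")

    for key in ARRAY_PROPERTIES:
        value = role.get(key, [])
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"'{key}' must be an array of strings")

    # The create input has no IsCustom, but if it is present it must be true.
    if "IsCustom" in role and role["IsCustom"] is not True:
        problems.append("'IsCustom' must be true for a custom role")

    if len(role.get("Name", "")) > NAME_MAX_CHARS:
        problems.append(f"'Name' exceeds {NAME_MAX_CHARS} characters")
    if len(role.get("Description", "")) > DESCRIPTION_MAX_CHARS:
        problems.append(f"'Description' exceeds {DESCRIPTION_MAX_CHARS} characters")

    raw_scopes = role.get("AssignableScopes", [])
    scopes = [s for s in raw_scopes if isinstance(s, str)] if isinstance(raw_scopes, list) else []
    if "/" in scopes:
        problems.append("'AssignableScopes' must not contain the root scope '/'")
    for scope in scopes:
        # Subscription and resource group scopes both start with /subscriptions/.
        if scope != "/" and not (scope.startswith(SUBSCRIPTION_PREFIX) or is_management_group_scope(scope)):
            problems.append(f"unrecognised scope format: {scope!r}")
    management_groups = [s for s in scopes if is_management_group_scope(s)]
    if len(management_groups) > 1:
        problems.append("only one management group may appear in 'AssignableScopes'")
    if management_groups and role.get("DataActions"):
        problems.append("a role with 'DataActions' cannot be assigned at management group scope")

    return problems


# Constructed sample definitions for the example.
GOOD_ROLE = {
    "Name": "Resource Group Reader",
    "Description": "Can read resource groups.",
    "Actions": ["Microsoft.Resources/subscriptions/resourceGroups/read"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "/subscriptions/{subscriptionId1}",
        "/providers/Microsoft.Management/managementGroups/{groupId1}",
    ],
}

BAD_ROLE = {
    "Name": "x" * 129,
    "Description": "Blob reader with an invalid scope list.",
    "Actions": [],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": [
        "/",
        "/providers/Microsoft.Management/managementGroups/{groupId1}",
        "/providers/Microsoft.Management/managementGroups/{groupId2}",
    ],
}

if __name__ == "__main__":
    print("good:", validate_custom_role(GOOD_ROLE))
    print("bad:", *validate_custom_role(BAD_ROLE), sep="\n  ")
```

Running the validator in a pipeline before `az role definition create` or `New-AzRoleDefinition` turns a vague service-side rejection into a specific message, and the DataActions check in particular catches the case where a role is authored for a subscription and later widened to a management group.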

For more information about custom roles and management groups, see Organize your resources with Azure management groups.

Input and output formats

To create a custom role using the command line, you typically use JSON to specify the properties you want for the custom role. Depending on the tools you use, the input and output formats will look slightly different. This section lists the input and output formats depending on the tool.

Azure PowerShell

To create a custom role using Azure PowerShell, you must provide the following input.

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

To update a custom role using Azure PowerShell, you must provide the following input. Note that the Id property has been added.

{
  "Name": "",
  "Id": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure PowerShell and the ConvertTo-Json command.

{
  "Name": "",
  "Id": "",
  "IsCustom": true,
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

Azure CLI

To create or update a custom role using Azure CLI, you must provide the following input. This is the same format as the one you use when you create a custom role using Azure PowerShell.

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure CLI.

[
  {
    "assignableScopes": [],
    "description": "",
    "id": "",
    "name": "",
    "permissions": [
      {
        "actions": [],
        "dataActions": [],
        "notActions": [],
        "notDataActions": []
      }
    ],
    "roleName": "",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

REST API

To create or update a custom role using the REST API, you must provide the following input. This is the same format that gets generated when you create a custom role using the Azure portal.

{
  "properties": {
    "roleName": "",
    "description": "",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

The following shows an example of the output when you list a custom role using the REST API.

{
    "properties": {
        "roleName": "",
        "type": "CustomRole",
        "description": "",
        "assignableScopes": [],
        "permissions": [
            {
                "actions": [],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ],
        "createdOn": "",
        "updatedOn": "",
        "createdBy": "",
        "updatedBy": ""
    },
    "id": "",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": ""
}
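The Python script below is an added example and not code from the page or from Microsoft. It converts between the shapes listed in this section: it reads one entry of the Azure CLI list output into the Azure PowerShell shape (with Id and IsCustom), derives a narrower create input from it in the way step 3 of the procedure describes (start from an existing role, then modify it), and emits the REST API body shape. The CLI entry is a constructed sample that reuses the page's placeholder ID and a subset of its actions; the "Virtual Machine Restarter" role is invented for the example. Where several permissions blocks are present in CLI output, this example concatenates them, which goes beyond the single block the page shows.

```python
import json

# Constructed sample in the Azure CLI list-output shape from the page.
CLI_OUTPUT_ENTRY = {
    "assignableScopes": ["/subscriptions/{subscriptionId1}"],
    "description": "Can monitor and restart virtual machines.",
    "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/88888888-8888-8888-8888-888888888888",
    "name": "88888888-8888-8888-8888-888888888888",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/*/read",
            "Microsoft.Compute/virtualMachines/start/action",
            "Microsoft.Compute/virtualMachines/restart/action",
        ],
        "dataActions": [], "notActions": [], "notDataActions": [],
    }],
    "roleName": "Virtual Machine Operator",
    "roleType": "CustomRole",
    "type": "Microsoft.Authorization/roleDefinitions",
}


def from_cli_output(entry: dict) -> dict:
    """CLI list entry -> PowerShell shape (Id and IsCustom included).

    Several permissions blocks, if present, are concatenated.
    """
    merged = {"actions": [], "notActions": [], "dataActions": [], "notDataActions": []}
    for block in entry.get("permissions", []):
        for key in merged:
            merged[key].extend(block.get(key, []))
    return {
        "Name": entry["roleName"],
        "Id": entry["name"],
        "IsCustom": entry.get("roleType") == "CustomRole",
        "Description": entry.get("description", ""),
        "Actions": merged["actions"],
        "NotActions": merged["notActions"],
        "DataActions": merged["dataActions"],
        "NotDataActions": merged["notDataActions"],
        "AssignableScopes": list(entry.get("assignableScopes", [])),
    }


def derive_custom_role(base: dict, name: str, description: str, assignable_scopes: list[str],
                       add_actions=(), remove_actions=()) -> dict:
    """Start from an existing definition and build the create input shape.

    Id and IsCustom are dropped: the create input on the page has neither,
    and the service generates the Id.
    """
    dropped = set(remove_actions)
    actions = [a for a in base.get("Actions", []) if a not in dropped]
    actions += [a for a in add_actions if a not in actions]
    return {
        "Name": name,
        "Description": description,
        "Actions": actions,
        "NotActions": list(base.get("NotActions", [])),
        "DataActions": list(base.get("DataActions", [])),
        "NotDataActions": list(base.get("NotDataActions", [])),
        "AssignableScopes": list(assignable_scopes),
    }


def to_rest_body(role: dict) -> dict:
    """PowerShell/CLI input shape -> REST API request body shape."""
    return {"properties": {
        "roleName": role["Name"],
        "description": role["Description"],
        "assignableScopes": list(role["AssignableScopes"]),
        "permissions": [{
            "actions": list(role.get("Actions", [])),
            "notActions": list(role.get("NotActions", [])),
            "dataActions": list(role.get("DataActions", [])),
            "notDataActions": list(role.get("NotDataActions", [])),
        }],
    }}


if __name__ == "__main__":
    base = from_cli_output(CLI_OUTPUT_ENTRY)
    # Narrow the role: keep monitoring and restart, drop the ability to start VMs.
    narrowed = derive_custom_role(
        base, "Virtual Machine Restarter",
        "Can monitor and restart, but not start, virtual machines.",
        ["/subscriptions/{subscriptionId1}"],
        remove_actions=["Microsoft.Compute/virtualMachines/start/action"])
    print(json.dumps(to_rest_body(narrowed), indent=2))
```

Because the PowerShell and CLI create inputs share one shape, the same derived dictionary can be written to a file for `New-AzRoleDefinition -InputFile` or `az role definition create --role-definition`, while the REST body is what the portal generates and what a PUT to the roleDefinitions endpoint expects.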

Next steps