Custom roles for Azure resources

If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.

Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. (For specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, the limit is 2000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.

Custom role example

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}

When you create a custom role, it appears in the Azure portal with an orange resource icon.

(Image: custom role icon)

Steps to create a custom role

  1. Decide how you want to create the custom role

    You can create custom roles using Azure PowerShell, Azure CLI, or the REST API.

  2. Determine the permissions you need

    When you create a custom role, you need to know the resource provider operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the Actions or NotActions properties of the role definition. If you have data operations, you will add those to the DataActions or NotDataActions properties.

  3. Create the custom role

    Typically, you start with an existing built-in role and then modify it for your needs. Then you use the New-AzRoleDefinition or az role definition create commands to create the custom role. To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write permission on all AssignableScopes, such as Owner or User Access Administrator.

  4. Test the custom role

    Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.

For a step-by-step tutorial on how to create a custom role, see Tutorial: Create a custom role using Azure PowerShell or Tutorial: Create a custom role using Azure CLI.

Custom role properties

A custom role has the following properties.

| Property | Required | Type | Description |
| --- | --- | --- | --- |
| Name | Yes | String | The display name of the custom role. While a role definition is a subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD directory. This display name must be unique at the scope of the Azure AD directory. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 128. |
| Id | Yes | String | The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role. |
| IsCustom | Yes | String | Indicates whether this is a custom role. Set to true for custom roles. |
| Description | Yes | String | The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 1024. |
| Actions | Yes | String[] | An array of strings that specifies the management operations that the role allows to be performed. For more information, see Actions. |
| NotActions | No | String[] | An array of strings that specifies the management operations that are excluded from the allowed Actions. For more information, see NotActions. |
| DataActions | No | String[] | An array of strings that specifies the data operations that the role allows to be performed on your data within that object. For more information, see DataActions. |
| NotDataActions | No | String[] | An array of strings that specifies the data operations that are excluded from the allowed DataActions. For more information, see NotDataActions. |
| AssignableScopes | Yes | String[] | An array of strings that specifies the scopes that the custom role is available for assignment. For custom roles, you currently cannot set AssignableScopes to the root scope ("/") or a management group scope. For more information, see AssignableScopes and Organize your resources with Azure management groups. |
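To make the Actions/NotActions semantics and the AssignableScopes restriction concrete, here is an added example (not code from the page or from Microsoft) that evaluates an operation against a role definition and checks a definition against the property rules above. The role is a constructed, trimmed copy of the page's "Virtual Machine Operator" example; its NotActions entry and the subscription ID are hypothetical additions.

```python
import re


def _matches(pattern: str, operation: str) -> bool:
    # In an Azure RBAC action string "*" is a wildcard that spans any characters,
    # and operation names are compared case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_action_allowed(role: dict, operation: str) -> bool:
    """Effective management permission = any Actions match minus any NotActions match."""
    granted = any(_matches(p, operation) for p in role.get("Actions", []))
    excluded = any(_matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded


def validate_custom_role(role: dict) -> list:
    """Return the problems found against the property rules documented on this page."""
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if not role.get("Name") or len(role["Name"]) > 128:
        problems.append("Name is required and limited to 128 characters")
    if len(role.get("Description", "")) > 1024:
        problems.append("Description is limited to 1024 characters")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is required")
    for scope in scopes:
        # Custom roles cannot be assignable at the root scope or at a management group.
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
            problems.append(f"AssignableScopes cannot be root or a management group: {scope}")
    return problems


# Constructed, trimmed copy of the page's example role. The NotActions entry is a
# hypothetical addition so that the exclusion rule can be demonstrated.
VM_OPERATOR = {
    "Name": "Virtual Machine Operator",
    "IsCustom": True,
    "Description": "Can monitor and restart virtual machines.",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Insights/alertRules/*",
    ],
    "NotActions": ["Microsoft.Insights/alertRules/delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}
```

Run `is_action_allowed(VM_OPERATOR, "Microsoft.Compute/virtualMachines/delete")` to see that an operation not covered by any Actions pattern is denied even though `Microsoft.Compute/*/read` grants every read.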

Who can create, delete, update, or view a custom role

Just like built-in roles, the AssignableScopes property specifies the scopes that the role is available for assignment. The AssignableScopes property for a custom role also controls who can create, delete, update, or view the custom role.

| Task | Operation | Description |
| --- | --- | --- |
| Create/delete a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this operation on all the AssignableScopes of the custom role can create (or delete) custom roles for use in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources. |
| Update a custom role | Microsoft.Authorization/roleDefinitions/write | Users that are granted this operation on all the AssignableScopes of the custom role can update custom roles in those scopes. For example, Owners and User Access Administrators of subscriptions, resource groups, and resources. |
| View a custom role | Microsoft.Authorization/roleDefinitions/read | Users that are granted this operation at a scope can view the custom roles that are available for assignment at that scope. All built-in roles allow custom roles to be available for assignment. |

Next steps