What is role-based access control (RBAC) for Azure resources?

Access management for cloud resources is a critical function for any organization that is using the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

What can I do with RBAC?

Here are some examples of what you can do with RBAC:

  • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
  • Allow a DBA group to manage SQL databases in a subscription
  • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
  • Allow an application to access all resources in a resource group

Best practice for using RBAC

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least privilege to get their work done. The following diagram shows a suggested pattern for using RBAC.

Diagram: RBAC and least privilege

How RBAC works

The way you control access to resources using RBAC is to create role assignments. This is a key concept to understand: it's how permissions are enforced. A role assignment consists of three elements: security principal, role definition, and scope.

Security principal

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

Diagram: Security principal for a role assignment

  • User - An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see Azure Active Directory B2B.
  • Group - A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
  • Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application.
  • Managed identity - An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

Role definition

A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like Owner, or specific, like Virtual Machine Reader.

Diagram: Role definition for a role assignment

Azure includes several built-in roles that you can use. The following lists four fundamental built-in roles. The first three apply to all resource types.

  • Owner - Has full access to all resources, including the right to delegate access to others.
  • Contributor - Can create and manage all types of Azure resources but can't grant access to others.
  • Reader - Can view existing Azure resources.
  • User Access Administrator - Lets you manage user access to Azure resources.

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows a user to create and manage virtual machines. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles for Azure resources.

Azure has introduced data operations (currently in preview) that enable you to grant access to data within an object. For example, if a user has read data access to a storage account, then they can read the blobs or messages within that storage account. For more information, see Understand role definitions for Azure resources.

Scope

Scope is the set of resources that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

In Azure, you can specify a scope at multiple levels: management group, subscription, resource group, or resource. Scopes are structured in a parent-child relationship.

Diagram: Scope for a role assignment

When you grant access at a parent scope, those permissions are inherited by the child scopes. For example:

  • If you assign the Owner role to a user at the management group scope, that user can manage everything in all subscriptions in the management group.
  • If you assign the Reader role to a group at the subscription scope, the members of that group can view every resource group and resource in the subscription.
  • If you assign the Contributor role to an application at the resource group scope, it can manage resources of all types in that resource group, but not other resource groups in the subscription.

Role assignments

A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.

The following diagram shows an example of a role assignment. In this example, the Marketing group has been assigned the Contributor role for the pharma-sales resource group. This means that users in the Marketing group can create or manage any Azure resource in the pharma-sales resource group. Marketing users do not have access to resources outside the pharma-sales resource group, unless they are part of another role assignment.

Diagram: Role assignment controls access

You can create role assignments using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or REST APIs. You can have up to 2000 role assignments in each subscription. To create and remove role assignments, you must have the Microsoft.Authorization/roleAssignments/* permission. This permission is granted through the Owner or User Access Administrator roles.

Multiple role assignments

So what happens if you have multiple overlapping role assignments? RBAC is an additive model, so your effective permissions are the addition of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The addition of the Contributor permissions and the Reader permissions is effectively the Contributor role for the resource group. Therefore, in this case, the Reader role assignment has no impact.

Diagram: Multiple role assignments

Deny assignments

Previously, RBAC was an allow-only model with no deny, but now RBAC supports deny assignments in a limited way. Similar to a role assignment, a deny assignment attaches a set of deny actions to a user, group, service principal, or managed identity at a particular scope for the purpose of denying access. A role assignment defines a set of actions that are allowed, while a deny assignment defines a set of actions that are not allowed. In other words, deny assignments block users from performing specified actions even if a role assignment grants them access. Deny assignments take precedence over role assignments. For more information, see Understand deny assignments for Azure resources and View deny assignments for Azure resources using the Azure portal.

Note

At this time, the only way you can add your own deny assignments is by using Azure Blueprints. For more information, see Protect new resources with Azure Blueprints resource locks.

How RBAC determines if a user has access to a resource

The following are the high-level steps that RBAC uses to determine if you have access to a resource on the management plane. This is helpful to understand if you are trying to troubleshoot an access issue.

  1. A user (or service principal) acquires a token for Azure Resource Manager.

    The token includes the user's group memberships (including transitive group memberships).

  2. The user makes a REST API call to Azure Resource Manager with the token attached.

  3. Azure Resource Manager retrieves all the role assignments and deny assignments that apply to the resource upon which the action is being taken.

  4. Azure Resource Manager narrows the role assignments that apply to this user or their groups and determines what roles the user has for this resource.

  5. Azure Resource Manager determines if the action in the API call is included in the roles the user has for this resource.

  6. If the user doesn't have a role with the action at the requested scope, access is not granted. Otherwise, Azure Resource Manager checks if a deny assignment applies.

  7. If a deny assignment applies, access is blocked. Otherwise, access is granted.
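The following Python simulation is an added example, not code from the original page or from Microsoft; it walks through steps 3 to 7 above on constructed data and also reproduces the additive behaviour described under Multiple role assignments (Contributor at the subscription plus Reader on a resource group is still Contributor). The subscription id, resource group names and principals (alice, bob, the marketing group) are made up, the role definitions are simplified versions of the four fundamental built-in roles, and only subscription, resource group and resource scopes are modelled (management groups are not).

```python
"""Simulated RBAC evaluation: scope inheritance, additive roles, NotActions, deny precedence."""
from dataclasses import dataclass, field
import re

# Constructed scope strings; the subscription id is a placeholder, not a real one.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PHARMA = SUB + "/resourceGroups/pharma-sales"
RG_OTHER = SUB + "/resourceGroups/finance"
VM01 = RG_PHARMA + "/providers/Microsoft.Compute/virtualMachines/vm01"
VM02 = RG_OTHER + "/providers/Microsoft.Compute/virtualMachines/vm02"


def _pattern(action_pattern: str) -> re.Pattern:
    """Compile an RBAC action pattern: '*' matches any run of characters, '/' included."""
    parts = [re.escape(p) for p in action_pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_matches(patterns, action: str) -> bool:
    return any(_pattern(p).match(action) for p in patterns)


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """A parent scope covers itself and every child: a subscription assignment reaches every RG and resource in it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)

    def permits(self, action: str) -> bool:
        # NotActions subtract from Actions within this role; they are not a deny.
        return action_matches(self.actions, action) and not action_matches(self.not_actions, action)


@dataclass
class RoleAssignment:
    principal_id: str  # user, group, service principal or managed identity
    role: str
    scope: str


@dataclass
class DenyAssignment:
    principal_ids: list
    actions: list
    scope: str


# Simplified versions of the four fundamental built-in roles (constructed for this example).
ROLES = {
    "Owner": RoleDefinition("Owner", ["*"]),
    "Contributor": RoleDefinition("Contributor", ["*"], [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": RoleDefinition("Reader", ["*/read"]),
    "User Access Administrator": RoleDefinition(
        "User Access Administrator", ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"]),
}

# Constructed assignments: alice holds Contributor at the subscription and a redundant Reader on one RG;
# the marketing group holds Contributor on pharma-sales but is denied VM deletion there.
ROLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Contributor", SUB),
    RoleAssignment("alice", "Reader", RG_PHARMA),
    RoleAssignment("marketing", "Contributor", RG_PHARMA),
]
DENY_ASSIGNMENTS = [
    DenyAssignment(["marketing"], ["Microsoft.Compute/virtualMachines/delete"], RG_PHARMA),
]


def evaluate(token_principals, action, resource_scope, role_assignments, deny_assignments, roles=ROLES):
    """Return (verdict, granting_roles). token_principals is the caller's id plus the group ids in its token."""
    ids = {p.lower() for p in token_principals}
    # Step 3: assignments whose scope covers the target resource.
    applicable = [ra for ra in role_assignments if scope_covers(ra.scope, resource_scope)]
    # Step 4: narrow to this user or the groups carried in the token.
    mine = [ra for ra in applicable if ra.principal_id.lower() in ids]
    # Steps 5 and 6: additive check; any one role that includes the action is enough.
    granting = sorted({ra.role for ra in mine if roles[ra.role].permits(action)})
    if not granting:
        return "no-role", []
    # Step 7: a matching deny assignment wins over every role assignment.
    for da in deny_assignments:
        if (scope_covers(da.scope, resource_scope)
                and ids & {p.lower() for p in da.principal_ids}
                and action_matches(da.actions, action)):
            return "denied", granting
    return "allowed", granting


def check(token_principals, action, resource_scope):
    return evaluate(token_principals, action, resource_scope, ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS)


if __name__ == "__main__":
    for who, act, scope in [
        (["alice"], "Microsoft.Compute/virtualMachines/write", VM01),
        (["alice"], "Microsoft.Authorization/roleAssignments/write", RG_PHARMA),
        (["bob", "marketing"], "Microsoft.Compute/virtualMachines/delete", VM01),
        (["bob", "marketing"], "Microsoft.Compute/virtualMachines/read", VM02),
    ]:
        print(who, act, check(who, act, scope))
```

The `check` calls show the three outcomes a troubleshooter meets: "no-role" when no assignment at or above the resource includes the action (including a Contributor trying to write role assignments, which the role's NotActions exclude), "denied" when a role grants the action but a deny assignment at the same or a parent scope matches, and "allowed" otherwise.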

License requirements

Using this feature is free and included in your Azure subscription.

Next steps