Manage access to Azure resources using RBAC and the Azure portal

Role-based access control (RBAC) is the way that you manage access to Azure resources. This article describes how you manage access using the Azure portal. If you need to manage access to Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add and remove role assignments, you must have:

Overview of Access control (IAM)

Access control (IAM) is the blade that you use to manage access to Azure resources. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.

Access control (IAM) blade for a subscription

The following table describes what some of the elements are used for:

#   Element                                          What you use it for
1   Resource where Access control (IAM) is opened    Identify scope (subscription in this example)
2   Add button                                       Add role assignments
3   Check access tab                                 View the role assignments for a single user
4   Role assignments tab                             View the role assignments at the current scope
5   Roles tab                                        View all roles and permissions

To be most effective with the Access control (IAM) blade, it helps if you can answer the following three questions when you are trying to manage access:

  1. Who needs access?

    Who refers to a user, group, service principal, or managed identity. This is also called a security principal.

  2. What permissions do they need?

    Permissions are grouped together into roles. You can select from a list of several built-in roles.

  3. Where do they need access?

    Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the scope.

Open Access control (IAM)

The first thing you need to decide is where to open the Access control (IAM) blade. It depends on what resources you want to manage access for. Do you want to manage access for everything in a management group, everything in a subscription, everything in a resource group, or a single resource?

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

    The following shows an example of the Access control (IAM) blade for a subscription. If you make any access control changes here, they apply to the entire subscription.

    Access control (IAM) blade for a subscription

View roles and permissions

A role definition is a collection of permissions that you use for role assignments. Azure has over 70 built-in roles for Azure resources. Follow these steps to view the available roles and permissions.

  1. Open Access control (IAM) at any scope.

  2. Click the Roles tab to see a list of all the built-in and custom roles.

    You can see the number of users and groups that are assigned to each role at the current scope.

    Roles list

  3. Click an individual role to see who has been assigned this role and also view the permissions for the role.

    Role assignments

View role assignments

When managing access, you want to know who has access, what their permissions are, and at what scope. To list access for a user, group, service principal, or managed identity, you view their role assignments.

View role assignments for a single user

Follow these steps to view the access for a single user, group, service principal, or managed identity at a particular scope.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to view access.

  2. Click the Check access tab.

    Access control - Check access tab

  3. In the Find list, select the type of security principal you want to check access for.

  4. In the search box, enter a string to search the directory for display names, email addresses, or object identifiers.

    Check access select list

  5. Click the security principal to open the assignments pane.

    Assignments pane

    On this pane, you can see the roles assigned to the selected security principal and the scope. If there are any deny assignments at this scope or inherited to this scope, they will be listed.

View all role assignments at a scope

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to view access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

    Access control - Role assignments tab

    On the Role assignments tab, you can see who has access at this scope. Notice that some roles are scoped to This resource while others are (Inherited) from another scope. Access is either assigned specifically to this resource or inherited from an assignment to the parent scope.

Add a role assignment

In RBAC, to grant access, you assign a role to a user, group, service principal, or managed identity. Follow these steps to grant access at different scopes.

Assign a role at a scope

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to grant access.

  2. Click the Role assignments tab to view all the role assignments at this scope.

  3. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Add menu

    Add role assignment pane

  4. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  5. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  6. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the right to delegate access to others. These steps are the same as any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to grant access.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Add menu

    Add role assignment pane

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.

Remove role assignments

In RBAC, to remove access, you remove a role assignment. Follow these steps to remove access.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments for this subscription.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Remove role assignment

  4. Click Remove.

    Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the Scope column, next to (Inherited) there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.

    Remove role assignment message
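The scope model behind the Role assignments tab (This resource versus (Inherited)) and behind the rule that inherited assignments can only be removed at the scope where they were created, as an added example that is not code from this page or from Azure itself. It models the management group > subscription > resource group > resource hierarchy with resource-id prefixes; every id, principal and assignment in it is a constructed sample, and the management-group membership map is an assumption of the model.

```python
# Added example, not code from the Azure docs page: a model of how role assignments
# resolve across the scope hierarchy the page describes. All ids are constructed samples.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    principal: str      # user, group, service principal or managed identity
    role: str           # built-in role, or the denied action for a deny assignment
    scope: str          # resource id of the scope the assignment was created at
    deny: bool = False  # deny assignments are listed next to role assignments

def scope_chain(scope: str, mg_of_sub: dict[str, str]) -> list[str]:
    """The scope itself plus every ancestor it inherits assignments from."""
    chain, parts = [scope], scope.strip("/").split("/")
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))                 # resource group
    if parts[0] == "subscriptions":
        sub = "/" + "/".join(parts[:2])
        chain.append(sub)                                        # subscription
        chain += [mg_of_sub[sub]] if sub in mg_of_sub else []    # management group (assumed map)
    return list(dict.fromkeys(chain))                            # dedupe, keep order

def check_access(scope, assignments, mg_of_sub, principal=None):
    """What the Check access / Role assignments tabs show at a scope: (role, principal, origin)
    tuples split into allows and denies; origin is 'This resource' or '(Inherited) <scope>'."""
    chain = scope_chain(scope, mg_of_sub)
    allows, denies = [], []
    for a in assignments:
        if a.scope not in chain or (principal and a.principal != principal):
            continue
        origin = "This resource" if a.scope == scope else "(Inherited) " + a.scope
        (denies if a.deny else allows).append((a.role, a.principal, origin))
    return allows, denies

def remove_assignment(assignments, a, at_scope):
    """Inherited assignments cannot be removed at a child scope: point at the creating scope."""
    if a.scope != at_scope:
        raise ValueError(f"inherited assignment; remove it at {a.scope}")
    return [x for x in assignments if x != a]

MG = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-1"
MG_OF_SUB = {SUB: MG}   # constructed: which management group each subscription sits under
ASSIGNMENTS = [
    Assignment("alice@contoso.example", "Owner", SUB),
    Assignment("bob@contoso.example", "Virtual Machine Contributor", RG),
    Assignment("bob@contoso.example", "Reader", VM),
    Assignment("bob@contoso.example", "Microsoft.Compute/virtualMachines/delete", MG, deny=True),
]
```

Calling check_access(VM, ASSIGNMENTS, MG_OF_SUB, "bob@contoso.example") returns Reader as This resource, Virtual Machine Contributor as inherited from the resource group, and the deny assignment inherited from the management group.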

Next steps