Add or remove role assignments using Azure RBAC and the Azure portal

Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope. This article describes how to assign roles using the Azure portal.

If you need to assign administrator roles in Azure Active Directory, see View and assign administrator roles in Azure Active Directory.

Prerequisites

To add or remove role assignments, you must have:

Overview of Access control (IAM)

Access control (IAM) is the blade that you use to assign roles. It's also known as identity and access management and appears in several locations in the Azure portal. The following shows an example of the Access control (IAM) blade for a subscription.

Screenshot: Access control (IAM) blade for a subscription

To be the most effective with the Access control (IAM) blade, it helps if you can answer the following three questions when you are trying to assign a role:

  1. Who needs access?

    Who refers to a user, group, service principal, or managed identity. This is also called a security principal.

  2. What role do they need?

    Permissions are grouped together into roles. You can select from a list of several built-in roles or use your own custom roles.

  3. Where do they need access?

    Where refers to the set of resources that the access applies to. Where can be a management group, subscription, resource group, or a single resource such as a storage account. This is called the scope.

Add a role assignment

Follow these steps to assign a role at different scopes.

  1. In the Azure portal, click All services and then select the scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.

  2. Click the specific resource.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments at this scope.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add menu

    Screenshot: Add role assignment pane

  6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

  7. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type in the Select box to search the directory for display names, email addresses, and object identifiers.

  8. Click Save to assign the role.

    After a few moments, the security principal is assigned the role at the selected scope.

Assign a user as an administrator of a subscription

To make a user an administrator of an Azure subscription, assign them the Owner role at the subscription scope. The Owner role gives the user full access to all resources in the subscription, including the permission to grant access to others. These steps are the same as for any other role assignment.

  1. In the Azure portal, click All services and then Subscriptions.

  2. Click the subscription where you want to add a role assignment.

  3. Click Access control (IAM).

  4. Click the Role assignments tab to view all the role assignments for this subscription.

  5. Click Add > Add role assignment to open the Add role assignment pane.

    If you don't have permissions to assign roles, the Add role assignment option will be disabled.

    Screenshot: Add menu

    Screenshot: Add role assignment pane

  6. In the Role drop-down list, select the Owner role.

  7. In the Select list, select a user. If you don't see the user in the list, you can type in the Select box to search the directory for display names and email addresses.

  8. Click Save to assign the role.

    After a few moments, the user is assigned the Owner role at the subscription scope.

Remove a role assignment

In RBAC, to remove access, you remove a role assignment. Follow these steps to remove a role assignment.

  1. Open Access control (IAM) at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.

  2. Click the Role assignments tab to view all the role assignments for this subscription.

  3. In the list of role assignments, add a checkmark next to the security principal with the role assignment you want to remove.

    Screenshot: Remove role assignment message

  4. Click Remove.

    Screenshot: Remove role assignment message

  5. In the remove role assignment message that appears, click Yes.

    Inherited role assignments cannot be removed. If you need to remove an inherited role assignment, you must do it at the scope where the role assignment was created. In the Scope column, next to (Inherited) there is a link that takes you to the scope where this role was assigned. Go to the scope listed there to remove the role assignment.

    Screenshot: Remove role assignment message
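The who / what role / where model and the inheritance rule in step 5, as an added Python model that is not code from the Azure documentation or from Microsoft: scopes are written as Azure resource IDs, a subscription's management group is supplied through an explicit lookup because the subscription ID does not embed it, and every principal, subscription and resource name below is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # who: object ID of a user, group, service principal or managed identity
    role: str       # what role: built-in or custom role definition name
    scope: str      # where: resource ID of the scope the assignment was created at

def parent_scope(scope: str, mg_of: Dict[str, str]) -> Optional[str]:
    """Scope this one inherits from, or None at the top of the hierarchy.
    Resource IDs encode resource -> resource group -> subscription; the subscription's
    management group is not in the ID, so it is looked up in mg_of."""
    if scope.startswith(MG_PREFIX):
        return mg_of.get(scope)
    parts = scope.strip("/").split("/")
    if len(parts) == 2:                  # /subscriptions/{id}
        return mg_of.get(scope)
    if len(parts) == 4:                  # /subscriptions/{id}/resourceGroups/{rg}
        return "/" + "/".join(parts[:2])
    return "/" + "/".join(parts[:4])     # a resource inside a resource group

def effective_assignments(scope, assignments, mg_of) -> List[Tuple[RoleAssignment, bool]]:
    """Assignments that apply at scope, nearest first; True marks an inherited one."""
    result, current, inherited = [], scope, False
    while current is not None:
        result += [(a, inherited) for a in assignments if a.scope == current]
        current, inherited = parent_scope(current, mg_of), True
    return result

def remove_assignment(scope, principal, role, assignments, mg_of) -> List[RoleAssignment]:
    """Remove the matching assignment created at exactly this scope. An inherited
    match is refused and the error names the scope where it must be removed instead,
    which is where the portal's "(Inherited)" link points."""
    for a, inherited in effective_assignments(scope, assignments, mg_of):
        if a.principal == principal and a.role == role:
            if inherited:
                raise ValueError(f"inherited from {a.scope}; remove it at that scope")
            return [x for x in assignments if x != a]
    raise LookupError("no matching role assignment at this scope")

# Constructed sample hierarchy with placeholder IDs (not a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"
MG_OF = {SUB: MG_PREFIX + "contoso-root"}
SAMPLE = [RoleAssignment("alice-object-id", "Owner", SUB),
          RoleAssignment("deploy-sp-object-id", "Virtual Machine Contributor", RG),
          RoleAssignment("secops-group-object-id", "Reader", MG_PREFIX + "contoso-root")]
```

Calling effective_assignments(VM, SAMPLE, MG_OF) lists all three assignments as inherited at the virtual machine, and remove_assignment refuses to remove the Owner assignment there, pointing back at the subscription scope where it was created.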

Next steps