Understand role definitions for Azure resources

If you are trying to understand how a role works or if you are creating your own custom role for Azure resources, it's helpful to understand how roles are defined. This article describes the details of role definitions and provides some examples.

Role definition structure

A role definition is a collection of permissions. It's sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed or operations related to underlying data. A role definition has the following structure:

Name
Id
IsCustom
Description
Actions []
NotActions []
DataActions []
NotDataActions []
AssignableScopes []

Operations are specified with strings that have the following format:

  • {Company}.{ProviderName}/{resourceType}/{action}

The {action} portion of an operation string specifies the type of operations you can perform on a resource type. For example, you will see the following substrings in {action}:

Action substring   Description
*                  The wildcard character grants access to all operations that match the string.
read               Enables read operations (GET).
write              Enables write operations (PUT or PATCH).
action             Enables custom operations like restart virtual machines (POST).
delete             Enables delete operations (DELETE).

Here's the Contributor role definition in JSON format. The wildcard (*) operation under Actions indicates that the principal assigned to this role can perform all actions, or in other words, it can manage everything. This includes actions defined in the future, as Azure adds new resource types. The operations under NotActions are subtracted from Actions. In the case of the Contributor role, NotActions removes this role's ability to manage access to resources and also assign access to resources.

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

Management and data operations

Role-based access control for management operations is specified in the Actions and NotActions properties of a role definition. Here are some examples of management operations in Azure:

  • Manage access to a storage account
  • Create, update, or delete a blob container
  • Delete a resource group and all of its resources

Management access is not inherited to your data provided that the container authentication method is set to "Azure AD User Account" and not "Access Key". This separation prevents roles with wildcards (*) from having unrestricted access to your data. For example, if a user has a Reader role on a subscription, then they can view the storage account, but by default they can't view the underlying data.

Previously, role-based access control was not used for data operations. Authorization for data operations varied across resource providers. The same role-based access control authorization model used for management operations has been extended to data operations.

To support data operations, new data properties have been added to the role definition structure. Data operations are specified in the DataActions and NotDataActions properties. By adding these data properties, the separation between management and data is maintained. This prevents current role assignments with wildcards (*) from suddenly having access to data. Here are some data operations that can be specified in DataActions and NotDataActions:

  • Read a list of blobs in a container
  • Write a storage blob in a container
  • Delete a message in a queue

Here's the Storage Blob Data Reader role definition, which includes operations in both the Actions and DataActions properties. This role allows you to read the blob container and also the underlying blob data.

{
  "Name": "Storage Blob Data Reader",
  "Id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "IsCustom": false,
  "Description": "Allows for read access to Azure Storage blob containers and data",
  "Actions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

Only data operations can be added to the DataActions and NotDataActions properties. Resource providers identify which operations are data operations by setting the isDataAction property to true. To see a list of the operations where isDataAction is true, see Resource provider operations. Roles that do not have data operations are not required to have DataActions and NotDataActions properties within the role definition.

Authorization for all management operation API calls is handled by Azure Resource Manager. Authorization for data operation API calls is handled by either a resource provider or Azure Resource Manager.

Data operations example

To better understand how management and data operations work, let's consider a specific example. Alice has been assigned the Owner role at the subscription scope. Bob has been assigned the Storage Blob Data Contributor role at a storage account scope. The following diagram shows this example.

[Diagram: Role-based access control has been extended to support both management and data operations]

The Owner role for Alice and the Storage Blob Data Contributor role for Bob have the following actions:

Owner

    Actions
    *

Storage Blob Data Contributor

    Actions
    Microsoft.Storage/storageAccounts/blobServices/containers/delete
    Microsoft.Storage/storageAccounts/blobServices/containers/read
    Microsoft.Storage/storageAccounts/blobServices/containers/write
    DataActions
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
    Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

Since Alice has a wildcard (*) action at a subscription scope, their permissions inherit down to enable them to perform all management actions. Alice can read, write, and delete containers. However, Alice cannot perform data operations without taking additional steps. For example, by default, Alice cannot read the blobs inside a container. To read the blobs, Alice would have to retrieve the storage access keys and use them to access the blobs.

Bob's permissions are restricted to just the Actions and DataActions specified in the Storage Blob Data Contributor role. Based on the role, Bob can perform both management and data operations. For example, Bob can read, write, and delete containers in the specified storage account and can also read, write, and delete the blobs.

For more information about management and data plane security for storage, see the Azure Storage security guide.

What tools support using RBAC for data operations?

To view and work with data operations, you must have the correct versions of the tools or SDKs:

Tool                 Version
Azure PowerShell     1.1.0 or later
Azure CLI            2.0.30 or later
Azure for .NET       2.8.0-preview or later
Azure SDK for Go     15.0.0 or later
Azure for Java       1.9.0 or later
Azure for Python     0.40.0 or later
Azure SDK for Ruby   0.17.1 or later

To view and use the data operations in the REST API, you must set the api-version parameter to the following version or later:

  • 2018-07-01

Actions

The Actions permission specifies the management operations that the role allows to be performed. It is a collection of operation strings that identify securable operations of Azure resource providers. Here are some examples of management operations that can be used in Actions.

Operation string                     Description
*/read                               Grants access to read operations for all resource types of all Azure resource providers.
Microsoft.Compute/*                  Grants access to all operations for all resource types in the Microsoft.Compute resource provider.
Microsoft.Network/*/read             Grants access to read operations for all resource types in the Microsoft.Network resource provider.
Microsoft.Compute/virtualMachines/*  Grants access to all operations of virtual machines and its child resource types.
microsoft.web/sites/restart/Action   Grants access to restart a web app.

NotActions

The NotActions permission specifies the management operations that are excluded from the allowed Actions. Use the NotActions permission if the set of operations that you want to allow is more easily defined by excluding restricted operations. The access granted by a role (effective permissions) is computed by subtracting the NotActions operations from the Actions operations.

Note

If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the same operation, the user is allowed to perform that operation. NotActions is not a deny rule; it is simply a convenient way to create a set of allowed operations when specific operations need to be excluded.

DataActions

The DataActions permission specifies the data operations that the role allows to be performed on your data within that object. For example, if a user has read blob data access to a storage account, then they can read the blobs within that storage account. Here are some examples of data operations that can be used in DataActions.

Operation string                                                         Description
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read     Returns a blob or a list of blobs.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write    Returns the result of writing a blob.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read     Returns a message.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/*        Returns a message or the result of writing or deleting a message.

NotDataActions

The NotDataActions permission specifies the data operations that are excluded from the allowed DataActions. The access granted by a role (effective permissions) is computed by subtracting the NotDataActions operations from the DataActions operations. Each resource provider provides its respective set of APIs to fulfill data operations.

Note

If a user is assigned a role that excludes a data operation in NotDataActions, and is assigned a second role that grants access to the same data operation, the user is allowed to perform that data operation. NotDataActions is not a deny rule; it is simply a convenient way to create a set of allowed data operations when specific data operations need to be excluded.
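The following Python simulator is an added example, not code from this page or from Azure itself. It puts the rules above into an executable form: wildcard matching of operation strings, one role's effective permissions as Actions minus NotActions (and DataActions minus NotDataActions), the separation between management and data operations, downward inheritance of an assignment from its scope, and the union across several assignments that makes NotActions and NotDataActions non-deny rules. It replays the Alice and Bob scenario from the data operations example above and adds a case where a second, hypothetical custom role ("Role Assignment Writer", constructed here) grants back the role-assignment write that Contributor excludes. The subscription and resource IDs are constructed samples; the role definitions are the ones quoted on the page, trimmed to the fields the code uses.

```python
"""Added example (not the page's or Azure's code): a small simulator of how
Azure RBAC derives effective permissions from role definitions. It models the
rules stated on this page: Actions/NotActions govern management operations and
DataActions/NotDataActions govern data operations, the two planes never mix,
one role's access is its allow list minus its exclusion list, several role
assignments combine as a union (NotActions is not a deny rule), and an
assignment inherits down from its scope. Identifiers below are constructed."""
import re

# Built-in roles as quoted on the page, trimmed to the fields used here.
OWNER = {"Name": "Owner", "Actions": ["*"], "NotActions": [],
         "DataActions": [], "NotDataActions": []}
CONTRIBUTOR = {"Name": "Contributor", "Actions": ["*"],
               "NotActions": ["Microsoft.Authorization/*/Delete",
                              "Microsoft.Authorization/*/Write",
                              "Microsoft.Authorization/elevateAccess/Action"],
               "DataActions": [], "NotDataActions": []}
_CONTAINERS = "Microsoft.Storage/storageAccounts/blobServices/containers/"
STORAGE_BLOB_DATA_CONTRIBUTOR = {
    "Name": "Storage Blob Data Contributor",
    "Actions": [_CONTAINERS + op for op in ("delete", "read", "write")],
    "NotActions": [],
    "DataActions": [_CONTAINERS + "blobs/" + op for op in ("delete", "read", "write")],
    "NotDataActions": []}
# Hypothetical custom role that grants only the operation Contributor excludes.
ROLE_ASSIGNMENT_WRITER = {
    "Name": "Role Assignment Writer (constructed)", "IsCustom": True,
    "Actions": ["Microsoft.Authorization/roleAssignments/write"],
    "NotActions": [], "DataActions": [], "NotDataActions": []}

# Constructed sample scopes and operations.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ACCOUNT_A = SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/acct1"
ACCOUNT_B = SUB + "/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/acct2"
VM = SUB + "/resourceGroups/web/providers/Microsoft.Compute/virtualMachines/vm1"
CONTAINER_READ = _CONTAINERS + "read"
BLOB_READ = _CONTAINERS + "blobs/read"
VM_READ = "Microsoft.Compute/virtualMachines/read"
ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"


def op_matches(pattern, operation):
    """'*' matches any run of characters; operation names compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation, is_data_action=False):
    """One role's effective permission: allow list minus exclusion list, on the
    plane the operation belongs to. A '*' under Actions grants no data access."""
    allow, exclude = (("DataActions", "NotDataActions") if is_data_action
                      else ("Actions", "NotActions"))
    granted = any(op_matches(p, operation) for p in role.get(allow, []))
    excluded = any(op_matches(p, operation) for p in role.get(exclude, []))
    return granted and not excluded


def scope_covers(scope, resource_id):
    """An assignment at a scope applies to that scope and everything beneath it."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return scope == "/" or resource_id == scope or resource_id.startswith(scope + "/")


def is_permitted(assignments, resource_id, operation, is_data_action=False):
    """assignments: list of (role, scope). Access is the union over every
    assignment covering the resource; an exclusion in one role never blocks
    a grant from another."""
    return any(role_allows(role, operation, is_data_action)
               for role, scope in assignments if scope_covers(scope, resource_id))


# The page's example: Alice is Owner on the subscription, Bob is Storage Blob
# Data Contributor on one storage account.
ALICE = [(OWNER, SUB)]
BOB = [(STORAGE_BLOB_DATA_CONTRIBUTOR, ACCOUNT_A)]


def example_results():
    """Evaluate the page's scenarios plus the NotActions union rule."""
    return {
        "alice_reads_container": is_permitted(ALICE, ACCOUNT_A, CONTAINER_READ),
        "alice_reads_blob": is_permitted(ALICE, ACCOUNT_A, BLOB_READ, True),
        "bob_reads_blob_in_acct1": is_permitted(BOB, ACCOUNT_A, BLOB_READ, True),
        "bob_reads_blob_in_acct2": is_permitted(BOB, ACCOUNT_B, BLOB_READ, True),
        "bob_reads_vm": is_permitted(BOB, VM, VM_READ),
        # Contributor alone: NotActions subtracts the role-assignment write...
        "contributor_assigns": is_permitted([(CONTRIBUTOR, SUB)], SUB, ASSIGN_WRITE),
        # ...but a second role granting it wins, because NotActions is not a deny.
        "contributor_plus_writer_assigns": is_permitted(
            [(CONTRIBUTOR, SUB), (ROLE_ASSIGNMENT_WRITER, SUB)], SUB, ASSIGN_WRITE),
    }


if __name__ == "__main__":
    for check, allowed in example_results().items():
        print(f"{check:34} {'allowed' if allowed else 'denied'}")
```

The last two entries are the point of the NotActions and NotDataActions notes: reviewing one role's exclusion list tells you nothing about what a principal can do until every other assignment in scope has been checked, which is why an audit of effective permissions has to walk all assignments rather than stop at the first role that excludes an operation.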

AssignableScopes

The AssignableScopes property specifies the scopes (management groups, subscriptions, resource groups, or resources) that have this role definition available. You can make the role available for assignment in only the management groups, subscriptions, or resource groups that require it. You must use at least one management group, subscription, resource group, or resource ID.

Built-in roles have AssignableScopes set to the root scope ("/"). The root scope indicates that the role is available for assignment in all scopes. Examples of valid assignable scopes include:

Role is available for assignment             Example
One subscription                             "/subscriptions/{subscriptionId1}"
Two subscriptions                            "/subscriptions/{subscriptionId1}", "/subscriptions/{subscriptionId2}"
Network resource group                       "/subscriptions/{subscriptionId1}/resourceGroups/Network"
One management group                         "/providers/Microsoft.Management/managementGroups/{groupId1}"
Management group and a subscription          "/providers/Microsoft.Management/managementGroups/{groupId1}", "/subscriptions/{subscriptionId1}"
All scopes (applies only to built-in roles)  "/"

For information about AssignableScopes for custom roles, see Custom roles for Azure resources.
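As an added example (not code from this page or from Azure), the Python below decides whether a role definition can be assigned at a given scope from its AssignableScopes, and flags definitions that break the two rules stated above: at least one scope must be listed, and the root scope "/" belongs to built-in roles only. Scope strings follow the formats in the table. The management group, subscription IDs and custom roles are constructed samples, and because a subscription's ID does not encode which management group contains it, that membership is supplied through an explicit mapping, which is an assumption of this example rather than anything the page describes.

```python
"""Added example (not the page's or Azure's code): evaluate AssignableScopes.
Scope IDs follow the formats in the page's table; the hierarchy, IDs and
custom roles below are constructed for illustration."""
import re

# Constructed sample hierarchy: one management group containing two subscriptions.
MG_CORP = "/providers/Microsoft.Management/managementGroups/corp"
SUB_1 = "/subscriptions/11111111-1111-1111-1111-111111111111"
SUB_2 = "/subscriptions/22222222-2222-2222-2222-222222222222"
# Subscription IDs do not reveal their management group, so the mapping is
# given explicitly (assumption of this example).
MG_OF_SUBSCRIPTION = {SUB_1: MG_CORP, SUB_2: MG_CORP}

# Sample role definitions, trimmed to the fields used here.
CONTRIBUTOR_BUILTIN = {"Name": "Contributor", "IsCustom": False, "AssignableScopes": ["/"]}
NETWORK_RG_ROLE = {"Name": "Network RG Operator (constructed)", "IsCustom": True,
                   "AssignableScopes": [SUB_1 + "/resourceGroups/Network"]}
CORP_MG_ROLE = {"Name": "Corp Operator (constructed)", "IsCustom": True,
                "AssignableScopes": [MG_CORP]}
BAD_CUSTOM_ROLE = {"Name": "Bad custom role (constructed)", "IsCustom": True,
                   "AssignableScopes": ["/"]}


def subscription_of(scope):
    """Subscription prefix of a scope, or None for tenant or management-group scopes."""
    m = re.match(r"/subscriptions/[^/]+", scope, re.IGNORECASE)
    return m.group(0).lower() if m else None


def scope_within(scope, assignable):
    """True if `scope` is `assignable` or lies beneath it in the hierarchy."""
    if assignable == "/":
        return True
    s, a = scope.lower(), assignable.lower()
    if s == a or s.startswith(a + "/"):
        return True
    # A management-group entry also covers the subscriptions it contains.
    sub = subscription_of(scope)
    return sub is not None and MG_OF_SUBSCRIPTION.get(sub, "").lower() == a


def assignable_at(role, scope):
    """Can a role assignment of `role` be created at `scope`?"""
    return any(scope_within(scope, a) for a in role.get("AssignableScopes", []))


def validate_assignable_scopes(role):
    """Return the rule violations found in a role definition's AssignableScopes."""
    problems = []
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        problems.append("AssignableScopes must contain at least one management "
                        "group, subscription, resource group, or resource ID")
    if role.get("IsCustom") and "/" in scopes:
        problems.append('the root scope "/" is available only to built-in roles')
    return problems


if __name__ == "__main__":
    vnet = SUB_1 + "/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/vnet1"
    print("Network role at a vnet in RG Network:", assignable_at(NETWORK_RG_ROLE, vnet))
    print("Network role at subscription 1:", assignable_at(NETWORK_RG_ROLE, SUB_1))
    print("Corp MG role in subscription 2:", assignable_at(CORP_MG_ROLE, SUB_2))
    print("Bad custom role problems:", validate_assignable_scopes(BAD_CUSTOM_ROLE))
```

The prefix check appends "/" before comparing so that a role assignable in the resource group "Network" is not treated as assignable in a sibling group such as "NetworkOps"; keeping custom roles assignable only where they are needed is the least-privilege point the section makes, and the validator is the kind of check worth running over role definitions before they are created.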

Next steps