列出 Azure 角色定義

角色定義是可以執行的許可權限集合,例如讀取、寫入和刪除。 一般會直接稱之為角色。 Azure 角色型存取控制 (Azure RBAC) 有超過 120 個內建角色 ,或者您可以建立自己的自訂角色。 本文說明如何列出您可以用來授與 Azure 資源的存取權的內建和自訂角色。

若要查看Azure Active Directory的系統管理員角色清單,請參閱Azure Active Directory中的系統管理員角色許可權

Azure 入口網站

列出所有角色

請遵循下列步驟來列出Azure 入口網站中的所有角色。

  1. 在Azure 入口網站中,按一下 [所有服務],然後選取任何範圍。 例如,您可以選取 [管理群組]、[訂用帳戶]、[資源群組]或資源。

  2. 按一下特定資源。

  3. 按一下 [存取控制 (IAM)]。

  4. 按一下 [角色] 索引標籤以查看所有內建與自訂角色清單。

    Screenshot showing Roles list using new experience.

  5. 若要查看特定角色的許可權,請在 [ 詳細 資料] 資料行中,按一下 [ 檢視 ] 連結。

    [許可權] 窗格隨即出現。

  6. 按一下 [ 許可權] 索引標籤,以檢視並搜尋所選角色的許可權。

    Screenshot showing role permissions using new experience.

Azure PowerShell

列出所有角色

若要列出Azure PowerShell中的所有角色,請使用Get-AzRoleDefinition

Get-AzRoleDefinition | FT Name, Description
AcrImageSigner                                    acr image signer
AcrQuarantineReader                               acr quarantine data reader
AcrQuarantineWriter                               acr quarantine data writer
API Management Service Contributor                Can manage service and the APIs
API Management Service Operator Role              Can manage service but not the APIs
API Management Service Reader Role                Read-only access to service and APIs
Application Insights Component Contributor        Can manage Application Insights components
Application Insights Snapshot Debugger            Gives user permission to use Application Insights Snapshot Debugge...
Automation Job Operator                           Create and Manage Jobs using Automation Runbooks.
Automation Operator                               Automation Operators are able to start, stop, suspend, and resume ...
...

列出角色定義

若要列出特定角色的詳細資料,請使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name>
PS C:\> Get-AzRoleDefinition "Contributor"

Name             : Contributor
Id               : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom         : False
Description      : Lets you manage everything except access to resources.
Actions          : {*}
NotActions       : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
                   Microsoft.Authorization/elevateAccess/Action}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/}

以 JSON 格式列出角色定義

若要以 JSON 格式列出角色,請使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name> | ConvertTo-Json
PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

列出角色定義的許可權

若要列出特定角色的許可權,請使用 Get-AzRoleDefinition

Get-AzRoleDefinition <role_name> | FL Actions, NotActions
PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions    : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
             Microsoft.Authorization/elevateAccess/Action,
             Microsoft.Blueprint/blueprintAssignments/write...}
(Get-AzRoleDefinition <role_name>).Actions
PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...

Azure CLI

列出所有角色

若要列出 Azure CLI 中的所有角色,請使用 az role definition list

az role definition list

下列範例會列出所有可用角色定義的名稱和描述:

az role definition list --output json --query '[].{roleName:roleName, description:description}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role"
  },

  ...

]

下列範例會列出所有內建角色。

az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'
[
  {
    "description": "Can manage service and the APIs",
    "roleName": "API Management Service Contributor",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Can manage service but not the APIs",
    "roleName": "API Management Service Operator Role",
    "roleType": "BuiltInRole"
  },
  {
    "description": "Read-only access to service and APIs",
    "roleName": "API Management Service Reader Role",
    "roleType": "BuiltInRole"
  },
  
  ...

]

列出角色定義

若要列出角色的詳細資料,請使用 az role definition list

az role definition list --name {roleName}

下列範例會列出「參與者」的角色定義:

az role definition list --name "Contributor"
[
  {
    "assignableScopes": [
      "/"
    ],
    "description": "Lets you manage everything except access to resources.",
    "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "dataActions": [],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "Contributor",
    "roleType": "BuiltInRole",
    "type": "Microsoft.Authorization/roleDefinitions"
  }
]

列出角色定義的許可權

下列範例只會列出參與者角色的動作notActions

az role definition list --name "Contributor" --output json --query '[].{actions:permissions[0].actions, notActions:permissions[0].notActions}'
[
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Blueprint/blueprintAssignments/write",
      "Microsoft.Blueprint/blueprintAssignments/delete"
    ]
  }
]

下列範例只會列出 虛擬機器參與者 角色的動作。

az role definition list --name "Virtual Machine Contributor" --output json --query '[].permissions[0].actions'
[
  [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.DevTestLab/schedules/*",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

    ...

    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Support/*"
  ]
]

REST API

列出角色定義

若要列出角色定義,請使用 角色定義 - 列出 REST API。 若要精簡您的結果,請指定範圍和選擇性篩選條件。

  1. 從下列要求著手:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2015-07-01
    
  2. 在 URI 中,將 {scope} 取代為您要列出角色定義的範圍。

    影響範圍 類型
    providers/Microsoft.Management/managementGroups/{groupId1} 管理群組
    subscriptions/{subscriptionId1} 訂用帳戶
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 資源群組
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 資源

    在上一個範例中,microsoft.web 是參考 App Service 實例的資源提供者。 同樣地,您可以使用任何其他資源提供者並指定範圍。 如需詳細資訊,請參閱 Azure 資源提供者和類型和 支援的 Azure 資源提供者作業

  3. {filter} 取代為您想要套用以篩選角色定義清單的條件。

    篩選 Description
    $filter=atScopeAndBelow() 列出指定範圍和任何子範圍的角色定義。
    $filter=type+eq+'{type}' 列出指定型別的角色定義。 角色的類型可以是 CustomRoleBuiltInRole

下列要求會列出訂用帳戶範圍的自訂角色定義:

GET https://management.azure.com/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01&$filter=type+eq+'CustomRole'

以下顯示輸出的範例:

{
    "value": [
        {
            "properties": {
                "roleName": "Billing Reader Plus",
                "type": "CustomRole",
                "description": "Read billing data and download invoices",
                "assignableScopes": [
                    "/subscriptions/{subscriptionId1}"
                ],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/*/read",
                            "Microsoft.Billing/*/read",
                            "Microsoft.Commerce/*/read",
                            "Microsoft.Consumption/*/read",
                            "Microsoft.Management/managementGroups/read",
                            "Microsoft.CostManagement/*/read",
                            "Microsoft.Billing/invoices/download/action",
                            "Microsoft.CostManagement/exports/*"
                        ],
                        "notActions": [
                            "Microsoft.CostManagement/exports/delete"
                        ]
                    }
                ],
                "createdOn": "2020-02-21T04:49:13.7679452Z",
                "updatedOn": "2020-02-21T04:49:13.7679452Z",
                "createdBy": "{createdByObjectId1}",
                "updatedBy": "{updatedByObjectId1}"
            },
            "id": "/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId1}",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "{roleDefinitionId1}"
        }
    ]
}

列出角色定義

若要列出特定角色的詳細資料,請使用 角色定義 - 取得角色定義 - 依識別碼取得 REST API。

  1. 從下列要求著手:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2015-07-01
    

    針對目錄層級角色定義,您可以使用此要求:

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2015-07-01
    
  2. 在 URI 中,將 {scope} 取代為您要列出角色定義的範圍。

    影響範圍 類型
    providers/Microsoft.Management/managementGroups/{groupId1} 管理群組
    subscriptions/{subscriptionId1} 訂用帳戶
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 資源群組
    subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 資源
  3. {roleDefinitionId} 取代為角色定義識別碼。

下列要求會列出 讀者 角色定義:

GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2015-07-01

以下顯示輸出的範例:

{
    "properties": {
        "roleName": "Reader",
        "type": "BuiltInRole",
        "description": "Lets you view everything, but not make any changes.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "*/read"
                ],
                "notActions": []
            }
        ],
        "createdOn": "2015-02-02T21:55:09.8806423Z",
        "updatedOn": "2019-02-05T21:24:35.7424745Z",
        "createdBy": null,
        "updatedBy": null
    },
    "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "type": "Microsoft.Authorization/roleDefinitions",
    "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

後續步驟