Azure 資訊安全中心的權限Permissions in Azure Security Center

Azure 資訊安全中心會使用角色型存取控制 (RBAC),以提供可在 Azure 中指派給使用者、群組與服務的內建角色Azure Security Center uses Role-Based Access Control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure.

資訊安全中心會評估資源的組態,以識別安全性問題與弱點。Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. 在「資訊安全中心」中,當您獲指派為資源所屬的訂用帳戶或資源群組「擁有者」、「參與者」或「讀取者」角色時,您只會看到與資源相關的項目。In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.

除了這些角色,有兩個特定的資訊安全中心角色:In addition to these roles, there are two specific Security Center roles:

  • 安全性讀取者:屬於此角色的使用者有檢視資訊安全中心的權限。Security Reader: A user that belongs to this role has viewing rights to Security Center. 使用者可以檢視建議、警示、安全性原則和安全性狀態,但無法進行變更。The user can view recommendations, alerts, a security policy, and security states, but cannot make changes.
  • 安全性系統管理員:屬於此角色的使用者和「安全性讀取者」有相同的權限,而且還能更新安全性原則,以及解除警示和建議。Security Administrator: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations.


安全性角色 (安全讀取者和安全性系統管理員) 只在資訊安全中心內有存取權。The security roles, Security Reader and Security Administrator, have access only in Security Center. 上述安全性角色無法存取 Azure 的其他服務區域,例如儲存體、Web 和行動或物聯網。The security roles do not have access to other service areas of Azure such as Storage, Web & Mobile, or Internet of Things.

角色和允許的動作Roles and allowed actions

下表會顯示資訊安全中心的角色和允許的動作。The following table displays roles and allowed actions in Security Center. X 表示該角色允許的動作。An X indicates that the action is allowed for that role.

RoleRole 編輯安全性原則Edit security policy 針對資源套用安全性建議Apply security recommendations for a resource 關閉警示和建議Dismiss alerts and recommendations 檢視警示和建議View alerts and recommendations
訂用帳戶擁有者Subscription Owner XX XX XX XX
訂用帳戶參與者Subscription Contributor -- XX XX XX
資源群組擁有者Resource Group Owner -- XX -- XX
資源群組參與者Resource Group Contributor -- XX -- XX
讀取者Reader -- -- -- XX
安全性系統管理員Security Administrator XX -- XX XX
安全性讀取者Security Reader -- -- -- XX


我們建議您指派所需的最寬鬆角色,以便使用者完成其工作。We recommend that you assign the least permissive role needed for users to complete their tasks. 例如,將「讀取者」角色指派給只需要檢視資源安全性狀態的相關資訊,但不採取行動的使用者,例如套用建議或編輯原則。For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.

後續步驟Next steps

本文說明資訊安全中心如何使用 RBAC,將權限指派給使用者,並識別每個角色允許的動作。This article explained how Security Center uses RBAC to assign permissions to users and identified the allowed actions for each role. 現在,您已熟悉監視您的訂用帳戶的安全性狀態所需的角色指派,編輯安全性原則和套用建議,接著了解如何︰Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: