Manage admin access

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security supports role-based access control. This article provides instructions for setting access to the Cloud App Security portal for your admins. For more information about assigning administrator roles, see the articles for Azure Active Directory and Office 365.

Office 365 and Azure AD roles with access to Cloud App Security

By default, the following Office 365 and Azure Active Directory (Azure AD) admin roles have access to Cloud App Security:

  • Global administrator and Security administrator: Admins with Full access have full permissions in Cloud App Security. They can add admins, add policies and settings, upload logs and perform governance actions.

  • Compliance administrator: Has read-only permissions and can manage alerts. Cannot access Security recommendations for cloud platforms. Can create and modify file policies, allow file governance actions, and view all the built-in reports under Data Management.

  • Compliance data administrator: Has read-only permissions, can create and modify file policies, allow file governance actions, and view all discovery reports. Cannot access Security recommendations for cloud platforms.

  • Security operator: Has read-only permissions and can manage alerts.

  • Security reader: Has read-only permissions and can manage alerts. The Security reader is restricted from doing the following actions:

    • Creating policies or editing and changing existing ones
    • Performing any governance actions
    • Uploading discovery logs
    • Banning or approving third-party apps
    • Accessing and viewing the IP address range settings page
    • Accessing and viewing any settings pages
    • Accessing and viewing the Discovery settings
    • Accessing and viewing the App connectors page
    • Accessing and viewing the Governance log
    • Accessing and viewing the Manage snapshot reports page
    • Accessing and editing the SIEM agent
  • Global reader: Has full read-only access to all aspects of Microsoft Cloud App Security. Cannot change any settings or take any actions.

Note

Office 365 and Azure AD roles are not listed in the Manage admin access page.

Additionally, the following Cloud App Security specific admin roles can be configured in the Cloud App Security portal:

  • App/instance admin: Has full or read-only permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific app or instance of an app selected. For example, you give a user admin permission to your Box European instance. The admin will see only data that relates to the Box European instance, whether it's files, activities, policies, or alerts:

    • Activities page - Only activities about the specific app
    • Alerts - Only alerts relating to the specific app
    • Policies - Can view all policies and, if assigned full permissions, can edit or create only policies that deal exclusively with the app/instance
    • Accounts page - Only accounts for the specific app/instance
    • App permissions - Only permissions for the specific app/instance
    • Files page - Only files from the specific app/instance
    • Conditional Access App Control - No permissions
    • Cloud Discovery activity - No permissions
    • Security extensions - Permissions only for API tokens with user permissions
    • Governance actions - Only for the specific app/instance
    • Security recommendations for cloud platforms - No permissions
  • User group admin: Has full or read-only permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group "Germany - all users", the admin can view and modify information in Microsoft Cloud App Security only for that user group:

    • Activities page - Only activities about the users in the group
    • Alerts - Only alerts relating to the users in the group
    • Policies - Can view all policies and, if assigned full permissions, can edit or create only policies that deal exclusively with users in the group
    • Accounts page - Only accounts for the specific users in the group
    • App permissions - No permissions
    • Files page - No permissions
    • Conditional Access App Control - No permissions
    • Cloud Discovery activity - No permissions
    • Security extensions - Permissions only for API tokens with users in the group
    • Governance actions - Only for the specific users in the group
    • Security recommendations for cloud platforms - No permissions
  • Cloud Discovery global admin: Has permission to view and edit all Cloud Discovery settings and data. The Global Discovery admin has access as follows:

    • Settings
      • System settings - View only
      • Cloud Discovery settings - View and edit all (anonymization permissions depend on whether it was allowed during role assignment)
    • Cloud Discovery activity - Full permissions
    • Alerts - Only alerts related to Cloud Discovery data
    • Policies - Can view all policies and can edit or create only Cloud Discovery policies
    • Activities page - No permissions
    • Accounts page - No permissions
    • App permissions - No permissions
    • Files page - No permissions
    • Conditional Access App Control - No permissions
    • Security extensions - No permissions
    • Governance actions - Only Cloud Discovery related actions
    • Security recommendations for cloud platforms - No permissions
  • Cloud Discovery report admin: Has permissions to view all the data in Cloud App Security that deals exclusively with the specific Cloud Discovery reports selected. For example, you can give someone admin permission to the continuous report from Microsoft Defender ATP. The Discovery admin will see only the Cloud Discovery data that relates to that data source and to the app catalog. This admin will not have access to the Activities, Files, or Security recommendations pages and has limited access to policies.

Override admin permissions

If you want to override an administrator's permission from Azure Active Directory or Office 365, you can do so by manually adding the user to Cloud App Security and assigning the user permissions. For example, if you want to assign Stephanie, who is a Security reader in Azure Active Directory, Full access in Cloud App Security, you can add her manually to Cloud App Security and assign her Full access to override her role and allow her the necessary permissions in Cloud App Security.
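The following Python is an added example, not code from this page or from Cloud App Security: it models the override rule above together with the scoping of the App/instance admin and User group admin roles from the role list, as a simplified authorization check a reviewer might use to reason about who can do what. The role names, resource kinds and the "Box European" and "Germany - all users" scopes are constructed from the page's own examples; the page does not describe the product's actual authorization logic.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed, simplified model of the role rules on this page (illustration, not Cloud App Security's code).
FULL_AAD_ROLES = {"Global administrator", "Security administrator"}
# Resource kinds each scoped role has no permissions on at all (from the page's lists).
DENIED_KINDS = {
    "App/instance admin": {"conditional_access", "cloud_discovery", "security_recommendations"},
    "User group admin": {"conditional_access", "cloud_discovery", "security_recommendations",
                         "app_permissions", "files"},
}
# Pages a Security reader cannot open at all.
READER_NO_ACCESS = {"settings", "ip_ranges", "discovery_settings", "app_connectors",
                    "governance_log", "snapshot_reports", "siem_agent"}
@dataclass
class Assignment:
    role: str
    full_access: bool = True     # scoped roles may be granted full or read-only permissions
    scope: Optional[str] = None  # app instance or user group the scoped role is limited to

@dataclass
class Admin:
    aad_role: Optional[str] = None                # role inherited from Azure AD / Office 365
    mcas_assignment: Optional[Assignment] = None  # manual assignment made in the portal

def effective_assignment(admin: Admin) -> Optional[Assignment]:
    """A manual Cloud App Security assignment overrides the inherited Azure AD role."""
    if admin.mcas_assignment is not None:
        return admin.mcas_assignment
    if admin.aad_role in FULL_AAD_ROLES:
        return Assignment("Global admin")
    if admin.aad_role == "Security reader":
        return Assignment("Security reader", full_access=False)
    return None  # no recognised role: no portal access

def is_allowed(admin: Admin, action: str, kind: str, scope: Optional[str] = None) -> bool:
    """action is 'view' or 'change'; kind is a page/resource kind; scope is its app instance or group."""
    a = effective_assignment(admin)
    if a is None:
        return False
    if a.role == "Global admin":
        return True
    if a.role == "Security reader":  # read-only, but may manage alerts
        return kind not in READER_NO_ACCESS and (action == "view" or kind == "alerts")
    if a.role not in DENIED_KINDS:   # unknown role name: deny
        return False
    if kind == "policies" and action == "view":
        return True  # scoped admins can view all policies
    if kind in DENIED_KINDS[a.role] or scope != a.scope:
        return False
    return action == "view" or a.full_access
```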

Add additional admins

You can add additional admins to Cloud App Security without adding users to Azure Active Directory administrative roles. To add additional admins, perform the following steps:

Important

Only Global administrators or Security administrators can grant access to other users to Cloud App Security.

  1. Click the settings cog and then Manage admin access.

  2. Click the plus to add the admins who should have access to Cloud App Security. You can type an internal or external email address to enable administrators from inside your organization or external Managed Security Service Providers (MSSPs) to administer your security alerts.


  3. Next, click the drop-down to set what type of role the admin has: Global admin, Security reader, Compliance admin, App/Instance admin, User group admin, Cloud Discovery global admin, or Cloud Discovery report admin. If you select App/Instance admin, select the app and instance for the admin to have permissions for.

    Note

    Any admin whose access is limited and who attempts to access a restricted page or perform a restricted action will receive an error that they don't have permission to access the page or perform the action.

  4. Click Add admin.

Admin activity auditing

Cloud App Security lets you export a log of admin sign-in activities and an audit of views of a specific user or alerts carried out as part of an investigation.

To export a log, perform the following steps:

  1. In the Manage admin access page, select Export admin activities.

  2. Specify the required time range.

  3. Click Export.

Invite external admins

Cloud App Security enables you to invite external Managed Security Service Providers (MSSPs) as administrators of your Cloud App Security portal. External users can now be configured as administrators and assigned any of the roles available in Cloud App Security. To add external users, make sure Cloud App Security is enabled on the source tenant, and then provide an external email address in the steps under Add additional admins.

Additionally, to enable MSSPs to provide services across multiple customer tenants, administrators who have access rights to more than one tenant can now easily switch tenants within the portal. To switch between tenants, after you have permissions to multiple tenants, click the user icon. You will see a list of the tenants for which you have permissions. Select the tenant you want to manage.


Next steps