Espacio de nombres: microsoft.graph
Importante
Las API de la versión /beta de Microsoft Graph están sujetas a cambios. No se admite el uso de estas API en aplicaciones de producción. Para determinar si una API está disponible en la versión 1.0, use el selector de Versión.
Cree una solicitud de asignación de roles para representar la operación que desee en una asignación de roles. En la tabla siguiente se enumeran las operaciones.
| Operación |
Tipo |
| Asignación de una asignación de roles |
AdminAdd |
| Activación de una asignación de roles apta |
UserAdd |
| Desactivación de una asignación de roles activada |
UserRemove |
| Eliminación de una asignación de roles |
AdminRemove |
| Actualización de una asignación de roles |
AdminUpdate |
| Solicitud para ampliar mi asignación de roles |
UserExtend |
| Extensión de una asignación de roles |
AdminExtend |
| Solicitud para renovar mi asignación de roles expirada |
UserRenew |
| Renovación de una asignación de roles expirada |
AdminRenew |
Esta API está disponible en las siguientes implementaciones nacionales de nube.
| Servicio global |
Gobierno de EE. UU. L4 |
Us Government L5 (DOD) |
China operada por 21Vianet |
| ✅ |
✅ |
✅ |
❌ |
Permissions
En la tabla siguiente se muestran los permisos o permisos con privilegios mínimos necesarios para llamar a esta API en cada tipo de recurso admitido. Siga los procedimientos recomendados para solicitar permisos con privilegios mínimos. Para obtener más información sobre los permisos delegados y de aplicación, consulte Tipos de permisos. Para obtener más información sobre estos permisos, consulte la referencia de permisos.
| Recurso admitido |
Delegado (cuenta profesional o educativa) |
Delegado (cuenta de Microsoft personal) |
Aplicación |
| Microsoft Entra ID |
PrivilegedAccess.ReadWrite.AzureAD |
No admitida. |
No admitida. |
| Recursos de Azure |
PrivilegedAccess.ReadWrite.AzureResources |
No admitida. |
No admitida. |
|
group |
PrivilegedAccess.ReadWrite.AzureADGroup |
No admitida. |
No admitida. |
Solicitud HTTP
POST /privilegedAccess/azureResources/roleAssignmentRequests
Cuerpo de la solicitud
En el cuerpo de la solicitud, proporcione una representación JSON de un objeto governanceRoleAssignmentRequest .
| Propiedad |
Tipo |
Descripción |
| resourceId |
Cadena |
Identificador único del recurso de Azure asociado a la solicitud de asignación de roles. Azure recursos pueden incluir suscripciones, grupos de recursos, máquinas virtuales y bases de datos SQL. Obligatorio. |
| roleDefinitionId |
Cadena |
Identificador de la definición de rol Azure a la que está asociada la solicitud de asignación de roles. Obligatorio. |
| subjectId |
Cadena |
Identificador único de la entidad de seguridad o asunto al que está asociada la solicitud de asignación de roles. Las entidades de seguridad pueden ser usuarios, grupos o entidades de servicio. Obligatorio. |
| assignmentState |
Cadena |
Estado de la asignación. El valor puede ser Eligible y Active. Obligatorio. |
| type |
Cadena |
Tipo de solicitud. El valor puede ser AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, UserRenewAdminRenewy AdminExtend. Obligatorio. |
| motivo |
Cadena |
El motivo debe proporcionarse para la solicitud de asignación de roles con fines de auditoría y revisión. |
| schedule |
governanceSchedule |
Programación de la solicitud de asignación de roles. Para el tipo de solicitud , UserAddAdminAdd, AdminUpdatey AdminExtend, es necesario. |
Respuesta
Si se ejecuta correctamente, este método devuelve un 201 Created código de respuesta y un objeto governanceRoleAssignmentRequest en el cuerpo de la respuesta.
Códigos de error
Esta API devuelve los códigos de error HTTP estándar. Además, también devuelve los códigos de error enumerados en la tabla siguiente.
| Código de error |
Mensaje de error |
Detalles |
| 400 BadRequest |
RoleNotFound |
No roleDefinitionId se puede encontrar el proporcionado en el cuerpo de la solicitud. |
| 400 BadRequest |
ResourceIsLocked |
El recurso proporcionado en el cuerpo de la solicitud está en estado y no puede crear solicitudes de Locked asignación de roles. |
| 400 BadRequest |
SubjectNotFound |
No subjectId se puede encontrar el proporcionado en el cuerpo de la solicitud. |
| 400 BadRequest |
PendingRoleAssignmentRequest |
Ya existe una governanceRoleAssignmentRequest pendiente en el sistema. |
| 400 BadRequest |
RoleAssignmentExists |
El governanceRoleAssignment solicitado para crearse ya existe en el sistema. |
| 400 BadRequest |
RoleAssignmentDoesNotExist |
El governanceRoleAssignment solicitado para actualizarse o extenderse no existe en el sistema. |
| 400 BadRequest |
RoleAssignmentRequestPolicyValidationFailed |
GovernanceRoleAssignmentRequest no cumple las directivas internas y no se puede crear. |
Ejemplos
En los ejemplos siguientes se muestra cómo usar esta API.
Ejemplo 1: El administrador asigna un usuario a un rol
En este ejemplo, un administrador asigna un usuario nawu@contoso.com al rol Lector de facturación.
Nota: Además del permiso, este ejemplo requiere que el solicitante tenga al menos una Active asignación de roles de administrador (owner o user access administrator) en el recurso.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Apto/activo |
| type |
Cadena |
Sí |
AdminAdd |
| motivo |
Cadena |
depende de la configuración del rol |
|
| schedule |
governanceSchedule |
Sí |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Eligible",
"type": "AdminAdd",
"reason": "Assign an eligible role",
"schedule": {
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"type": "Once"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Eligible",
Type = "AdminAdd",
Reason = "Assign an eligible role",
Schedule = new GovernanceSchedule
{
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
Type = "Once",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
type := "AdminAdd"
requestBody.SetType(&type)
reason := "Assign an eligible role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime , err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime)
type := "Once"
schedule.SetType(&type)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("ea48ad5e-e3b0-4d10-af54-39a45bbfe68d");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminAdd");
governanceRoleAssignmentRequest.setReason("Assign an eligible role");
GovernanceSchedule schedule = new GovernanceSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:37:43.356Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-11-08T23:37:43.356Z");
schedule.setEndDateTime(endDateTime);
schedule.setType("Once");
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Eligible',
type: 'AdminAdd',
reason: 'Assign an eligible role',
schedule: {
startDateTime: '2018-05-12T23:37:43.356Z',
endDateTime: '2018-11-08T23:37:43.356Z',
type: 'Once'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('ea48ad5e-e3b0-4d10-af54-39a45bbfe68d');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminAdd');
$requestBody->setReason('Assign an eligible role');
$schedule = new GovernanceSchedule();
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:37:43.356Z'));
$schedule->setEndDateTime(new \DateTime('2018-11-08T23:37:43.356Z'));
$schedule->setType('Once');
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Eligible"
type = "AdminAdd"
reason = "Assign an eligible role"
schedule = @{
startDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
endDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
type = "Once"
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Eligible",
type = "AdminAdd",
reason = "Assign an eligible role",
schedule = GovernanceSchedule(
start_date_time = "2018-05-12T23:37:43.356Z",
end_date_time = "2018-11-08T23:37:43.356Z",
type = "Once",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "1232e4ea-741a-4be5-8044-5edabdd61672",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminAdd",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate Only",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"duration": "PT0S"
}
}
Ejemplo 2: El usuario activa el rol apto
En este ejemplo, el usuario nawu@contoso.com activa el rol lector de facturación apto.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Activo |
| type |
Cadena |
Sí |
UserAdd |
| motivo |
Cadena |
depende de la configuración del rol |
|
| schedule |
governanceSchedule |
Sí |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserAdd",
"reason": "Activate the owner role",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"duration": "PT9H"
},
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserAdd",
Reason = "Activate the owner role",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
Duration = TimeSpan.Parse("PT9H"),
},
LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
type := "UserAdd"
requestBody.SetType(&type)
reason := "Activate the owner role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type)
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime)
duration , err := abstractions.ParseISODuration("PT9H")
schedule.SetDuration(&duration)
requestBody.SetSchedule(schedule)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("8b4d1d51-08e9-4254-b0a6-b16177aae376");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserAdd");
governanceRoleAssignmentRequest.setReason("Activate the owner role");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:28:43.537Z");
schedule.setStartDateTime(startDateTime);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT9H"));
schedule.setDuration(duration);
governanceRoleAssignmentRequest.setSchedule(schedule);
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("e327f4be-42a0-47a2-8579-0a39b025b394");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserAdd',
reason: 'Activate the owner role',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:28:43.537Z',
duration: 'PT9H'
},
linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('8b4d1d51-08e9-4254-b0a6-b16177aae376');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserAdd');
$requestBody->setReason('Activate the owner role');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:28:43.537Z'));
$schedule->setDuration(new \DateInterval('PT9H'));
$requestBody->setSchedule($schedule);
$requestBody->setLinkedEligibleRoleAssignmentId('e327f4be-42a0-47a2-8579-0a39b025b394');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserAdd"
reason = "Activate the owner role"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
duration = "PT9H"
}
linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserAdd",
reason = "Activate the owner role",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:28:43.537Z",
duration = "PT9H",
),
linked_eligible_role_assignment_id = "e327f4be-42a0-47a2-8579-0a39b025b394",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
"type": "UserAdd",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Activate the owner role",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "EligibilityRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
},
{
"key": "JustificationRule",
"value": "Grant"
},
{
"key": "ActivationDayRule",
"value": "Grant"
},
{
"key": "ApprovalRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"endDateTime": "0001-01-01T00:00:00Z",
"duration": "PT9H"
}
}
Ejemplo 3: El usuario desactiva un rol asignado
En este ejemplo, el usuario nawu@contoso.com desactiva el rol lector de facturación activo.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Activo |
| type |
Cadena |
Sí |
UserRemove |
| motivo |
Cadena |
No |
|
| schedule |
governanceSchedule |
No |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserRemove",
"reason": "Deactivate the role",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserRemove",
Reason = "Deactivate the role",
LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
type := "UserRemove"
requestBody.SetType(&type)
reason := "Deactivate the role"
requestBody.SetReason(&reason)
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("bc75b4e6-7403-4243-bf2f-d1f6990be122");
governanceRoleAssignmentRequest.setResourceId("fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserRemove");
governanceRoleAssignmentRequest.setReason("Deactivate the role");
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("cb8a533e-02d5-42ad-8499-916b1e4822ec");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserRemove',
reason: 'Deactivate the role',
linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('bc75b4e6-7403-4243-bf2f-d1f6990be122');
$requestBody->setResourceId('fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserRemove');
$requestBody->setReason('Deactivate the role');
$requestBody->setLinkedEligibleRoleAssignmentId('cb8a533e-02d5-42ad-8499-916b1e4822ec');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserRemove"
reason = "Deactivate the role"
linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
resource_id = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserRemove",
reason = "Deactivate the role",
linked_eligible_role_assignment_id = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
"type": "UserRemove",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate only",
"schedule": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
}
}
Ejemplo 4: El administrador quita al usuario de un rol
En este ejemplo, un administrador quita al usuario nawu@contoso.com del rol Lector de facturación.
Nota: Además del permiso, este ejemplo requiere que el solicitante tenga al menos una Active asignación de roles de administrador (owner o user access administrator) en el recurso.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Apto/activo |
| type |
Cadena |
Sí |
AdminRemove |
| motivo |
Cadena |
No |
|
| schedule |
governanceSchedule |
No |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminRemove"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminRemove",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
type := "AdminRemove"
requestBody.SetType(&type)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("65bb4622-61f5-4f25-9d75-d0e20cf92019");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminRemove");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminRemove'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('65bb4622-61f5-4f25-9d75-d0e20cf92019');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminRemove');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminRemove"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminRemove",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminRemove",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
},
"schedule": null
}
Ejemplo 5: Asignación de roles de actualizaciones de administrador
En este ejemplo, los administradores actualizan la asignación de roles del usuario nawu@contoso.com al propietario.
Nota: Además del permiso, este ejemplo requiere que el solicitante tenga al menos una Active asignación de roles de administrador (owner o user access administrator) en el recurso.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Apto/activo |
| type |
Cadena |
Sí |
AdminUpdate |
| motivo |
Cadena |
depende de roleSettings |
|
| schedule |
governanceSchedule |
Sí |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"assignmentState": "Eligible",
"type": "AdminUpdate",
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31.000Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
AssignmentState = "Eligible",
Type = "AdminUpdate",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31.000Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
type := "AdminUpdate"
requestBody.SetType(&type)
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type)
startDateTime , err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime , err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("70521f3e-3b95-4e51-b4d2-a2f485b02103");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("1566d11d-d2b6-444a-a8de-28698682c445");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminUpdate");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-03-08T05:42:45.317Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-06-05T05:42:31.000Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
assignmentState: 'Eligible',
type: 'AdminUpdate',
schedule: {
type: 'Once',
startDateTime: '2018-03-08T05:42:45.317Z',
endDateTime: '2018-06-05T05:42:31.000Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('70521f3e-3b95-4e51-b4d2-a2f485b02103');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('1566d11d-d2b6-444a-a8de-28698682c445');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminUpdate');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-03-08T05:42:45.317Z'));
$schedule->setEndDateTime(new \DateTime('2018-06-05T05:42:31.000Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
assignmentState = "Eligible"
type = "AdminUpdate"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
endDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "1566d11d-d2b6-444a-a8de-28698682c445",
assignment_state = "Eligible",
type = "AdminUpdate",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-03-08T05:42:45.317Z",
end_date_time = "2018-06-05T05:42:31.000Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminUpdate",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31Z",
"duration": "PT0S"
}
}
Ejemplo 6: El administrador extiende la asignación de roles que expira
En este ejemplo se amplía la asignación de roles que expira para el usuario ANUJCUSER a API Management colaborador del servicio.
Nota: Además del permiso, este ejemplo requiere que el solicitante tenga al menos una Active asignación de roles de administrador (owner o user access administrator) en el recurso.
| Propiedad |
Tipo |
Obligatorio |
Valor |
| resourceId |
Cadena |
Sí |
<resourceId> |
| roleDefinitionId |
Cadena |
Sí |
<roleDefinitionId> |
| subjectId |
Cadena |
Sí |
<subjectId> |
| assignmentState |
Cadena |
Sí |
Apto/activo |
| type |
Cadena |
Sí |
AdminExtend |
| motivo |
Cadena |
depende de roleSettings |
|
| schedule |
governanceSchedule |
Sí |
|
Solicitud
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminExtend",
"reason": "extend role assignment",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminExtend",
Reason = "extend role assignment",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
type := "AdminExtend"
requestBody.SetType(&type)
reason := "extend role assignment"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type)
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime , err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("0e88fd18-50f5-4ee1-9104-01c3ed910065");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminExtend");
governanceRoleAssignmentRequest.setReason("extend role assignment");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:53:55.327Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-08-10T23:53:55.327Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminExtend',
reason: 'extend role assignment',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:53:55.327Z',
endDateTime: '2018-08-10T23:53:55.327Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('0e88fd18-50f5-4ee1-9104-01c3ed910065');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminExtend');
$requestBody->setReason('extend role assignment');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:53:55.327Z'));
$schedule->setEndDateTime(new \DateTime('2018-08-10T23:53:55.327Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminExtend"
reason = "extend role assignment"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
endDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminExtend",
reason = "extend role assignment",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:53:55.327Z",
end_date_time = "2018-08-10T23:53:55.327Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Respuesta
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "486f0c05-47c8-4498-9c06-086a78c83004",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminExtend",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "extend role assignment",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z",
"duration": "PT0S"
}
}