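Azure built-in roles for Hybrid + multicloud

This article lists the Azure built-in roles in the Hybrid + multicloud category.

Azure Resource Bridge Deployment Role

Azure Resource Bridge Deployment Role

Learn more

Actions Description
Microsoft.Authorization/roleassignments/read Get information about a role assignment.
Microsoft.AzureStackHCI/Register/Action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.ResourceConnector/register/action Registers the subscription for the Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or updates an Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes an Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Gets an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Gets an appliance cluster customer user keys
Microsoft.ResourceConnector/appliances/upgradeGraphs/read Gets the upgrade graph of the Appliance cluster
Microsoft.ResourceConnector/telemetryconfig/read Gets the Appliances telemetry config used by the Appliances CLI
Microsoft.ResourceConnector/operations/read Gets the list of available operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for the Custom Location resource provider and enables the creation of Custom Location.
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or updates a Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes a Custom Location resource
Microsoft.HybridConnectivity/register/action Registers the subscription for Microsoft.HybridConnectivity
Microsoft.Kubernetes/register/action Registers the subscription with the Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers the subscription with the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
Microsoft.KubernetesConfiguration/namespaces/read Gets a namespace resource
Microsoft.KubernetesConfiguration/operations/read Gets the available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Get guest configuration assignment.
Microsoft.HybridContainerService/register/action Registers the subscription for Microsoft.HybridContainerService
Microsoft.HybridContainerService/kubernetesVersions/read Lists the Kubernetes versions supported by the underlying custom location
Microsoft.HybridContainerService/kubernetesVersions/write Puts the Kubernetes version resource type
Microsoft.HybridContainerService/skus/read Lists the VM SKUs supported in the underlying custom location
Microsoft.HybridContainerService/skus/write Puts the VM SKUs resource type
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/updates a storage containers resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage containers resources
NotActions
none
DataActions
none
NotDataActions
none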
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Resource Bridge Deployment Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",
  "name": "7b1f81f9-4196-4058-8aae-762e593270df",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleassignments/read",
        "Microsoft.AzureStackHCI/Register/Action",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/appliances/upgradeGraphs/read",
        "Microsoft.ResourceConnector/telemetryconfig/read",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.HybridContainerService/register/action",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Resource Bridge Deployment Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI Administrator

Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader

Learn more

Actions Description
Microsoft.AzureStackHCI/register/action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.AzureStackHCI/Unregister/Action Unregisters the subscription for the Azure Stack HCI resource provider.
Microsoft.AzureStackHCI/clusters/*
Microsoft.HybridCompute/register/action Registers the subscription for the Microsoft.HybridCompute resource provider
Microsoft.GuestConfiguration/register/action Registers the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Get guest configuration assignment.
Microsoft.Resources/subscriptions/resourceGroups/write Creates or updates a resource group.
Microsoft.Resources/subscriptions/resourceGroups/delete Deletes a resource group and all its resources.
Microsoft.HybridConnectivity/register/action Registers the subscription for Microsoft.HybridConnectivity
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Support/* Create and update a support ticket
Microsoft.AzureStackHCI/*
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.HybridCompute/machines/read Read any Azure Arc machine
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades extensions on Azure Arc machines
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machine for missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machine
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extension
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Reads all operations for Azure Arc for servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Reads the hybrid identity metadata of any Azure Arc machine
Microsoft.HybridCompute/osType/agentVersions/read Reads all available Azure Connected Machine Agent versions
Microsoft.HybridCompute/osType/agentVersions/latest/read Reads the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/write Installs or updates Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/delete Deletes Azure Arc runcommands
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc license
Microsoft.HybridCompute/licenses/write Installs or updates an Azure Arc license
Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc license
Microsoft.ResourceConnector/register/action Registers the subscription for the Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or updates an Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes an Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Gets the result of an Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Gets an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Gets an appliance cluster customer user keys
Microsoft.ResourceConnector/operations/read Gets the list of available operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for the Custom Location resource provider and enables the creation of Custom Location.
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or updates a Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes a Custom Location resource
Microsoft.EdgeMarketplace/offers/read Gets an offer
Microsoft.EdgeMarketplace/publishers/read Gets a publisher
Microsoft.Kubernetes/register/action Registers the subscription with the Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers the subscription with the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates an extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes an extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets the async operation status.
Microsoft.KubernetesConfiguration/namespaces/read Gets a namespace resource
Microsoft.KubernetesConfiguration/operations/read Gets the available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/updates a storage containers resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage containers resources
Microsoft.HybridContainerService/register/action Registers the subscription for Microsoft.HybridContainerService
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))
Add or remove role assignments for the following roles:
Azure Connected Machine Resource Manager
Azure Connected Machine Resource Administrator
Azure Connected Machine Onboarding
Azure Stack HCI VM Reader
Azure Stack HCI VM Contributor
Azure Stack HCI Device Management Role
Azure Resource Bridge Deployment Role
Key Vault Secrets User
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Support/*",
        "Microsoft.AzureStackHCI/*",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.EdgeMarketplace/offers/read",
        "Microsoft.EdgeMarketplace/publishers/read",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.HybridContainerService/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Azure Stack HCI Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
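
The condition in the Azure Stack HCI Administrator definition above limits which roles a holder of this role may assign or remove. The following added example (not part of the original page and not Microsoft's code) parses that condition string and evaluates it for an action and a role definition ID. The function names and the out-of-list GUID are constructed for illustration, and only the condition is modelled, not the role's actions list.

```python
import re
import uuid
from fnmatch import fnmatchcase

# GUID list and condition text copied from the role definition JSON above.
_ROLE_IDS = (
    "f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, "
    "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, "
    "874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,"
    "7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6"
)
_ATTR = "[Microsoft.Authorization/roleAssignments:RoleDefinitionId]"
CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request" + _ATTR + " ForAnyOfAnyValues:GuidEquals{" + _ROLE_IDS + "})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource" + _ATTR + " ForAnyOfAnyValues:GuidEquals{" + _ROLE_IDS + "}))"
)

# One guarded clause has the shape:
#   (!(ActionMatches{'A'})) OR (@Source[attr] ForAnyOfAnyValues:GuidEquals{g1, g2, ...})
CLAUSE = re.compile(
    r"\(!\(ActionMatches\{'(?P<action>[^']+)'\}\)\)\s*OR\s*"
    r"\(@(?P<source>Request|Resource)\[[^\]]+\]\s+"
    r"ForAnyOfAnyValues:GuidEquals\{(?P<guids>[^}]*)\}\)"
)


def parse_condition(condition):
    """Return [(action_pattern, attribute_source, frozenset_of_UUIDs), ...]."""
    clauses = []
    for m in CLAUSE.finditer(condition):
        guids = frozenset(uuid.UUID(g.strip()) for g in m["guids"].split(","))
        clauses.append((m["action"], m["source"], guids))
    if not clauses:
        raise ValueError("no guarded clause recognised in condition")
    return clauses


def role_guid(role_definition_id):
    """Accept a bare GUID or a full .../roleDefinitions/<guid> resource ID."""
    return uuid.UUID(role_definition_id.rstrip("/").rsplit("/", 1)[-1])


def condition_allows(condition, action, role_definition_id=None):
    """Evaluate the AND of all guarded clauses for one action.

    role_definition_id is the role being assigned (@Request, for write) or the
    role of the existing assignment being removed (@Resource, for delete).
    Action names are compared case-insensitively in this sketch.
    """
    for pattern, _source, guids in parse_condition(condition):
        if not fnmatchcase(action.lower(), pattern.lower()):
            continue  # !(ActionMatches{...}) is true, so this clause is satisfied
        if role_definition_id is None or role_guid(role_definition_id) not in guids:
            return False  # guarded action targeting a role outside the list
    return True


# Constructed GUID that is not in the condition's list (not a real role ID).
OUTSIDE_ROLE = "00000000-0000-0000-0000-000000000001"
WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

if __name__ == "__main__":
    vm_reader = "4b3fe76c-f777-4d24-a2d7-b027b0f7b273"  # ID of the VM Reader role on this page
    for action, role in [(WRITE, vm_reader), (WRITE, OUTSIDE_ROLE), (DELETE, OUTSIDE_ROLE)]:
        verdict = "allowed" if condition_allows(CONDITION, action, role) else "blocked"
        print(f"{action} for {role}: {verdict}")
```
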

Azure Stack HCI Device Management Role

Microsoft.AzureStackHCI Device Management Role

Learn more

Actions Description
Microsoft.AzureStackHCI/Clusters/*
Microsoft.AzureStackHCI/EdgeDevices/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureStackHCI Device Management Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/Clusters/*",
        "Microsoft.AzureStackHCI/EdgeDevices/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI Device Management Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Contributor

Grants permissions to perform all VM actions

Learn more

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/*
Microsoft.AzureStackHCI/virtualMachineInstances/*
Microsoft.AzureStackHCI/NetworkInterfaces/*
Microsoft.AzureStackHCI/VirtualHardDisks/*
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/lists virtual network resources
Microsoft.AzureStackHCI/VirtualNetworks/join/action Joins a virtual network resource
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/lists logical network resources
Microsoft.AzureStackHCI/LogicalNetworks/join/action Joins a logical network resource
Microsoft.AzureStackHCI/GalleryImages/Read Gets/lists gallery image resources
Microsoft.AzureStackHCI/GalleryImages/deploy/action Deploys a gallery image resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage containers resources
Microsoft.AzureStackHCI/StorageContainers/deploy/action Deploys a storage containers resource
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/lists marketplace gallery image resources
Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action Deploys a marketplace gallery image resource
Microsoft.AzureStackHCI/Clusters/Read Gets clusters
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read Gets the Arc resource of an HCI cluster
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/deployments/delete Deletes a deployment.
Microsoft.Resources/deployments/cancel/action Cancels a deployment.
Microsoft.Resources/deployments/validate/action Validates a deployment.
Microsoft.Resources/deployments/whatIf/action Predicts template deployment changes.
Microsoft.Resources/deployments/exportTemplate/action Exports the template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.HybridCompute/machines/read Read any Azure Arc machine
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades extensions on Azure Arc machines
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machine for missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machine
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extension
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Reads all operations for Azure Arc for servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on the Microsoft.HybridCompute resource provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Reads the hybrid identity metadata of any Azure Arc machine
Microsoft.HybridCompute/osType/agentVersions/read Reads all available Azure Connected Machine Agent versions
Microsoft.HybridCompute/osType/agentVersions/latest/read Reads the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/write Installs or updates Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/delete Deletes Azure Arc runcommands
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc license
Microsoft.HybridCompute/licenses/write Installs or updates an Azure Arc license
Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc license
Microsoft.ExtendedLocation/customLocations/Read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.KubernetesConfiguration/extensions/read Gets an extension instance resource.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to perform all VM actions",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",
  "name": "874d1c73-6003-4e60-a13a-cb31ea190a85",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/*",
        "Microsoft.AzureStackHCI/virtualMachineInstances/*",
        "Microsoft.AzureStackHCI/NetworkInterfaces/*",
        "Microsoft.AzureStackHCI/VirtualHardDisks/*",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/join/action",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/join/action",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/GalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/StorageContainers/deploy/action",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ExtendedLocation/customLocations/Read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.KubernetesConfiguration/extensions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Reader

Grants permissions to view VMs

Learn more

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/Read Gets/lists virtual machine resources
Microsoft.AzureStackHCI/virtualMachineInstances/Read Gets/lists virtual machine instance resources
Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read Gets/lists virtual machine extension resources
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/lists virtual network resources
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/lists logical network resources
Microsoft.AzureStackHCI/NetworkInterfaces/Read Gets/lists network interface resources
Microsoft.AzureStackHCI/VirtualHardDisks/Read Gets/lists virtual hard disk resources
Microsoft.AzureStackHCI/StorageContainers/Read Gets/lists storage containers resources
Microsoft.AzureStackHCI/GalleryImages/Read Gets/lists gallery image resources
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/lists marketplace gallery image resources
Microsoft.HybridCompute/licenses/read Reads any Azure Arc license
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extension
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/machines/read Read any Azure Arc machine
Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read Reads any Azure Arc networkSecurityPerimeterConfigurations
Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read Reads any Azure Arc privateEndpointConnections
Microsoft.HybridCompute/privateLinkScopes/read Reads any Azure Arc privateLinkScopes
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/exportTemplate/action Exports the template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to view VMs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/Read",
        "Microsoft.AzureStackHCI/virtualMachineInstances/Read",
        "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/NetworkInterfaces/Read",
        "Microsoft.AzureStackHCI/VirtualHardDisks/Read",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read",
        "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions Description
Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read Gets the properties of an Azure Stack Marketplace product
Microsoft.AzureStack/registrations/read Gets the properties of an Azure Stack registration
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps