
Azure built-in roles

Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.

This article lists the Azure built-in roles. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles.

The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the control and data planes, see Understand Azure role definitions.


Built-in role | Description | ID
General
Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c
Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7
Role Based Access Control Administrator | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | f58310d9-a9f6-439a-9e8d-f62e7b41a168
User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
Compute
Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb
Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, and to read or export data of managed disks (not attached to running VMs) and snapshots, using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e
Disk Backup Reader | Provides permission to a Backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24
Disk Pool Operator | Provides permission to the StoragePool resource provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840
Disk Restore Operator | Provides permission to a Backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13
Disk Snapshot Contributor | Provides permission to a Backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce
Virtual Machine Administrator Login | View virtual machines in the portal and log in as administrator. | 1c0163c0-47e6-4577-8991-ea5c82e286e4
Virtual Machine Contributor | Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
Virtual Machine Data Access Administrator (preview) | Manage access to virtual machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04
Virtual Machine User Login | View virtual machines in the portal and log in as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52
Windows Admin Center Administrator Login | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f
Networking
Azure Front Door Domain Contributor | Can manage Azure Front Door domains, but can't grant access to other users. | 0ab34830-df19-4f8c-b84e-aa85b8afa6e8
Azure Front Door Domain Reader | Can view Azure Front Door domains, but can't make changes. | 0f99d363-226e-4dca-9920-b807cf8e1a5f
Azure Front Door Profile Reader | Can view AFD Standard and Premium profiles and their endpoints, but can't make changes. | 662802e2-50f6-46b0-aed2-e834bacc6d12
Azure Front Door Secret Contributor | Can manage Azure Front Door secrets, but can't grant access to other users. | 3f2eb865-5811-4578-b90a-6fc6fa0df8e5
Azure Front Door Secret Reader | Can view Azure Front Door secrets, but can't make changes. | 0db238c4-885e-4c4f-a933-aa2cef684fca
CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45
CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd
CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432
CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af
Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f
DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314
Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7
Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f
Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7
Storage
Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a
Avere Operator | Used by the Avere vFXT cluster to manage the cluster. | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9
Backup Contributor | Lets you manage the backup service, but can't create vaults or give access to others. | 5e467623-bb1f-42f4-a55d-6e525e11384b
Backup Operator | Lets you manage backup services, except removal of backups, vault creation, and giving access to others. | 00c29273-979b-4161-815c-10b084fb9324
Backup Reader | Can view backup services, but can't make changes. | a795c7a0-d4a2-40c1-ae25-d81f01202912
Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on classic storage accounts. | 985d6b00-f706-48f5-a6fe-d0ca12fb668d
Data Box Contributor | Lets you manage everything under the Data Box service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5
Data Box Reader | Lets you manage the Data Box service except creating orders, editing order details, and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027
Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs, but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88
Defender for Storage Data Scanner | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40
Elastic SAN Owner | Allows full access to all resources under Azure Elastic SAN, including changing network security policies to unblock data path access. | 80dcbedb-47ef-405d-95bd-188a1b4ac406
Elastic SAN Reader | Allows control path read access to Azure Elastic SAN. | af6a70f8-3c9f-4105-acf1-d719e9fca4ca
Elastic SAN Volume Group Owner | Allows full access to a volume group in Azure Elastic SAN, including changing network security policies to unblock data path access. | a8281131-f312-4f34-8d98-ae12be9f0d23
Reader and Data Access | Lets you view everything, but does not let you delete or create a storage account or contained resource. It also allows read/write access to all data contained in a storage account via access to the storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349
Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1
Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab
Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12
Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | ba92f5b4-2d11-453d-a403-e96b0029c9fe
Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b
Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. | db58b8e5-c6ad-4a2a-8342-4190687cbf4a
Storage File Data Privileged Contributor | Allows read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | 69566ab7-960f-475b-8e7c-b3118f30c6bd
Storage File Data Privileged Reader | Allows read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | b8eda974-7b85-4f76-af95-65846b26df6d
Storage File Data SMB Share Contributor | Allows read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb
Storage File Data SMB Share Elevated Contributor | Allows read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7
Storage File Data SMB Share Reader | Allows read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314
Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88
Storage Queue Data Message Processor | Peek, retrieve, and delete messages from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 8a0f0c08-91a1-4084-bc3d-661d67233fed
Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a
Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 19e7f393-937e-4f77-808e-94535e297925
Storage Table Data Contributor | Allows read, write, and delete access to Azure Storage tables and entities. | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3
Storage Table Data Reader | Allows read access to Azure Storage tables and entities. | 76199698-9eea-4c19-bc75-cec21354c6b6
Web
Azure Maps Data Contributor | Grants read, write, and delete access to map-related data from an Azure Maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204
Azure Maps Data Reader | Grants read access to map-related data from an Azure Maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa
Azure Spring Cloud Config Server Contributor | Allows read, write, and delete access to Azure Spring Cloud Config Server. | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b
Azure Spring Cloud Config Server Reader | Allows read access to Azure Spring Cloud Config Server. | d04c6db6-4947-4782-9e91-30a88feb7be7
Azure Spring Cloud Data Reader | Allows read access to Azure Spring Cloud data. | b5537268-8956-4941-a8f0-646150406f0c
Azure Spring Cloud Service Registry Contributor | Allows read, write, and delete access to Azure Spring Cloud Service Registry. | f5880b48-c26d-48be-b172-7927bfa1c8f1
Azure Spring Cloud Service Registry Reader | Allows read access to Azure Spring Cloud Service Registry. | cff1b556-2399-4e7e-856d-a8f754be7b65
Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466
Media Services Live Events Administrator | Create, read, modify, and delete live events, assets, asset filters, and streaming locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77
Media Services Media Operator | Create, read, modify, and delete assets, asset filters, streaming locators, and jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c
Media Services Policy Administrator | Create, read, modify, and delete account filters, streaming policies, content key policies, and transforms; read-only access to other Media Services resources. Cannot create jobs, assets, or streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae
Media Services Streaming Endpoints Administrator | Create, read, modify, and delete streaming endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804
Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7
Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f
Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0
SignalR AccessKey Reader | Read SignalR Service access keys. | 04165923-9d83-45d5-8227-78b77b0a687e
SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7
SignalR REST API Owner | Full access to Azure SignalR Service REST APIs. | fd53cd77-2268-407a-8f46-7e7863d0f521
SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs. | ddde6b66-c0df-4114-a159-3618637b3035
SignalR Service Owner | Full access to Azure SignalR Service REST APIs. | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3
SignalR/Web PubSub Contributor | Create, read, update, and delete SignalR Service resources. | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761
Web Plan Contributor | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
Website Contributor | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772
Containers
AcrDelete | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter | Push quarantined images to or pull quarantined images from a container registry. | c8d4ff99-41c3-41a8-9f60-21dfdad59608
Azure Kubernetes Fleet Manager RBAC Admin | This role grants admin access: write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope gives access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba
Azure Kubernetes Fleet Manager RBAC Cluster Admin | Lets you manage all resources in the fleet manager cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69
Azure Kubernetes Fleet Manager RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80
Azure Kubernetes Fleet Manager RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683
Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. | 1afdec4b-e479-420e-99e7-f82237c7c5e6
Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f
Azure Kubernetes Service Contributor Role | Grants read and write access to Azure Kubernetes Service clusters. | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
Azure Kubernetes Service RBAC Admin | Lets you manage all resources under the cluster/namespace, except update or delete of resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7
Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope gives access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope gives access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
Databases
Azure Connected SQL Server Onboarding | Allows read and write access to Azure resources for SQL Server on Arc-enabled servers. | e8113dce-c529-4d33-91fa-e9b972617508
Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8
Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa
CosmosBackupOperator | Can submit a restore request for a Cosmos DB database or container for an account. | db7b14f2-5adf-42da-9f96-f2ee17bab5cb
CosmosRestoreOperator | Can perform restore actions for Cosmos DB database accounts in continuous backup mode. | 5432c526-bc82-444a-b7ba-57c5b0b5b34f
DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450
Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17
SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec
SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d
SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3
SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
Analytics
Azure Event Hubs Data Owner | Allows full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec
Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde
Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975
Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5
Data Purger | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90
HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a
HDInsight Domain Services Contributor | Can read, create, modify, and delete Domain Services related operations needed for the HDInsight Enterprise Security Package. | 8d8d5a11-05d3-4bda-a417-a08778121c7c
Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293
Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893
Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25
Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2
Stream Analytics Query Tester | Lets you perform query testing without creating a Stream Analytics job first. | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf
AI + machine learning
AzureML Compute Operator | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | e503ece1-11d0-4e8e-8e2c-7a6c3bf38815
AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121
Cognitive Services Contributor | Lets you create, read, update, delete, and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68
Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3
Cognitive Services Custom Vision Deployment | Publish, unpublish, or export models. Deployment can view the project but can't update it. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f
Cognitive Services Custom Vision Labeler | View and edit training images, and create, add, remove, or delete image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c
Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73
Cognitive Services Custom Vision Trainer | View and edit projects and train models, including the ability to publish, unpublish, and export models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b
Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c
Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find-similar operations on the Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following least-privilege best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7
Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system-level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a
Cognitive Services OpenAI Contributor | Full access, including the ability to fine-tune, deploy, and generate text. | a001fd3d-188f-4b5d-821b-7da978bf7442
Cognitive Services OpenAI User | Read access to view files, models, and deployments. The ability to create completion and embedding calls. | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd
Cognitive Services QnA Maker Editor | Lets you create, edit, import, and export a knowledge base. You cannot publish or delete a knowledge base. | f4cc2bf9-21be-47a1-bdf1-5c5804381025
Cognitive Services QnA Maker Reader | Lets you read and test a knowledge base only. | 466ccd10-b268-4a11-b098-b4849f024126
Cognitive Services Usages Reader | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2
Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908
Internet of things
Device Update Administrator | Gives you full access to management and content operations. | 02ca0879-e8e4-47a5-a61e-5c618b76e64a
Device Update Content Administrator | Gives you full access to content operations. | 0378884a-3af5-44ab-8323-f5b22f9f3c98
Device Update Content Reader | Gives you read access to content operations, but does not allow making changes. | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b
Device Update Deployments Administrator | Gives you full access to management operations. | e4237640-0e3d-4a46-8fda-70bc94856432
Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes. | 49e2f5d2-7741-4835-8efa-19e1fe35e47f
Device Update Reader | Gives you read access to management and content operations, but does not allow making changes. | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f
IoT Hub Data Contributor | Allows full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f
IoT Hub Data Reader | Allows full read access to IoT Hub data-plane properties. | b447c946-2db7-41ec-983d-d8bf3b1c77e3
IoT Hub Registry Contributor | Allows full access to the IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47
IoT Hub Twin Contributor | Allows read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c
Mixed reality
Remote Rendering Administrator | Provides the user with conversion, manage session, rendering, and diagnostics capabilities for Azure Remote Rendering. | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e
Remote Rendering Client | Provides the user with manage session, rendering, and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a
Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them. | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827
Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them. | 70bbe301-9835-447d-afdd-19eb3167307c
Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account. | 5d51204f-eb77-4b1c-b86a-2ec626c49413
Integration
API Management Service Contributor | Can manage the service and the APIs. | 312a565d-c81f-4fd8-895a-4e21e48d571c
API Management Service Operator Role | Can manage the service, but not the APIs. | e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role | Read-only access to the service and APIs. | 71522526-b88f-4d52-b57f-d31fc3546d0d
API Management Service Workspace API Developer | Has read access to tags and products and write access to allow assigning APIs to products and assigning tags to products and APIs. This role should be assigned at the service scope. | 9565a273-41b9-4368-97d2-aeb0c976a9b3
API Management Service Workspace API Product Manager | Has the same access as API Management Service Workspace API Developer, plus read access to users and write access to allow assigning users to groups. This role should be assigned at the service scope. | d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da
API Management Workspace API Developer | Has read access to entities in the workspace and read/write access to entities for editing APIs. This role should be assigned at the workspace scope. | 56328988-075d-4c6a-8766-d93edd6725b6
API Management Workspace API Product Manager | Has read access to entities in the workspace and read/write access to entities for publishing APIs. This role should be assigned at the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f
API Management Workspace Contributor | Can manage the workspace and view, but not modify, its members. This role should be assigned at the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799
API Management Workspace Reader | Has read-only access to entities in the workspace. This role should be assigned at the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2
App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b
App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071
Azure Relay Listener | Allows listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d
Azure Relay Owner | Allows full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38
Azure Relay Sender | Allows send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d
Azure Service Bus Data Owner | Allows full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419
Azure Service Bus Data Receiver | Allows receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0
Azure Service Bus Data Sender | Allows send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39
Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a
EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de
EventGrid Data Sender | Allows send access to Event Grid events. | d5a91429-5739-47e2-a06b-3470a27159e7
EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443
EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405
FHIR Data Contributor | Role allows a user or principal full access to FHIR data. | 5a1fc7df-4bf1-4951-a576-89034ee01acd
FHIR Data Exporter | Role allows a user or principal to read and export FHIR data. | 3db33094-8700-4567-8da5-1501d4e7e843
FHIR Data Importer | Role allows a user or principal to read and import FHIR data. | 4465e953-8ced-4406-a58e-0f6e3f3b530b
FHIR Data Reader | Role allows a user or principal to read FHIR data. | 4c8d0bbc-75d3-4935-991f-5f3c56d81508
FHIR Data Writer | Role allows a user or principal to read and write FHIR data. | 3f88fce4-5892-4214-ae73-ba5294559913
Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8
Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts, and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec
Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e
Logic App Contributor | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e
Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe
Identity
Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations. | eeaeda52-9324-47f6-8069-5d5bade478b2
Domain Services Reader | Can view Azure AD Domain Services and related network configurations. | 361898ef-9ed1-48c2-849c-a832951106bb
Managed Identity Contributor | Create, read, update, and delete user-assigned identities. | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
Managed Identity Operator | Read and assign user-assigned identities. | f1a07417-d97a-45cb-824c-7a7467783830
Security
App Compliance Automation Administrator | Create, read, download, modify, and delete report objects and related resource objects. | 0f37683f-2463-46b6-9ce7-9b788b988ba2
App Compliance Automation Reader | Read and download report objects and related resource objects. | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e
Attestation Contributor | Can read, write, or delete the attestation provider instance. | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e
Attestation Reader | Can read the attestation provider properties. | fd1bd22b-8476-40bc-a0bc-69b95687b9f3
Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985
Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395
Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603
Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6
Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424
Key Vault Data Access Administrator (preview) | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8
Key Vault Reader | Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2
Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7
Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6
Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d
Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a
Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade
Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | 51d6186e-6489-4900-b93f-92e23144cca5
Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb
Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056
Security Admin | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role, and can also update the security policy and dismiss alerts and recommendations. For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. | fb1c8493-542b-48eb-b624-b4c8fea62acd
Security Assessment Contributor | Lets you push assessments to Microsoft Defender for Cloud. | 612c2aa1-cb24-443b-ac28-3ab7272de6f5
Security Manager (Legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10
Security Reader | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. | 39bc4728-0917-49c7-9d2c-d95423bc2eb4
DevOps
DevTest Labs User | Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64
Lab Assistant | Enables you to view an existing lab, perform actions on the lab VMs, and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1
Lab Contributor | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270
Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead
Lab Operator | Gives you limited ability to manage existing labs. | a36e6959-b6be-4b12-8e9f-ef4b474d304d
Lab Services Contributor | Enables you to fully control all Lab Services scenarios in the resource group. | f69b8690-cc87-41d6-b77a-a4bc3c0a966f
Lab Services Reader | Enables you to view, but not change, all lab plans and lab resources. | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc
Monitor
Application Insights Component Contributor | Can manage Application Insights components. | ae349356-3a1b-4a5e-921d-050484c6347e
Application Insights Snapshot Debugger | Gives the user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b
Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa
Monitoring Metrics Publisher | Enables publishing metrics against Azure resources. | 3913510d-42f4-4e42-8a64-420c390055eb
Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05
Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad
Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d
Management and governance
Automation Contributor | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867
Automation Job Operator | Create and manage jobs using Automation runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f
Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs. | d3881f73-407a-4167-8283-e981cbba0404
Automation Runbook Operator | Read runbook properties, to be able to create jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd
Azure Arc Kubernetes Admin | Lets you manage all resources under the cluster/namespace, except update or delete of resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96
Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2
Azure Arc Kubernetes Viewer | Lets you view all resources in the cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4
Azure Arc Kubernetes Writer | Lets you update everything in the cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1
Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7
Azure Connected Machine Resource Administrator | Can read, write, delete, and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302
Billing Reader | Allows read access to billing data. | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4
Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090
Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports). | 434105ed-43f6-45c7-a02f-909b2ba83430
Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports). | 72fafb9e-0641-4937-9268-a91bfd8191a3
Hierarchy Settings Administrator | Allows users to edit and delete hierarchy settings. | 350f8d15-c687-4448-8ae1-157740a3936d
Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resources. | 34e09817-6cbe-4d01-b1a2-e0eac5743d41
Kubernetes Extension Contributor | Can create, update, get, list, and delete Kubernetes extensions, and get extension async operations. | 85cb6faf-e071-4c9b-8136-154b5a04f717
Managed Application Contributor Role | Allows creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e
Managed Application Operator Role | Lets you read and perform actions on managed application resources. | c7393b34-138c-406f-901b-d8cf2b17e6ae
Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44
Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46
Management Group Contributor | Management Group Contributor role. | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c
Management Group Reader | Management Group Reader role. | ac63b705-f282-497d-ac71-919bf39d939d
New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237
Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84
Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125
Reservation Purchaser | Lets you purchase reservations. | f7b75c60-3036-4b75-91c3-6b41c27c1689
Resource Policy Contributor | Users with rights to create/modify resource policy, create support tickets, and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608
Site Recovery Contributor | Lets you manage the Site Recovery service except vault creation and role assignment. | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567
Site Recovery Operator | Lets you fail over and fail back, but not perform other Site Recovery management operations. | 494ae006-db33-4328-bf46-533a6560a3ca
Site Recovery Reader | Lets you view Site Recovery status, but not perform other management operations. | dbaa88c4-0c30-4179-9fb3-46319faa6149
Support Request Contributor | Lets you create and manage support requests. | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e
Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f
Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. | 1c9b6475-caf0-4164-b5a1-2142a7116f4b
Template Spec Reader | Allows read access to Template Specs at the assigned scope. | 392ae280-861d-42bd-9ea5-08ee6d83b80e
Virtual desktop infrastructure
Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization application group. | 86240b0e-9422-4c43-887b-b61143f32ba8
Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization application group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55
Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387
Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization host pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc
Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization host pool. | ceadfde2-b300-400a-ab7b-6143895aa822
Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868
Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization session host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408
Desktop Virtualization User | Allows the user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63
Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization user session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6
Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b
Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d
Other
Azure Digital Twins Data Owner | Full access role for the Digital Twins data plane. | bcd981a7-7f74-457b-83e1-cceb9e632ffe
Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties. | d57506d4-4c8d-48b1-8587-93c323f6a5a3
BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342
Grafana Admin | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41
Grafana Editor | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f
Grafana Viewer | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769
Load Test Contributor | View, create, update, delete, and execute load tests. View and list load test resources, but cannot make any changes to them. | 749a398d-560b-491b-bb21-08924219302e
Load Test Owner | Execute all operations on load test resources and load tests. | 45bb0b16-2f0c-4e78-afaa-a07599b003f6
Load Test Reader | View and list all load tests and load test resources, but cannot make any changes. | 3ae3fb29-0000-4ccd-bf80-542e7b26e081
Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94
Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b

General

Contributor

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Learn more

Actions | Description
* | Create and manage resources of all types
NotActions
Microsoft.Authorization/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions
Microsoft.Authorization/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions
Microsoft.Authorization/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope
Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint assignments
Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint assignments
Microsoft.Compute/galleries/share/action | Shares a gallery to different scopes
Microsoft.Purview/consents/write | Create or update a consent resource.
Microsoft.Purview/consents/delete | Delete a consent resource.
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
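The Contributor definition above is the clearest illustration of the rule stated in the introduction: effective control-plane permissions are Actions minus NotActions, data-plane permissions are DataActions minus NotDataActions, and the two lists never mix. Contributor's Actions entry is `*`, yet it cannot create a role assignment because `Microsoft.Authorization/*/Write` is subtracted, and its empty DataActions mean `*` never reaches blob or queue contents. The following is an added example, not code from the Azure documentation: it encodes that evaluation in Python and runs it against the Contributor definition copied from this page and a reduced Reader definition. The wildcard and case-insensitive matching reflect how Azure operation strings are documented to match; the function names and the `explain` helper are this example's own.

```python
"""Evaluate Azure RBAC role definitions offline (added example, not Azure's code).

Rule encoded: effective Actions = Actions minus NotActions; effective
DataActions = DataActions minus NotDataActions; '*' is a wildcard that may span
'/' separators; matching is case-insensitive. CONTRIBUTOR is copied from the
role definition JSON on this page; READER keeps only the fields used here.
"""
import re

CONTRIBUTOR = {
    "roleName": "Contributor",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
            "Microsoft.Purview/consents/write",
            "Microsoft.Purview/consents/delete",
        ],
        "dataActions": [],
        "notDataActions": [],
    }],
}

READER = {
    "roleName": "Reader",
    "permissions": [{"actions": ["*/read"], "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}


def _matches(pattern: str, operation: str) -> bool:
    """True if a permission string with '*' wildcards covers an operation name.

    re.escape turns '*' into '\\*', which is then widened to '.*' so that
    'Microsoft.Authorization/*/Write' covers 'Microsoft.Authorization/roleAssignments/write'.
    """
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def _allowed(role: dict, operation: str, allow_key: str, deny_key: str) -> bool:
    # A role definition may carry several permission entries; grants and
    # exclusions are collected across all of them before the subtraction.
    granted = denied = False
    for perm in role["permissions"]:
        granted |= any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied |= any(_matches(p, operation) for p in perm.get(deny_key, []))
    return granted and not denied


def allows_action(role: dict, operation: str) -> bool:
    """Control-plane check: Actions minus NotActions."""
    return _allowed(role, operation, "actions", "notActions")


def allows_data_action(role: dict, operation: str) -> bool:
    """Data-plane check: DataActions minus NotDataActions, independent of Actions."""
    return _allowed(role, operation, "dataActions", "notDataActions")


def explain(role: dict, operation: str) -> str:
    """One-line verdict that names the NotActions entry responsible for a denial."""
    if allows_action(role, operation):
        return f"{role['roleName']}: ALLOW {operation}"
    blockers = [p for perm in role["permissions"]
                for p in perm.get("notActions", []) if _matches(p, operation)]
    if blockers:
        return f"{role['roleName']}: DENY {operation} (excluded by {blockers[0]})"
    return f"{role['roleName']}: DENY {operation} (not granted)"


if __name__ == "__main__":
    for op in ("Microsoft.Compute/virtualMachines/write",
               "Microsoft.Authorization/roleAssignments/write",
               "Microsoft.Authorization/roleAssignments/read",
               "Microsoft.Authorization/elevateAccess/action"):
        print(explain(CONTRIBUTOR, op))
    # Contributor has no DataActions, so '*' in Actions does not reach blob contents.
    print(allows_data_action(CONTRIBUTOR,
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"))
```

Note that the exclusion `Microsoft.Authorization/*/Write` is spelled with a capital W while the operation a client sends is `roleAssignments/write`; a matcher that compared case-sensitively would wrongly report that Contributor can assign roles, which is why the example lowercases both sides.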

Owner

Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Learn more

Actions | Description
* | Create and manage resources of all types
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reader

View all resources, but does not allow you to make any changes. Learn more

Actions | Description
*/read | Read resources of all types, except secrets.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Role Based Access Control Administrator

Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.

Actions | Description
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope.
*/read | Read resources of all types, except secrets.
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Role Based Access Control Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

User Access Administrator

Lets you manage user access to Azure resources. Learn more

Actions | Description
*/read | Read resources of all types, except secrets.
Microsoft.Authorization/* | Manage authorization
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
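Owner, User Access Administrator and Role Based Access Control Administrator are the three General roles whose effective Actions include `Microsoft.Authorization/roleAssignments/write` (through `*`, through `Microsoft.Authorization/*`, and explicitly, respectively), so a holder at a broad scope can grant any further access below that scope. Below is an added example, not code from the Azure documentation, that scans an exported list of role assignments for those three role definition IDs (the IDs are the ones in the table above) and ranks each hit by scope breadth and principal type. The assignment records are constructed sample data in the shape of the `roleAssignments` resource properties; the severity rule (a non-user principal at subscription scope or above ranks highest, because it is a credential rather than a person behind MFA) is this example's own policy, not an Azure recommendation.

```python
"""Flag role assignments that can grant further access (added example, not Azure's code).

The three GUIDs are the Owner, User Access Administrator and Role Based Access
Control Administrator IDs listed on this page. SAMPLE_ASSIGNMENTS is constructed
data shaped like roleAssignments properties (principalId, principalType,
roleDefinitionId, scope); every other GUID and name in it is made up.
"""

ASSIGNMENT_GRANTING_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "f58310d9-a9f6-439a-9e8d-f62e7b41a168": "Role Based Access Control Administrator",
}

BROAD_SCOPES = {"root", "managementGroup", "subscription"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"          # constructed
ROLE_DEFS = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"

# Constructed sample export. Built-in role definition IDs appear with or
# without a subscription prefix and in either letter case, as in real exports.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEFS + "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "scope": SUB},
    {"principalId": "bbbbbbbb-0000-0000-0000-000000000002", "principalType": "User",
     "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/18D7D88D-D35E-4FB5-A5C3-7773C20A72D9",
     "scope": "/providers/Microsoft.Management/managementGroups/contoso-root"},
    {"principalId": "cccccccc-0000-0000-0000-000000000003", "principalType": "Group",
     "roleDefinitionId": ROLE_DEFS + "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": "dddddddd-0000-0000-0000-000000000004", "principalType": "User",
     "roleDefinitionId": ROLE_DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c", "scope": SUB},  # Contributor
    {"principalId": "eeeeeeee-0000-0000-0000-000000000005", "principalType": "ServicePrincipal",
     "roleDefinitionId": ROLE_DEFS + "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",            # Storage Blob Data Reader
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp"},
]


def role_definition_guid(role_definition_id: str) -> str:
    """The role GUID is the last path segment of roleDefinitionId, whatever the prefix."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()


def scope_kind(scope: str) -> str:
    """Classify an Azure scope string by how much of the hierarchy it covers."""
    s = scope.lower()
    if s == "/":
        return "root"
    if s.startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    parts = [p for p in s.split("/") if p]
    if not parts or parts[0] != "subscriptions":
        return "unknown"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def severity(kind: str, principal_type: str) -> str:
    """Example policy: broad scope held by a non-user principal ranks highest."""
    if kind not in BROAD_SCOPES:
        return "low"
    return "medium" if principal_type == "User" else "high"


def find_assignment_granting(assignments: list) -> list:
    """Return findings for assignments of the three assignment-granting roles, highest severity first."""
    findings = []
    for a in assignments:
        role = ASSIGNMENT_GRANTING_ROLES.get(role_definition_guid(a["roleDefinitionId"]))
        if role is None:
            continue
        kind = scope_kind(a["scope"])
        findings.append({
            "principalId": a["principalId"],
            "principalType": a["principalType"],
            "role": role,
            "scope": a["scope"],
            "scopeKind": kind,
            "severity": severity(kind, a["principalType"]),
        })
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["principalId"]))


if __name__ == "__main__":
    for f in find_assignment_granting(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['principalType']} {f['principalId']} "
              f"holds {f['role']} at {f['scopeKind']} scope {f['scope']}")
```

The Contributor assignment in the sample is deliberately not flagged: as the definition above shows, Contributor's NotActions subtract `Microsoft.Authorization/*/Write`, so it cannot create role assignments even at subscription scope. A real export would come from the role assignments API or CLI; only the shape of the records is assumed here.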

Compute

Classic Virtual Machine Contributor

Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.

Actions | Description
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.ClassicCompute/domainNames/* | Create and manage classic compute domain names
Microsoft.ClassicCompute/virtualMachines/* | Create and manage virtual machines
Microsoft.ClassicNetwork/networkSecurityGroups/join/action |
Microsoft.ClassicNetwork/reservedIps/link/action | Link a reserved IP
Microsoft.ClassicNetwork/reservedIps/read | Gets the reserved IPs
Microsoft.ClassicNetwork/virtualNetworks/join/action | Joins the virtual network.
Microsoft.ClassicNetwork/virtualNetworks/read | Get the virtual network.
Microsoft.ClassicStorage/storageAccounts/disks/read | Returns the storage account disk.
Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages')
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Operator for Managed Disks

Provides permissions to upload data to empty managed disks, and to read or export data of managed disks (not attached to running VMs) and snapshots, using SAS URIs and Azure AD authentication.

Actions Description
NotActions
DataActions
Microsoft.Compute/disks/download/action Perform read data operations on a disk SAS URI
Microsoft.Compute/disks/upload/action Perform write data operations on a disk SAS URI
Microsoft.Compute/snapshots/download/action Perform read data operations on a snapshot SAS URI
Microsoft.Compute/snapshots/upload/action Perform write data operations on a snapshot SAS URI
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
  "name": "959f8984-c045-4866-89c7-12bf9737be2e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/disks/download/action",
        "Microsoft.Compute/disks/upload/action",
        "Microsoft.Compute/snapshots/download/action",
        "Microsoft.Compute/snapshots/upload/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Data Operator for Managed Disks",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Backup Reader

Provides permission to the backup vault to perform disk backup. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/disks/read Get the properties of a disk
Microsoft.Compute/disks/beginGetAccess/action Get the SAS URI of the disk for blob access
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk backup.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Pool Operator

Used by the StoragePool resource provider to manage disks added to a disk pool.

Actions Description
Microsoft.Compute/disks/write Creates a new disk or updates an existing one
Microsoft.Compute/disks/read Get the properties of a disk
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Pool Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Restore Operator

Provides permission to the backup vault to perform disk restore. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Compute/disks/write Creates a new disk or updates an existing one
Microsoft.Compute/disks/read Get the properties of a disk
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk restore.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
  "name": "b50d9833-a0cb-478e-945f-707fcc997c13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Restore Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Disk Snapshot Contributor

Provides permission to the backup vault to manage disk snapshots. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Compute/snapshots/delete Delete a snapshot
Microsoft.Compute/snapshots/write Create a new snapshot or update an existing one
Microsoft.Compute/snapshots/read Get the properties of a snapshot
Microsoft.Compute/snapshots/beginGetAccess/action Get the SAS URI of the snapshot for blob access
Microsoft.Compute/snapshots/endGetAccess/action Revoke the SAS URI of the snapshot
Microsoft.Compute/disks/beginGetAccess/action Get the SAS URI of the disk for blob access
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/write Creates a storage account with the specified parameters, or updates the properties or tags, or adds a custom domain for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/delete Deletes an existing storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Snapshot Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Administrator Login

View virtual machines in the portal and log in as administrator. Learn more

Actions Description
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.HybridConnectivity/endpoints/listCredentials/action List the endpoint access credentials to the resource.
NotActions
DataActions
Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user
Microsoft.Compute/virtualMachines/loginAsAdmin/action Log in to a virtual machine with Windows administrator or Linux root user privileges
Microsoft.HybridCompute/machines/login/action Log in to an Azure Arc machine as a regular user
Microsoft.HybridCompute/machines/loginAsAdmin/action Log in to an Azure Arc machine with Windows administrator or Linux root user privileges
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as administrator",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        "Microsoft.HybridCompute/machines/login/action",
        "Microsoft.HybridCompute/machines/loginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Contributor

Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/availabilitySets/* Create and manage compute availability sets
Microsoft.Compute/locations/* Create and manage compute locations
Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
Microsoft.Compute/virtualMachineScaleSets/* Create and manage virtual machine scale sets
Microsoft.Compute/cloudServices/*
Microsoft.Compute/disks/write Creates a new disk or updates an existing one
Microsoft.Compute/disks/read Get the properties of a disk
Microsoft.Compute/disks/delete Deletes the disk
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/applicationGateways/backendAddressPools/join/action Joins an application gateway backend address pool. Not alertable.
Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatPools/join/action Joins a load balancer inbound NAT pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound NAT rule. Not alertable.
Microsoft.Network/loadBalancers/probes/join/action Allows using probes of a load balancer. For example, with this permission the healthProbe property of a VM scale set can reference the probe. Not alertable.
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/locations/* Create and manage network locations
Microsoft.Network/networkInterfaces/* Create and manage network interfaces
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not alertable.
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/publicIPAddresses/join/action Joins a public IP address. Not alertable.
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not alertable.
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup protection intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the protected item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup protected item
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all protection policies
Microsoft.RecoveryServices/Vaults/backupPolicies/write Creates a protection policy
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/write The Create Vault operation creates an Azure resource of type 'vault'
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.SerialConsole/serialPorts/connect/action Connect to a serial port
Microsoft.SqlVirtualMachine/*
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Compute/cloudServices/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.DevTestLab/schedules/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SerialConsole/serialPorts/connect/action",
        "Microsoft.SqlVirtualMachine/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Data Access Administrator (preview)

Manage access to virtual machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.

Actions Description
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) Add or remove role assignments for the following roles:
Virtual Machine Administrator Login
Virtual Machine User Login
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
    "properties": {
        "roleName": "Virtual Machine Data Access Administrator (preview)",
        "description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Management/managementGroups/read",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/loadBalancers/read",
                    "Microsoft.Network/networkInterfaces/read",
                    "Microsoft.Compute/virtualMachines/*/read",
                    "Microsoft.HybridCompute/machines/*/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Support/*"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
                "conditionVersion": "2.0",
                "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))"
            }
        ]
    }
}
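The condition on this role is what keeps `Microsoft.Authorization/roleAssignments/write` from being a general grant: without it, the holder could assign any role at the scope, so the condition checks the RoleDefinitionId of the incoming request (for writes) or of the existing assignment (for deletes) against the two login role IDs, and lets every other action in the role through untouched. The evaluator below is an added example, not code from the page or from Microsoft; it models only the condition (Azure consults a condition after the action has already matched the role's Actions, which is not repeated here) and uses the two role definition IDs from the definition above. The request and resource attribute dictionaries and the third, non-matching role ID are constructed sample values.

```python
from dataclasses import dataclass, field

# Role definition IDs named in the condition on this page.
VM_ADMIN_LOGIN_ROLE_ID = "1c0163c0-47e6-4577-8991-ea5c82e286e4"
VM_USER_LOGIN_ROLE_ID = "fb879df8-f326-4884-b1cf-06f3ad86be52"
PERMITTED_ROLE_IDS = {VM_ADMIN_LOGIN_ROLE_ID, VM_USER_LOGIN_ROLE_ID}

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
ROLE_ASSIGNMENT_DELETE = "Microsoft.Authorization/roleAssignments/delete"
ROLE_DEFINITION_ID_ATTR = "Microsoft.Authorization/roleAssignments:RoleDefinitionId"


@dataclass
class AuthorizationRequest:
    """Inputs the condition reads: the action, the @Request attributes of the
    incoming call and the @Resource attributes of the existing assignment."""
    action: str
    request: dict = field(default_factory=dict)
    resource: dict = field(default_factory=dict)


def guid_equals_any(value, guids) -> bool:
    """ForAnyOfAnyValues:GuidEquals{...}: compare the trailing GUID of `value`
    (a bare GUID or a full roleDefinitions path) against the listed GUIDs."""
    if value is None:
        return False
    return value.rsplit("/", 1)[-1].lower() in {g.lower() for g in guids}


def action_matches(req: AuthorizationRequest, action: str) -> bool:
    """ActionMatches{'...'}: case-insensitive comparison of the request's action."""
    return req.action.lower() == action.lower()


def condition_holds(req: AuthorizationRequest) -> bool:
    """Evaluate the role's ABAC condition for one request."""
    # Clause 1: for a roleAssignments/write, the role being assigned
    # (@Request RoleDefinitionId) must be one of the two login roles.
    write_ok = (not action_matches(req, ROLE_ASSIGNMENT_WRITE)) or guid_equals_any(
        req.request.get(ROLE_DEFINITION_ID_ATTR), PERMITTED_ROLE_IDS
    )
    # Clause 2: for a roleAssignments/delete, the role of the assignment being
    # removed (@Resource RoleDefinitionId) must be one of the two login roles.
    delete_ok = (not action_matches(req, ROLE_ASSIGNMENT_DELETE)) or guid_equals_any(
        req.resource.get(ROLE_DEFINITION_ID_ATTR), PERMITTED_ROLE_IDS
    )
    # Any other action satisfies both clauses through the negated ActionMatches.
    return write_ok and delete_ok


# Constructed placeholder for a role the condition does not name.
OTHER_ROLE_ID = "11111111-1111-1111-1111-111111111111"


def sample_decisions() -> dict:
    """Condition outcome for constructed sample requests, keyed by a short label."""
    cases = {
        "assign VM User Login": AuthorizationRequest(
            ROLE_ASSIGNMENT_WRITE,
            request={
                ROLE_DEFINITION_ID_ATTR: "/providers/Microsoft.Authorization/roleDefinitions/"
                + VM_USER_LOGIN_ROLE_ID
            },
        ),
        "assign some other role": AuthorizationRequest(
            ROLE_ASSIGNMENT_WRITE, request={ROLE_DEFINITION_ID_ATTR: OTHER_ROLE_ID}
        ),
        "remove VM Admin Login assignment": AuthorizationRequest(
            ROLE_ASSIGNMENT_DELETE, resource={ROLE_DEFINITION_ID_ATTR: VM_ADMIN_LOGIN_ROLE_ID}
        ),
        "remove some other assignment": AuthorizationRequest(
            ROLE_ASSIGNMENT_DELETE, resource={ROLE_DEFINITION_ID_ATTR: OTHER_ROLE_ID}
        ),
        "read role assignments": AuthorizationRequest(
            "Microsoft.Authorization/roleAssignments/read"
        ),
    }
    return {label: condition_holds(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, ok in sample_decisions().items():
        print(f"{'ALLOW' if ok else 'deny '}  {label}")
```

The write clause reads `@Request` because the role being assigned only exists in the incoming payload, while the delete clause reads `@Resource` because the role of an existing assignment is a property of the resource being removed; a condition that checked only one side would leave the other operation unconstrained.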

Virtual Machine User Login

View virtual machines in the portal and log in as a regular user. Learn more

Actions Description
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Compute/virtualMachines/*/read
Microsoft.HybridCompute/machines/*/read
Microsoft.HybridConnectivity/endpoints/listCredentials/action List the endpoint access credentials to the resource.
NotActions
DataActions
Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user
Microsoft.HybridCompute/machines/login/action Log in to an Azure Arc machine as a regular user
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as a regular user.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
  "name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.HybridCompute/machines/login/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine User Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Windows Admin Center Administrator Login

Lets you manage the OS of your resource via Windows Admin Center as an administrator. Learn more

Actions Description
Microsoft.HybridCompute/machines/*/read
Microsoft.HybridCompute/machines/extensions/*
Microsoft.HybridCompute/machines/upgradeExtensions/action Upgrades extensions on Azure Arc machines
Microsoft.HybridCompute/operations/read Read all operations for Azure Arc for Servers
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read Gets a default security rule definition
Microsoft.Network/networkWatchers/securityGroupView/action View the configured and effective network security group rules applied on a VM.
Microsoft.Network/networkSecurityGroups/securityRules/read Gets a security rule definition
Microsoft.Network/networkSecurityGroups/securityRules/write Creates a security rule or updates an existing security rule
Microsoft.HybridConnectivity/endpoints/write Create or update the endpoint to the target resource.
Microsoft.HybridConnectivity/endpoints/read Get or list the endpoints to the target resource.
Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action Fetches the managed proxy details for the resource.
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read Retrieves the summary of the latest patch assessment operation
Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read Retrieves the list of patches assessed during the last patch assessment operation
Microsoft.Compute/virtualMachines/patchInstallationResults/read Retrieves the summary of the latest patch installation operation
Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read Retrieves the list of patches attempted to be installed during the last patch installation operation
Microsoft.Compute/virtualMachines/extensions/read Get the properties of a virtual machine extension
Microsoft.Compute/virtualMachines/instanceView/read Gets the detailed runtime status of the virtual machine and its resources
Microsoft.Compute/virtualMachines/runCommands/read Get the properties of a virtual machine run command
Microsoft.Compute/virtualMachines/vmSizes/read Lists the available sizes the virtual machine can be updated to
Microsoft.Compute/locations/publishers/artifacttypes/types/read Get the properties of a VMExtension type
Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read Get the properties of a VMExtension version
Microsoft.Compute/diskAccesses/read Get the properties of a DiskAccess resource
Microsoft.Compute/galleries/images/read Gets the properties of a gallery image
Microsoft.Compute/images/read Get the properties of the image
Microsoft.AzureStackHCI/Clusters/Read Gets clusters
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read Gets the Arc resource of an HCI cluster
Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read Gets the extension resource of an HCI cluster
Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write Create or update the extension resource of an HCI cluster
Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete Delete the extension resources of an HCI cluster
Microsoft.AzureStackHCI/Operations/Read Gets operations
Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read Read virtualmachines
Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write Write the extensions resource
Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read Gets the extensions resource
NotActions
DataActions
Microsoft.HybridCompute/machines/WACLoginAsAdmin/action Lets you manage the OS of your resource via Windows Admin Center as an administrator.
Microsoft.Compute/virtualMachines/WACloginAsAdmin/action Lets you manage the OS of your resource via Windows Admin Center as an administrator
Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action Manage the OS of an HCI resource via Windows Admin Center as an administrator
Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action Lets you manage the OS of your resource via Windows Admin Center as an administrator.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
  "name": "a6333a3e-0164-44c3-b281-7a577aff287f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridCompute/machines/extensions/*",
        "Microsoft.HybridCompute/machines/upgradeExtensions/action",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.HybridConnectivity/endpoints/write",
        "Microsoft.HybridConnectivity/endpoints/read",
        "Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/runCommands/read",
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/images/read",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
        "Microsoft.AzureStackHCI/Operations/Read",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
        "Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
        "Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",
        "Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Windows Admin Center Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Networking

Azure Front Door Domain Contributor

Can manage Azure Front Door domains, but can't grant access to other users.

Actions Description
Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
Microsoft.Cdn/profiles/customdomains/read
Microsoft.Cdn/profiles/customdomains/write
Microsoft.Cdn/profiles/customdomains/delete
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure Front Door domains, but can't grant access to other users.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
  "name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
        "Microsoft.Cdn/profiles/customdomains/read",
        "Microsoft.Cdn/profiles/customdomains/write",
        "Microsoft.Cdn/profiles/customdomains/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Front Door Domain Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Domain Reader

Can view Azure Front Door domains, but can't make changes.

Actions Description
Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
Microsoft.Cdn/profiles/customdomains/read
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure Front Door domains, but can't make changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f",
  "name": "0f99d363-226e-4dca-9920-b807cf8e1a5f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
        "Microsoft.Cdn/profiles/customdomains/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Front Door Domain Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Profile Reader

Can view AFD standard and premium profiles and their endpoints, but can't make changes.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*/read
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action
Microsoft.Cdn/profiles/queryloganalyticsmetrics/action
Microsoft.Cdn/profiles/queryloganalyticsrankings/action
Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action
Microsoft.Cdn/profiles/querywafloganalyticsrankings/action
Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view AFD standard and premium profiles and their endpoints, but can't make changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-46b0-aed2-e834bacc6d12",
  "name": "662802e2-50f6-46b0-aed2-e834bacc6d12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action",
        "Microsoft.Cdn/profiles/queryloganalyticsmetrics/action",
        "Microsoft.Cdn/profiles/queryloganalyticsrankings/action",
        "Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action",
        "Microsoft.Cdn/profiles/querywafloganalyticsrankings/action",
        "Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Front Door Profile Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Secret Contributor

Can manage Azure Front Door secrets, but can't grant access to other users.

Actions Description
Microsoft.Cdn/operationresults/profileresults/secretresults/read
Microsoft.Cdn/profiles/secrets/read
Microsoft.Cdn/profiles/secrets/write
Microsoft.Cdn/profiles/secrets/delete
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure Front Door secrets, but can't grant access to other users.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
  "name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Cdn/operationresults/profileresults/secretresults/read",
        "Microsoft.Cdn/profiles/secrets/read",
        "Microsoft.Cdn/profiles/secrets/write",
        "Microsoft.Cdn/profiles/secrets/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Front Door Secret Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Secret Reader

Can view Azure Front Door secrets, but can't make changes.

Actions Description
Microsoft.Cdn/operationresults/profileresults/secretresults/read
Microsoft.Cdn/profiles/secrets/read
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure Front Door secrets, but can't make changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca",
  "name": "0db238c4-885e-4c4f-a933-aa2cef684fca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Cdn/operationresults/profileresults/secretresults/read",
        "Microsoft.Cdn/profiles/secrets/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Front Door Secret Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Endpoint Contributor

Can manage CDN endpoints, but can't grant access to other users.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN endpoints, but can't grant access to other users.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Endpoint Reader

Can view CDN endpoints, but can't make changes.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*/read
Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN endpoints, but can't make changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*/read",
        "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Contributor

Can manage CDN profiles and their endpoints, but can't grant access to other users. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Reader

Can view CDN profiles and their endpoints, but can't make changes.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*/read
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN profiles and their endpoints, but can't make changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
  "name": "8f96442b-4075-438f-813d-ad51ab4019af",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Network Contributor

Lets you manage classic networks, but not access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicNetwork/* Create and manage classic networks
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic networks, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DNS Zone Contributor

Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Network/dnsZones/* Create and manage DNS zones and records
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
  "name": "befefa01-2a29-4197-83a8-272ff33ce314",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/dnsZones/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Network Contributor

Lets you manage networks, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Network/* Create and manage networks
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage networks, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
  "name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Private DNS Zone Contributor

Lets you manage private DNS zone resources, but not the virtual networks they are linked to. Learn more

Actions Description
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
Microsoft.Network/privateDnsZones/*
Microsoft.Network/privateDnsOperationResults/*
Microsoft.Network/privateDnsOperationStatuses/*
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/privateDnsZones/*",
        "Microsoft.Network/privateDnsOperationResults/*",
        "Microsoft.Network/privateDnsOperationStatuses/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Private DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Traffic Manager Contributor

Lets you manage Traffic Manager profiles, but does not let you control who has access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Network/trafficManagerProfiles/*
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update support tickets
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/trafficManagerProfiles/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Traffic Manager Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage

Avere Contributor

Can create and manage an Avere vFXT cluster. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/proximityPlacementGroups/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/disks/*
Microsoft.Network/*/read
Microsoft.Network/networkInterfaces/*
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not Alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/*/read
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update support tickets
Microsoft.Resources/subscriptions/resourceGroups/resources/read Gets the resources for the resource group.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Avere Operator

Used by the Avere vFXT cluster to manage the cluster. Learn more

Actions Description
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/blobServices/containers/delete Returns the result of deleting a container
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns the list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of putting a blob container
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Contributor

Lets you manage the backup service, but can't create vaults or give access to others. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Manage the results of backup management operations
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Create and manage backup containers inside the backup fabrics of a Recovery Services vault
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage the results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/* Create and manage backup policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Create and manage backed up items
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Create and manage containers holding backup items
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/certificates/* Create and manage certificates related to backup in a Recovery Services vault
Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to a vault
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities
Microsoft.RecoveryServices/Vaults/usages/* Create and manage usage of a Recovery Services vault
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate an operation on a protected item
Microsoft.RecoveryServices/Vaults/write The Create Vault operation creates an Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns the Backup Operation Status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/vaults/operationStatus/read Gets the Operation Status for a given operation
Microsoft.RecoveryServices/vaults/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/locations/backupStatus/action Check the Backup Status for Recovery Services vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate features
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read The operation returns the list of operations for a resource provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets the Operation Status for a given operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.Support/* Create and update support tickets
Microsoft.DataProtection/locations/getBackupStatus/action Check the Backup Status for Recovery Services vaults
Microsoft.DataProtection/backupVaults/backupInstances/write Creates a Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/delete Deletes the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read Lists soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action Performs undelete of a soft-deleted Backup Instance. The Backup Instance moves from the SoftDeleted to the ProtectionStopped state.
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs a backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers a restore on the Backup Instance
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action Triggers a Cross Region Restore operation on the given Backup Instance.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action Performs validations for a Cross Region Restore operation.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action Lists Cross Region Restore jobs of a Backup Instance in the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Gets Cross Region Restore job details from the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from the secondary region for Backup Vaults with Cross Region Restore enabled.
Microsoft.DataProtection/backupVaults/backupPolicies/write Creates a Backup Policy
Microsoft.DataProtection/backupVaults/backupPolicies/delete Deletes the Backup Policy
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds restorable time ranges
Microsoft.DataProtection/backupVaults/write The Update Backup Vault operation updates an Azure resource of type 'Backup Vault'
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/operationResults/read Gets the Operation Result of a patch operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns the Backup Operation Status for a Backup Vault.
Microsoft.DataProtection/locations/checkNameAvailability/action Checks if the requested BackupVault name is available
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates whether a feature is supported
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/locations/operationStatus/read Returns the Backup Operation Status for a Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns the Backup Operation Result for a Backup Vault.
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of a Backup Instance
Microsoft.DataProtection/operations/read The operation returns the list of operations for a resource provider
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup service,but can't create vaults and give access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/vaults/operationStatus/read",
        "Microsoft.RecoveryServices/vaults/operationResults/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Operator

Lets you manage backup services, except removal of backup, vault creation and giving access to others. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of an operation performed on a Protection Container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Performs backup for a Protected Item.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets result of an operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of an operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Provision Instant Item Recovery for a Protected Item
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action Get the AccessToken required for Cross Region Restore.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Restore Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Revoke Instant Item Recovery for a Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get results of a policy operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate.
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/extendedInformation/write The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/registeredIdentities/write The Register Service Container operation can be used to register a container with Recovery Services.
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate an operation on a Protected Item
Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action Validate an operation on a Protected Item
Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read Validate an operation on a Protected Item
Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read Validate an operation on a Protected Item
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns backup operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get status of a policy operation.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Creates a registered container
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Do an inquiry for workloads within a container
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check backup status for Recovery Services vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate features
Microsoft.RecoveryServices/locations/backupAadProperties/read Get AAD properties for authentication in the third region for Cross Region Restore.
Microsoft.RecoveryServices/locations/backupCrrJobs/action List Cross Region Restore jobs in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrJob/action Get Cross Region Restore job details in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action Trigger Cross Region Restore.
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Returns CRR operation result for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Returns CRR operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Operation returns the list of operations for a resource provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets operation status for a given operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.Support/* Create and update a support ticket
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read List soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds restorable time ranges
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/operationResults/read Gets the operation result of a patch operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns backup operation status for a Backup Vault.
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/locations/operationStatus/read Returns backup operation status for a Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns backup operation result for a Backup Vault.
Microsoft.DataProtection/operations/read Operation returns the list of operations for a resource provider
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of a Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers restore on the Backup Instance
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action Triggers a Cross Region Restore operation on the given Backup Instance.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action Performs validations for a Cross Region Restore operation.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action List Cross Region Restore jobs of a Backup Instance in the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Get Cross Region Restore job details from the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from the secondary region for Backup Vaults with Cross Region Restore enabled.
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates whether a feature is supported
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Reader

Can view backup services, but can't make changes. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of an operation performed on a Protection Container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets result of an operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of an operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Returns the result of a job operation.
Microsoft.RecoveryServices/Vaults/backupJobs/read Returns all job objects
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/read Returns backup operation result for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get results of a policy operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery Services vault.
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Returns storage configuration for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupconfig/read Returns configuration for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns backup operation status for a Recovery Services vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get status of a policy operation.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with the vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check backup status for Recovery Services vaults
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Operation returns the list of operations for a resource provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets operation status for a given operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate features
Microsoft.RecoveryServices/locations/backupCrrJobs/action List Cross Region Restore jobs in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrJob/action Get Cross Region Restore job details in the secondary region for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Returns CRR operation result for a Recovery Services vault.
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Returns CRR operation status for a Recovery Services vault.
Microsoft.DataProtection/locations/getBackupStatus/action Check backup status for Recovery Services vaults
Microsoft.DataProtection/backupVaults/backupInstances/write Creates a Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read List soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers restore on the Backup Instance
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds restorable time ranges
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/operationResults/read Gets the operation result of a patch operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns backup operation status for a Backup Vault.
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/backupVaults/read Gets the list of Backup Vaults in a resource group
Microsoft.DataProtection/locations/operationStatus/read Returns backup operation status for a Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns backup operation result for a Backup Vault.
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of a Backup Instance
Microsoft.DataProtection/operations/read Operation returns the list of operations for a resource provider
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action List Cross Region Restore jobs of a Backup Instance in the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Get Cross Region Restore job details from the secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from the secondary region for Backup Vaults with Cross Region Restore enabled.
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates whether a feature is supported
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view backup services, but can't make changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/* Create and manage storage accounts
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Key Operator Service Role

Classic Storage Account Key Operators are allowed to list and regenerate keys on classic storage accounts. Learn more

Actions Description
Microsoft.ClassicStorage/storageAccounts/listkeys/action Lists the access keys for the storage account.
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action Regenerates the existing access keys for the storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Contributor

Lets you manage everything under the Data Box service except giving access to others. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Databox/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
  "name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Reader

Lets you manage the Data Box service except creating orders or editing order details and giving access to others. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Databox/*/read
Microsoft.Databox/jobs/listsecrets/action
Microsoft.Databox/jobs/listcredentials/action Lists the unencrypted credentials related to the order.
Microsoft.Databox/locations/availableSkus/action This method returns the list of available SKUs.
Microsoft.Databox/locations/validateInputs/action This method performs all types of validations.
Microsoft.Databox/locations/regionConfiguration/action This method returns the configuration for the region.
Microsoft.Databox/locations/validateAddress/action Validates the shipping address and provides alternate addresses, if any.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.BigAnalytics/accounts/*
Microsoft.DataLakeAnalytics/accounts/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.BigAnalytics/accounts/Delete
Microsoft.BigAnalytics/accounts/TakeOwnership/action
Microsoft.BigAnalytics/accounts/Write
Microsoft.DataLakeAnalytics/accounts/Delete Delete a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Grant permission to cancel jobs submitted by other users.
Microsoft.DataLakeAnalytics/accounts/Write Create or update a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Get or update the linked DataLakeStore account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Unlink a DataLakeStore account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Create or update a linked storage account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Unlink a storage account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Create or update a firewall rule.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Delete a firewall rule.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Create or update a compute policy.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete Delete a compute policy.
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Defender for Storage Data Scanner

Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a list of containers
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Returns the result of writing blob tags
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Returns the result of reading blob tags
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Defender for Storage Data Scanner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Owner

Allows for full access to all resources under Azure Elastic SAN, including changing network security policies to unblock data path access

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Reader

Allows for control path read access to Azure Elastic SAN

Actions Description
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read Get information about a role definition.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ElasticSan/elasticSans/*/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for control path read access to Azure Elastic SAN",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Volume Group Owner

Allows for full access to a volume group in Azure Elastic SAN, including changing network security policies to unblock data path access

Actions Description
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read Get information about a role definition.
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/locations/asyncoperations/read Polls the status of an asynchronous operation.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
  "name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Volume Group Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reader and Data Access

Lets you view everything, but does not let you delete or create a storage account or contained resource. It also allows read/write access to all data contained in a storage account via the storage account keys.

Actions Description
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/ListAccountSas/action Returns the account SAS token for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Backup Contributor

Lets you perform backup and restore operations using Azure Backup on the storage account. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Authorization/locks/read Gets locks at the specified scope.
Microsoft.Authorization/locks/write Add locks at the specified scope.
Microsoft.Authorization/locks/delete Delete locks at the specified scope.
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/operations/read Polls the status of an asynchronous operation.
Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete Delete object replication policy
Microsoft.Storage/storageAccounts/objectReplicationPolicies/read List object replication policies
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write Create or update object replication policy
Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write Create object replication restore point marker
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put blob container
Microsoft.Storage/storageAccounts/blobServices/read Returns blob service properties or statistics
Microsoft.Storage/storageAccounts/blobServices/write Returns the result of put blob service properties
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/restoreBlobRanges/action Restore blob ranges to the state of the specified time
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Contributor

Lets you manage storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys. Learn more

Actions Description
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/regeneratekey/action Regenerates the access keys for the specified storage account.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Contributor

Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/delete Delete a container.
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/containers/write Modifies a container's metadata or properties.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Delete a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Write to a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action Moves a blob from one path to another
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action Returns the result of adding blob content
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Owner

Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/* Full permissions on containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* Full permissions on blobs.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Reader

Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the blob service.
NotActions
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage blob containers and data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Delegator

Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the blob service.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Delegator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Contributor

Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action Returns the result of modifying permissions on a file/folder
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action Read File Backup Semantics Privilege
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action Write File Backup Semantics Privilege
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
  "name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
        "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
        "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data Privileged Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Reader

Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action Read File Backup Semantics Privilege
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Customer has read access on Azure Storage file shares.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
  "name": "b8eda974-7b85-4f76-af95-65846b26df6d",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data Privileged Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Contributor

Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. Learn more

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Elevated Contributor

Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. Learn more

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action Returns the result of modifying permissions on a file/folder.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
  "name": "a7264617-510b-434b-a828-9731dc254ea7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Reader

Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. Learn more

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure File Share over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
  "name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Contributor

Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
Microsoft.Storage/storageAccounts/queueServices/queues/delete Delete a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/read Returns a queue or a list of queues.
Microsoft.Storage/storageAccounts/queueServices/queues/write Modifies queue metadata or properties.
NotActions
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete Delete one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek or retrieve one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write Add a message to a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action Returns the result of processing a message
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Processor

Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek a message.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action Retrieve and delete a message.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Processor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Sender

Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
NotActions
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action Add a message to a queue.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for sending of Azure Storage queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Reader

Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more

Actions Description
Microsoft.Storage/storageAccounts/queueServices/queues/read Returns a queue or a list of queues.
NotActions
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek or retrieve one or more messages from a queue.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
  "name": "19e7f393-937e-4f77-808e-94535e297925",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Contributor

Allows for read, write, and delete access to Azure Storage tables and entities

Actions Description
Microsoft.Storage/storageAccounts/tableServices/tables/read Query tables
Microsoft.Storage/storageAccounts/tableServices/tables/write Create tables
Microsoft.Storage/storageAccounts/tableServices/tables/delete Delete tables
NotActions
DataActions
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read Query table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write Insert, merge, or replace table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete Delete table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action Insert table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action Merge or update table entities
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage tables and entities",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Reader

Allows for read access to Azure Storage tables and entities

Actions Description
Microsoft.Storage/storageAccounts/tableServices/tables/read Query tables
NotActions
DataActions
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read Query table entities
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage tables and entities",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
  "name": "76199698-9eea-4c19-bc75-cec21354c6b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web

Azure Maps Data Contributor

Grants read, write, and delete access to map-related data in an Azure Maps account. Learn more

Actions Description
NotActions
DataActions
Microsoft.Maps/accounts/*/read
Microsoft.Maps/accounts/*/write
Microsoft.Maps/accounts/*/delete
Microsoft.Maps/accounts/*/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete",
        "Microsoft.Maps/accounts/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Data Reader

Grants read access to map-related data in an Azure Maps account. Learn more

Actions Description
NotActions
DataActions
Microsoft.Maps/accounts/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read map related data from an Azure maps account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Contributor

Allows read, write and delete access to Azure Spring Cloud Config Server. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppPlatform/Spring/configService/read Read the configuration content (for example, application.yaml) of a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/configService/write Write the config server content of a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/configService/delete Delete the config server content of a specific Azure Spring Apps service instance
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read",
        "Microsoft.AppPlatform/Spring/configService/write",
        "Microsoft.AppPlatform/Spring/configService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Reader

Allows read access to Azure Spring Cloud Config Server. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppPlatform/Spring/configService/read Read the configuration content (for example, application.yaml) of a specific Azure Spring Apps service instance
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Config Server",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
  "name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Data Reader

Allows read access to Azure Spring Cloud data

Actions Description
NotActions
DataActions
Microsoft.AppPlatform/Spring/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
  "name": "b5537268-8956-4941-a8f0-646150406f0c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Contributor

Allows read, write and delete access to Azure Spring Cloud Service Registry. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppPlatform/Spring/eurekaService/read Read the user app registration information of a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/eurekaService/write Write the user app registration information of a specific Azure Spring Apps service instance
Microsoft.AppPlatform/Spring/eurekaService/delete Delete the user app registration information of a specific Azure Spring Apps service instance
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read",
        "Microsoft.AppPlatform/Spring/eurekaService/write",
        "Microsoft.AppPlatform/Spring/eurekaService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Reader

Allows read access to Azure Spring Cloud Service Registry. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppPlatform/Spring/eurekaService/read Read the user app registration information of a specific Azure Spring Apps service instance
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Service Registry",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
  "name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Account Administrator

Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action List Streaming Locators for an Asset
Microsoft.Media/mediaservices/streamingLocators/listPaths/action List Paths
Microsoft.Media/mediaservices/write Create or update any Media Services account
Microsoft.Media/mediaservices/delete Delete any Media Services account
Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action Approve a private endpoint connection
Microsoft.Media/mediaservices/privateEndpointConnections/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/write",
        "Microsoft.Media/mediaservices/delete",
        "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
        "Microsoft.Media/mediaservices/privateEndpointConnections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Account Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Live Events Administrator

Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/liveEvents/*
NotActions
Microsoft.Media/mediaservices/assets/getEncryptionKey/action Get Asset Encryption Key
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action List Content Keys
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
  "name": "532bc159-b25e-42c0-969e-a1d439f60d77",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/liveEvents/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Live Events Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Media Operator

Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/transforms/jobs/*
NotActions
Microsoft.Media/mediaservices/assets/getEncryptionKey/action Get Asset Encryption Key
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action List Content Keys
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
  "name": "e4395492-1534-4db2-bedf-88c14621589c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/transforms/jobs/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Media Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Policy Administrator

Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets, or Streaming resources.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action List Streaming Locators for an Asset
Microsoft.Media/mediaservices/streamingLocators/listPaths/action List Paths
Microsoft.Media/mediaservices/accountFilters/*
Microsoft.Media/mediaservices/streamingPolicies/*
Microsoft.Media/mediaservices/contentKeyPolicies/*
Microsoft.Media/mediaservices/transforms/*
NotActions
Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action Get Policy Properties With Secrets
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
  "name": "c4bba371-dacd-4a26-b320-7250bca963ae",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/accountFilters/*",
        "Microsoft.Media/mediaservices/streamingPolicies/*",
        "Microsoft.Media/mediaservices/contentKeyPolicies/*",
        "Microsoft.Media/mediaservices/transforms/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Policy Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Streaming Endpoints Administrator

Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action List Streaming Locators for an Asset
Microsoft.Media/mediaservices/streamingLocators/listPaths/action List Paths
Microsoft.Media/mediaservices/streamingEndpoints/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
  "name": "99dba123-b5fe-44d5-874c-ced7199a5804",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/streamingEndpoints/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Streaming Endpoints Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Contributor

Grants full access to Azure Cognitive Search index data.

Actions Description
NotActions
DataActions
Microsoft.Search/searchServices/indexes/documents/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to Azure Cognitive Search index data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Reader

Grants read access to Azure Cognitive Search index data.

Actions Description
NotActions
DataActions
Microsoft.Search/searchServices/indexes/documents/read Read documents or suggested query terms from an index.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read access to Azure Cognitive Search index data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Service Contributor

Lets you manage Search services, but not access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Search/searchServices/* Create and manage search services
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Search services, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Search/searchServices/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Search Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey Reader

Read SignalR Service access keys

Actions Description
Microsoft.SignalRService/*/read
Microsoft.SignalRService/SignalR/listkeys/action View the value of SignalR access keys in the management portal or through the API
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read SignalR Service Access Keys",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
  "name": "04165923-9d83-45d5-8227-78b77b0a687e",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR AccessKey Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR App Server

Lets your app server access SignalR Service with AAD auth options.

Actions Description
NotActions
DataActions
Microsoft.SignalRService/SignalR/auth/accessKey/action Generate an AccessKey for signing AccessTokens; by default the key expires after 90 minutes
Microsoft.SignalRService/SignalR/serverConnection/write Start a server connection
Microsoft.SignalRService/SignalR/clientConnection/write Close a client connection
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
  "name": "420fcaa2-552c-430f-98ca-3264be4806c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/clientConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR App Server",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Owner

Full access to Azure SignalR Service REST APIs

Actions Description
NotActions
DataActions
Microsoft.SignalRService/SignalR/auth/clientToken/action Generate an AccessToken for a client to connect to ASRS; by default the token expires after 5 minutes
Microsoft.SignalRService/SignalR/hub/*
Microsoft.SignalRService/SignalR/group/*
Microsoft.SignalRService/SignalR/clientConnection/*
Microsoft.SignalRService/SignalR/user/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
  "name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/*",
        "Microsoft.SignalRService/SignalR/group/*",
        "Microsoft.SignalRService/SignalR/clientConnection/*",
        "Microsoft.SignalRService/SignalR/user/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Reader

Read-only access to Azure SignalR Service REST APIs

Actions Description
NotActions
DataActions
Microsoft.SignalRService/SignalR/group/read Check whether a group exists or whether a user exists in a group
Microsoft.SignalRService/SignalR/clientConnection/read Check whether a client connection exists
Microsoft.SignalRService/SignalR/user/read Check whether a user exists
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
  "name": "ddde6b66-c0df-4114-a159-3618637b3035",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service Owner

Full access to Azure SignalR Service REST APIs

Actions Description
NotActions
DataActions
Microsoft.SignalRService/SignalR/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR/Web PubSub Contributor

Create, read, update, and delete SignalR Service resources

Actions Description
Microsoft.SignalRService/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR/Web PubSub Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web Plan Contributor

Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Web/serverFarms/* Create and manage server farms
Microsoft.Web/hostingEnvironments/Join/Action Joins an App Service Environment
Microsoft.Insights/autoscalesettings/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action",
        "Microsoft.Insights/autoscalesettings/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Web Plan Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Website Contributor

Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage classic metric alerts
Microsoft.Insights/components/* Create and manage Insights components
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage deployments
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Web/certificates/* Create and manage website certificates
Microsoft.Web/listSitesAssignedToHostName/read Get the names of sites assigned to a hostname.
Microsoft.Web/serverFarms/join/action Joins an App Service Plan
Microsoft.Web/serverFarms/read Get the properties of an App Service Plan
Microsoft.Web/sites/* Create and manage websites (site creation also requires write permissions on the associated App Service Plan)
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
  "name": "de139f84-1756-47ae-9be6-808fbbe84772",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Website Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Containers

AcrDelete

Delete repositories, tags, or manifests from a container registry. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/artifacts/delete Delete an artifact in a container registry.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Push trusted images to or pull trusted images from a container registry enabled for content trust. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/sign/write Push/pull content trust metadata for a container registry.
NotActions
DataActions
Microsoft.ContainerRegistry/registries/trustedCollections/write Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action, except that this is a data action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Pull artifacts from a container registry. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or Get images from a container registry.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Push artifacts to or pull artifacts from a container registry. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/pull/read Pull or Get images from a container registry.
Microsoft.ContainerRegistry/registries/push/write Push or Write images to a container registry.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Pull quarantined images from a container registry. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or Get quarantined images from a container registry
NotActions
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that this is a data action.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Push quarantined images to or pull quarantined images from a container registry. Learn more

Actions Description
Microsoft.ContainerRegistry/registries/quarantine/read Pull or Get quarantined images from a container registry
Microsoft.ContainerRegistry/registries/quarantine/write Write/Modify the quarantine state of quarantined images
NotActions
DataActions
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read Allows pull or get of quarantined artifacts from a container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read, except that this is a data action.
Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action, except that this is a data action.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Admin

This role grants admin access: it provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write Writes localsubjectaccessreviews
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Cluster Admin

Lets you manage all resources in the fleet manager cluster.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
DataActions
Microsoft.ContainerService/fleets/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the fleet manager cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/apps/deployments/read Reads deployments
Microsoft.ContainerService/fleets/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/fleets/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/fleets/batch/jobs/read Reads jobs
Microsoft.ContainerService/fleets/configmaps/read Reads configmaps
Microsoft.ContainerService/fleets/endpoints/read Reads endpoints
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/fleets/extensions/deployments/read Reads deployments
Microsoft.ContainerService/fleets/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/fleets/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/fleets/services/read Reads services
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/fleets/read Get fleet
Microsoft.ContainerService/fleets/listCredentials/action List fleet credentials
NotActions
DataActions
Microsoft.ContainerService/fleets/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/fleets/apps/daemonsets/*
Microsoft.ContainerService/fleets/apps/deployments/*
Microsoft.ContainerService/fleets/apps/statefulsets/*
Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/fleets/batch/cronjobs/*
Microsoft.ContainerService/fleets/batch/jobs/*
Microsoft.ContainerService/fleets/configmaps/*
Microsoft.ContainerService/fleets/endpoints/*
Microsoft.ContainerService/fleets/events.k8s.io/events/read Reads events
Microsoft.ContainerService/fleets/events/read Reads events
Microsoft.ContainerService/fleets/extensions/daemonsets/*
Microsoft.ContainerService/fleets/extensions/deployments/*
Microsoft.ContainerService/fleets/extensions/ingresses/*
Microsoft.ContainerService/fleets/extensions/networkpolicies/*
Microsoft.ContainerService/fleets/limitranges/read Reads limitranges
Microsoft.ContainerService/fleets/namespaces/read Reads namespaces
Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/fleets/persistentvolumeclaims/*
Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/replicationcontrollers/*
Microsoft.ContainerService/fleets/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/fleets/secrets/*
Microsoft.ContainerService/fleets/serviceaccounts/*
Microsoft.ContainerService/fleets/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action. Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action List the clusterAdmin credential of a managed cluster
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Get a managed cluster access profile by role name using list credential
Microsoft.ContainerService/managedClusters/read Get a managed cluster
Microsoft.ContainerService/managedClusters/runcommand/action Run a user-issued command against the managed Kubernetes server.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Monitoring User

List cluster monitoring user credential action.

Actions Description
Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action List the clusterMonitoringUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster monitoring user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Monitoring User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action. Learn more

Actions Description
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
Microsoft.ContainerService/managedClusters/read Get a managed cluster
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters. Learn more

Actions Description
Microsoft.ContainerService/managedClusters/read Get a managed cluster
Microsoft.ContainerService/managedClusters/write Creates a new managed cluster or updates an existing one
Microsoft.Resources/deployments/* Create and manage a deployment
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
Microsoft.ContainerService/managedClusters/resourcequotas/write Writes resourcequotas
Microsoft.ContainerService/managedClusters/resourcequotas/delete Deletes resourcequotas
Microsoft.ContainerService/managedClusters/namespaces/write Writes namespaces
Microsoft.ContainerService/managedClusters/namespaces/delete Deletes namespaces
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
NotActions
DataActions
Microsoft.ContainerService/managedClusters/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read Reads configmaps
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/endpoints/read Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/read Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read Reads services
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read Reads leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write Writes leases
Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete Deletes leases
Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Reads endpointslices
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Reads events
Microsoft.ContainerService/managedClusters/events/*
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read Reads limitranges
Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Reads pods
Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Reads nodes
Microsoft.ContainerService/managedClusters/namespaces/read Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
        "Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
        "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/*",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
        "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Databases

Azure Connected SQL Server Onboarding

Allows read and write access to Azure resources for SQL Server on Arc-enabled servers. Learn more

Actions Description
Microsoft.AzureArcData/sqlServerInstances/read Retrieves a SQL Server Instance resource
Microsoft.AzureArcData/sqlServerInstances/write Updates a SQL Server Instance resource
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
  "name": "e8113dce-c529-4d33-91fa-e9b972617508",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureArcData/sqlServerInstances/read",
        "Microsoft.AzureArcData/sqlServerInstances/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected SQL Server Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Account Reader Role

Can read Azure Cosmos DB account data. See Cosmos DB Account Contributor for managing Azure Cosmos DB accounts. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.DocumentDB/*/read Read any collection
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action Reads the database account readonly keys.
Microsoft.Insights/MetricDefinitions/read Read metric definitions
Microsoft.Insights/Metrics/read Read metrics
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Operator

Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. Learn more

Actions Description
Microsoft.DocumentDb/databaseAccounts/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
NotActions
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
Microsoft.DocumentDB/databaseAccounts/listKeys/*
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write Create or update a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete Delete a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write Create or update a SQL Role Assignment
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete Delete a SQL Role Assignment
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write Create or update a MongoDB Role Definition
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete Delete a MongoDB Role Definition
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write Create or update a MongoDB User Definition
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete Delete a MongoDB User Definition
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
  "name": "230815da-be43-4aae-9cb4-875f7bd000aa",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
        "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosBackupOperator

Can submit a restore request for a Cosmos DB database or a container for an account. Learn more

Actions Description
Microsoft.DocumentDB/databaseAccounts/backup/action Submit a request to configure backup
Microsoft.DocumentDB/databaseAccounts/restore/action Submit a restore request
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can submit restore request for a Cosmos DB database or a container for an account",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/databaseAccounts/backup/action",
        "Microsoft.DocumentDB/databaseAccounts/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosBackupOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosRestoreOperator

Can perform the restore action for a Cosmos DB database account in continuous backup mode

Actions Description
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action Submit a restore request
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read Read a restorable database account or list all the restorable database accounts
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosRestoreOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DocumentDB Account Contributor

Can manage Azure Cosmos DB accounts. Azure Cosmos DB was formerly known as DocumentDB. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.DocumentDb/databaseAccounts/* Create and manage Azure Cosmos DB accounts
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DocumentDB accounts, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
  "name": "5bd9cd88-fe45-4216-938b-f97437e15450",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DocumentDB Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
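The Cosmos DB Operator and DocumentDB Account Contributor definitions above both grant `Microsoft.DocumentDb/databaseAccounts/*`; what separates them is the Operator's `notActions` list. As an added example (not Microsoft's code), the Python below implements the evaluation the page relies on (wildcard match against actions, then subtract notActions, case-insensitively) over excerpts of the two definitions, and reports which key and connection-string operations each role effectively permits; the operation names checked are the standard Cosmos DB control-plane operations whose prefixes appear in the Operator's notActions.

```python
"""Effective-permission check for Azure RBAC role definitions.

Added example, not Microsoft's code.  Evaluation rules applied: an operation
is granted when it matches an entry in ``actions`` (``dataActions`` for the
data plane) and matches no entry in ``notActions`` (``notDataActions``).
``*`` matches any run of characters, including ``/``; matching is
case-insensitive.  The role definitions are excerpts of the JSON on this
page, reduced to the fields the check needs.
"""
import re
from typing import Dict, Iterable, List

# Excerpt of "Cosmos DB Operator" (230815da-be43-4aae-9cb4-875f7bd000aa).
COSMOS_DB_OPERATOR: Dict = {
    "roleName": "Cosmos DB Operator",
    "permissions": [{
        "actions": [
            "Microsoft.DocumentDb/databaseAccounts/*",
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [
            "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
            "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
            "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
            "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        ],
        "dataActions": [],
        "notDataActions": [],
    }],
}

# Excerpt of "DocumentDB Account Contributor" (5bd9cd88-fe45-4216-938b-f97437e15450):
# the same wildcard on databaseAccounts, but no notActions carve-out.
DOCUMENTDB_ACCOUNT_CONTRIBUTOR: Dict = {
    "roleName": "DocumentDB Account Contributor",
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.DocumentDb/databaseAccounts/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": [],
    }],
}

# Key and connection-string operations: the ones a reviewer checks when a
# role claims to manage an account without giving access to its data.
KEY_OPERATIONS: List[str] = [
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
]


def _to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an Azure operation pattern into a regex: '*' -> '.*', rest literal."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def _matches_any(operation: str, patterns: Iterable[str]) -> bool:
    return any(_to_regex(p).match(operation) for p in patterns)


def is_permitted(role_def: Dict, operation: str, data_plane: bool = False) -> bool:
    """True if the role grants `operation` (control plane unless data_plane=True).

    Allow and deny lists from all permission blocks are pooled, then the deny
    list is subtracted from the allow list.
    """
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    allowed = [p for blk in role_def["permissions"] for p in blk.get(allow_key, [])]
    denied = [p for blk in role_def["permissions"] for p in blk.get(deny_key, [])]
    return _matches_any(operation, allowed) and not _matches_any(operation, denied)


def key_exposure(role_def: Dict) -> Dict[str, bool]:
    """Map each key/connection-string operation to whether the role permits it."""
    return {op: is_permitted(role_def, op) for op in KEY_OPERATIONS}


def exposes_account_keys(role_def: Dict) -> bool:
    """True if any key-related operation survives the notActions subtraction."""
    return any(key_exposure(role_def).values())


if __name__ == "__main__":
    for role in (COSMOS_DB_OPERATOR, DOCUMENTDB_ACCOUNT_CONTRIBUTOR):
        print(f"{role['roleName']}: exposes account keys = {exposes_account_keys(role)}")
        for op, ok in key_exposure(role).items():
            print(f"  {'ALLOW' if ok else 'deny '}  {op}")
```

Run against a full role definition exported from Azure, the same check works unchanged, since only the `permissions` field is read.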

Redis Cache Contributor

Lets you manage Redis caches, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Cache/register/action Registers the 'Microsoft.Cache' resource provider with a subscription
Microsoft.Cache/redis/* Create and manage Redis caches
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Redis caches, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
  "name": "e0f68234-74aa-48ed-b826-c38b57376e17",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cache/register/action",
        "Microsoft.Cache/redis/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Redis Cache Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL DB Contributor

Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/databases/* Create and manage SQL databases
Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
NotActions
Microsoft.Sql/servers/databases/ledgerDigestUploads/write Enable uploading ledger digests
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action Disable uploading ledger digests
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/auditingSettings/* Edit audit settings
Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/* Edit data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/* Edit security alert policies
Microsoft.Sql/servers/databases/securityMetrics/* Edit security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL DB Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Managed Instance Contributor

Lets you manage SQL Managed Instances and the required network configuration, but can't give access to others.

Actions Description
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/routeTables/*
Microsoft.Sql/locations/*/read
Microsoft.Sql/locations/instanceFailoverGroups/*
Microsoft.Sql/managedInstances/*
Microsoft.Support/* Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/*
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
NotActions
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete Deletes a specific managed server Azure Active Directory only authentication object
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write Adds or updates a specific managed server Azure Active Directory only authentication object
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/routeTables/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/locations/instanceFailoverGroups/*",
        "Microsoft.Sql/managedInstances/*",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Managed Instance Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Security Manager

Lets you manage the security-related policies of SQL servers and databases, but not access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins a resource such as a storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Sql/locations/administratorAzureAsyncOperation/read Gets the managed instance Azure async administrator operation result.
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write Change the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read Retrieve a list of managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write Change the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read Retrieve a list of managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/advancedThreatProtectionSettings/read Retrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/write Change the server Advanced Threat Protection settings for a given server
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/serverConfigurationOptions/read Gets the properties of the specified Azure SQL Managed Instance server configuration option.
Microsoft.Sql/managedInstances/serverConfigurationOptions/write Updates the Azure SQL Managed Instance server configuration option properties for the specified instance.
Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read Gets the status of an Azure SQL Managed Instance server configuration option Azure async operation.
Microsoft.Sql/servers/advancedThreatProtectionSettings/read Retrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/write Change the server Advanced Threat Protection settings for a given server
Microsoft.Sql/servers/auditingSettings/* Create and manage SQL server auditing settings
Microsoft.Sql/servers/extendedAuditingSettings/read Retrieve details of the extended server blob auditing policy configured on a given server
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read Retrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read Retrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/auditingSettings/* Create and manage SQL server database auditing settings
Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/* Create and manage SQL server database data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/read Retrieve details of the extended blob auditing policy configured on a given database
Microsoft.Sql/servers/databases/read Return the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/read Get a database schema.
Microsoft.Sql/servers/databases/schemas/tables/columns/read Get a database column.
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/read Get a database table.
Microsoft.Sql/servers/databases/securityAlertPolicies/* Create and manage SQL server database security alert policies
Microsoft.Sql/servers/databases/securityMetrics/* Create and manage SQL server database security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/transparentDataEncryption/*
Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/firewallRules/*
Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/securityAlertPolicies/* Create and manage SQL server security alert policies
Microsoft.Sql/servers/sqlvulnerabilityAssessments/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Support/* Create and update a support ticket
Microsoft.Sql/servers/azureADOnlyAuthentications/*
Microsoft.Sql/managedInstances/read Return the list of managed instances or gets the properties for the specified managed instance.
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
Microsoft.Security/sqlVulnerabilityAssessments/*
Microsoft.Sql/managedInstances/administrators/read Gets a list of managed instance administrators.
Microsoft.Sql/servers/administrators/read Gets a specific Azure Active Directory administrator object
Microsoft.Sql/servers/databases/ledgerDigestUploads/*
Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read Gets in-progress operations of ledger digest upload settings
Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read Gets in-progress operations of ledger digest upload settings
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
        "Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
        "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
        "Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/*",
        "Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/firewallRules/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Support/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/*",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
        "Microsoft.Security/sqlVulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/servers/administrators/read",
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
        "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
        "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Security Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Server Contributor

Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/* Create and manage SQL servers
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/metrics/read Read metrics
Microsoft.Insights/metricDefinitions/read Read metric definitions
NotActions
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/auditingSettings/* Edit SQL server auditing settings
Microsoft.Sql/servers/databases/auditingSettings/* Edit SQL server database auditing settings
Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/* Edit SQL server database data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/* Edit SQL server database security alert policies
Microsoft.Sql/servers/databases/securityMetrics/* Edit SQL server database security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/extendedAuditingSettings/*
Microsoft.Sql/servers/securityAlertPolicies/* Edit SQL server security alert policies
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Sql/servers/azureADOnlyAuthentications/delete Deletes a specific server Azure Active Directory only authentication object
Microsoft.Sql/servers/azureADOnlyAuthentications/write Adds or updates a specific server Azure Active Directory only authentication object
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete Deletes a specific server external policy based authorization property
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write Adds or updates a specific server external policy based authorization property
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Analytics

Azure Event Hubs Data Owner

Allows for full access to Azure Event Hubs resources. Learn more

Actions Description
Microsoft.EventHub/*
NotActions
DataActions
Microsoft.EventHub/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Event Hubs resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
  "name": "f526a384-b230-433a-b45c-95f59c4a2dec",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Receiver

Allows receive access to Azure Event Hubs resources. Learn more

Actions Description
Microsoft.EventHub/*/eventhubs/consumergroups/read
NotActions
DataActions
Microsoft.EventHub/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows receive access to Azure Event Hubs resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/consumergroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Sender

Allows send access to Azure Event Hubs resources. Learn more

Actions Description
Microsoft.EventHub/*/eventhubs/read
NotActions
DataActions
Microsoft.EventHub/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to Azure Event Hubs resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
  "name": "2b629674-e913-4c01-ae53-ef4638d8f975",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
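The SQL Security Manager and SQL Server Contributor definitions above are deliberate complements: the contributor is granted `Microsoft.Sql/servers/*` and then has the auditing, threat-detection, masking and authentication settings subtracted through NotActions, while the security manager is granted exactly those settings and little else. The three Event Hubs data roles above show the other boundary on this page, DataActions that are evaluated separately from control-plane Actions. The Python below is an added example, not Microsoft's code; it reimplements the documented Azure RBAC evaluation rules (wildcard matching, NotActions subtracting only from the role that lists them, additivity across assigned roles, a separate data plane) against trimmed copies of those three definitions. The operation names passed in, including the Event Hubs data-plane operation name, are assumed for illustration, and scope, deny assignments and ABAC conditions are not modelled.

```python
"""Offline evaluation of Azure built-in role definitions (added example).

Rules implemented, as documented for Azure RBAC:
  * Actions / DataActions grant; NotActions / NotDataActions subtract only
    from the same role's grant (they are not deny rules).
  * '*' matches any run of characters, '/' included; matching ignores case.
  * Permissions from all roles assigned to a principal are additive.
Scope, deny assignments and ABAC conditions are not modelled here.
"""
import re

# Trimmed from the SQL Security Manager definition on this page (control plane).
SQL_SECURITY_MANAGER = {
    "roleName": "SQL Security Manager",
    "permissions": [{
        "actions": [
            "Microsoft.Sql/servers/read",
            "Microsoft.Sql/servers/auditingSettings/*",
            "Microsoft.Sql/servers/databases/read",
            "Microsoft.Sql/servers/databases/auditingSettings/*",
            "Microsoft.Sql/servers/firewallRules/*",
            "Microsoft.Sql/servers/azureADOnlyAuthentications/*",
        ],
        "notActions": [], "dataActions": [], "notDataActions": [],
    }],
}

# Trimmed from the SQL Server Contributor definition on this page.
SQL_SERVER_CONTRIBUTOR = {
    "roleName": "SQL Server Contributor",
    "permissions": [{
        "actions": ["Microsoft.Sql/servers/*"],
        "notActions": [
            "Microsoft.Sql/servers/auditingSettings/*",
            "Microsoft.Sql/servers/databases/auditingSettings/*",
            "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
            "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
        ],
        "dataActions": [], "notDataActions": [],
    }],
}

# Copied from the Azure Event Hubs Data Receiver definition on this page.
EVENT_HUBS_DATA_RECEIVER = {
    "roleName": "Azure Event Hubs Data Receiver",
    "permissions": [{
        "actions": ["Microsoft.EventHub/*/eventhubs/consumergroups/read"],
        "notActions": [],
        "dataActions": ["Microsoft.EventHub/*/receive/action"],
        "notDataActions": [],
    }],
}


def matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: each '*' spans any characters, case ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Does this single role grant `operation`?

    Control-plane operations are checked against actions/notActions; data-plane
    operations (data_plane=True) against dataActions/notDataActions. A Not*
    entry removes only what the same role granted.
    """
    perms = role["permissions"][0]
    grant, subtract = (("dataActions", "notDataActions") if data_plane
                       else ("actions", "notActions"))
    granted = any(matches(p, operation) for p in perms[grant])
    subtracted = any(matches(p, operation) for p in perms[subtract])
    return granted and not subtracted


def effective_allows(roles, operation: str, data_plane: bool = False) -> bool:
    """Union over every role assigned to the principal: roles are additive."""
    return any(role_allows(r, operation, data_plane) for r in roles)


def explain(roles, operation: str, data_plane: bool = False) -> str:
    """Trace which assigned role, if any, grants the operation."""
    for role in roles:
        if role_allows(role, operation, data_plane):
            return f"ALLOW {operation} via {role['roleName']}"
    return f"NO GRANT {operation} in {[r['roleName'] for r in roles]}"


if __name__ == "__main__":
    # Operation names below are assumed for illustration.
    for op in ("Microsoft.Sql/servers/databases/write",
               "Microsoft.Sql/servers/auditingSettings/write"):
        print(explain([SQL_SERVER_CONTRIBUTOR], op))
        print(explain([SQL_SECURITY_MANAGER], op))
        print(explain([SQL_SERVER_CONTRIBUTOR, SQL_SECURITY_MANAGER], op))
    # Data-plane operation name as assumed for the Microsoft.EventHub provider.
    print(explain([EVENT_HUBS_DATA_RECEIVER],
                  "Microsoft.EventHub/namespaces/messages/receive/action",
                  data_plane=True))
```

The behaviour worth checking in your own tenant is the combined case: the NotActions on SQL Server Contributor do not stop a principal from editing auditing settings if any other assigned role covers them, because NotActions only narrow the role that lists them. Blocking a capability regardless of other assignments requires a deny assignment, which this example does not model.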

Data Factory Contributor

Create and manage data factories, as well as child resources within them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.DataFactory/dataFactories/* Create and manage data factories, and child resources within them.
Microsoft.DataFactory/factories/* Create and manage data factories, and child resources within them.
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and manage data factories, as well as child resources within them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
  "name": "673868aa-7521-48a0-acc6-0f60742d39f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Factory Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Purger

Delete private data from a Log Analytics workspace. Learn more

Actions Description
Microsoft.Insights/components/*/read
Microsoft.Insights/components/purge/action Purging data from Application Insights
Microsoft.OperationalInsights/workspaces/*/read View log analytics data
Microsoft.OperationalInsights/workspaces/purge/action Delete specified data by query from the workspace.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can purge analytics data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/components/*/read",
        "Microsoft.Insights/components/purge/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/purge/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Purger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight Cluster Operator

Lets you read and modify HDInsight cluster configurations. Learn more

Actions Description
Microsoft.HDInsight/*/read
Microsoft.HDInsight/clusters/getGatewaySettings/action Gets the gateway settings for an HDInsight cluster
Microsoft.HDInsight/clusters/updateGatewaySettings/action Updates the gateway settings for an HDInsight cluster
Microsoft.HDInsight/clusters/configurations/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and modify HDInsight cluster configurations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
  "name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
  "permissions": [
    {
      "actions": [
        "Microsoft.HDInsight/*/read",
        "Microsoft.HDInsight/clusters/getGatewaySettings/action",
        "Microsoft.HDInsight/clusters/updateGatewaySettings/action",
        "Microsoft.HDInsight/clusters/configurations/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Cluster Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight Domain Services Contributor

Can read, create, modify and delete Domain Services related operations needed for HDInsight Enterprise Security Package. Learn more

Actions Description
Microsoft.AAD/*/read
Microsoft.AAD/domainServices/*/read
Microsoft.AAD/domainServices/oucontainer/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "permissions": [
    {
      "actions": [
        "Microsoft.AAD/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.AAD/domainServices/oucontainer/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Contributor

Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. Learn more

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.ClassicCompute/virtualMachines/extensions/*
Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts.
Microsoft.Compute/virtualMachines/extensions/*
Microsoft.HybridCompute/machines/extensions/write Installs or updates an Azure Arc extension
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.OperationalInsights/*
Microsoft.OperationsManagement/*
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.ClassicCompute/virtualMachines/extensions/*",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Reader

Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. Learn more

Actions Description
*/read Read resources of all types, except secrets.
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using new engine.
Microsoft.OperationalInsights/workspaces/search/action Executes a search query
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.OperationalInsights/workspaces/sharedKeys/read Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
  "name": "73c42c96-874c-492b-b04d-ab87d138a893",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Contributor (Preview)

Read, write, and delete Schema Registry groups and schemas.

Actions Description
Microsoft.EventHub/namespaces/schemagroups/*
NotActions
DataActions
Microsoft.EventHub/namespaces/schemas/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, write, and delete Schema Registry groups and schemas.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
  "name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Reader (Preview)

Read and list Schema Registry groups and schemas.

Actions Description
Microsoft.EventHub/namespaces/schemagroups/read Get list of SchemaGroup Resource Descriptions
NotActions
DataActions
Microsoft.EventHub/namespaces/schemas/read Retrieve schemas
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and list Schema Registry groups and schemas.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Stream Analytics Query Tester

Lets you perform query testing without creating a stream analytics job first

Actions Description
Microsoft.StreamAnalytics/locations/TestQuery/action Test Query for Stream Analytics Resource Provider
Microsoft.StreamAnalytics/locations/OperationResults/read Read Stream Analytics Operation Result
Microsoft.StreamAnalytics/locations/SampleInput/action Sample Input for Stream Analytics Resource Provider
Microsoft.StreamAnalytics/locations/CompileQuery/action Compile Query for Stream Analytics Resource Provider
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform query testing without creating a stream analytics job first",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "permissions": [
    {
      "actions": [
        "Microsoft.StreamAnalytics/locations/TestQuery/action",
        "Microsoft.StreamAnalytics/locations/OperationResults/read",
        "Microsoft.StreamAnalytics/locations/SampleInput/action",
        "Microsoft.StreamAnalytics/locations/CompileQuery/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Stream Analytics Query Tester",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AI + Machine Learning

AzureML Compute Operator

Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). Learn more

Actions Description
Microsoft.MachineLearningServices/workspaces/computes/*
Microsoft.MachineLearningServices/workspaces/notebooks/vm/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs).",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
  "name": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/computes/*",
        "Microsoft.MachineLearningServices/workspaces/notebooks/vm/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AzureML Compute Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AzureML Data Scientist

Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. Learn more

Actions Description
Microsoft.MachineLearningServices/workspaces/*/read
Microsoft.MachineLearningServices/workspaces/*/action
Microsoft.MachineLearningServices/workspaces/*/delete
Microsoft.MachineLearningServices/workspaces/*/write
NotActions
Microsoft.MachineLearningServices/workspaces/delete Deletes Machine Learning Services Workspace(s)
Microsoft.MachineLearningServices/workspaces/write Creates or updates a Machine Learning Services Workspace(s)
Microsoft.MachineLearningServices/workspaces/computes/*/write
Microsoft.MachineLearningServices/workspaces/computes/*/delete
Microsoft.MachineLearningServices/workspaces/computes/listKeys/action List secrets for compute resources in Machine Learning Services Workspace
Microsoft.MachineLearningServices/workspaces/listKeys/action List secrets for a Machine Learning Services Workspace
Microsoft.MachineLearningServices/workspaces/hubs/write Creates or updates a Machine Learning Services Hub Workspace
Microsoft.MachineLearningServices/workspaces/hubs/delete Deletes a Machine Learning Services Hub Workspace
Microsoft.MachineLearningServices/workspaces/featurestores/write Creates or updates a Machine Learning Services FeatureStore
Microsoft.MachineLearningServices/workspaces/featurestores/delete Deletes a Machine Learning Services FeatureStore
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write"
      ],
      "notActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/hubs/write",
        "Microsoft.MachineLearningServices/workspaces/hubs/delete",
        "Microsoft.MachineLearningServices/workspaces/featurestores/write",
        "Microsoft.MachineLearningServices/workspaces/featurestores/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AzureML Data Scientist",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Contributor

Lets you create, read, update, delete and manage keys of Cognitive Services. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.CognitiveServices/*
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider.
Microsoft.Features/providers/features/register/action Registers the feature for a subscription in a given resource provider.
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/logDefinitions/read Read log definitions
Microsoft.Insights/metricdefinitions/read Read metric definitions
Microsoft.Insights/metrics/read Read metrics
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.CognitiveServices/*",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Contributor

Full access to the project, including the ability to view, create, edit, or delete projects.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Custom Vision Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Deployment

Publish, unpublish or export models. Deployment can view the project but can't update. The NotDataActions entry carves project export out of the */read wildcard: the role can export trained iterations but not the project itself.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
Microsoft.CognitiveServices/accounts/CustomVision/classify/*
Microsoft.CognitiveServices/accounts/CustomVision/detect/*
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Deployment",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Labeler

View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action  Get images that were sent to your prediction endpoint.
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action  This API gets suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found.
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
  "name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Labeler",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Reader

Read-only actions in the project. Readers can't create or update the project.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action  Get images that were sent to your prediction endpoint.
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only actions in the project. Readers can't create or update the project.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Trainer

View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. The role is built as the full CustomVision/* data-plane wildcard with four operations subtracted in NotDataActions, so any data-plane operation that none of those four entries matches is permitted.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/CustomVision/*
NotDataActions
Microsoft.CognitiveServices/accounts/CustomVision/projects/action  Create a project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/delete  Delete a specific project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action  Imports a project.
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read  Export a project.
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Trainer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Data Reader (Preview)

Lets you read Cognitive Services data. The role has no Actions at all: it grants data-plane reads only and gives no visibility of the account resource itself through ARM or the portal.

Actions  Description
NotActions
DataActions
Microsoft.CognitiveServices/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read Cognitive Services data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Data Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Face Recognizer

Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. Note the sessions entries below: the role can create, read, delete and audit liveness sessions; the "no create or delete" statement refers to person, person-group and face-list data, whose management operations are not included.

Actions  Description
NotActions
DataActions
Microsoft.CognitiveServices/accounts/Face/detect/action  Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes.
Microsoft.CognitiveServices/accounts/Face/verify/action  Verify whether two faces belong to a same person or whether one face belongs to a person.
Microsoft.CognitiveServices/accounts/Face/identify/action  1-to-many identification to find the closest matches of the specific query person face from a person group or large person group.
Microsoft.CognitiveServices/accounts/Face/group/action  Divide candidate faces into groups based on face similarity.
Microsoft.CognitiveServices/accounts/Face/findsimilars/action  Given a query face's faceId, search for similar-looking faces in a faceId array, a face list or a large face list.
Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action  Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either 'real face', 'spoof face', or 'uncertain' if a classification cannot be made with the given inputs.
Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action  Performs liveness detection on a target face in a sequence of images of the same modality (e.g. color or infrared), and returns the liveness classification of the target face as either 'real face', 'spoof face', or 'uncertain' if a classification cannot be made with the given inputs.
Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action  Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return a confidence score for identity scenarios.
Microsoft.CognitiveServices/accounts/Face/*/sessions/action
Microsoft.CognitiveServices/accounts/Face/*/sessions/delete
Microsoft.CognitiveServices/accounts/Face/*/sessions/read
Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/Face/detect/action",
        "Microsoft.CognitiveServices/accounts/Face/verify/action",
        "Microsoft.CognitiveServices/accounts/Face/identify/action",
        "Microsoft.CognitiveServices/accounts/Face/group/action",
        "Microsoft.CognitiveServices/accounts/Face/findsimilars/action",
        "Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action",
        "Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action",
        "Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action",
        "Microsoft.CognitiveServices/accounts/Face/*/sessions/action",
        "Microsoft.CognitiveServices/accounts/Face/*/sessions/delete",
        "Microsoft.CognitiveServices/accounts/Face/*/sessions/read",
        "Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Face Recognizer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Metrics Advisor Administrator

Full access to the project, including the system level configuration.

Actions  Description
Microsoft.CognitiveServices/*/read
NotActions
DataActions
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the system level configuration.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
  "name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Metrics Advisor Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services OpenAI Contributor

Full access including the ability to fine-tune, deploy and generate text. Because the role combines deployments/write with raiPolicies/write, a holder can also create custom Responsible AI (content filter) policies and change which policy a deployment references; treat it as a policy-administration role as well as a model-operations role.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/deployments/write  Writes deployments.
Microsoft.CognitiveServices/accounts/deployments/delete  Deletes deployments.
Microsoft.CognitiveServices/accounts/raiPolicies/read  Gets all applicable policies under the account including default policies.
Microsoft.CognitiveServices/accounts/raiPolicies/write  Create or update a custom Responsible AI policy.
Microsoft.CognitiveServices/accounts/raiPolicies/delete  Deletes a custom Responsible AI policy that is not referenced by an existing deployment.
Microsoft.CognitiveServices/accounts/commitmentplans/read  Reads commitment plans.
Microsoft.CognitiveServices/accounts/commitmentplans/write  Writes commitment plans.
Microsoft.CognitiveServices/accounts/commitmentplans/delete  Deletes commitment plans.
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
DataActions
Microsoft.CognitiveServices/accounts/OpenAI/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access including the ability to fine-tune, deploy and generate text",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442",
  "name": "a001fd3d-188f-4b5d-821b-7da978bf7442",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/deployments/write",
        "Microsoft.CognitiveServices/accounts/deployments/delete",
        "Microsoft.CognitiveServices/accounts/raiPolicies/read",
        "Microsoft.CognitiveServices/accounts/raiPolicies/write",
        "Microsoft.CognitiveServices/accounts/raiPolicies/delete",
        "Microsoft.CognitiveServices/accounts/commitmentplans/read",
        "Microsoft.CognitiveServices/accounts/commitmentplans/write",
        "Microsoft.CognitiveServices/accounts/commitmentplans/delete",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/OpenAI/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services OpenAI Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services OpenAI User

Ability to view files, models and deployments, and to call inference operations such as completions, chat completions, embeddings and image generation. The DataActions are an explicit list rather than OpenAI/*, and there are no control-plane write or listkeys permissions: deployment management and fine-tuning stay with the Contributor role.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
DataActions
Microsoft.CognitiveServices/accounts/OpenAI/*/read
Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action  Create a completion from a chosen model
Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action  Search for the most relevant documents using the current engine.
Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action  (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant.
Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write
Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action  Search for the most relevant documents using the current engine.
Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action  Create a completion from a chosen model.
Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action  Creates a completion for the chat message
Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action  Creates a completion for the chat message with extensions
Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action  Return the embeddings for a given prompt.
Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write
Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action  Create image generations.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd",
  "name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/OpenAI/*/read",
        "Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action",
        "Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write",
        "Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services OpenAI User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Editor

Lets you create, edit, import and export a KB. You cannot publish or delete a KB. Note that the role can read and regenerate the endpoint keys (endpointkeys/read, endpointkeys/refreshkeys/action), so it is more than a content-editing role: an editor can obtain and rotate the credential used to query the runtime.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
DataActions
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker/operations/read  Gets details of a specific long running operation.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read  Gets endpoint settings for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read  Gets details of a specific long running operation.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write  Asynchronous operation to create a new knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write  Asynchronous operation to modify a knowledgebase or replace knowledgebase contents.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action  Train call to add suggestions to the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write  Replace alterations data.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action  Re-generates an endpoint key.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write  Updates endpoint settings for an endpoint.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read  Gets details of a specific long running operation.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Reader

Lets you read and test a KB only. The reader can still read (but not regenerate) the endpoint keys, so it is not free of credential access.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read  Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read  Get information about a role definition.
NotActions
DataActions
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read  Gets endpoint settings for an endpoint
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read  Gets the list of knowledgebases or details of a specific knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read  Download the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action  GenerateAnswer call to query the knowledgebase.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read  Download alterations from runtime.
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read  Gets endpoint keys for an endpoint
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read  Gets endpoint settings for an endpoint
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you read and test a KB only.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
  "name": "466ccd10-b268-4a11-b098-b4849f024126",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Usages Reader

Minimal permission to view Cognitive Services usages.

Actions  Description
Microsoft.CognitiveServices/locations/usages/read  Read all usages data
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Minimal permission to view Cognitive Services usages.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-4667-a9ad-c31c7b334ac2",
  "name": "bba48692-92b0-4667-a9ad-c31c7b334ac2",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/locations/usages/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Usages Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services User

Lets you read and list keys of Cognitive Services. The description understates the role: its DataActions entry Microsoft.CognitiveServices/* grants every data-plane operation on every Cognitive Services resource type in scope (Custom Vision, Face, OpenAI, QnA Maker and the rest), and listkeys/action returns the account keys, which carry the same data-plane access outside RBAC. It is not a read-only role; assign it at the narrowest resource scope that works.

Actions  Description
Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/listkeys/action  List Keys
Microsoft.Insights/alertRules/read  Read a classic metric alert
Microsoft.Insights/diagnosticSettings/read  Read a resource diagnostic setting
Microsoft.Insights/logDefinitions/read  Read log definitions
Microsoft.Insights/metricdefinitions/read  Read metric definitions
Microsoft.Insights/metrics/read  Read metrics
Microsoft.ResourceHealth/availabilityStatuses/read  Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/operations/read  Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read  Get the subscription operation results.
Microsoft.Resources/subscriptions/read  Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read  Gets or lists resource groups.
Microsoft.Support/*  Create and update a support ticket
NotActions
DataActions
Microsoft.CognitiveServices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and list keys of Cognitive Services.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
  "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Internet of Things

Device Update Administrator

Gives you full access to management and content operations Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/write Performs a write operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/delete Performs a delete operation related to updates
Microsoft.DeviceUpdate/accounts/instances/management/read Performs a read operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/write Performs a write operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/delete Performs a delete operation related to management
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management and content operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Administrator

Gives you full access to content operations Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/write Performs a write operation related to updates
Microsoft.DeviceUpdate/accounts/instances/updates/delete Performs a delete operation related to updates
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to content operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Reader

Gives you read access to content operations, but does not allow making changes Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to content operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Deployments Administrator

Gives you full access to management operations Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read Performs a read operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/write Performs a write operation related to management
Microsoft.DeviceUpdate/accounts/instances/management/delete Performs a delete operation related to management
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management operations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
  "name": "e4237640-0e3d-4a46-8fda-70bc94856432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Deployments Reader

Gives you read access to management operations, but does not allow making changes Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/management/read Performs a read operation related to management
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Reader

Gives you read access to management and content operations, but does not allow making changes Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
NotActions
DataActions
Microsoft.DeviceUpdate/accounts/instances/updates/read Performs a read operation related to updates
Microsoft.DeviceUpdate/accounts/instances/management/read Performs a read operation related to management
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Data Contributor

Allows for full access to IoT Hub data plane operations. Learn more

Actions Description
NotActions
DataActions
Microsoft.Devices/IotHubs/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub data plane operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
  "name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Data Reader

Allows for full read access to IoT Hub data-plane properties. Learn more

Actions Description
NotActions
DataActions
Microsoft.Devices/IotHubs/*/read
Microsoft.Devices/IotHubs/fileUpload/notifications/action Receive, complete, or abandon file upload notifications
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Registry Contributor

Allows for full access to IoT Hub device registry. Learn more

Actions Description
NotActions
DataActions
Microsoft.Devices/IotHubs/devices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub device registry.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Twin Contributor

Allows for read and write access to all IoT Hub device and module twins. Learn more

Actions Description
NotActions
DataActions
Microsoft.Devices/IotHubs/twins/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Twin Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Mixed reality

Remote Rendering Administrator

Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering Learn more

Actions Description
NotActions
DataActions
Microsoft.MixedReality/RemoteRenderingAccounts/convert/action Start asset conversion
Microsoft.MixedReality/RemoteRenderingAccounts/convert/read Get asset conversion properties
Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete Stop asset conversion
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Get session properties
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Start sessions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Stop sessions
Microsoft.MixedReality/RemoteRenderingAccounts/render/read Connect to a session
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read Connect to the Remote Rendering inspector
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Remote Rendering Client

Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. Learn more

Actions Description
NotActions
DataActions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Get session properties
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Start sessions
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Stop sessions
Microsoft.MixedReality/RemoteRenderingAccounts/render/read Connect to a session
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read Connect to the Remote Rendering inspector
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Client",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Contributor

Lets you manage spatial anchors in your account, but not delete them Learn more

Actions Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Create spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
Microsoft.MixedReality/SpatialAnchorsAccounts/write Update spatial anchors properties
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, but not delete them",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Owner

Lets you manage spatial anchors in your account, including deleting them Learn more

Actions Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Create spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/delete Delete spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
Microsoft.MixedReality/SpatialAnchorsAccounts/write Update spatial anchors properties
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, including deleting them",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
  "name": "70bbe301-9835-447d-afdd-19eb3167307c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Reader

Lets you locate and read properties of spatial anchors in your account Learn more

Actions Description
NotActions
DataActions
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Discover nearby spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Get properties of spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Locate spatial anchors
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you locate and read properties of spatial anchors in your account",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration

API Management Service Contributor

Can manage service and the APIs Learn more

Actions Description
Microsoft.ApiManagement/service/* Create and manage API Management service
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service and the APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
  "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Operator Role

Can manage service but not the APIs Learn more

Actions Description
Microsoft.ApiManagement/service/*/read Read API Management Service instances
Microsoft.ApiManagement/service/backup/action Backup API Management Service to the specified container in a user provided storage account
Microsoft.ApiManagement/service/delete Delete API Management Service instance
Microsoft.ApiManagement/service/managedeployments/action Change SKU/units, add/remove regional deployments of API Management Service
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.ApiManagement/service/restore/action Restore API Management Service from the specified container in a user provided storage account
Microsoft.ApiManagement/service/updatecertificate/action Upload TLS/SSL certificate for an API Management Service
Microsoft.ApiManagement/service/updatehostname/action Setup, update or remove custom domain names for an API Management Service
Microsoft.ApiManagement/service/write Create or Update API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.ApiManagement/service/users/keys/read Get keys associated with user
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service but not the APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Reader Role

Read-only access to service and APIs Learn more

Actions Description
Microsoft.ApiManagement/service/*/read Read API Management Service instances
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.ApiManagement/service/users/keys/read Get keys associated with user
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to service and APIs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
  "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Developer

Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. Learn more

Actions Description
Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier.
Microsoft.ApiManagement/service/tags/apiLinks/*
Microsoft.ApiManagement/service/tags/operationLinks/*
Microsoft.ApiManagement/service/tags/productLinks/*
Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier.
Microsoft.ApiManagement/service/products/apiLinks/*
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Product Manager

Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. Learn more

Actions Description
Microsoft.ApiManagement/service/users/read Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier.
Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier.
Microsoft.ApiManagement/service/tags/apiLinks/*
Microsoft.ApiManagement/service/tags/operationLinks/*
Microsoft.ApiManagement/service/tags/productLinks/*
Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier.
Microsoft.ApiManagement/service/products/apiLinks/*
Microsoft.ApiManagement/service/groups/read Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier.
Microsoft.ApiManagement/service/groups/users/*
Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/users/read",
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/groups/read",
        "Microsoft.ApiManagement/service/groups/users/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Developer

Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.ApiManagement/service/workspaces/apis/*
Microsoft.ApiManagement/service/workspaces/apiVersionSets/*
Microsoft.ApiManagement/service/workspaces/policies/*
Microsoft.ApiManagement/service/workspaces/schemas/*
Microsoft.ApiManagement/service/workspaces/products/*
Microsoft.ApiManagement/service/workspaces/policyFragments/*
Microsoft.ApiManagement/service/workspaces/namedValues/*
Microsoft.ApiManagement/service/workspaces/tags/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6",
  "name": "56328988-075d-4c6a-8766-d93edd6725b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/apis/*",
        "Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
        "Microsoft.ApiManagement/service/workspaces/policies/*",
        "Microsoft.ApiManagement/service/workspaces/schemas/*",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/policyFragments/*",
        "Microsoft.ApiManagement/service/workspaces/namedValues/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API 管理工作区 API 产品经理

对工作区中的实体具有读取访问权限,并对用于发布 API 的实体具有读写访问权限。 应在工作区范围内分配此角色。 了解详细信息

操作 说明
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.ApiManagement/service/workspaces/products/*
Microsoft.ApiManagement/service/workspaces/subscriptions/*
Microsoft.ApiManagement/service/workspaces/groups/*
Microsoft.ApiManagement/service/workspaces/tags/*
Microsoft.ApiManagement/service/workspaces/notifications/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/subscriptions/*",
        "Microsoft.ApiManagement/service/workspaces/groups/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.ApiManagement/service/workspaces/notifications/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Contributor

Can manage the workspace and view, but not modify, its members. This role should be assigned on the workspace scope. Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Reader

Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. Learn more

Actions Description
Microsoft.ApiManagement/service/workspaces/*/read
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Owner

Allows full access to App Configuration data. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
Microsoft.AppConfiguration/configurationStores/*/write
Microsoft.AppConfiguration/configurationStores/*/delete
Microsoft.AppConfiguration/configurationStores/*/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows full access to App Configuration data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete",
        "Microsoft.AppConfiguration/configurationStores/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Reader

Allows read access to App Configuration data. Learn more

Actions Description
NotActions
DataActions
Microsoft.AppConfiguration/configurationStores/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to App Configuration data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
  "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Listener

Allows for listen access to Azure Relay resources.

Actions Description
Microsoft.Relay/*/wcfRelays/read
Microsoft.Relay/*/hybridConnections/read
NotActions
DataActions
Microsoft.Relay/*/listen/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listen access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
  "name": "26e0b698-aa6d-4085-9386-aadae190014d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/listen/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Listener",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Owner

Allows for full access to Azure Relay resources.

Actions Description
Microsoft.Relay/*
NotActions
DataActions
Microsoft.Relay/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Sender

Allows for send access to Azure Relay resources.

Actions Description
Microsoft.Relay/*/wcfRelays/read
Microsoft.Relay/*/hybridConnections/read
NotActions
DataActions
Microsoft.Relay/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Relay resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Owner

Allows for full access to Azure Service Bus resources. Learn more

Actions Description
Microsoft.ServiceBus/*
NotActions
DataActions
Microsoft.ServiceBus/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
  "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Receiver

Allows for receive access to Azure Service Bus resources. Learn more

Actions Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft.ServiceBus/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for receive access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Sender

Allows for send access to Azure Service Bus resources. Learn more

Actions Description
Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft.ServiceBus/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions Description
Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read Gets the properties of an Azure Stack Marketplace product
Microsoft.AzureStack/registrations/read Gets the properties of an Azure Stack registration
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Contributor

Lets you manage EventGrid operations.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/* Create and manage Event Grid resources
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
  "name": "1e241071-0855-49ea-94dc-649edcd759de",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Data Sender

Allows send access to Event Grid events.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/topics/read Read a topic
Microsoft.EventGrid/domains/read Read a domain
Microsoft.EventGrid/partnerNamespaces/read Read a partner namespace
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.EventGrid/namespaces/read Read a namespace
NotActions
DataActions
Microsoft.EventGrid/events/send/action Send events to topics
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to event grid events.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
  "name": "d5a91429-5739-47e2-a06b-3470a27159e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/topics/read",
        "Microsoft.EventGrid/domains/read",
        "Microsoft.EventGrid/partnerNamespaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.EventGrid/namespaces/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/events/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Contributor

Lets you manage EventGrid event subscription operations. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/* Create and manage regional event subscriptions
Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topic type
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid event subscription operations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Reader

Lets you read EventGrid event subscriptions. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.EventGrid/eventSubscriptions/read Read an event subscription
Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type
Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topic type
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read EventGrid event subscriptions.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
  "name": "2414bbcf-6497-4faf-8c65-045460748405",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Contributor

Role allows user or principal full access to FHIR data. Learn more

Actions Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/*
Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
NotDataActions
Microsoft.HealthcareApis/services/fhir/resources/smart/action Allows user to access the FHIR service according to the SMART on FHIR specification.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action Allows user to access the FHIR service according to the SMART on FHIR specification.
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal full access to FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/smart/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
      ]
    }
  ],
  "roleName": "FHIR Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Exporter

Role allows user or principal to read and export FHIR data. Learn more

Actions Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export).
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and export FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
  "name": "3db33094-8700-4567-8da5-1501d4e7e843",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Exporter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Importer

Role allows user or principal to read and import FHIR data. Learn more

Actions Description
NotActions
DataActions
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Bulk import FHIR resources.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and import FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b",
  "name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Importer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Reader

Role allows user or principal to read FHIR data. Learn more

Actions Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Writer

Role allows user or principal to read and write FHIR data. Learn more

Actions Description
NotActions
DataActions
Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/services/fhir/resources/write Write FHIR resources (includes create and update).
Microsoft.HealthcareApis/services/fhir/resources/delete Delete FHIR resources (soft delete).
Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action Validate operation ($validate).
Microsoft.HealthcareApis/services/fhir/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed.
Microsoft.HealthcareApis/services/fhir/resources/convertData/action Data convert operation ($convert-data)
Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action Allows user to perform Create, Update and Delete operations on profile resources.
Microsoft.HealthcareApis/services/fhir/resources/import/action Bulk import FHIR resources.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/write Write FHIR resources (includes create and update).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete Delete FHIR resources (soft delete).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action Validate operation ($validate).
Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action Data convert operation ($convert-data)
Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action Allows user to perform Create, Update and Delete operations on profile resources.
Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Bulk import FHIR resources.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and write FHIR Data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
  "name": "3f88fce4-5892-4214-ae73-ba5294559913",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/write",
        "Microsoft.HealthcareApis/services/fhir/resources/delete",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action",
        "Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
        "Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
        "Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action",
        "Microsoft.HealthcareApis/services/fhir/resources/import/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Contributor

Lets you manage integration service environments, but not access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Support/* Create and update a support ticket
Microsoft.Logic/integrationServiceEnvironments/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage integration service environments, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Developer

Allows developers to create and update workflows, integration accounts and API connections in integration service environments. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Support/* Create and update a support ticket
Microsoft.Logic/integrationServiceEnvironments/read Reads the integration service environment.
Microsoft.Logic/integrationServiceEnvironments/*/join/action
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Intelligent Systems Account Contributor

Lets you manage Intelligent Systems accounts, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.IntelligentSystems/accounts/* Create and manage Intelligent Systems accounts
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
  "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Intelligent Systems Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Contributor

Lets you manage logic apps, but not change access to them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given account.
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/metricAlerts/*
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/logdefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log.
Microsoft.Insights/metricDefinitions/* Read metric definitions (list of available metric types for a resource).
Microsoft.Logic/* Manages Logic Apps resources.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* Create and update a support ticket
Microsoft.Web/connectionGateways/* Creates and manages a Connection Gateway.
Microsoft.Web/connections/* Creates and manages a Connection.
Microsoft.Web/customApis/* Creates and manages a Custom API.
Microsoft.Web/serverFarms/join/action Joins an App Service Plan
Microsoft.Web/serverFarms/read Get the properties of an App Service Plan
Microsoft.Web/sites/functions/listSecrets/action List Function secrets.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage logic app, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Operator

Lets you read, enable, and disable logic apps, but not edit or update them. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/*/read Read Insights alert rules
Microsoft.Insights/metricAlerts/*/read
Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps
Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps.
Microsoft.Logic/*/read Reads Logic Apps resources.
Microsoft.Logic/workflows/disable/action Disables the workflow.
Microsoft.Logic/workflows/enable/action Enables the workflow.
Microsoft.Logic/workflows/validate/action Validates the workflow.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Web/connectionGateways/*/read Read Connection Gateways.
Microsoft.Web/connections/*/read Read Connections.
Microsoft.Web/customApis/*/read Read Custom APIs.
Microsoft.Web/serverFarms/read Get the properties of an App Service Plan
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read, enable and disable logic app.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Identity

Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/deployments/delete Deletes a deployment.
Microsoft.Resources/deployments/cancel/action Cancels a deployment.
Microsoft.Resources/deployments/validate/action Validates a deployment.
Microsoft.Resources/deployments/whatIf/action Predicts template deployment changes.
Microsoft.Resources/deployments/exportTemplate/action Export template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Insights/Logs/Read Reading data from all your logs
Microsoft.Insights/Metrics/Read Read metrics
Microsoft.Insights/DiagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/DiagnosticSettingsCategories/Read Read diagnostic settings categories
Microsoft.AAD/register/action Register Domain Service
Microsoft.AAD/unregister/action Unregister Domain Service
Microsoft.AAD/domainServices/*
Microsoft.Network/register/action Registers the subscription
Microsoft.Network/unregister/action Unregisters the subscription
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/write Creates a virtual network or updates an existing virtual network
Microsoft.Network/virtualNetworks/delete Deletes a virtual network
Microsoft.Network/virtualNetworks/peer/action Peers a virtual network with another virtual network
Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/subnets/delete Deletes a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write Creates a virtual network peering or updates an existing virtual network peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete Deletes a virtual network peering
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read Get the diagnostic settings of Virtual Network
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read Gets available metrics for the PingMesh
Microsoft.Network/azureFirewalls/read Get Azure Firewall
Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan
Microsoft.Network/ddosProtectionPlans/join/action Joins a DDoS Protection Plan. Not alertable.
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/loadBalancers/delete Deletes a load balancer
Microsoft.Network/loadBalancers/*/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound NAT rule. Not Alertable.
Microsoft.Network/natGateways/join/action Joins a NAT Gateway
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/networkInterfaces/delete Deletes a network interface
Microsoft.Network/networkInterfaces/join/action Joins a Virtual Machine to a network interface. Not Alertable.
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read Gets a default security rule definition
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/networkSecurityGroups/write Creates a network security group or updates an existing network security group
Microsoft.Network/networkSecurityGroups/delete Deletes a network security group
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Network/networkSecurityGroups/securityRules/read Gets a security rule definition
Microsoft.Network/networkSecurityGroups/securityRules/write Creates a security rule or updates an existing security rule
Microsoft.Network/networkSecurityGroups/securityRules/delete Deletes a security rule
Microsoft.Network/routeTables/read Gets a route table definition
Microsoft.Network/routeTables/write Creates a route table or updates an existing route table
Microsoft.Network/routeTables/delete Deletes a route table definition
Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.
Microsoft.Network/routeTables/routes/read Gets a route definition
Microsoft.Network/routeTables/routes/write Creates a route or updates an existing route
Microsoft.Network/routeTables/routes/delete Deletes a route definition
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Domain Services Reader

Can view Azure AD Domain Services and related network configurations

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Insights/Logs/Read Reading data from all your logs
Microsoft.Insights/Metrics/read Read metrics
Microsoft.Insights/DiagnosticSettings/read Read a resource diagnostic setting
Microsoft.Insights/DiagnosticSettingsCategories/Read Read diagnostic settings categories
Microsoft.AAD/domainServices/*/read
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read Get the diagnostic settings of Virtual Network
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read Gets available metrics for the PingMesh
Microsoft.Network/azureFirewalls/read Get Azure Firewall
Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan
Microsoft.Network/loadBalancers/read Gets a load balancer definition
Microsoft.Network/loadBalancers/*/read
Microsoft.Network/natGateways/read Gets a NAT Gateway definition
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read Gets a default security rule definition
Microsoft.Network/networkSecurityGroups/read Gets a network security group definition
Microsoft.Network/networkSecurityGroups/securityRules/read Gets a security rule definition
Microsoft.Network/routeTables/read Gets a route table definition
Microsoft.Network/routeTables/routes/read Gets a route definition
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Contributor

Create, Read, Update, and Delete User Assigned Identity Learn more

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/read Gets an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/write Creates a new user assigned identity or updates the tags associated with an existing user assigned identity
Microsoft.ManagedIdentity/userAssignedIdentities/delete Deletes an existing user assigned identity
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Operator

Read and Assign User Assigned Identity Learn more

Actions Description
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security

App Compliance Automation Administrator

Create, read, download, modify and delete reports objects and related other resource objects. Learn more

Actions Description
Microsoft.AppComplianceAutomation/*
Microsoft.Storage/storageAccounts/blobServices/write Returns the result of put blob service properties
Microsoft.Storage/storageAccounts/fileservices/write Put file service properties
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/write Creates a storage account with the specified parameters, updates the properties or tags of the specified storage account, or adds a custom domain for it.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the blob service
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put blob container
Microsoft.Storage/storageAccounts/blobServices/read Returns blob service properties or statistics
Microsoft.PolicyInsights/policyStates/queryResults/action Queries information about policy states.
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action Triggers a new compliance evaluation for the selected scope.
Microsoft.Resources/resources/read Get the list of resources based upon filters.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/resources/read Gets the resources for the resource group.
Microsoft.Resources/subscriptions/resources/read Gets resources of a subscription.
Microsoft.Resources/subscriptions/resourceGroups/delete Deletes a resource group and all its resources.
Microsoft.Resources/subscriptions/resourceGroups/write Creates or updates a resource group.
Microsoft.Resources/tags/read Gets all the tags on a resource.
Microsoft.Resources/deployments/validate/action Validates a deployment.
Microsoft.Security/automations/read Gets the automations for the scope
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Security/automations/delete Deletes the automation for the scope
Microsoft.Security/automations/write Creates or updates the automation for the scope
Microsoft.Security/register/action Registers the subscription for Azure Security Center
Microsoft.Security/unregister/action Unregisters the subscription from Azure Security Center
*/read Read resources of all types, except secrets.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, download, modify and delete reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppComplianceAutomation/*",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/fileservices/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.PolicyInsights/policyStates/queryResults/action",
        "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/tags/read",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Security/automations/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Security/automations/delete",
        "Microsoft.Security/automations/write",
        "Microsoft.Security/register/action",
        "Microsoft.Security/unregister/action",
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Compliance Automation Reader

Read and download the reports objects and related other resource objects. Learn more

Actions Description
*/read Read resources of all types, except secrets.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, download the reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Attestation Contributor

Can read, write, or delete the attestation provider instance Learn more

Actions Description
Microsoft.Attestation/attestationProviders/attestation/read Gets the attestation service status.
Microsoft.Attestation/attestationProviders/attestation/write Adds attestation service.
Microsoft.Attestation/attestationProviders/attestation/delete Removes attestation service.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Attestation Reader

Can read the attestation provider properties Learn more

Actions Description
Microsoft.Attestation/attestationProviders/attestation/read Gets the attestation service status.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read the attestation provider properties",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Administrator

Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault resource provider
NotActions
DataActions
Microsoft.KeyVault/vaults/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Certificates Officer

Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault resource provider
NotActions
DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
Microsoft.KeyVault/vaults/certificatecontacts/write Manage Certificate Contacts
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*",
        "Microsoft.KeyVault/vaults/certificatecontacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Contributor

Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.KeyVault/*
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.KeyVault/locations/deletedVaults/purge/action Purge a soft deleted key vault
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Officer

Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault resource provider
NotActions
DataActions
Microsoft.KeyVault/vaults/keys/*
Microsoft.KeyVault/vaults/keyrotationpolicies/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Service Encryption User

Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions Description
Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription
Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription
Microsoft.EventGrid/eventSubscriptions/delete Delete an eventSubscription
NotActions
DataActions
Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto User

Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions Description
NotActions
DataActions
Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
Microsoft.KeyVault/vaults/keys/update/action Updates the specified attributes associated with the given key.
Microsoft.KeyVault/vaults/keys/backup/action Creates the backup file of a key. The file can be used to restore the key in a Key Vault of the same subscription. Restrictions may apply.
Microsoft.KeyVault/vaults/keys/encrypt/action Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/decrypt/action Decrypts ciphertext with a key.
Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.
Microsoft.KeyVault/vaults/keys/sign/action Signs a message digest (hash) with a key.
Microsoft.KeyVault/vaults/keys/verify/action Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Data Access Administrator (preview)

Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.

Action Description
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/vaults/*/read
NotActions
DataActions
NotDataActions
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) Add or remove role assignments for the following roles:
Key Vault Administrator
Key Vault Certificates Officer
Key Vault Crypto Officer
Key Vault Crypto Service Encryption User
Key Vault Crypto User
Key Vault Reader
Key Vault Secrets Officer
Key Vault Secrets User
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
    "properties": {
        "roleName": "Key Vault Data Access Administrator (preview)",
        "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Management/managementGroups/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Support/*",
                    "Microsoft.KeyVault/vaults/*/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": [],
                "conditionVersion": "2.0",
                "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
            }
        ]
    }
}
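To see what the condition above actually permits, here is an added example (editor's code, not Microsoft's and not the Azure RBAC engine) that pulls the two GuidEquals sets out of the condition string and evaluates a role-assignment request the way the condition reads: a roleAssignments/write is allowed only when the requested RoleDefinitionId is one of the eight listed GUIDs, a roleAssignments/delete only when the existing assignment's RoleDefinitionId is, and any other action is unconstrained. The evaluator handles only this clause shape, not the general ABAC grammar. The GUID-to-name table follows the order of the role description; the last five IDs appear on this page with those names, the first three are assumed from that order. The Owner role ID used in the usage check and the choice to treat a missing attribute as non-matching are also assumptions.

```python
import re

# Condition copied from the Key Vault Data Access Administrator (preview) definition.
CONDITION = (
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR "
    "(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{"
    "00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, "
    "14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, "
    "12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, "
    "b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND "
    "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR "
    "(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
    "ForAnyOfAnyValues:GuidEquals{"
    "00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, "
    "14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, "
    "12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, "
    "b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
)

WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"

# GUID -> role name in the order the role description lists them. The last five
# are the IDs shown on this page; the first three are assumed from that order.
ROLE_NAMES = {
    "00482a5a-887f-4fb3-b363-3b7fe8e74483": "Key Vault Administrator",
    "a4417e6f-fecd-4de8-b567-7b0420556985": "Key Vault Certificates Officer",
    "14b46e9e-c2b7-41b4-b07b-48a6ebf60603": "Key Vault Crypto Officer",
    "e147488a-f6f5-4113-8e2d-b22465e65bf6": "Key Vault Crypto Service Encryption User",
    "12338af0-0e69-4776-bea7-57ae8d297424": "Key Vault Crypto User",
    "21090545-7ca7-4776-b22c-e363652d74d2": "Key Vault Reader",
    "b86a8fe4-44ce-4948-aee5-eccb2c155cd7": "Key Vault Secrets Officer",
    "4633458b-17de-408a-b874-0445c86b69e6": "Key Vault Secrets User",
}

# One clause: (!(ActionMatches{'X'})) OR (@Request|@Resource[...:RoleDefinitionId]
# ForAnyOfAnyValues:GuidEquals{g1, g2, ...}). Only this shape is understood.
_CLAUSE = re.compile(
    r"ActionMatches\{'([^']+)'\}\)\) OR \(@(Request|Resource)\[[^\]]+:RoleDefinitionId\] "
    r"ForAnyOfAnyValues:GuidEquals\{([^}]*)\}"
)


def role_guid(role_definition_id):
    # Accepts a bare GUID or a full /providers/.../roleDefinitions/<guid> path.
    return role_definition_id.rsplit("/", 1)[-1].lower()


def parse_allowed_roles(condition):
    """Return {action: (attribute source, frozenset of allowed role GUIDs)}."""
    clauses = {}
    for action, source, guids in _CLAUSE.findall(condition):
        clauses[action] = (source, frozenset(g.strip().lower() for g in guids.split(",")))
    return clauses


def condition_permits(condition, action, request_role_id=None, resource_role_id=None):
    """True if the condition holds for this request. A clause is satisfied either
    because the action differs (the !(ActionMatches) branch) or because the
    RoleDefinitionId attribute is in its GuidEquals set. For write the attribute
    comes from the request body, for delete from the existing assignment.
    A missing attribute is treated as not matching (assumption)."""
    for constrained_action, (source, allowed) in parse_allowed_roles(condition).items():
        if action != constrained_action:
            continue
        attr = request_role_id if source == "Request" else resource_role_id
        if attr is None or role_guid(attr) not in allowed:
            return False
    return True


def grantable_roles(condition):
    """Names of the roles a holder of this role can assign."""
    return sorted(ROLE_NAMES.get(g, g) for g in parse_allowed_roles(condition)[WRITE][1])


if __name__ == "__main__":
    print("Can assign:", ", ".join(grantable_roles(CONDITION)))
    owner = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # Owner built-in role ID (assumed)
    print("Assign Owner?", condition_permits(CONDITION, WRITE, request_role_id=owner))
```

The check shows both the limit the condition imposes and the one it does not. The holder cannot assign Owner, nor the Data Access Administrator role itself (8b54135c-... is not in the set), so the role cannot be used to escalate outside Key Vault. But nothing in the condition restricts the principal or the scope of the assignment, so a holder at subscription scope can still assign Key Vault Administrator, the broadest of the eight, to any principal including their own, for every vault in that subscription. Assign this role at the vault or resource-group scope it is meant to cover and alert on roleAssignments/write events under it.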

Key Vault Reader

Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft-deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
DataActions
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action List or view the properties of a secret, but not its value.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets Officer

Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read View the properties of soft-deleted key vaults
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read Lists operations available on the Microsoft.KeyVault resource provider
NotActions
DataActions
Microsoft.KeyVault/vaults/secrets/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets User

Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Action Description
NotActions
DataActions
Microsoft.KeyVault/vaults/secrets/getSecret/action Gets the value of a secret.
Microsoft.KeyVault/vaults/secrets/readMetadata/action List or view the properties of a secret, but not its value.
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed HSM contributor

Lets you manage managed HSM pools, but not access to them. Learn more

Action Description
Microsoft.KeyVault/managedHSMs/*
Microsoft.KeyVault/deletedManagedHsms/read View the properties of a deleted managed HSM
Microsoft.KeyVault/locations/deletedManagedHsms/read View the properties of a deleted managed HSM
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action Purge a soft-deleted managed HSM
Microsoft.KeyVault/locations/managedHsmOperationResults/read Check the result of a long-running operation
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Automation Contributor

Microsoft Sentinel Automation Contributor Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Logic/workflows/triggers/read Reads the trigger.
Microsoft.Logic/workflows/triggers/listCallbackUrl/action Gets the callback URL for the trigger.
Microsoft.Logic/workflows/runs/read Reads the workflow run.
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read List Web Apps Hostruntime Workflow Triggers.
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action Get Web Apps Hostruntime Workflow Trigger URI.
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read List Web Apps Hostruntime Workflow Runs.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Contributor

Microsoft Sentinel Contributor Learn more

Action Description
Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using the new engine.
Microsoft.OperationalInsights/workspaces/*/read View Log Analytics data
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read Get an existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get data sources under a workspace.
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read Read a private workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Playbook Operator

Microsoft Sentinel Playbook Operator Learn more

Action Description
Microsoft.Logic/workflows/read Reads the workflow.
Microsoft.Logic/workflows/triggers/listCallbackUrl/action Gets the callback URL for the trigger.
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action Get Web Apps Hostruntime Workflow Trigger URI.
Microsoft.Web/sites/read Get the properties of a Web App
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Playbook Operator",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
  "name": "51d6186e-6489-4900-b93f-92e23144cca5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Playbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Reader

Microsoft Sentinel Reader Learn more

Action Description
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Check user authorization and license
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Query Threat Intelligence Indicators
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Query Threat Intelligence Indicators
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using the new engine.
Microsoft.OperationalInsights/workspaces/*/read View Log Analytics data
Microsoft.OperationalInsights/workspaces/LinkedServices/read Get linked services under the given workspace.
Microsoft.OperationalInsights/workspaces/savedSearches/read Gets a saved search query.
Microsoft.OperationsManagement/solutions/read Get an existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get data sources under a workspace.
Microsoft.Insights/workbooks/read Read a workbook
Microsoft.Insights/myworkbooks/read Read a private workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/templateSpecs/*/read Get or list template specs and template spec versions
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Responder

Microsoft Sentinel Responder Learn more

Action Description
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Check user authorization and license
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Append tags to a Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Query Threat Intelligence Indicators
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action Bulk-tag Threat Intelligence
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Append tags to a Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action Replace the tags of a Threat Intelligence Indicator
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Query Threat Intelligence Indicators
Microsoft.OperationalInsights/workspaces/analytics/query/action Search using the new engine.
Microsoft.OperationalInsights/workspaces/*/read View Log Analytics data
Microsoft.OperationalInsights/workspaces/dataSources/read Get data sources under a workspace.
Microsoft.OperationalInsights/workspaces/savedSearches/read Gets a saved search query.
Microsoft.OperationsManagement/solutions/read Get an existing OMS solution
Microsoft.OperationalInsights/workspaces/query/read Run queries over the data in the workspace
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read Get data sources under a workspace.
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/read Read a workbook
Microsoft.Insights/myworkbooks/read Read a private workbook
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Responder",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
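The Key Vault Reader, Key Vault Secrets User, Microsoft Sentinel Contributor and Microsoft Sentinel Responder definitions above all depend on how wildcards and NotActions compose, which the tables do not spell out. This added example (editor's code, not Microsoft's and not the Azure RBAC engine) implements the documented rules: '*' matches any run of characters including '/', comparison is case-insensitive, Actions and DataActions are evaluated as separate lists, NotActions only subtract from the same role's Actions, and several assigned roles combine as a union. The role definitions are trimmed copies of the ones on this page. Microsoft.SecurityInsights/incidents/comments/delete is an assumed child operation, used only to show what the incidents/*/Delete exclusion catches.

```python
import re


def _matches(pattern, operation):
    # Azure RBAC operation matching: '*' stands for any run of characters,
    # including '/', and the comparison is case-insensitive.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_permitted(permission, operation, data_plane=False):
    # One "permissions" entry of a role definition. Control-plane operations are
    # checked against actions/notActions, data-plane operations against
    # dataActions/notDataActions; the two pairs never mix. NotActions only
    # subtract from what this entry's Actions granted; they are not deny rules.
    allow = permission["dataActions"] if data_plane else permission["actions"]
    deny = permission["notDataActions"] if data_plane else permission["notActions"]
    if not any(_matches(p, operation) for p in allow):
        return False
    return not any(_matches(p, operation) for p in deny)


def effective(roles, operation, data_plane=False):
    # Several assigned roles combine as a union: the operation is allowed if any
    # one role allows it, so a NotAction in one role cannot cancel another role's Action.
    return any(is_permitted(p, operation, data_plane)
               for role in roles for p in role["permissions"])


# Trimmed copies of role definitions from this page (only the lists used here).
KEY_VAULT_READER = {"roleName": "Key Vault Reader", "permissions": [{
    "actions": ["Microsoft.KeyVault/vaults/*/read"], "notActions": [],
    "dataActions": ["Microsoft.KeyVault/vaults/*/read",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    "notDataActions": []}]}
KEY_VAULT_SECRETS_USER = {"roleName": "Key Vault Secrets User", "permissions": [{
    "actions": [], "notActions": [],
    "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
    "notDataActions": []}]}
SENTINEL_CONTRIBUTOR = {"roleName": "Microsoft Sentinel Contributor", "permissions": [{
    "actions": ["Microsoft.SecurityInsights/*",
                "Microsoft.OperationalInsights/workspaces/query/*/read"],
    "notActions": ["Microsoft.SecurityInsights/ConfidentialWatchlists/*",
                   "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"],
    "dataActions": [], "notDataActions": []}]}
SENTINEL_RESPONDER = {"roleName": "Microsoft Sentinel Responder", "permissions": [{
    "actions": ["Microsoft.SecurityInsights/*/read",
                "Microsoft.SecurityInsights/incidents/*"],
    "notActions": ["Microsoft.SecurityInsights/incidents/*/Delete",
                   "Microsoft.SecurityInsights/ConfidentialWatchlists/*"],
    "dataActions": [], "notDataActions": []}]}


def demo():
    # Returns {label: allowed}. Operation names come from the role tables above,
    # except incidents/comments/delete, which is an assumed child operation.
    return {
        "reader reads key metadata":
            effective([KEY_VAULT_READER], "Microsoft.KeyVault/vaults/keys/read", True),
        "reader reads secret value":
            effective([KEY_VAULT_READER], "Microsoft.KeyVault/vaults/secrets/getSecret/action", True),
        "reader + secrets user reads secret value":
            effective([KEY_VAULT_READER, KEY_VAULT_SECRETS_USER],
                      "Microsoft.KeyVault/vaults/secrets/getSecret/action", True),
        "contributor reads confidential watchlist":
            effective([SENTINEL_CONTRIBUTOR], "Microsoft.SecurityInsights/ConfidentialWatchlists/read"),
        "contributor deletes incident comment":
            effective([SENTINEL_CONTRIBUTOR], "Microsoft.SecurityInsights/incidents/comments/delete"),
        "responder deletes incident comment":
            effective([SENTINEL_RESPONDER], "Microsoft.SecurityInsights/incidents/comments/delete"),
        "responder updates incident":
            effective([SENTINEL_RESPONDER], "Microsoft.SecurityInsights/incidents/write"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {label}")
```

Two things fall out of running it. Key Vault Reader's dataAction Microsoft.KeyVault/vaults/*/read matches keys/read but not secrets/getSecret/action, which is why a Reader cannot fetch secret values while a principal holding Reader plus Secrets User can; and, as the Key Vault Crypto User table notes, keys/read returns the public half of an asymmetric key, so a Reader who is denied keys/encrypt/action by this check can still encrypt, wrap or verify with that key locally. The NotActions on the Sentinel roles are a subtraction, not a deny: any other assigned role that grants those operations restores them.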

Security Admin

View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role, and can also update the security policy and dismiss alerts and recommendations.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Authorization/policyAssignments/* Create and manage policy assignments
Microsoft.Authorization/policyDefinitions/* Create and manage policy definitions
Microsoft.Authorization/policyExemptions/* Create and manage policy exemptions
Microsoft.Authorization/policySetDefinitions/* Create and manage policy sets
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.operationalInsights/workspaces/*/read View Log Analytics data
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Security/* Create and manage security components and policies
Microsoft.IoTSecurity/*
Microsoft.IoTFirmwareDefense/*
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.IoTFirmwareDefense/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Assessment Contributor

Lets you push assessments to Microsoft Defender for Cloud

Action Description
Microsoft.Security/assessments/write Create or update security assessments on your subscription
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Manager (Legacy)

This is a legacy role. Use Security Admin instead.

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicCompute/*/read Read configuration information for classic virtual machines
Microsoft.ClassicCompute/virtualMachines/*/write Write configuration for classic virtual machines
Microsoft.ClassicNetwork/*/read Read configuration information about classic networks
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Security/* Create and manage security components and policies
Microsoft.Support/* Create and update a support ticket
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Reader

View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, the security policy, and security states, but cannot make changes.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/read Read a classic metric alert
Microsoft.operationalInsights/workspaces/*/read View Log Analytics data
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Security/*/read Read security components and policies
Microsoft.IoTSecurity/*/read
Microsoft.Support/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action Gets downloadable IoT Defender package information
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action Download the manager activation file with subscription quota data
Microsoft.Security/iotSensors/downloadResetPassword/action Downloads the reset password file for IoT sensors
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action Gets downloadable IoT Defender package information
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action Download the manager activation file
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DevOps

DevTest Labs User

Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. Learn more

Action Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/availabilitySets/read Get the properties of an availability set
Microsoft.Compute/virtualMachines/*/read Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.)
Microsoft.Compute/virtualMachines/deallocate/action Powers off the virtual machine and releases the compute resources
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/restart/action Restarts the virtual machine
Microsoft.Compute/virtualMachines/start/action Starts the virtual machine
Microsoft.DevTestLab/*/read Read the properties of a lab
Microsoft.DevTestLab/labs/claimAnyVm/action Claim a random claimable virtual machine in the lab.
Microsoft.DevTestLab/labs/createEnvironment/action Create virtual machines in a lab.
Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action Ensure the current user has a valid profile in the lab.
Microsoft.DevTestLab/labs/formulas/delete Delete formulas.
Microsoft.DevTestLab/labs/formulas/read Read formulas.
Microsoft.DevTestLab/labs/formulas/write Add or modify formulas.
Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action Evaluates lab policy.
Microsoft.DevTestLab/labs/virtualMachines/claim/action Take ownership of an existing virtual machine
Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action Lists the applicable start/stop schedules, if any.
Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action Gets a string that represents the contents of the RDP file for the virtual machine
Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound NAT rule. Not alertable.
Microsoft.Network/networkInterfaces/*/read Read the properties of a network interface (for example, all the load balancers that the network interface is a part of)
Microsoft.Network/networkInterfaces/join/action Joins a virtual machine to a network interface. Not alertable.
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/publicIPAddresses/*/read Read the properties of a public IP address
Microsoft.Network/publicIPAddresses/join/action Joins a public IP address. Not alertable.
Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not alertable.
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
NotActions
Microsoft.Compute/virtualMachines/vmSizes/read Lists available sizes the virtual machine can be updated to
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
  "name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DevTest Labs User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Assistant

Lets you view an existing lab, perform actions on the lab VMs, and send invitations to the lab. Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.LabServices/labPlans/images/read Get the properties of an image.
Microsoft.LabServices/labPlans/read Get the properties of a lab plan.
Microsoft.LabServices/labs/read Get the properties of a lab.
Microsoft.LabServices/labs/schedules/read Get the properties of a schedule.
Microsoft.LabServices/labs/users/read Get the properties of a user.
Microsoft.LabServices/labs/users/invite/action Send an email invitation to a user to join the lab.
Microsoft.LabServices/labs/virtualMachines/read Get the properties of a virtual machine.
Microsoft.LabServices/labs/virtualMachines/start/action Start a virtual machine.
Microsoft.LabServices/labs/virtualMachines/stop/action Stop and deallocate a virtual machine.
Microsoft.LabServices/labs/virtualMachines/reimage/action Reimage a virtual machine to the last published image.
Microsoft.LabServices/labs/virtualMachines/redeploy/action Redeploy a virtual machine to a different compute node.
Microsoft.LabServices/locations/usages/read Get usage in a location
Microsoft.LabServices/skus/read Get the properties of a Lab Services SKU.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions Description
none
DataActions Description
none
NotDataActions Description
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "The lab assistant role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1",
  "name": "ce40b423-cede-4313-a93f-9b28290b72e1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/users/invite/action",
        "Microsoft.LabServices/labs/virtualMachine