Azure built-in roles for Security
This article lists the Azure built-in roles in the Security category.
App Compliance Automation Administrator
Create, read, download, modify and delete reports objects and related other resource objects.
Actions | Description |
---|---|
Microsoft.AppComplianceAutomation/* | |
Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties |
Microsoft.Storage/storageAccounts/fileservices/write | Put file service properties |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters, updates the properties or tags of the specified storage account, or adds a custom domain for it. |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the blob service |
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns the list of containers |
Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics |
Microsoft.PolicyInsights/policyStates/queryResults/action | Query information about policy states. |
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action | Triggers a new compliance evaluation for the selected scope. |
Microsoft.Resources/resources/read | Gets the list of resources based on filters. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources of the resource group. |
Microsoft.Resources/subscriptions/resources/read | Gets the resources of the subscription. |
Microsoft.Resources/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. |
Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
Microsoft.Resources/tags/read | Gets all the tags on a resource. |
Microsoft.Resources/deployments/validate/action | Validates a deployment. |
Microsoft.Security/automations/read | Gets the automations for the scope |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Security/automations/delete | Deletes the automation for the scope |
Microsoft.Security/automations/write | Creates or updates the automation for the scope |
Microsoft.Security/register/action | Registers the subscription for Azure Security Center |
Microsoft.Security/unregister/action | Unregisters the subscription from Azure Security Center |
*/read | Read resources of all types, except secrets. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Create, read, download, modify and delete reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
"name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
"permissions": [
{
"actions": [
"Microsoft.AppComplianceAutomation/*",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/fileservices/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.PolicyInsights/policyStates/queryResults/action",
"Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Security/automations/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Security/automations/delete",
"Microsoft.Security/automations/write",
"Microsoft.Security/register/action",
"Microsoft.Security/unregister/action",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Compliance Automation Reader
Read and download the reports objects and related other resource objects.
Actions | Description |
---|---|
*/read | Read resources of all types, except secrets. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read, download the reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Attestation Contributor
Can read, write or delete the attestation provider instance
Actions | Description |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | Gets the status of the attestation service. |
Microsoft.Attestation/attestationProviders/attestation/write | Adds an attestation service. |
Microsoft.Attestation/attestationProviders/attestation/delete | Removes an attestation service. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider instance",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Attestation Reader
Can read the attestation provider properties
Actions | Description |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | Gets the status of the attestation service. |
Microsoft.Attestation/attestationProviders/read | Gets the status of the attestation service. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Administrator
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists the operations available on the Microsoft.KeyVault resource provider |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Certificate User
Read certificate contents. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/certificates/read | List certificates in the specified key vault, or get information about a certificate. |
Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificates/read",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificate User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Certificates Officer
Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists the operations available on the Microsoft.KeyVault resource provider |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/certificatecas/* | |
Microsoft.KeyVault/vaults/certificates/* | |
Microsoft.KeyVault/vaults/certificatecontacts/write | Manage certificate contacts |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/certificatecontacts/write"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Contributor
Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates.
Important
When using the access policy permission model, a user with the Contributor role, the Key Vault Contributor role, or any other role that includes the Microsoft.KeyVault/vaults/write management-plane permission for the key vault can grant themselves data plane access by setting a key vault access policy. To prevent unauthorized access to and management of key vaults, keys, secrets, and certificates, Contributor role access to key vaults under the access policy permission model must be restricted. To mitigate this risk, we recommend using the role-based access control (RBAC) permission model, which limits permission management to the Owner and User Access Administrator roles, allowing a clear separation between security operations and administrative duties. For more information, see the Key Vault RBAC guide and What is Azure RBAC?
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.KeyVault/* | |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
NotActions | |
Microsoft.KeyVault/locations/deletedVaults/purge/action | Purge a soft-deleted key vault |
Microsoft.KeyVault/hsmPools/* | |
Microsoft.KeyVault/managedHsms/* | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
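The Important note above describes the escalation path under the access policy model and its mitigation. The following added example (not code from the Azure docs page) evaluates Azure RBAC action wildcards the way the control plane does, against trimmed copies of three role definitions from this page, so a reviewer can check which roles actually carry Microsoft.KeyVault/vaults/write; the matching rules are standard Azure RBAC semantics, and the helper names are the example's own.

```python
"""Azure RBAC action matching applied to this page's Key Vault roles.

Added example, not from the Azure docs page. It implements the control-plane
rule that effective permissions are Actions minus NotActions (DataActions
minus NotDataActions for the data plane), '*' matching any characters and
comparison being case-insensitive, and checks which of three roles copied
from this page carries Microsoft.KeyVault/vaults/write, the permission the
Important note flags under the access policy model.
"""
import re

# Trimmed copies of role definitions from this page. Role names and action
# strings are the page's own; entries irrelevant to the checks are omitted.
KEY_VAULT_CONTRIBUTOR = {
    "roleName": "Key Vault Contributor",
    "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*",
    ],
    "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*",
    ],
    "dataActions": [],
    "notDataActions": [],
}
KEY_VAULT_ADMINISTRATOR = {
    "roleName": "Key Vault Administrator",
    "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read",
    ],
    "notActions": [],
    "dataActions": ["Microsoft.KeyVault/vaults/*"],
    "notDataActions": [],
}
KEY_VAULT_READER = {
    "roleName": "Key Vault Reader",
    "actions": ["Microsoft.Authorization/*/read", "Microsoft.KeyVault/vaults/*/read"],
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "notDataActions": [],
}
PAGE_ROLES = [KEY_VAULT_CONTRIBUTOR, KEY_VAULT_ADMINISTRATOR, KEY_VAULT_READER]


def _pattern_to_regex(pattern: str) -> re.Pattern:
    # '*' in an Azure action string matches any characters, '/' included.
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_matches(pattern: str, operation: str) -> bool:
    """True if one Actions/NotActions entry covers the given operation."""
    return _pattern_to_regex(pattern).match(operation) is not None


def role_grants(role: dict, operation: str, plane: str = "control") -> bool:
    """Effective permission: covered by the allow list and not excluded.

    NotActions subtracts within this role only; it is not a deny, so a
    second assigned role can still grant what this one excludes.
    """
    allow, exclude = {
        "control": ("actions", "notActions"),
        "data": ("dataActions", "notDataActions"),
    }[plane]
    allowed = any(action_matches(p, operation) for p in role.get(allow, []))
    excluded = any(action_matches(p, operation) for p in role.get(exclude, []))
    return allowed and not excluded


def roles_granting(roles: list, operation: str, plane: str = "control") -> list:
    """Names of the roles whose effective permissions include the operation."""
    return [r["roleName"] for r in roles if role_grants(r, operation, plane)]


def can_set_access_policy(role: dict) -> bool:
    """The management-plane write the Important note above warns about."""
    return role_grants(role, "Microsoft.KeyVault/vaults/write")


if __name__ == "__main__":
    for role in PAGE_ROLES:
        print(f"{role['roleName']}: vaults/write = {can_set_access_policy(role)}")
```

Running it shows that only Key Vault Contributor (through Microsoft.KeyVault/*) carries the vault write permission, while Key Vault Administrator, despite full data-plane rights, holds only read actions on the management plane.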
Key Vault Crypto Officer
Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists the operations available on the Microsoft.KeyVault resource provider |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/keys/* | |
Microsoft.KeyVault/vaults/keyrotationpolicies/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Service Encryption User
Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.EventGrid/eventSubscriptions/write | Create or update an event subscription |
Microsoft.EventGrid/eventSubscriptions/read | Read an event subscription |
Microsoft.EventGrid/eventSubscriptions/delete | Delete an event subscription |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Service Release User
Release keys. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/keys/release/action | Release the key using the public part of the KEK from the attestation token. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/release/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Release User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto User
Perform cryptographic operations using keys. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read the properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
Microsoft.KeyVault/vaults/keys/update/action | Updates the specified attributes associated with the given key. |
Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key. The file can be used to restore the key in a Key Vault of the same subscription. Restrictions may apply. |
Microsoft.KeyVault/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/decrypt/action | Decrypts ciphertext with a key. |
Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
Microsoft.KeyVault/vaults/keys/sign/action | Signs a message digest (hash) with a key. |
Microsoft.KeyVault/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Data Access Administrator
Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.
Actions | Description |
---|---|
Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/vaults/*/read | |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles: Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, Key Vault Secrets User |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
"name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/vaults/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
}
],
"roleName": "Key Vault Data Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Reader
Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists the operations available on the Microsoft.KeyVault resource provider |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
Microsoft.KeyVault/deletedVaults/read | View the properties of soft-deleted key vaults |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | Lists the operations available on the Microsoft.KeyVault resource provider |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/* | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets User
Read secret contents. Only works for key vaults that use the "Azure role-based access control" permission model.
Actions | Description |
---|---|
None | |
NotActions | |
None | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed HSM contributor
Lets you manage managed HSM pools, but not access to them.
Actions | Description |
---|---|
Microsoft.KeyVault/managedHSMs/* | |
Microsoft.KeyVault/deletedManagedHsms/read | View the properties of a deleted managed HSM |
Microsoft.KeyVault/locations/deletedManagedHsms/read | View the properties of a deleted managed HSM |
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | Purge a soft-deleted managed HSM |
Microsoft.KeyVault/locations/managedHsmOperationResults/read | Check the result of a long-running operation |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Automation Contributor
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Logic/workflows/triggers/read | Reads the trigger. |
Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for the trigger. |
Microsoft.Logic/workflows/runs/read | Reads the workflow run. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime workflow triggers. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get the Web Apps Hostruntime workflow trigger URI. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime workflow runs. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Contributor
Microsoft Sentinel Contributor
Actions | Description |
---|---|
Microsoft.SecurityInsights/* | |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using the new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View Log Analytics data |
Microsoft.OperationalInsights/workspaces/savedSearches/* | |
Microsoft.OperationsManagement/solutions/read | Get an existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get data sources under a workspace. |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/* | |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage classic metric alerts |
Microsoft.Resources/deployments/* | Create and manage deployments |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update support tickets |
NotActions | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
None | |
NotDataActions | |
None |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Playbook Operator
Microsoft Sentinel Playbook Operator
Actions | Description |
---|---|
Microsoft.Logic/workflows/read | Reads the workflow. |
Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for a trigger. |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger URI. |
Microsoft.Web/sites/read | Get the properties of a Web App |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Playbook Operator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
"name": "51d6186e-6489-4900-b93f-92e23144cca5",
"permissions": [
{
"actions": [
"Microsoft.Logic/workflows/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Playbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Reader
Microsoft Sentinel Reader
Actions | Description |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/LinkedServices/read | Get linked services under the given workspace. |
Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query. |
Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/templateSpecs/*/read | Get or list template specs and template spec versions |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/templateSpecs/*/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Responder
Microsoft Sentinel Responder
Actions | Description |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
Microsoft.SecurityInsights/automationRules/* | |
Microsoft.SecurityInsights/cases/* | |
Microsoft.SecurityInsights/incidents/* | |
Microsoft.SecurityInsights/entities/runPlaybook/action | Run playbook over an entity |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to a Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action | Bulk tag Threat Intelligence |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to a Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action | Replace tags of a Threat Intelligence Indicator |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action | Undo an action |
Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query. |
Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | Get datasources under a workspace. |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/read | Read a workbook |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
Microsoft.SecurityInsights/cases/*/Delete | |
Microsoft.SecurityInsights/incidents/*/Delete | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/entities/runPlaybook/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete",
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Admin
View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role, and can also update the security policy and dismiss alerts and recommendations.
For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Authorization/policyAssignments/* | Create and manage policy assignments |
Microsoft.Authorization/policyDefinitions/* | Create and manage policy definitions |
Microsoft.Authorization/policyExemptions/* | Create and manage policy exemptions |
Microsoft.Authorization/policySetDefinitions/* | Create and manage policy sets |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/* | Create and manage security components and policies |
Microsoft.IoTSecurity/* | |
Microsoft.IoTFirmwareDefense/* | |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Assessment Contributor
Lets you push assessments to Microsoft Defender for Cloud
Actions | Description |
---|---|
Microsoft.Security/assessments/write | Create or update security assessments on your subscription |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Manager (Legacy)
This is a legacy role. Please use Security Admin instead.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.ClassicCompute/*/read | Read configuration information for classic virtual machines |
Microsoft.ClassicCompute/virtualMachines/*/write | Write configuration for classic virtual machines |
Microsoft.ClassicNetwork/*/read | Read configuration information about classic networks |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/* | Create and manage security components and policies |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator instead",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Reader
View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, security policies, and security states, but cannot make changes.
For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/read | Read a classic metric alert |
Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
Microsoft.Resources/deployments/*/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Security/*/read | Read security components and policies |
Microsoft.IoTSecurity/*/read | |
Microsoft.Support/*/read | |
Microsoft.Security/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender package information |
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action | Download the manager activation file with subscription quota data |
Microsoft.Security/iotSensors/downloadResetPassword/action | Downloads the reset password file for IoT sensors |
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender package information |
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | Download the manager activation file |
Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
NotActions | |
None | |
DataActions | |
None | |
NotDataActions | |
None | |
{
"assignableScopes": [
"/"
],
"description": "Security Reader Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",
"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}