適用於資料庫的 Azure 內建角色
本文列出 [資料庫] 類別中的 Azure 內建角色。
Azure 連線的 SQL Server 上線
允許在已啟用 Arc 的伺服器上對 SQL Server 的 Azure 資源進行讀取和寫入存取。
動作 | 描述 |
---|---|
Microsoft.AzureArcData/sqlServerInstances/read | 擷取 SQL Server 實例資源 |
Microsoft.AzureArcData/sqlServerInstances/write | 更新 SQL Server 實例資源 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB 帳戶讀取者角色
可讀取 Azure Cosmos DB 帳戶資料。 請參閱 DocumentDB 帳戶參與者 來管理 Azure Cosmos DB 帳戶。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.DocumentDB/*/read | 讀取任何集合 |
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | 讀取資料庫帳戶唯讀密鑰。 |
Microsoft.Insights/MetricDefinitions/read | 讀取計量定義 |
Microsoft.Insights/Metrics/read | 讀取計量 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB 操作員
可讓您管理 Azure Cosmos DB 帳戶,但無法存取其中的資料。 防止存取帳戶金鑰和連接字串。
動作 | 描述 |
---|---|
Microsoft.DocumentDb/databaseAccounts/* | |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。 |
NotActions | |
Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* | |
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | 建立或更新 SQL 角色定義 |
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | 刪除 SQL 角色定義 |
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | 建立或更新 SQL 角色指派 |
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | 刪除 SQL 角色指派 |
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | 建立或更新 Mongo 角色定義 |
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | 刪除 MongoDB 角色定義 |
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | 建立或更新 MongoDB 用戶定義 |
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | 刪除 MongoDB 用戶定義 |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
可為帳戶的 Cosmos DB 資料庫或容器提交還原要求
動作 | 描述 |
---|---|
Microsoft.DocumentDB/databaseAccounts/backup/action | 提交要求以設定備份 |
Microsoft.DocumentDB/databaseAccounts/restore/action | 提交還原要求 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
可針對連續備份模式的 Cosmos DB 資料庫帳戶執行還原動作
動作 | 描述 |
---|---|
Microsoft.DocumentDB/locations/restoreableDatabaseAccounts/restore/action | 提交還原要求 |
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | 讀取可還原的資料庫帳戶或列出所有可還原的資料庫帳戶 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB 帳戶參與者
可管理 Azure Cosmos DB 帳戶。 Azure Cosmos DB 先前稱為 DocumentDB。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.DocumentDb/databaseAccounts/* | 建立和管理 Azure Cosmos DB 帳戶 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
PostgreSQL 彈性伺服器長期保留備份角色
允許備份保存庫存取 PostgreSQL 彈性伺服器資源 API 以進行長期保留備份的角色。
動作 | 描述 |
---|---|
Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read | 傳回 PostgreSQL 伺服器長期備份作業追蹤的清單。 |
Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action | 檢查伺服器是否已準備好進行長期備份 |
Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action | 開始伺服器的長期備份 |
Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read | 傳回 PostgreSQL 伺服器作業結果 |
Microsoft.DBforPostgreSQL/locations/operationResults/read | 傳回 PostgreSQL 伺服器作業結果 |
Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-43ba-90d4-1fb21feae531",
"name": "c088a766-074b-43ba-90d4-1fb21feae531",
"permissions": [
{
"actions": [
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action",
"Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action",
"Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read",
"Microsoft.DBforPostgreSQL/locations/operationResults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis 快取參與者
可讓您管理 Redis 快取,但無法加以存取。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Cache/register/action | 向訂用帳戶註冊 『Microsoft.Cache』 資源提供者 |
Microsoft.Cache/redis/* | 建立和管理 Redis 快取 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB 參與者
可讓您管理 SQL 資料庫,但無法加以存取。 此外,您無法管理其安全性相關原則或其父 SQL 伺服器。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/servers/databases/* | 建立和管理 SQL 資料庫 |
Microsoft.Sql/servers/read | 傳回伺服器清單,或取得指定伺服器的屬性。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Insights/metrics/read | 讀取計量 |
Microsoft.Insights/metricDefinitions/read | 讀取計量定義 |
NotActions | |
Microsoft.Sql/servers/databases/ledgerDigestUploads/write | 啟用上傳總帳摘要 |
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | 停用上傳總帳摘要 |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/auditingSettings/* | 編輯稽核設定 |
Microsoft.Sql/servers/databases/auditRecords/read | 擷取資料庫 Blob 稽核記錄 |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 編輯數據遮罩原則 |
Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | 編輯安全性警示原則 |
Microsoft.Sql/servers/databases/securityMetrics/* | 編輯安全性計量 |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 受控執行個體參與者
可讓您管理 SQL 受控執行個體,並需要網路設定,但無法授與其他人存取權。
動作 | 描述 |
---|---|
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Network/networkSecurityGroups/* | |
Microsoft.Network/routeTables/* | |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/locations/instanceFailoverGroups/* | |
Microsoft.Sql/managedInstances/* | |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Network/virtualNetworks/subnets/* | |
Microsoft.Network/virtualNetworks/* | |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Insights/metrics/read | 讀取計量 |
Microsoft.Insights/metricDefinitions/read | 讀取計量定義 |
NotActions | |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | 刪除特定的受控伺服器 Azure Active Directory 僅限驗證物件 |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | 新增或更新特定的受控伺服器 Azure Active Directory 僅限驗證物件 |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL 安全性管理員
可讓您管理 SQL 伺服器及資料庫的安全性相關原則,但無法加以存取。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Sql/locations/administratorAzureAsyncOperation/read | 取得受控實例 azure 異步管理員作業結果。 |
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | 擷取針對指定實例設定的受控實例進階威脅防護設定清單 |
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | 變更指定受控實例的受控實例進階威脅防護設定 |
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | 擷取針對指定受控資料庫設定的受控資料庫進階威脅防護設定清單 |
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | 變更指定受控資料庫的資料庫進階威脅防護設定 |
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | 擷取針對指定實例設定的受控實例進階威脅防護設定清單 |
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | 變更指定受控實例的受控實例進階威脅防護設定 |
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | 擷取針對指定受控資料庫設定的受控資料庫進階威脅防護設定清單 |
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | 變更指定受控資料庫的資料庫進階威脅防護設定 |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/advancedThreatProtectionSettings/read | 擷取針對指定伺服器設定的伺服器進階威脅防護設定清單 |
Microsoft.Sql/servers/advancedThreatProtectionSettings/write | 變更指定伺服器的 [進階威脅防護] 設定 |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/serverConfigurationOptions/read | 取得指定 Azure SQL 受控執行個體 伺服器組態選項的屬性。 |
Microsoft.Sql/managedInstances/serverConfigurationOptions/write | 更新指定實例 Azure SQL 受控執行個體 的伺服器組態選項屬性。 |
Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | 取得 azure 異步操作 Azure SQL 受控執行個體 伺服器組態選項的狀態。 |
Microsoft.Sql/servers/advancedThreatProtectionSettings/read | 擷取針對指定伺服器設定的伺服器進階威脅防護設定清單 |
Microsoft.Sql/servers/advancedThreatProtectionSettings/write | 變更指定伺服器的 [進階威脅防護] 設定 |
Microsoft.Sql/servers/auditingSettings/* | 建立和管理 SQL Server 稽核設定 |
Microsoft.Sql/servers/extendedAuditingSettings/read | 擷取指定伺服器上所設定之擴充伺服器 Blob 稽核原則的詳細數據 |
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | 擷取針對指定資料庫設定的資料庫進階威脅防護設定清單 |
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | 變更指定資料庫的資料庫進階威脅防護設定 |
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | 擷取針對指定資料庫設定的資料庫進階威脅防護設定清單 |
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | 變更指定資料庫的資料庫進階威脅防護設定 |
Microsoft.Sql/servers/databases/auditingSettings/* | 建立和管理 SQL Server 資料庫稽核設定 |
Microsoft.Sql/servers/databases/auditRecords/read | 擷取資料庫 Blob 稽核記錄 |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 建立和管理 SQL Server 資料庫數據遮罩原則 |
Microsoft.Sql/servers/databases/extendedAuditingSettings/read | 擷取指定資料庫上所設定之擴充 Blob 稽核原則的詳細數據 |
Microsoft.Sql/servers/databases/read | 傳回資料庫清單,或取得指定資料庫的屬性。 |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/read | 取得資料庫架構。 |
Microsoft.Sql/servers/databases/schemas/tables/columns/read | 取得資料庫數據行。 |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/read | 取得資料庫數據表。 |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | 建立和管理 SQL Server 資料庫安全性警示原則 |
Microsoft.Sql/servers/databases/securityMetrics/* | 建立和管理 SQL Server 資料庫安全性計量 |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/devOpsAuditingSettings/* | |
Microsoft.Sql/servers/firewallRules/* | |
Microsoft.Sql/servers/read | 傳回伺服器清單,或取得指定伺服器的屬性。 |
Microsoft.Sql/servers/securityAlertPolicies/* | 建立和管理 SQL Server 安全性警示原則 |
Microsoft.Sql/servers/sqlvulnerabilityAssessments/* | |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
Microsoft.Sql/managedInstances/read | 傳回受控執行個體的清單,或取得指定受控執行個體的屬性。 |
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
Microsoft.Security/sqlVulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/administrators/read | 取得受控實例管理員的清單。 |
Microsoft.Sql/servers/administrators/read | 取得特定的 Azure Active Directory 系統管理員物件 |
Microsoft.Sql/servers/databases/ledgerDigestUploads/* | |
Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | 取得總賬摘要上傳設定的進行中作業 |
Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | 取得總賬摘要上傳設定的進行中作業 |
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server 參與者
可讓您管理 SQL 伺服器及資料庫,但無法存取它們,以及它們的安全性相關原則。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Sql/locations/*/read | |
Microsoft.Sql/servers/* | 建立和管理 SQL Server |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.Insights/metrics/read | 讀取計量 |
Microsoft.Insights/metricDefinitions/read | 讀取計量定義 |
NotActions | |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/auditingSettings/* | 編輯 SQL Server 稽核設定 |
Microsoft.Sql/servers/databases/auditingSettings/* | 編輯 SQL Server 資料庫稽核設定 |
Microsoft.Sql/servers/databases/auditRecords/read | 擷取資料庫 Blob 稽核記錄 |
Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | 編輯 SQL Server 資料庫數據遮罩原則 |
Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/securityAlertPolicies/* | 編輯 SQL Server 資料庫安全性警示原則 |
Microsoft.Sql/servers/databases/securityMetrics/* | 編輯 SQL Server 資料庫安全性計量 |
Microsoft.Sql/servers/databases/sensitivityLabels/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
Microsoft.Sql/servers/devOpsAuditingSettings/* | |
Microsoft.Sql/servers/extendedAuditingSettings/* | |
Microsoft.Sql/servers/securityAlertPolicies/* | 編輯 SQL Server 安全性警示原則 |
Microsoft.Sql/servers/vulnerabilityAssessments/* | |
Microsoft.Sql/servers/azureADOnlyAuthentications/delete | 刪除特定的伺服器 Azure Active Directory 僅限驗證物件 |
Microsoft.Sql/servers/azureADOnlyAuthentications/write | 新增或更新特定伺服器 Azure Active Directory 僅限驗證物件 |
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | 刪除特定伺服器外部原則型授權屬性 |
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | 新增或更新特定伺服器外部原則型授權屬性 |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}