適用於一般專案的 Azure 內建角色

  • 文章

本文列出 [一般] 類別中的 Azure 內建角色。

參與者

授與管理所有資源的完整存取權,但不允許您在 Azure RBAC 中指派角色、在 Azure 藍圖中管理指派,或共用映像庫。

深入了解

動作 描述
* 建立和管理所有類型的資源
NotActions
Microsoft.Authorization/*/Delete 刪除角色、原則指派、原則定義和原則集定義
Microsoft.Authorization/*/Write 建立角色、角色指派、原則指派、原則定義和原則集定義
Microsoft.Authorization/elevateAccess/Action 授與呼叫者租用戶範圍的使用者存取管理員存取
Microsoft.Blueprint/blueprintAssignments/write 建立或更新任何藍圖指派
Microsoft.Blueprint/blueprintAssignments/delete 刪除任何藍圖指派
Microsoft.Compute/galleries/share/action 將資源庫共用至不同的範圍
Microsoft.Purview/consents/write 建立或更新同意資源。
Microsoft.Purview/consents/delete 刪除同意資源。
DataActions
none
NotDataActions
none 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

負責人

授與管理所有資源的完整存取權,包括在 Azure RBAC 中指派角色的能力。

深入了解

動作 描述
* 建立和管理所有類型的資源
NotActions
none
DataActions
none
NotDataActions
none 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

讀取者

可檢視所有資源,但無法變更。

深入了解

動作 描述
*/read 讀取除了秘密以外的所有類型的資源。
NotActions
none
DataActions
none
NotDataActions
none 
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

角色型 存取控制 管理員 istrator

使用 Azure RBAC 指派角色來管理 Azure 資源的存取權。 此角色不允許使用其他方式來管理存取,例如 Azure 原則。

動作 描述
Microsoft.Authorization/roleAssignments/write 在指定的範圍建立角色指派。
Microsoft.Authorization/roleAssignments/delete 刪除指定範圍的角色指派。
*/read 讀取除了秘密以外的所有類型的資源。
Microsoft.Support/* 建立及更新支援票證
NotActions
none
DataActions
none
NotDataActions
none 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Role Based Access Control Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

使用者存取系統管理員

可讓您管理使用者對 Azure 資源的存取。

深入了解

動作 描述
*/read 讀取除了秘密以外的所有類型的資源。
Microsoft.Authorization/* 管理授權
Microsoft.Support/* 建立及更新支援票證
NotActions
none
DataActions
none
NotDataActions
none 
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

下一步