適用於安全性的 Azure 內建角色

文章
09/20/2024

本文列出安全性類別中的 Azure 內建角色。

應用程式合規性自動化系統管理員

建立、讀取、下載、修改和刪除報告物件和其他相關資源物件。

動作	描述
Microsoft.AppComplianceAutomation/*
Microsoft.Storage/storageAccounts/blobServices/write	傳回放置 Blob 服務屬性的結果
Microsoft.Storage/storageAccounts/fileservices/write	放置檔案服務屬性
Microsoft.Storage/storageAccounts/listKeys/action	傳回指定儲存體帳戶的存取金鑰。
Microsoft.Storage/storageAccounts/write	使用指定參數來建立儲存體帳戶、更新指定儲存體帳戶的屬性或標記，或新增指定儲存體帳戶的自訂網域。
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action	傳回 Blob 服務的使用者委派金鑰
Microsoft.Storage/storageAccounts/read	傳回儲存體帳戶的清單，或取得指定之儲存體帳戶的屬性。
Microsoft.Storage/storageAccounts/blobServices/containers/read	傳回容器清單
Microsoft.Storage/storageAccounts/blobServices/containers/write	傳回放置 Blob 容器的結果
Microsoft.Storage/storageAccounts/blobServices/read	傳回 Blob 服務屬性或統計數據
Microsoft.PolicyInsights/policyStates/queryResults/action	查詢原則狀態的相關信息。
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action	觸發所選範圍的新合規性評估。
Microsoft.Resources/resources/read	根據篩選取得資源清單。
Microsoft.Resources/subscriptions/read	取得訂用帳戶的清單。
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Resources/subscriptions/resourceGroups/resources/read	取得資源群組的資源。
Microsoft.Resources/subscriptions/resources/read	取得訂用帳戶的資源。
Microsoft.Resources/subscriptions/resourceGroups/delete	刪除資源群組及其所有資源。
Microsoft.Resources/subscriptions/resourceGroups/write	建立或更新資源群組。
Microsoft.Resources/tags/read	取得資源上的所有標記。
Microsoft.Resources/deployments/validate/action	驗證部署。
Microsoft.Security/automations/read	取得範圍的自動化
Microsoft.Resources/deployments/write	建立或更新部署。
Microsoft.Security/automations/delete	刪除範圍的自動化
Microsoft.Security/automations/write	建立或更新範圍的自動化
Microsoft.Security/register/action	註冊 Azure 資訊安全中心的訂用帳戶
Microsoft.Security/unregister/action	從 Azure 資訊安全中心取消註冊訂用帳戶
*/read	讀取除了秘密以外的所有類型的資源。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, download, modify and delete reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppComplianceAutomation/*",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/fileservices/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.PolicyInsights/policyStates/queryResults/action",
        "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/tags/read",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Security/automations/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Security/automations/delete",
        "Microsoft.Security/automations/write",
        "Microsoft.Security/register/action",
        "Microsoft.Security/unregister/action",
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

應用程式合規性自動化讀取者

讀取、下載報告物件和其他相關資源物件。

深入了解

動作	描述
*/read	讀取除了秘密以外的所有類型的資源。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, download the reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

證明參與者

可讀取、寫入或刪除證明提供者執行個體

深入了解

動作	描述
Microsoft.Attestation/attestationProviders/attestation/read	取得證明服務狀態。
Microsoft.Attestation/attestationProviders/attestation/write	新增證明服務。
Microsoft.Attestation/attestationProviders/attestation/delete	拿掉證明服務。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

證明讀取者

可讀取證明提供者屬性

深入了解

動作	描述
Microsoft.Attestation/attestationProviders/attestation/read	取得證明服務狀態。
Microsoft.Attestation/attestationProviders/read	取得證明服務狀態。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read the attestation provider properties",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 系統管理員

可在金鑰保存庫和其中的所有物件上執行所有資料平面作業，包括憑證、金鑰和祕密。無法管理金鑰保存庫資源或管理角色指派。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read	檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read	檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read	列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

金鑰保存庫憑證使用者

讀取憑證內容。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/certificates/read	列出指定之金鑰保存庫中的憑證，或取得憑證的相關信息。
Microsoft.KeyVault/vaults/secrets/getSecret/action	取得密碼的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action	列出或檢視秘密的屬性，但不是其值。
Microsoft.KeyVault/vaults/keys/read	列出指定保存庫中的金鑰，或讀取金鑰的屬性和公開數據。針對非對稱金鑰，此作業會公開公鑰，並包含執行公鑰演演算法的能力，例如加密和驗證簽章。私鑰和對稱金鑰永遠不會公開。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificates/read",
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        "Microsoft.KeyVault/vaults/keys/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificate User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 憑證員

可對金鑰保存庫的憑證執行任何動作，但不能管理權限。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read	檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read	檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read	列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
Microsoft.KeyVault/vaults/certificatecontacts/write	管理憑證聯繫人
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*",
        "Microsoft.KeyVault/vaults/certificatecontacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 參與者

管理金鑰保存庫，但不允許您在 Azure RBAC 中指派角色，也不允許您存取秘密、金鑰或憑證。

深入了解

重要

使用存取原則許可權模型時，具有Contributor、 Key Vault Contributor或任何其他包含Microsoft.KeyVault/vaults/write密鑰保存庫管理平面許可權角色的使用者，可以藉由設定金鑰保存庫存取原則來授與自己數據平面存取權。若要防止未經授權的密鑰保存庫、金鑰、秘密和憑證存取和管理，請務必限制存取原則許可權模型中密鑰保存庫的參與者角色存取權。若要降低此風險，建議您使用角色型存取控制（RBAC）許可權模型，此模型會將許可權管理限制為「擁有者」和「使用者存取系統管理員」角色，以明確區分安全性作業與系統管理職責。如需詳細資訊，請參閱金鑰保存庫 RBAC 指南和什麼是 Azure RBAC？

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.KeyVault/*
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
NotActions
Microsoft.KeyVault/locations/deletedVaults/purge/action	清除虛刪除的 Key Vault
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯員

可對金鑰保存庫的金鑰執行任何動作，但不能管理權限。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read	檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read	檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read	列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/*
Microsoft.KeyVault/vaults/keyrotationpolicies/*
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯服務加密使用者

可讀取金鑰的中繼資料，並執行包裝/解除包裝作業。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.EventGrid/eventSubscriptions/write	建立或更新 eventSubscription
Microsoft.EventGrid/eventSubscriptions/read	讀取 eventSubscription
Microsoft.EventGrid/eventSubscriptions/delete	刪除 eventSubscription
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read	列出指定保存庫中的金鑰，或讀取金鑰的屬性和公開數據。針對非對稱金鑰，此作業會公開公鑰，並包含執行公鑰演演算法的能力，例如加密和驗證簽章。私鑰和對稱金鑰永遠不會公開。
Microsoft.KeyVault/vaults/keys/wrap/action	使用金鑰保存庫金鑰包裝對稱金鑰。請注意，如果金鑰保存庫金鑰非對稱，則此作業可由具有讀取許可權的主體執行。
Microsoft.KeyVault/vaults/keys/unwrap/action	使用金鑰保存庫金鑰解除包裝對稱金鑰。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯服務發行使用者

發行金鑰。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/release/action	從證明令牌使用KEK的公開部分來釋放金鑰。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/release/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Release User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯使用者

使用金鑰執行密碼編譯作業。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read	列出指定保存庫中的金鑰，或讀取金鑰的屬性和公開數據。針對非對稱金鑰，此作業會公開公鑰，並包含執行公鑰演演算法的能力，例如加密和驗證簽章。私鑰和對稱金鑰永遠不會公開。
Microsoft.KeyVault/vaults/keys/update/action	更新與指定索引鍵相關聯的指定屬性。
Microsoft.KeyVault/vaults/keys/backup/action	建立金鑰的備份檔案。檔案可用來還原相同訂用帳戶金鑰保存庫中的金鑰。可能適用限制。
Microsoft.KeyVault/vaults/keys/encrypt/action	使用金鑰加密純文字。請注意，如果密鑰非對稱，則此作業可由具有讀取許可權的主體執行。
Microsoft.KeyVault/vaults/keys/decrypt/action	使用金鑰解密加密文字。
Microsoft.KeyVault/vaults/keys/wrap/action	使用金鑰保存庫金鑰包裝對稱金鑰。請注意，如果金鑰保存庫金鑰非對稱，則此作業可由具有讀取許可權的主體執行。
Microsoft.KeyVault/vaults/keys/unwrap/action	使用金鑰保存庫金鑰解除包裝對稱金鑰。
Microsoft.KeyVault/vaults/keys/sign/action	使用索引鍵簽署訊息摘要（哈希）。
Microsoft.KeyVault/vaults/keys/verify/action	使用金鑰驗證訊息摘要（hash）的簽章。請注意，如果密鑰非對稱，則此作業可由具有讀取許可權的主體執行。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 資料存取系統管理員

新增或移除 Key Vault 系統管理員、Key Vault 憑證人員、Key Vault 密碼編譯人員、Key Vault 密碼編譯服務加密使用者、Key Vault 密碼編譯使用者、Key Vault 讀者、Key Vault 祕密人員或 Key Vault 祕密使用者角色的角色指派，來管理 Azure Key Vault 的存取權。包含用來限制角色指派的 ABAC 條件。

動作	描述
Microsoft.Authorization/roleAssignments/write	建立指定範圍的角色指派。
Microsoft.Authorization/roleAssignments/delete	刪除指定範圍內的角色指派。
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Resources/subscriptions/read	取得訂用帳戶的清單。
Microsoft.Management/managementGroups/read	列出已驗證使用者的管理群組。
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/vaults/*/read
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!（ActionMatches{'Microsoft.Authorization/roleAssignments/write'}））OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7,4633458b-17de-408a-b874-0445c86b69e6}））	新增或移除下列角色的角色指派： Key Vault 管理員 Key Vault 憑證長 Key Vault 密碼編譯長 Key Vault 密碼編譯服務加密使用者 Key Vault 密碼編譯使用者 Key Vault 讀取器 Key Vault 祕密長 Key Vault 祕密使用者

{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/vaults/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Key Vault Data Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 讀者

可讀取金鑰保存庫的中繼資料及其憑證、金鑰和祕密。無法讀取敏感值，例如秘密內容或金鑰內容。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read	檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read	檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read	列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action	列出或檢視秘密的屬性，但不是其值。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密員

可對金鑰保存庫的祕密執行任何動作，但不能管理權限。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read	檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read	檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read	列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/secrets/*
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密使用者

可讀取秘密內容。僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作	描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/secrets/getSecret/action	取得密碼的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action	列出或檢視秘密的屬性，但不是其值。
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控 HSM 參與者

可讓您管理受控 HSM 集區，但無法加以存取。

深入了解

動作	描述
Microsoft.KeyVault/managedHSMs/*
Microsoft.KeyVault/deletedManagedHsms/read	檢視已刪除受控 hsm 的屬性
Microsoft.KeyVault/locations/deletedManagedHsms/read	檢視已刪除受控 hsm 的屬性
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action	清除虛刪除的受控 hsm
Microsoft.KeyVault/locations/managedHsmOperationResults/read	檢查長時間執行作業的結果
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 自動化參與者

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Logic/workflows/triggers/read	讀取觸發程式。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action	取得觸發程式的回呼 URL。
Microsoft.Logic/workflows/runs/read	讀取工作流程執行。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read	列出 Web Apps Hostruntime 工作流程觸發程式。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action	取得 Web Apps Hostruntime 工作流程觸發程式 URI。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read	列出 Web Apps Hostruntime 工作流程執行。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 參與者

深入了解

動作	描述
Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action	使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read	檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read	取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read	對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read	取得工作區底下的數據源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 劇本操作員

深入了解

動作	描述
Microsoft.Logic/workflows/read	讀取工作流程。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action	取得觸發程式的回呼 URL。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action	取得 Web Apps Hostruntime 工作流程觸發程式 URI。
Microsoft.Web/sites/read	取得 Web 應用程式的屬性
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Playbook Operator",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
  "name": "51d6186e-6489-4900-b93f-92e23144cca5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Playbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 讀者

深入了解

動作	描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action	檢查使用者授權和授權
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action	查詢威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action	查詢威脅情報指標
Microsoft.OperationalInsights/workspaces/analytics/query/action	使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read	檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/LinkedServices/read	取得指定工作區底下的連結服務。
Microsoft.OperationalInsights/workspaces/savedSearches/read	取得已儲存的搜尋查詢。
Microsoft.OperationsManagement/solutions/read	取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read	對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read	取得工作區底下的數據源。
Microsoft.Insights/workbooks/read	讀取活頁簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Resources/templateSpecs/*/read	取得或列出範本規格和範本規格版本
Microsoft.Support/*	建立和更新支援票證
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 回應程式

深入了解

動作	描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action	檢查使用者授權和授權
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/entities/runPlaybook/action	在實體上執行劇本
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action	將標籤附加至威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action	查詢威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action	大量標記威脅情報
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action	將標籤附加至威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action	取代威脅情報指標的標記
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action	查詢威脅情報指標
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action	復原動作
Microsoft.OperationalInsights/workspaces/analytics/query/action	使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read	檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/dataSources/read	取得工作區底下的數據源。
Microsoft.OperationalInsights/workspaces/savedSearches/read	取得已儲存的搜尋查詢。
Microsoft.OperationsManagement/solutions/read	取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read	對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read	取得工作區底下的數據源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/read	讀取活頁簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Support/*	建立和更新支援票證
NotActions
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Responder",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/entities/runPlaybook/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性系統管理員

檢視和更新適用於雲端的 Microsoft Defender 權限。與安全性讀取者角色相同的權限，也可以更新安全性原則並關閉警示和建議。

如需適用於IoT的 Microsoft Defender，請參閱適用於OT和企業IoT監視的 Azure 使用者角色。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Authorization/policyAssignments/*	建立和管理原則指派
Microsoft.Authorization/policyDefinitions/*	建立和管理原則定義
Microsoft.Authorization/policyExemptions/*	建立和管理原則豁免
Microsoft.Authorization/policySetDefinitions/*	建立和管理原則集
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.Management/managementGroups/read	列出已驗證使用者的管理群組。
Microsoft.operationalInsights/workspaces/*/read	檢視記錄分析數據
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Security/*	建立和管理安全性元件和原則
Microsoft.IoTSecurity/*
Microsoft.IoTFirmwareDefense/*
Microsoft.Support/*	建立和更新支援票證
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.IoTFirmwareDefense/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性評量參與者

可讓您將評量推送至適用於雲端的 Microsoft Defender

動作	描述
Microsoft.Security/assessments/write	在您的訂用帳戶上建立或更新安全性評定
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性管理員 (舊版)

這是舊版角色。請改用安全性系統管理員。

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.ClassicCompute/*/read	讀取設定資訊傳統虛擬機
Microsoft.ClassicCompute/virtualMachines/*/write	為傳統虛擬機撰寫組態
Microsoft.ClassicNetwork/*/read	閱讀傳統網路的組態資訊
Microsoft.Insights/alertRules/*	建立和管理傳統計量警示
Microsoft.ResourceHealth/availabilityStatuses/read	取得指定範圍中所有資源的可用性狀態
Microsoft.Resources/deployments/*	建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Security/*	建立和管理安全性元件和原則
Microsoft.Support/*	建立和更新支援票證
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性讀取者

檢視適用於雲端的 Microsoft Defender 權限。可以檢視建議、警示、安全性原則和安全性狀態，但無法進行變更。

如需適用於IoT的 Microsoft Defender，請參閱適用於OT和企業IoT監視的 Azure 使用者角色。

深入了解

動作	描述
Microsoft.Authorization/*/read	讀取角色和角色指派
Microsoft.Insights/alertRules/read	讀取傳統計量警示
Microsoft.operationalInsights/workspaces/*/read	檢視記錄分析數據
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read	取得或列出資源群組。
Microsoft.Security/*/read	讀取安全性元件和原則
Microsoft.IoTSecurity/*/read
Microsoft.Support/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action	取得可下載的IoT Defender套件資訊
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action	下載具有訂用帳戶配額數據的管理員啟用檔案
Microsoft.Security/iotSensors/downloadResetPassword/action	下載IoT感測器的重設密碼檔案
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action	取得可下載的IoT Defender套件資訊
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action	下載管理員啟用檔案
Microsoft.Management/managementGroups/read	列出已驗證使用者的管理群組。
NotActions
none
DataActions
none
NotDataActions
none

{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

下一步

使用 Azure 入口網站指派 Azure 角色

分享方式：

適用於安全性的 Azure 內建角色

應用程式合規性自動化系統管理員

應用程式合規性自動化讀取者

證明參與者

證明讀取者

Key Vault 系統管理員

金鑰保存庫憑證使用者

Key Vault 憑證員

Key Vault 參與者

Key Vault 密碼編譯員

Key Vault 密碼編譯服務加密使用者

Key Vault 密碼編譯服務發行使用者

Key Vault 密碼編譯使用者

Key Vault 資料存取系統管理員

Key Vault 讀者

Key Vault 祕密員

Key Vault 祕密使用者

受控 HSM 參與者

Microsoft Sentinel 自動化參與者

Microsoft Sentinel 參與者

Microsoft Sentinel 劇本操作員

Microsoft Sentinel 讀者

Microsoft Sentinel 回應程式

安全性系統管理員

安全性評量參與者

安全性管理員 (舊版)

安全性讀取者

下一步

意見反映

更多資源