Azure 內建角色

Azure 角色型存取控制 (RBAC) 有數個 Azure 內建角色,可供您指派給使用者、群組、服務主體和受控身分識別。 角色指派是您控制 Azure 資源存取權的方式。 如果內建的角色無法滿足您組織的特定需求,您可以建立自己的 Azure 自訂角色。 如需如何指派角色的詳細資訊,請參閱 指派 Azure 角色的步驟

本文列出 Azure 內建角色。 如果您要尋找 Azure Active Directory (Azure AD) 的系統管理員角色,請參閱 Azure AD 內建角色

下表提供每個內建角色的簡短說明。 按一下角色名稱,即可查看每個角色的 ActionsNotActionsDataActionsNotDataActions 清單。 如需這些動作的意義,以及它們如何套用至控制項和資料平面的資訊,請參閱 瞭解 Azure 角色定義

全部

內建角色 描述 ID
一般
參與者 授與管理所有資源的完整存取權,但不允許您在 Azure RBAC 中指派角色、在 Azure 藍圖中管理指派,或共用映像庫。 b24988ac-6180-42a0-ab88-20f7382dd24c
擁有者 授與管理所有資源的完整存取權,包括在 Azure RBAC 中指派角色的能力。 8e3af657-a8ff-443c-a75c-2fe8c4bcb635
讀取者 可檢視所有資源,但無法變更。 acdd72a7-3385-48ef-bd42-f606fba81ae7
使用者存取系統管理員 可讓您管理 Azure 資源的使用者存取。 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
計算
傳統虛擬機器參與者 可讓您管理傳統虛擬機器 (不含虛擬機器所連接的虛擬網路或儲存體帳戶),但無法存取它們。 d73bb868-a0df-4d4d-bd69-98a00b01fccb
受控磁碟的資料運算子 提供將資料上傳至空的受控磁片、讀取或匯出受控磁片的許可權, (未連結至使用 SAS URI 和 Azure AD 驗證執行中的 VM) 和快照集。 959f8984-c045-4866-89c7-12bf9737be2e
磁碟備份讀取器 提供備份保存庫執行磁片備份的許可權。 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24
磁片集區操作員 提供 StoragePool 資源提供者的許可權,以管理新增至磁片集區的磁片。 60fc6e62-5479-42d4-8bf4-67625fcc2840
磁碟還原運算子 提供備份保存庫執行磁片還原的許可權。 b50d9833-a0cb-478e-945f-707fcc997c13
磁片快照集參與者 提供備份保存庫以管理磁片快照集的許可權。 7efff54f-a5b4-42b5-a1c5-5411624893ce
虛擬機器系統管理員登入 在入口網站中檢視虛擬機器並以系統管理員身分登入 1c0163c0-47e6-4577-8991-ea5c82e286e4
虛擬機器參與者 建立和管理虛擬機器、管理磁片、安裝和執行軟體、使用 VM 擴充功能重設虛擬機器根使用者的密碼,以及使用 VM 擴充功能管理本機使用者帳戶。 此角色不會授與您虛擬機器所連線之虛擬網路或儲存體帳戶的管理存取權。 此角色不允許您在 Azure RBAC 中指派角色。 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
虛擬機器使用者登入 在入口網站中檢視虛擬機器並以一般使用者身分登入。 fb879df8-f326-4884-b1cf-06f3ad86be52
Windows Admin Center系統管理員登入 讓我們透過系統管理員身分透過Windows Admin Center來管理資源的 OS。 a6333a3e-0164-44c3-b281-7a5777aff287f
網路功能
CDN 端點參與者 可管理 CDN 端點,但無法將存取權授與其他使用者。 426e0c7f-0c7e-4658-b36f-ff54d6c29b45
CDN 端點讀者 可檢視 CDN 端點,但無法變更。 871e35f6-b5c1-49cc-a043-bde969a0f2cd
CDN 設定檔參與者 可管理 CDN 設定檔及其端點,但無法將存取權授與其他使用者。 ec156ff8-a8d1-4d15-830c-5b80698ca432
CDN 設定檔讀者 可檢視 CDN 設定檔及其端點,但無法變更。 8f96442b-4075-438f-813d-ad51ab4019af
傳統網路參與者 可讓您管理傳統網路,但無法存取它們。 b34d265f-36f7-4a0d-a4d4-e158ca92e90f
DNS 區域參與者 可讓您管理 Azure DNS 中的 DNS 區域與記錄集,但無法讓您控制誰可存取它們。 befefa01-2a29-4197-83a8-272ff33ce314
網路參與者 可讓您管理網路,但無法存取它們。 4d97b98b-1d4f-4787-a291-c67834d212e7
私人 DNS 區域參與者 可讓您管理私人 DNS 區域資源,但無法管理它們連結的虛擬網路。 b12aa53e-6015-4669-85d0-8515ebb3ae7f
流量管理員參與者 可讓您管理「流量管理員」設定檔,但無法控制誰可以存取它們。 a4b10055-b0c7-44c2-b00f-c7b5b3550cf7
Storage
Avere 參與者 可以建立和管理 Avere vFXT 叢集。 4f8fab4f-1852-4a58-a46a-8eaf358af14a
Avere 操作員 供 Avere vFXT 叢集用來管理叢集 c025889f-8102-4ebf-b32c-fc0c6f0c6bd9
備份參與者 可讓您管理備份服務,但無法建立保存庫及授與存取權給其他人 5e467623-bb1f-42f4-a55d-6e525e11384b
備份操作員 可讓您管理備份服務,但無法移除備份、建立保存庫及為其他人提供存取權 00c29273-979b-4161-815c-10b084fb9324
備份讀取者 可以檢視備份服務,但無法進行變更 a795c7a0-d4a2-40c1-ae25-d81f01202912
傳統儲存體帳戶參與者 可讓您管理傳統儲存體帳戶,但無法存取它們。 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
傳統儲存體帳戶金鑰操作員服務角色 「傳統儲存體帳戶金鑰操作員」可以列出及重新產生「傳統儲存體帳戶」的金鑰 985d6b00-f706-48f5-a6fe-d0ca12fb668d
資料箱參與者 可讓您管理資料箱服務下的所有項目,為他人賦予存取權除外。 add466c9-e687-43fc-8d98-dfcf8d720be5
資料箱讀者 可讓您管理資料箱服務,建立訂單或編輯訂單詳細資料和為他人賦予存取權除外。 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027
Data Lake Analytics 開發人員 可讓您提交、監視及管理您自己的作業,但無法建立或刪除 Data Lake Analytics 帳戶。 47b7735b-770e-4598-a7da-8b91488b4c88
彈性 SAN 擁有者 允許完整存取 Azure Elastic SAN 下的所有資源,包括變更網路安全性原則來解除封鎖資料路徑存取 80dcbedb-47ef-405d-95bd-188a1b4ac406
彈性 SAN 讀取器 允許控制 Azure Elastic SAN 的路徑讀取存取 af6a70f8-3c9f-4105-acf1-d719e9fca4ca
彈性 SAN 磁片區群組擁有者 允許完整存取 Azure Elastic SAN 中的磁片區群組,包括變更網路安全性原則來解除封鎖資料路徑存取 a8281131-f312-4f34-8d98-ae12be9f0d23
讀取者及資料存取 可讓您檢視所有內容,但無法讓您刪除或建立儲存體帳戶或內含的資源。 也可透過存取儲存體帳戶金鑰,對儲存體帳戶中內含的所有資料進行讀取/寫入存取。 c12c1c16-33a1-487b-954d-41c89c60f349
儲存體帳戶備份參與者 可讓您在儲存體帳戶上使用Azure 備份來執行備份和還原作業。 e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1
儲存體帳戶參與者 允許管理儲存體帳戶。 支援存取帳戶金鑰,以透過共用金鑰授權來存取資料。 17d1049b-9a84-46fb-8f53-869881c3d3ab
儲存體帳戶金鑰操作員服務角色 允許列出及重新產生儲存體帳戶存取金鑰。 81a9662b-bebf-436f-a333-f67b29880f12
儲存體 Blob 資料參與者 讀取、寫入和刪除 Azure 儲存體的容器和 blob。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 ba92f5b4-2d11-453d-a403-e96b0029c9fe
儲存體 Blob 資料擁有者 支援完整存取 Azure 儲存體 blob 容器和資料,包括指派 POSIX 存取控制。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 b7e6dc6d-f1e8-4753-8033-0f276bb0955b
儲存體 Blob 資料讀者 讀取和列出 Azure 儲存體的容器和 blob。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
儲存體 Blob 委派者 取得使用者委派金鑰,以針對使用 Azure AD 認證所簽署的容器或 blob,建立共用存取簽章。 如需詳細資訊,請參閱建立使用者委派 SAS db58b8e5-c6ad-4a2a-8342-4190687cbf4a
儲存體檔案資料 SMB 共用參與者 允許讀取、寫入及刪除 Azure 檔案共用上的檔案/目錄。 此角色在 Windows 檔案伺服器上沒有內建的對等項。 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb
儲存體檔案資料 SMB 共用提升權限的參與者 允許對 Azure 檔案共用上的檔案/目錄,讀取、寫入、刪除和修改 ACL。 此角色相當於 Windows 檔案伺服器上的「變更」檔案共用 ACL。 a7264617-510b-434b-a828-9731dc254ea7
儲存體檔案資料 SMB 共用讀者 允許讀取 Azure 檔案共用上的檔案/目錄。 此角色相當於 Windows 檔案伺服器上的讀取檔案共用 ACL。 aba4ae5f-2193-4029-9191-0cb91df5e314
儲存體佇列資料參與者 讀取、寫入及刪除 Azure 儲存體的佇列和佇列訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 974c5e8b-45b9-4653-ba55-5f855dd0fb88
儲存體佇列資料訊息處理者 從 Azure 儲存體佇列中瞄核、擷取和刪除訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 8a0f0c08-91a1-4084-bc3d-661d67233fed
儲存體佇列資料訊息傳送者 將訊息新增至 Azure 儲存體佇列。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 c6a89b2d-59bc-44d0-9896-0f6e12d7b80a
儲存體佇列資料讀者 讀取和列出 Azure 儲存體的佇列和佇列訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限 19e7f393-937e-4f77-808e-94535e297925
儲存體資料表資料參與者 允許對 Azure 儲存體資料表和實體進行讀取、寫入和刪除存取 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3
儲存體資料表資料讀取器 允許對 Azure 儲存體資料表和實體進行讀取存取 76199698-9eea-4c19-bc75-cec21354c6b6
Web
Azure 地圖服務資料參與者 授與從 Azure 地圖服務帳戶讀取、寫入和刪除對應相關資料的存取權。 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204
Azure 地圖服務資料讀者 授權從 Azure 地圖服務帳戶讀取地圖相關資料。 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa
Azure Spring Cloud 設定伺服器參與者 允許讀取、寫入和刪除 Azure Spring Cloud Config Server 的存取權 a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b
Azure Spring Cloud 設定伺服器讀取器 允許讀取存取 Azure Spring Cloud Config Server d04c6db6-4947-4782-9e91-30a88feb7be7
Azure Spring Cloud 資料讀取器 允許讀取存取 Azure Spring Cloud Data b5537268-8956-4941-a8f0-646150406f0c
Azure Spring Cloud 服務登錄參與者 允許讀取、寫入和刪除 Azure Spring Cloud Service Registry 的存取權 f5880b48-c26d-48be-b172-7927bfa1c8f1
Azure Spring Cloud 服務登錄讀取器 允許讀取存取 Azure Spring Cloud Service Registry cff1b556-2399-4e7e-856d-a8f754be7b65
媒體服務帳戶管理員 建立、讀取、修改和刪除媒體服務帳戶;唯讀存取其他媒體服務資源。 054126f8-9a2b-4f1c-a9ad-eca461f08466
媒體服務即時活動管理員 建立、讀取、修改和刪除即時事件、資產、資產篩選和串流定位器;唯讀存取其他媒體服務資源。 532bc159-b25e-42c0-969e-a1d439f60d77
媒體服務媒體操作員 建立、讀取、修改和刪除資產、資產篩選、串流定位器及作業;唯讀存取其他媒體服務資源。 e4395492-1534-4db2-bedf-88c14621589c
媒體服務原則管理員 建立、讀取、修改和刪除帳戶篩選、串流原則、內容金鑰原則和轉換;唯讀存取其他媒體服務資源。 無法建立作業、資產或串流資源。 c4bba371-dacd-4a26-b320-7250bca963ae
媒體服務串流端點管理員 建立、讀取、修改和刪除串流端點;唯讀存取其他媒體服務資源。 99dba123-b5fe-44d5-874c-ced7199a5804
搜尋索引資料參與者 授與索引資料Azure 認知搜尋的完整存取權。 8ebe5a00-799e-43f5-93ac-243d3dce84a7
搜尋索引資料讀取器 授與Azure 認知搜尋索引資料的讀取權限。 1407120a-92aa-4202-b7e9-c0e197c71c8f
搜尋服務參與者 可讓您管理「搜尋」服務,但無法存取它們。 7ca78c08-252a-4471-8644-bb5ff32d4ba0
SignalR AccessKey Reader 讀取SignalR Service存取金鑰 04165923-9d83-45d5-8227-78b77b0a687e
SignalR App Server 讓您的應用程式伺服器使用 AAD 驗證選項存取SignalR Service。 420fcaa2-552c-430f-98ca-3264be4806c7
SignalR REST API 擁有者 Azure SignalR Service REST API 的完整存取權 fd53cd77-2268-407a-8f46-7e7863d0f521
SignalR REST API 讀取器 Azure SignalR Service REST API 的唯讀存取權 ddde6b66-c0df-4114-a159-3618637b3035
SignalR Service擁有者 Azure SignalR Service REST API 的完整存取權 7e4f1700-ea5a-4f59-8f37-079cfe29dce3
SignalR/Web PubSub 參與者 建立、讀取、更新和刪除 SignalR 服務資源 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761
Web 方案參與者 管理網站的 Web 方案。 不允許您在 Azure RBAC 中指派角色。 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
網站參與者 管理網站,但不是 Web 方案。 不允許您在 Azure RBAC 中指派角色。 de139f84-1756-47ae-9be6-808fbbe84772
容器
AcrDelete 從容器登錄中刪除存放庫、標籤或資訊清單。 c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner 將信任的映射推送至或從已啟用內容信任的容器登錄提取受信任的映射。 6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull 從容器登錄提取成品。 7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush 將成品推送至容器登錄或提取成品。 8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader 從容器登錄提取隔離的映射。 cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter 將隔離的映射推送至容器登錄,或從容器登錄提取隔離映射。 c8d4ff99-41c3-41a8-9f60-21dfdad59608
Azure Kubernetes Fleet Manager RBAC 管理員 此角色會授與管理員存取權 - 提供命名空間內大部分物件的寫入權限,但 ResourceQuota 物件和命名空間物件本身除外。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 434fb43a-c01c-447e-9f67-c3ad923cfaba
Azure Kubernetes Fleet Manager RBAC 叢集管理員 可讓您管理車隊經理叢集中的所有資源。 18ab4d3d-a1bf-4477-8ad9-8359bc988f69
Azure Kubernetes Fleet Manager RBAC 讀者 允許唯讀存取來查看命名空間中的大部分物件。 它不允許檢視角色或角色系結。 此角色不允許檢視秘密,因為讀取秘密的內容可讓您存取命名空間中的 ServiceAccount 認證,這會允許 API 存取為命名空間中的任何 ServiceAccount, (許可權提升形式) 。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 30b27cfc-9c84-438e-b0ce-70e35255df80
Azure Kubernetes Fleet Manager RBAC 寫入器 允許命名空間中大部分物件的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色系結。 不過,此角色允許以命名空間中的任何 ServiceAccount 的形式存取秘密,因此可用來取得命名空間中任何 ServiceAccount 的 API 存取層級。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 5af6afb3-c06c-4fa4-8848-71a8aee05683
Azure Kubernetes Service 叢集管理員角色 列出叢集管理員認證動作。 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8
Azure Kubernetes Service 叢集使用者角色 列出叢集使用者認證動作。 4abbcc35-e782-43d8-92c5-2d3f1bd2253f
Azure Kubernetes Service參與者角色 授與讀取和寫入Azure Kubernetes Service叢集的存取權 ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8
Azure Kubernetes Service RBAC 管理員 可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。 3498e952-d568-435e-9b2c-8d77e338d7f7
Azure Kubernetes Service RBAC 叢集管理員 可讓您管理叢集中的所有資源。 b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b
Azure Kubernetes Service RBAC 讀取者 允許唯讀存取來查看命名空間中的大部分物件。 它不允許檢視角色或角色系結。 此角色不允許檢視秘密,因為讀取秘密的內容可讓您存取命名空間中的 ServiceAccount 認證,這會允許 API 存取為命名空間中的任何 ServiceAccount, (許可權提升形式) 。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 7f6c6a51-bcf8-42ba-9220-52d62157d7db
Azure Kubernetes Service RBAC 寫入者 允許命名空間中大部分物件的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色系結。 然而,此角色允許以命名空間中的任何 ServiceAccount 身分存取秘密並執行 Pod,因此可用來取得命名空間中任何 ServiceAccount 的 API 存取層級。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb
資料庫
Azure 連線SQL Server上線 允許在已啟用 Arc 的伺服器上讀取和寫入 Azure 資源的SQL Server。 e8113dce-c529-4d33-91fa-e9b972617508
Cosmos DB 帳戶讀者角色 可以讀取 Azure Cosmos DB 帳戶資料。 請參閱 DocumentDB 帳戶參與者以管理 Azure Cosmos DB 帳戶。 fbdf93bf-df7d-467e-a4d2-9458aa1360c8
Cosmos DB 操作員 可讓您管理 Azure Cosmos DB 帳戶,但無法存取其中的資料。 防止存取帳戶金鑰和連接字串。 230815da-be43-4aae-9cb4-875f7bd000aa
CosmosBackupOperator 可為帳戶的 Cosmos DB 資料庫或容器提交還原要求 db7b14f2-5adf-42da-9f96-f2ee17bab5cb
CosmosRestoreOperator 可以針對具有連續備份模式的 Cosmos DB 資料庫帳戶執行還原動作 5432c526-bc82-444a-b7ba-57c5b0b5b34f
DocumentDB 帳戶參與者 可以管理 Azure Cosmos DB 帳戶。 Azure Cosmos DB 先前稱為 DocumentDB。 5bd9cd88-fe45-4216-938b-f97437e15450
Redis 快取參與者 可讓您管理 Redis 快取,但無法存取它們。 e0f68234-74aa-48ed-b826-c38b57376e17
SQL DB 參與者 可讓您管理 SQL 資料庫,但無法存取它們。 此外,您也無法管理其安全性相關原則或其父 SQL 伺服器。 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec
SQL 受控執行個體參與者 可讓您管理 SQL 受控執行個體和必要的網路設定,但無法將存取權授與其他人。 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d
SQL 安全性管理員 可讓您管理 SQL 伺服器及資料庫的安全性相關原則,但無法存取它們。 056cd41c-7e88-42e1-933e-88ba6a50c9c3
SQL Server 參與者 可讓您管理 SQL 伺服器及資料庫,但無法存取這些伺服器及資料庫,也無法存取其安全性相關原則。 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
分析
Azure 事件中樞資料擁有者 允許完整存取 Azure 事件中樞資源。 f526a384-b230-433a-b45c-95f59c4a2dec
Azure 事件中樞資料接收者 允許接收 Azure 事件中樞資源。 a638d3c7-ab3a-418d-83e6-5f17a39d4fde
Azure 事件中樞資料傳送者 允許傳送 Azure 事件中樞資源。 2b629674-e913-4c01-ae53-ef4638d8f975
Data Factory 參與者 建立和管理 Data Factory,以及其中的子資源。 673868aa-7521-48a0-acc6-0f60742d39f5
資料清除者 從 Log Analytics 工作區刪除私人資料。 150f5e0c-0603-4f03-8c7f-cf70034c4e90
HDInsight 叢集操作員 可讓您讀取和修改 HDInsight 叢集設定。 61ed4efc-fab3-44fd-b111-e24485cc132a
HDInsight 網域服務參與者 可讀取、建立、修改和刪除 HDInsight 企業安全性套件所需的網域服務相關作業 8d8d5a11-05d3-4bda-a417-a08778121c7c
Log Analytics 參與者 「Log Analytics 參與者」角色可以讀取所有監視資料和編輯監視設定。 編輯監視設定包括將 VM 擴充功能新增至 VM;讀取儲存體帳戶金鑰,以設定從 Azure 儲存體收集記錄;新增解決方案;和 在所有 Azure 資源上設定 Azure 診斷。 92aaf0da-9dab-42b6-94a3-d43ce8d16293
Log Analytics 讀者 「Log Analytics 讀者」可以檢視和搜尋所有監視資料,以及檢視監視設定,包括檢視所有 Azure 資源上的 Azure 診斷設定。 73c42c96-874c-492b-b04d-ab87d138a893
結構描述登錄參與者 (預覽) 讀取、寫入及刪除結構描述登錄群組和結構描述。 5dffeca3-4936-4216-b2bc-10343a5abb25
結構描述登錄讀取器 (預覽) 讀取並列出結構描述登錄群組和結構描述。 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2
串流分析查詢測試人員 可讓您先執行查詢測試,而不需先建立串流分析作業 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf
AI + 機器學習
AzureML 資料科學家 可以在 Azure Machine Learning 工作區內執行所有動作,但建立或删除計算資源以及修改工作區本身除外。 f6c7c914-8db3-469d-8ca1-694a8f32e121
認知服務參與者 可讓您建立、讀取、更新、刪除及管理認知服務的金鑰。 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68
認知服務自訂視覺參與者 專案的完整存取權,包括檢視、建立、編輯或刪除專案的能力。 c1ff6cc2-c111-46fe-8896-e0ef812ad9f3
認知服務自訂視覺部署 發佈、取消發佈或匯出模型。 部署可以檢視專案,但無法更新。 5c4089e1-6d96-4d2f-b296-c1bc7137275f
認知服務自訂視覺標籤器 檢視、編輯定型影像,並建立、新增、移除或刪除影像標籤。 標籤器可以檢視專案,但無法更新定型影像和標籤以外的任何專案。 88424f51-ebe7-446f-bc41-7fa16989e96c
認知服務自訂視覺讀者 專案中的唯讀動作。 讀者無法建立或更新專案。 93586559-c37d-4a6b-ba08-b9f0940c2d73
認知服務自訂視覺定型器 檢視、編輯專案並定型模型,包括發佈、取消發佈、匯出模型的能力。 定型人員無法建立或刪除專案。 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b
認知服務資料讀者 (預覽) 可讓您讀取認知服務資料。 b59867f0-fa02-499b-be73-45a86b5b3e1c
認知服務臉部辨識器 可讓您在臉部 API 上執行偵測、驗證、識別、分組及尋找類似的作業。 此角色不允許建立或刪除作業,這使其非常適合只需要推斷功能的端點,遵循「最低許可權」最佳做法。 9894cab4-e18a-44aa-828b-cb588cd6f2d7
認知服務計量建議程式管理員 專案的完整存取權,包括系統層級組態。 cb43c632-a144-4ec5-977c-e80c4affc34a
認知服務 QnA Maker 編輯器 讓我們來建立、編輯、匯入和匯出 KB。 您無法發佈或刪除 KB。 f4cc2bf9-21be-47a1-bdf1-5c5804381025
認知服務 QnA Maker 讀取器 讓我們唯讀取並測試 KB。 466ccd10-b268-4a11-b098-b4849f024126
認知服務使用者 可讓您讀取和列出認知服務的金鑰。 a97b65f3-24c7-4388-baec-2e87135dc908
物聯網
Device Update 系統管理員 提供您管理與內容作業的完整存取權 02ca0879-e8e4-47a5-a61e-5c618b76e64a
裝置更新內容管理員 讓您完整存取內容作業 0378884a-3af5-44ab-8323-f5b22f9f3c98
裝置更新內容讀取者 可讓您讀取內容作業的存取權,但不允許進行變更 d1ee9a80-8b14-47f0-bdc2-f4a351625a7b
裝置更新部署管理員 提供您管理作業的完整存取權 e4237640-0e3d-4a46-8fda-70bc94856432
Device Update 部署讀取者 可讓您讀取管理作業的存取權,但不允許進行變更 49e2f5d2-7741-4835-8efa-19e1fe35e47f
裝置更新讀取者 可讓您讀取管理與內容作業的存取權,但不允許進行變更 e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f
IoT 中樞資料參與者 允許完整存取IoT 中樞資料平面作業。 4fc6c259-987e-4a07-842e-c321cc9d413f
IoT 中樞資料讀者 允許完整讀取IoT 中樞資料平面屬性 b447c946-2db7-41ec-983d-d8bf3b1c77e3
IoT 中樞登錄參與者 允許完整存取IoT 中樞裝置登錄。 4ea46cd5-c1b2-4a8e-910b-273211f9ce47
IoT 中樞對應項參與者 允許讀取和寫入所有IoT 中樞裝置和模組對應項。 494bdba2-168f-4f31-a0a1-191d2f7c028c
混合實境
遠端轉譯系統管理員 為使用者提供 Azure 遠端轉譯 的轉換、管理會話、轉譯和診斷功能 3df8b902-2a6f-47c7-8cc5-360e9b272a7e
遠端轉譯用戶端 為使用者提供 Azure 遠端轉譯的管理會話、轉譯和診斷功能。 d39065c4-c120-43c9-ab0a-63eed9795f0a
空間錨點帳戶參與者 可讓您管理帳戶中的空間錨點,但無法刪除 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827
空間錨點帳戶擁有者 可讓您管理帳戶中的空間錨點,包含刪除 70bbe301-9835-447d-afdd-19eb3167307c
空間錨點帳戶讀者 可讓您尋找和讀取帳戶中空間錨點的屬性 5d51204f-eb77-4b1c-b86a-2ec626c49413
整合
API 管理服務參與者 可管理服務與 API 312a565d-c81f-4fd8-895a-4e21e48d571c
API 管理服務操作員角色 可管理服務,但無法管理 API e022efe7-f5ba-4159-bbe4-b44f577e9b61
API 管理服務讀取者角色 具有服務與 API 的唯讀存取權 71522526-b88f-4d52-b57f-d31fc3546d0d
應用程式組態資料擁有者 允許完整存取應用程式組態資料。 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b
應用程式組態資料讀者 允許讀取應用程式組態資料。 516239f1-63e1-4d78-a4de-a74fb236a071
Azure 轉接聽程式 允許接聽 Azure 轉寄資源的存取。 26e0b698-aa6d-4085-9386-aadae190014d
Azure 轉送擁有者 允許完整存取 Azure 轉寄資源。 2787bf04-f1f5-4bfe-8383-c8a24483ee38
Azure 轉送傳送者 允許傳送對 Azure 轉送資源的存取。 26baccc8-eea7-41f1-98f4-1762cc7f685d
Azure 服務匯流排資料擁有者 允許完整存取 Azure 服務匯流排資源。 090c5cfd-751d-490a-894a-3ce6f1109419
Azure 服務匯流排資料接收者 允許接收 Azure 服務匯流排資源。 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0
Azure 服務匯流排資料傳送者 允許傳送 Azure 服務匯流排資源。 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39
Azure Stack 註冊擁有者 可讓您管理 Azure Stack 註冊。 6f12a6df-dd06-4f3e-bcb1-ce8be600526a
EventGrid 參與者 可讓您管理 EventGrid 作業。 1e241071-0855-49ea-94dc-649edcd759de
EventGrid 資料傳送者 允許傳送事件方格事件的存取權。 d5a91429-5739-47e2-a06b-3470a27159e7
EventGrid EventSubscription 參與者 可讓您管理 EventGrid 事件訂用帳戶作業。 428e0ff0-5e57-4d9c-a221-2c70d0e0a443
EventGrid EventSubscription 讀者 可讓您讀取 EventGrid 事件訂用帳戶。 2414bbcf-6497-4faf-8c65-045460748405
FHIR 資料參與者 角色可讓使用者或主體完整存取 FHIR 資料 5a1fc7df-4bf1-4951-a576-89034ee01acd
FHIR 資料匯出工具 角色可讓使用者或主體讀取和匯出 FHIR 資料 3db33094-8700-4567-8da5-1501d4e7e843
FHIR 資料讀取器 角色可讓使用者或主體讀取 FHIR 資料 4c8d0bbc-75d3-4935-991f-5f3c56d81508
FHIR 資料寫入器 角色可讓使用者或主體讀取和寫入 FHIR 資料 3f88fce4-5892-4214-ae73-ba5294559913
Integration Service Environment 參與者 可讓您管理整合服務環境,但無法存取它們。 a41e2c5b-bd99-4a07-88f4-9bf657a760b8
Integration Service Environment Developer 可讓開發人員在整合服務環境中建立和更新工作流程、整合帳戶和 API 連線。 c7aa55d3-1abb-444a-a5ca-5e51e485d6ec
Intelligent Systems 帳戶參與者 可讓您管理「智慧型系統」帳戶,但無法存取它們。 03a6d094-3444-4b3d-88af-7477090a9e5e
邏輯應用程式參與者 可讓您管理邏輯應用程式,但無法變更對邏輯應用程式的存取。 87a39d53-fc1b-424a-814c-f7e04687dc9e
邏輯應用程式操作員 可讓您讀取、啟用及停用邏輯應用程式,但無法編輯或更新邏輯應用程式。 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe
身分識別
網域服務參與者 可以管理 Azure AD Domain Services 和相關網路組態 在 9324-47f6-8069-5d5bade478b2
網域服務讀取者 可檢視 Azure AD Domain Services 和相關網路組態 361898ef-9ed1-48c2-849c-a832951106bb
受控身分識別參與者 建立、讀取、更新及刪除使用者指派的身分識別 e40ec5ca-96e0-45a2-b4ff-59039f2c2b59
受控身分識別操作員 讀取及指派使用者指派的身分識別 f1a07417-d97a-45cb-824c-7a7467783830
安全性
證明參與者 可以讀取寫入或刪除證明提供者實例 bbf86eb8-f7b4-4cce-96e4-18cddf81d86e
證明讀取器 可以讀取證明提供者屬性 fd1bd22b-8476-40bc-a0bc-69b95687b9f3
Key Vault 管理員 在金鑰保存庫和其中的所有物件上執行所有資料平面作業,包括憑證、金鑰和秘密。 無法管理金鑰保存庫資源或管理角色指派。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 00482a5a-887f-4fb3-b363-3b7fe8e74483
Key Vault 憑證長 在金鑰保存庫的憑證上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 a4417e6f-fecd-4de8-b567-7b0420556985
Key Vault 參與者 管理金鑰保存庫,但不允許您在 Azure RBAC 中指派角色,而且不允許存取秘密、金鑰或憑證。 f25e0fa2-a7c8-4377-a976-54943a77a395
Key Vault 密碼編譯長 在金鑰保存庫的金鑰上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 14b46e9e-c2b7-41b4-b07b-48a6ebf60603
Key Vault 密碼編譯服務加密使用者 讀取金鑰的中繼資料,並執行包裝/解除包裝作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 e147488a-f6f5-4113-8e2d-b22465e65bf6
Key Vault 密碼編譯使用者 使用金鑰執行密碼編譯作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 12338af0-0e69-4776-bea7-57ae8d297424
Key Vault 讀者 讀取金鑰保存庫的中繼資料及其憑證、金鑰和秘密。 無法讀取敏感值,例如秘密內容或金鑰內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 21090545-7ca7-4776-b22c-e363652d74d2
Key Vault 祕密長 在金鑰保存庫的祕密上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 b86a8fe4-44ce-4948-aee5-eccb2c155cd7
Key Vault 祕密使用者 讀取秘密的內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 4633458b-17de-408a-b874-0445c86b69e6
受控 HSM 參與者 可讓您管理受控 HSM 集區,但無法存取它們。 18500a29-7fe2-46b2-a342-b16a415e101d
Microsoft Sentinel 自動化參與者 Microsoft Sentinel 自動化參與者 f4c81013-99ee-4d62-a7ee-b3f1f648599a
Microsoft Sentinel 參與者 Microsoft Sentinel 參與者 ab8e14d6-4a74-4a29-9ba8-549422addade
Microsoft Sentinel 讀者 Microsoft Sentinel 讀者 8d289c81-5878-46d4-8554-54e1e3d8b5cb
Microsoft Sentinel 回應程式 Microsoft Sentinel 回應程式 3e150937-b8fe-4cfb-8069-0eaf05ecd056
安全性系統管理員 檢視和更新雲端Microsoft Defender的許可權。 與「安全性讀者」角色的權限相同,還可以更新安全性原則及關閉警示和建議。

如需 IoT Microsoft Defender,請參閱OT 和企業 IoT 監視的 Azure 使用者角色
fb1c8493-542b-48eb-b624-b4c8fea62acd
安全性評量參與者 可讓您將評量推送至雲端Microsoft Defender 612c2aa1-cb24-443b-ac28-3ab7272de6f5
安全性管理員 (舊版) 此為舊版角色。 請改用「安全性系統管理員」。 e3d13bf0-dd5a-482e-ba6b-9b8433878d10
安全性讀取者 檢視雲端Microsoft Defender的許可權。 可以檢視建議、警示、安全性原則和安全性狀態,但無法變更。

如需 IoT Microsoft Defender,請參閱OT 和企業 IoT 監視的 Azure 使用者角色
39bc4728-0917-49c7-9d2c-d95423bc2eb4
DevOps
DevTest Labs 使用者 可讓您連線、啟動、重新啟及關閉您 Azure DevTest Labs 中的虛擬機器。 76283e04-6283-4c54-8f91-bcf1374a3c64
實驗室助理 可讓您檢視現有的實驗室、對實驗室 VM 執行動作,並將邀請傳送給實驗室。 ce40b423-cede-4313-a93f-9b28290b72e1
實驗室參與者 在實驗室層級套用,可讓您管理實驗室。 套用至資源群組,可讓您建立和管理實驗室。 5daaa2af-1fe8-407c-9122-bba179798270
實驗室建立者 可讓您在 Azure 實驗室帳戶下建立新的實驗室。 b97fb8bc-a8b2-4522-a38b-dd33c7e65ead
實驗室操作員 可讓您有限地管理現有的實驗室。 a36e6959-b6be-4b12-8e9f-ef4b474d304d
實驗室服務參與者 可讓您完全控制資源群組中的所有實驗室服務案例。 f69b8690-cc87-41d6-b77a-a4bc3c0a966f
實驗室服務讀取者 可讓您檢視所有實驗室計畫和實驗室資源,但無法變更。 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc
監視
Application Insights 元件參與者 可以管理 Application Insights 元件 ae349356-3a1b-4a5e-921d-050484c6347e
Application Insights 快照集偵錯工具 給予使用者權限,以便檢視及下載使用 Application Insights 快照偵錯工具所收集的偵錯快照。 請注意,擁有者參與者角色未包含這些權限。 將 Application Insights 快照偵錯者角色指派給使用者時,您必須直接將此角色授與使用者。 此角色若新增至自訂角色,則無法辨識。 08954f03-6346-4c2e-81c0-ec3a5cfae23b
監視參與者 可以讀取所有監視資料並編輯監視設定。 請參閱開始使用 Azure 監視器的角色、權限和安全性 749f88d5-cbae-40b8-bcfc-e573ddc772fa
監視計量發行者 針對 Azure 資源啟用發佈計量 3913510d-42f4-4e42-8a64-420c390055eb
監視讀取器 可以讀取所有監視資料 (計量、記錄等等)。 請參閱開始使用 Azure 監視器的角色、權限和安全性 43d0d8ad-25c7-4714-9337-8ba259a9fe05
活頁簿參與者 可以儲存共用活頁簿。 e8ddcd69-c73f-4f9f-9844-4100522f16ad
活頁簿讀者 可以讀取活頁簿。 b279062a-9be3-42a0-92ae-8b3cf002ec4d
管理和控管
自動化參與者 使用 Azure 自動化 管理Azure 自動化資源和其他資源。 f353d9bd-d4a6-484e-a77a-8050b599b867
自動化作業運算子 使用「自動化 Runbook」來建立及管理作業。 4fe576fe-1146-4730-92eb-48519fa6bf9f
自動化運算子 「自動化運算子」能夠啟動、停止、暫止及繼續作業 d3881f73-407a-4167-8283-e981cbba0404
自動化 Runbook 運算子 讀取 Runbook 屬性 - 以便能夠建立 Runbook 的作業。 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
已啟用 Azure Arc 的 Kubernetes 叢集使用者角色 列出叢集使用者認證動作。 00493d72-78f6-4148-b6c5-d3ce8e4799dd
Azure Arc Kubernetes 管理員 可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。 dffb1e0c-446f-4dde-a09f-99eb5cc68b96
Azure Arc Kubernetes 叢集管理員 可讓您管理叢集中的所有資源。 8393591c-06b9-48a2-a542-1bd6b377f6a2
Azure Arc Kubernetes Viewer 可讓您檢視叢集/命名空間中的所有資源,但秘密除外。 63f0a09d-1495-4db4-a681-037d84835eb4
Azure Arc Kubernetes 寫入器 可讓您更新叢集/命名空間中的所有專案,但 (叢集) 角色和 (叢集) 角色系結除外。 5b999177-9696-4545-85c7-50de3797e5a1
Azure Connected Machine 上線 可以讓 Azure Connected Machine 上線。 b64e21ea-ac4e-4cdf-9dc9-5b892992bee7
Azure Connected Machine 資源管理員 可以讀取、寫入、刪除 Azure Connected Machine 及使之重新上線。 cd570a14-e51a-42ad-bac8-bafd67325302
帳單讀取器 允許對計費資料進行讀取存取 fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
藍圖參與者 可以管理藍圖定義,但不能加以指派。 41077137-e803-4205-871c-5a86e6a753b4
藍圖操作員 可以指派現有已發佈的藍圖,但無法建立新的藍圖。 請注意,只有在以使用者指派的受控識別來指派時才有效。 437d2ced-4a38-4302-8479-ed2bcb43d090
成本管理參與者 可檢視成本和管理成本組態 (例如預算、匯出) 434105ed-43f6-45c7-a02f-909b2ba83430
成本管理讀者 可檢視成本資料和組態 (例如預算、匯出) 72fafb9e-0641-4937-9268-a91bfd8191a3
階層設定管理員 允許使用者編輯和刪除階層設定 350f8d15-c687-4448-8ae1-157740a3936d
Kubernetes 叢集 - Azure Arc 上線 用來授權任何使用者/服務建立 connectedClusters 資源的角色定義 34e09817-6cbe-4d01-b1a2-e0eac5743d41
Kubernetes 擴充功能參與者 可以建立、更新、取得、列出和刪除 Kubernetes 擴充功能,以及取得擴充功能非同步作業 85cb6faf-e071-4c9b-8136-154b5a04f717
受控應用程式參與者角色 允許建立受控應用程式資源。 641177b8-a67a-45b9-a033-47bc880bb21e
受控應用程式操作員角色 可讓您讀取受控應用程式資源及對其執行動作 c7393b34-138c-406f-901b-d8cf2b17e6ae
受控應用程式讀者 可讓您讀取受控應用程式中的資源及要求 JIT 存取權。 b9331d33-8a36-4f8c-b097-4f54124fdb44
受控服務註冊指派刪除角色 「受控服務註冊指派刪除角色」可讓管理租用戶使用者刪除指派給其租用戶的註冊指派。 91c1777a-f3dc-4fae-b103-61d183457e46
管理群組參與者 管理群組參與者角色 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c
管理群組讀者 管理群組讀者角色 ac63b705-f282-497d-ac71-919bf39d939d
New Relic APM 帳戶參與者 可讓您管理 New Relic Application Performance Management 帳戶及應用程式,但無法存取它們。 5d28c62d-5b37-4476-8438-e587778df237
原則深入解析資料寫入者 (預覽) 允許讀取資源原則及寫入資源元件原則事件。 66bb4e9e-b016-4a94-8249-4c0511c2be84
配額要求操作員 讀取和建立配額要求、取得配額要求狀態,以及建立支援票證。 0e5f05e5-9ab9-446b-b98d-1e2157c94125
保留購買者 可讓您購買保留 f7b75c60-3036-4b75-91c3-6b41c27c1689
資源原則參與者 有權建立/修改資源原則、建立支援票證及讀取資源/階層的使用者。 36243c78-bf99-498c-9df9-86d9f8d28608
Site Recovery 參與者 可讓您管理 Site Recovery 服務,但無法建立保存庫和指派角色 6670b86e-a3f7-4917-ac9b-5d6ab1be4567
Site Recovery 操作員 可讓您容錯移轉及容錯回復,但無法執行其他 Site Recovery 管理作業 494ae006-db33-4328-bf46-533a6560a3ca
Site Recovery 讀取者 可讓您檢視 Site Recovery 狀態,但無法執行其他管理作業 dbaa88c4-0c30-4179-9fb3-46319faa6149
支援要求參與者 可讓您建立及管理支援要求 cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e
標記參與者 可讓您管理實體上的標記,無需提供對實體本身的存取。 4a9ae827-6dc8-4573-8ac7-8239d42aa03f
範本規格參與者 允許在指派的範圍完整存取範本規格作業。 1c9b6475-caf0-4164-b5a1-2142a7116f4b
範本規格讀取器 允許在指派的範圍讀取範本規格。 392ae280-861d-42bd-9ea5-08ee6d83b80e
虛擬桌面基礎結構
桌面虛擬化應用程式群組參與者 桌面虛擬化應用程式群組的參與者。 86240b0e-9422-4c43-887b-b61143f32ba8
桌面虛擬化應用程式群組讀者 桌面虛擬化應用程式群組的讀者。 aebf23d0-b568-4e86-b8f9-fe83a2c6ab55
桌面虛擬化參與者 桌面虛擬化的參與者。 082f0a83-3be5-4ba1-904c-961cca79b387
桌面虛擬化主機集區參與者 桌面虛擬化主機集區的參與者。 e307426c-f9b6-4e81-87de-d99efb3c32bc
桌面虛擬化主機集區讀者 桌面虛擬化主機集區的讀取者。 ceadfde2-b300-400a-ab7b-6143895aa822
桌面虛擬化讀者 電腦虛擬化的讀者。 49a72310-ab8d-41df-bbb0-79b649203868
桌面虛擬化工作階段主機操作者 桌面虛擬化工作階段主機的操作員。 2ad6aaab-ead9-4eaa-8ac5-da422f562408
桌面虛擬化使用者 允許使用者在應用程式群組中使用應用程式。 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63
桌面虛擬化使用者工作階段操作者 桌面虛擬化使用者會話的操作員。 ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6
桌面虛擬化工作區參與者 桌面虛擬化工作區的參與者。 21efdde3-836f-432b-bf3d-3e8e734d4b2b
桌面虛擬化工作區讀者 桌面虛擬化工作區的讀者。 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d
其他
Azure Digital Twins 資料擁有者 Digital Twins 資料平面的完整存取角色 bcd981a7-7f74-457b-83e1-cceb9e632ffe
Azure Digital Twins 資料讀者 Digital Twins 資料平面屬性的唯讀角色 d57506d4-4c8d-48b1-8587-93c323f6a5a3
BizTalk 參與者 可讓您管理 BizTalk 服務,但無法存取它們。 5e3c6656-6cfa-4708-81fe-0de47ac73342
負載測試參與者 檢視、建立、更新、刪除和執行負載測試。 檢視和列出負載測試資源,但無法進行任何變更。 749a398d-560b-491b-bb21-08924219302e
負載測試擁有者 在負載測試資源和負載測試上執行所有作業。 45bb0b16-2f0c-4e78-afaa-a07599b003f6
負載測試讀取器 檢視和列出所有負載測試和負載測試資源,但無法進行任何變更。 3ae3fb29-0000-4ccd-bf80-542e7b26e081
排程器工作集合參與者 可讓您管理「排程器」工作集合,但無法存取它們。 188a0f2f-5c9e-469b-ae67-2aa5ce574b94
Services Hub 操作員 Services Hub 操作員可讓您執行與 Services Hub 連接器相關的所有讀取、寫入和刪除作業。 82200a5b-e217-47a5-b665-6d8765ee745b

一般

參與者

授與管理所有資源的完整存取權,但不允許您在 Azure RBAC 中指派角色、在 Azure 藍圖中管理指派,或共用映像庫。 深入了解

動作 描述
* 建立和管理所有類型的資源
NotActions
Microsoft。Authorization/*/Delete 刪除角色、原則指派、原則定義和原則集定義
Microsoft。Authorization/*/Write 建立角色、角色指派、原則指派、原則定義和原則集定義
Microsoft。Authorization/elevateAccess/Action 對呼叫者授與租用戶範圍的使用者存取系統管理員存取權
Microsoft。Blueprint/blueprintAssignments/write 建立或更新任何藍圖指派
Microsoft。Blueprint/blueprintAssignments/delete 刪除任何藍圖指派
Microsoft。Compute/galleries/share/action 將資源庫提供給不同的範圍
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

擁有者

授與管理所有資源的完整存取權,包括在 Azure RBAC 中指派角色的能力。 深入了解

動作 描述
* 建立和管理所有類型的資源
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

讀取者

可檢視所有資源,但無法變更。 深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

使用者存取系統管理員

可讓您管理 Azure 資源的使用者存取。 深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
Microsoft。授權/* 管理授權
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

計算

傳統虛擬機器參與者

可讓您管理傳統虛擬機器 (不含虛擬機器所連接的虛擬網路或儲存體帳戶),但無法存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ClassicCompute/domainNames/* 建立和管理傳統運算網域名稱
Microsoft。ClassicCompute/virtualMachines/* 建立和管理虛擬機器
Microsoft。ClassicNetwork/networkSecurityGroups/join/action
Microsoft。ClassicNetwork/reservedIps/link/action 連結保留的 IP
Microsoft。ClassicNetwork/reservedIps/read 取得保留的 IP
Microsoft。ClassicNetwork/virtualNetworks/join/action 加入虛擬網路。
Microsoft。ClassicNetwork/virtualNetworks/read 取得虛擬網路。
Microsoft。ClassicStorage/storageAccounts/disks/read 傳回儲存體帳戶磁碟。
Microsoft。ClassicStorage/storageAccounts/images/read 傳回儲存體帳戶映像。 (已被取代。使用 'Microsoft。ClassicStorage/storageAccounts/vmImages')
Microsoft。ClassicStorage/storageAccounts/listKeys/action 列出儲存體帳戶的存取金鑰。
Microsoft。ClassicStorage/storageAccounts/read 傳回具有給定帳戶的儲存體帳戶。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控磁碟的資料運算子

提供將資料上傳至空的受控磁片、讀取或匯出受控磁片的許可權, (未連結至使用 SAS URI 和 Azure AD 驗證執行中的 VM) 和快照集。

動作 描述
NotActions
DataActions
Microsoft。計算/磁片/下載/動作 在磁片 SAS URI 上執行讀取資料作業
Microsoft。計算/磁片/上傳/動作 在磁片 SAS URI 上執行寫入資料作業
Microsoft。計算/快照集/下載/動作 在快照集 SAS URI 上執行讀取資料作業
Microsoft。計算/快照集/上傳/動作 在快照集 SAS URI 上執行寫入資料作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
  "name": "959f8984-c045-4866-89c7-12bf9737be2e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/disks/download/action",
        "Microsoft.Compute/disks/upload/action",
        "Microsoft.Compute/snapshots/download/action",
        "Microsoft.Compute/snapshots/upload/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Data Operator for Managed Disks",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

磁碟備份讀取器

提供備份保存庫執行磁片備份的許可權。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。計算/磁片/讀取 取得磁碟的屬性
Microsoft。計算/磁片/beginGetAccess/action 取得磁碟用於 Blob 存取的 SAS URI
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk backup.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

磁片集區操作員

提供 StoragePool 資源提供者的許可權,以管理新增至磁片集區的磁片。

動作 描述
Microsoft。計算/磁片/寫入 建立新的磁碟,或更新現有磁碟
Microsoft。計算/磁片/讀取 取得磁碟的屬性
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Pool Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

磁碟還原運算子

提供備份保存庫執行磁片還原的許可權。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。計算/磁片/寫入 建立新的磁碟,或更新現有磁碟
Microsoft。計算/磁片/讀取 取得磁碟的屬性
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to perform disk restore.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
  "name": "b50d9833-a0cb-478e-945f-707fcc997c13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Restore Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

磁片快照集參與者

提供備份保存庫以管理磁片快照集的許可權。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。計算/快照集/刪除 刪除快照集
Microsoft。計算/快照集/寫入 建立新的快照集,或更新現有快照集
Microsoft。計算/快照集/讀取 取得快照集的屬性
Microsoft。Compute/snapshots/beginGetAccess/action 取得快照集的 SAS URI 以用於 Blob 存取
Microsoft。Compute/snapshots/endGetAccess/action 撤銷快照集的 SAS URI
Microsoft。計算/磁片/beginGetAccess/action 取得磁碟用於 Blob 存取的 SAS URI
Microsoft。Storage/storageAccounts/listkeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。Storage/storageAccounts/write 使用指定參數來建立儲存體帳戶、更新指定儲存體帳戶的屬性或標記,或新增指定儲存體帳戶的自訂網域。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。Storage/storageAccounts/delete 刪除現有的儲存體帳戶。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Snapshot Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

虛擬機器系統管理員登入

在入口網站中檢視虛擬機器,並以系統管理員身分登入深入瞭解

動作 描述
Microsoft。Network/publicIPAddresses/read 取得公用 IP 位址定義。
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Compute/virtualMachines/*/read
Microsoft。HybridCompute/machines/*/read
Microsoft。HybridConnectivity/endpoints/listCredentials/action 列出資源的端點存取認證。
NotActions
DataActions
Microsoft。Compute/virtualMachines/login/action 以一般使用者身分登入虛擬機器
Microsoft。Compute/virtualMachines/loginAsAdmin/action 以 Windows 系統管理員或 Linux 根使用者權限登入虛擬機器
Microsoft。HybridCompute/machines/login/action 以一般使用者身分登入 Azure Arc 電腦
Microsoft。HybridCompute/machines/loginAsAdmin/action 使用 Windows 系統管理員或 Linux 根使用者權限登入 Azure Arc 電腦
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as administrator",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        "Microsoft.HybridCompute/machines/login/action",
        "Microsoft.HybridCompute/machines/loginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

虛擬機器參與者

建立和管理虛擬機器、管理磁片、安裝及執行軟體、使用 VM 擴充功能重設虛擬機器根使用者的密碼,以及使用 VM 擴充功能管理本機使用者帳戶。 此角色不會授與您虛擬機器所連線之虛擬網路或儲存體帳戶的管理存取權。 此角色不允許您在 Azure RBAC 中指派角色。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Compute/availabilitySets/* 建立和管理運算可用性集合
Microsoft。計算/位置/* 建立和管理運算位置
Microsoft。Compute/virtualMachines/* 執行所有虛擬機器動作,包括建立、更新、刪除、啟動、重新開機和關閉虛擬機器。 在虛擬機器上執行腳本。
Microsoft。Compute/virtualMachineScaleSets/* 建立和管理虛擬機器擴展集
Microsoft。Compute/cloudServices/*
Microsoft。計算/磁片/寫入 建立新的磁碟,或更新現有磁碟
Microsoft。計算/磁片/讀取 取得磁碟的屬性
Microsoft。計算/磁片/刪除 刪除磁碟
Microsoft。DevTestLab/schedules/*
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Network/applicationGateways/backendAddressPools/join/action 加入應用程式閘道後端位址集區。 不可警示。
Microsoft。Network/loadBalancers/backendAddressPools/join/action 加入負載平衡器後端位址集區。 不可警示。
Microsoft。Network/loadBalancers/inboundNatPools/join/action 加入負載平衡器輸入 NAT 集區。 不可警示。
Microsoft。Network/loadBalancers/inboundNatRules/join/action 加入負載平衡器輸入 nat 規則。 不可警示。
Microsoft。Network/loadBalancers/probes/join/action 允許使用負載平衡器的探查。 例如,使用此權限,VM 擴展集的 healthProbe 屬性就可以參考探查。 不可警示。
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。網路/位置/* 建立和管理網路位置
Microsoft。Network/networkInterfaces/* 建立和管理網路介面
Microsoft。Network/networkSecurityGroups/join/action 加入網路安全性群組。 不可警示。
Microsoft。Network/networkSecurityGroups/read 取得網路安全性群組定義
Microsoft。Network/publicIPAddresses/join/action 加入公用 IP 位址。 不可警示。
Microsoft。Network/publicIPAddresses/read 取得公用 IP 位址定義。
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/subnets/join/action 加入虛擬網路。 不可警示。
Microsoft。RecoveryServices/locations/*
Microsoft。RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write 建立備份保護用途
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read 傳回受保護項目的物件詳細資料
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write 建立備用的受保護項目
Microsoft。RecoveryServices/Vaults/backupPolicies/read 傳回所有保護原則
Microsoft。RecoveryServices/Vaults/backupPolicies/write 建立保護原則
Microsoft。RecoveryServices/Vaults/read 「取得保存庫」作業會取得物件,此物件代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/usages/read 傳回復原服務保存庫的使用量詳細資料。
Microsoft。RecoveryServices/Vaults/write 「建立保存庫」作業會建立 'vault' 類型的 Azure 資源
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。SerialConsole/serialPorts/connect/action 連線到序列埠
Microsoft。SqlVirtualMachine/*
Microsoft。Storage/storageAccounts/listKeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Compute/cloudServices/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.DevTestLab/schedules/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SerialConsole/serialPorts/connect/action",
        "Microsoft.SqlVirtualMachine/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

虛擬機器使用者登入

在入口網站中檢視虛擬機器並以一般使用者身分登入。 深入了解

動作 描述
Microsoft。Network/publicIPAddresses/read 取得公用 IP 位址定義。
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Compute/virtualMachines/*/read
Microsoft。HybridCompute/machines/*/read
Microsoft。HybridConnectivity/endpoints/listCredentials/action 列出資源的端點存取認證。
NotActions
DataActions
Microsoft。Compute/virtualMachines/login/action 以一般使用者身分登入虛擬機器
Microsoft。HybridCompute/machines/login/action 以一般使用者身分登入 Azure Arc 電腦
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "View Virtual Machines in the portal and login as a regular user.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
  "name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.HybridCompute/machines/login/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine User Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Windows Admin Center系統管理員登入

讓我們透過系統管理員身分Windows Admin Center來管理資源的 OS。 深入了解

動作 描述
Microsoft。HybridCompute/machines/*/read
Microsoft。HybridCompute/machines/extensions/*
Microsoft。HybridCompute/machines/upgradeExtensions/action 升級 Azure Arc 機器上的擴充功能
Microsoft。HybridCompute/operations/read 讀取適用于伺服器的 Azure Arc 的所有作業
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。Network/publicIPAddresses/read 取得公用 IP 位址定義。
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/networkSecurityGroups/read 取得網路安全性群組定義
Microsoft。Network/networkSecurityGroups/defaultSecurityRules/read 取得預設的安全性規則定義
Microsoft。Network/networkWatchers/securityGroupView/action 檢視對 VM 套用之已設定且生效的網路安全性群組規則。
Microsoft。Network/networkSecurityGroups/securityRules/read 取得安全性規則定義
Microsoft。Network/networkSecurityGroups/securityRules/write 建立安全性規則,或更新現有的安全性規則
Microsoft。HybridConnectivity/endpoints/write 建立或更新目標資源的端點。
Microsoft。HybridConnectivity/endpoints/read 取得或列出目標資源的端點。
Microsoft。HybridConnectivity/endpoints/listManagedProxyDetails/action
Microsoft。Compute/virtualMachines/read 取得虛擬機器的屬性
Microsoft。Compute/virtualMachines/patchAssessmentResults/latest/read 擷取最新修補程式評估作業的摘要
Microsoft。Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read 擷取上次修補程式評估作業期間評估的修補程式清單
Microsoft。Compute/virtualMachines/patchInstallationResults/read 擷取最新修補程式安裝作業的摘要
Microsoft。Compute/virtualMachines/patchInstallationResults/softwarePatches/read 擷取上次修補程式安裝作業期間嘗試安裝的修補程式清單
Microsoft。Compute/virtualMachines/extensions/read 取得虛擬機器擴充功能的屬性
Microsoft。Compute/virtualMachines/instanceView/read 取得虛擬機器和其資源的詳細執行階段狀態
Microsoft。Compute/virtualMachines/runCommands/read 取得虛擬機器執行命令的屬性
Microsoft。Compute/virtualMachines/vmSizes/read 列出虛擬機器所能更新成的大小
Microsoft。Compute/locations/publishers/artifacttypes/types/read 取得 VMExtension 類型的屬性
Microsoft。Compute/locations/publishers/artifacttypes/types/versions/read 取得 VMExtension 版本的屬性
Microsoft。Compute/diskAccesses/read 取得 DiskAccess 資源的屬性
Microsoft。Compute/galleries/images/read 取得資源庫映像的屬性
Microsoft。計算/映射/讀取 取得映像的屬性
Microsoft。AzureStackHCI/Clusters/Read 取得叢集
Microsoft。AzureStackHCI/Clusters/ArcSettings/Read 取得 HCI 叢集的弧形資源
Microsoft。AzureStackHCI/Clusters/ArcSettings/Extensions/Read 取得 HCI 叢集的擴充資源
Microsoft。AzureStackHCI/Clusters/ArcSettings/Extensions/Write 建立或更新 HCI 叢集的擴充資源
Microsoft。AzureStackHCI/Clusters/ArcSettings/Extensions/Delete 刪除 HCI 叢集的擴充資源
Microsoft。AzureStackHCI/Operations/Read 取得作業
NotActions
DataActions
Microsoft。HybridCompute/machines/WACLoginAsAdmin/action 可讓您以系統管理員身分透過Windows Admin Center管理資源的 OS。
Microsoft。Compute/virtualMachines/WACloginAsAdmin/action 可讓您透過系統管理員身分透過Windows Admin Center管理資源的 OS
Microsoft。AzureStackHCI/Clusters/WACloginAsAdmin/Action 透過系統管理員身分Windows Admin Center管理 HCI 資源的 OS
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
  "name": "a6333a3e-0164-44c3-b281-7a577aff287f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridCompute/machines/extensions/*",
        "Microsoft.HybridCompute/machines/upgradeExtensions/action",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.HybridConnectivity/endpoints/write",
        "Microsoft.HybridConnectivity/endpoints/read",
        "Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/runCommands/read",
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/images/read",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
        "Microsoft.AzureStackHCI/Operations/Read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
        "Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
        "Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Windows Admin Center Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

網路功能

CDN 端點參與者

可管理 CDN 端點,但無法將存取權授與其他使用者。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Cdn/edgenodes/read
Microsoft。Cdn/operationresults/*
Microsoft。Cdn/profiles/endpoints/*
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN 端點讀者

可檢視 CDN 端點,但無法變更。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Cdn/edgenodes/read
Microsoft。Cdn/operationresults/*
Microsoft。Cdn/profiles/endpoints/*/read
Microsoft。Cdn/profiles/afdendpoints/validateCustomDomain/action
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*/read",
        "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN 設定檔參與者

可管理 CDN 設定檔及其端點,但無法將存取權授與其他使用者。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Cdn/edgenodes/read
Microsoft。Cdn/operationresults/*
Microsoft。Cdn/profiles/*
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CDN 設定檔讀者

可檢視 CDN 設定檔及其端點,但無法變更。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Cdn/edgenodes/read
Microsoft。Cdn/operationresults/*
Microsoft。Cdn/profiles/*/read
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view CDN profiles and their endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
  "name": "8f96442b-4075-438f-813d-ad51ab4019af",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

傳統網路參與者

可讓您管理傳統網路,但無法存取它們。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ClassicNetwork/* 建立和管理傳統網路
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DNS 區域參與者

可讓您管理 Azure DNS 中的 DNS 區域與記錄集,但無法讓您控制誰可存取它們。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Network/dnsZones/* 建立和管理 DNS 區域和記錄
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
  "name": "befefa01-2a29-4197-83a8-272ff33ce314",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/dnsZones/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

網路參與者

可讓您管理網路,但無法存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。網路/* 建立和管理網路
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
  "name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

私人 DNS 區域參與者

可讓您管理私人 DNS 區域資源,但無法管理它們所連結的虛擬網路。 深入了解

動作 描述
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Network/privateDnsZones/*
Microsoft。Network/privateDnsOperationResults/*
Microsoft。Network/privateDnsOperationStatuses/*
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/join/action 加入虛擬網路。 不可警示。
Microsoft。Authorization/*/read 讀取角色和角色指派
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/privateDnsZones/*",
        "Microsoft.Network/privateDnsOperationResults/*",
        "Microsoft.Network/privateDnsOperationStatuses/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Private DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

流量管理員參與者

可讓您管理「流量管理員」設定檔,但無法控制誰可以存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Network/trafficManagerProfiles/*
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/trafficManagerProfiles/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Traffic Manager Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體

Avere 參與者

可以建立和管理 Avere vFXT 叢集。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。計算/*/read
Microsoft。Compute/availabilitySets/*
Microsoft。Compute/proximityPlacementGroups/*
Microsoft。Compute/virtualMachines/*
Microsoft。計算/磁片/*
Microsoft。網路/*/read
Microsoft。Network/networkInterfaces/*
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/subnets/read 取得虛擬網路子網路定義
Microsoft。Network/virtualNetworks/subnets/join/action 加入虛擬網路。 不可警示。
Microsoft。Network/virtualNetworks/subnets/joinViaServiceEndpoint/action 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。
Microsoft。Network/networkSecurityGroups/join/action 加入網路安全性群組。 不可警示。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。儲存體/*/read
Microsoft。Storage/storageAccounts/* 建立及管理儲存體帳戶
Microsoft。支援/* 建立和更新支援票證
Microsoft。Resources/subscriptions/resourceGroups/resources/read 取得資源群組的資源。
NotActions
DataActions
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/delete 傳回刪除 Blob 的結果
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/read 傳回 Blob 或 Blob 清單
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/write 傳回寫入 Blob 的結果
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Avere 操作員

Avere vFXT 叢集用來管理叢集 深入瞭解

動作 描述
Microsoft。Compute/virtualMachines/read 取得虛擬機器的屬性
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Network/networkInterfaces/write 建立網路介面,或更新現有的網路介面。
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/subnets/read 取得虛擬網路子網路定義
Microsoft。Network/virtualNetworks/subnets/join/action 加入虛擬網路。 不可警示。
Microsoft。Network/networkSecurityGroups/join/action 加入網路安全性群組。 不可警示。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/blobServices/containers/delete 傳回刪除容器的結果
Microsoft。Storage/storageAccounts/blobServices/containers/read 傳回容器的清單
Microsoft。Storage/storageAccounts/blobServices/containers/write 傳回放置 Blob 容器的結果
NotActions
DataActions
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/delete 傳回刪除 Blob 的結果
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/read 傳回 Blob 或 Blob 清單
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/write 傳回寫入 Blob 的結果
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

備份參與者

可讓您管理備份服務,但無法建立保存庫,並授與其他人的存取權 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。RecoveryServices/locations/*
Microsoft。RecoveryServices/Vaults/backupFabrics/operationResults/* 管理備份管理上作業的結果
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/* 在復原服務保存庫的備份網狀架構內建立和管理備份容器
Microsoft。RecoveryServices/Vaults/backupFabrics/refreshContainers/action 重新整理容器清單
Microsoft。RecoveryServices/Vaults/backupJobs/* 建立和管理備份作業
Microsoft。RecoveryServices/Vaults/backupJobsExport/action 匯出作業
Microsoft。RecoveryServices/Vaults/backupOperationResults/* 建立和管理備份管理作業的結果
Microsoft。RecoveryServices/Vaults/backupPolicies/* 建立和管理備份原則
Microsoft。RecoveryServices/Vaults/backupProtectableItems/* 建立和管理可以備份的項目
Microsoft。RecoveryServices/Vaults/backupProtectedItems/* 建立和管理備份項目
Microsoft。RecoveryServices/Vaults/backupProtectionContainers/* 建立和管理保存備份項目的容器
Microsoft。RecoveryServices/Vaults/backupSecurityPIN/*
Microsoft。RecoveryServices/Vaults/backupUsageSummaries/read 傳回復原服務之受保護項目和受保護伺服器的摘要。
Microsoft。RecoveryServices/Vaults/certificates/* 建立和管理備份復原服務保存庫中與備份相關的憑證
Microsoft。RecoveryServices/Vaults/extendedInformation/* 建立和管理與保存庫相關的擴充資訊
Microsoft。RecoveryServices/Vaults/monitoringAlerts/read 取得復原服務保存庫的警示。
Microsoft。RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft。RecoveryServices/Vaults/read 「取得保存庫」作業會取得物件,此物件代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/registeredIdentities/* 建立和管理註冊的身分識別
Microsoft。RecoveryServices/Vaults/usages/* 建立和管理復原服務保存庫的使用方式
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。RecoveryServices/Vaults/backupstorageconfig/*
Microsoft。RecoveryServices/Vaults/backupconfig/*
Microsoft。RecoveryServices/Vaults/backupValidateOperation/action 驗證受保護項目上的作業
Microsoft。RecoveryServices/Vaults/write 「建立保存庫」作業會建立 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/backupOperations/read 傳回復原服務保存庫的備份作業狀態。
Microsoft。RecoveryServices/Vaults/backupEngines/read 傳回已向保存庫註冊的所有備份管理伺服器。
Microsoft。RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
Microsoft。RecoveryServices/Vaults/backupFabrics/protectableContainers/read 取得所有可保護的容器
Microsoft。RecoveryServices/locations/backupStatus/action 檢查復原服務保存庫的備份狀態
Microsoft。RecoveryServices/locations/backupPreValidateProtection/action
Microsoft。RecoveryServices/locations/backupValidateFeatures/action 驗證功能
Microsoft。RecoveryServices/Vaults/monitoringAlerts/write 解決警示。
Microsoft。RecoveryServices/operations/read 作業會傳回資源提供者的作業清單
Microsoft。RecoveryServices/locations/operationStatus/read 取得給定作業的作業狀態
Microsoft。RecoveryServices/Vaults/backupProtectionIntents/read 列出所有的備份保護用途
Microsoft。支援/* 建立和更新支援票證
Microsoft。DataProtection/locations/getBackupStatus/action 檢查復原服務保存庫的備份狀態
Microsoft。DataProtection/backupVaults/backupInstances/write 建立備份實例
Microsoft。DataProtection/backupVaults/backupInstances/delete 刪除備份實例
Microsoft。DataProtection/backupVaults/backupInstances/read 傳回所有備份實例
Microsoft。DataProtection/backupVaults/backupInstances/read 傳回所有備份實例
Microsoft。DataProtection/backupVaults/deletedBackupInstances/read 列出備份保存庫中虛刪除的備份實例。
Microsoft。DataProtection/backupVaults/deletedBackupInstances/undelete/action 執行虛刪除備份實例的取消刪除。 備份實例會從 SoftDeleted 移至 ProtectionStopped 狀態。
Microsoft。DataProtection/backupVaults/backupInstances/backup/action 在備份實例上執行備份
Microsoft。DataProtection/backupVaults/backupInstances/validateRestore/action 驗證備份實例的還原
Microsoft。DataProtection/backupVaults/backupInstances/restore/action 在備份實例上觸發還原
Microsoft。DataProtection/backupVaults/backupPolicies/write 建立備份原則
Microsoft。DataProtection/backupVaults/backupPolicies/delete 刪除備份原則
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action 尋找可還原的時間範圍
Microsoft。DataProtection/backupVaults/write 建立 BackupVault 作業會建立類型為 'Backup Vault' 的 Azure 資源
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/operationResults/read 取得備份保存庫修補作業的作業結果
Microsoft。DataProtection/backupVaults/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/locations/checkNameAvailability/action 檢查要求的 BackupVault 名稱是否可用
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/locations/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/locations/operationResults/read 傳回備份保存庫的備份作業結果。
Microsoft。DataProtection/backupVaults/validateForBackup/action 驗證備份實例的備份
Microsoft。DataProtection/operations/read 作業會傳回資源提供者的作業清單
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup service,but can't create vaults and give access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

備份操作員

可讓您管理備份服務,但除了移除備份、保存庫建立以及授與其他人的存取 權深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。RecoveryServices/Vaults/backupFabrics/operationResults/read 傳回作業的狀態
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read 取得對保護容器執行之作業的結果。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action 對受保護的項目執行備份。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read 取得對受保護項目執行之作業的結果。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read 傳回對受保護項目執行之作業的狀態。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read 傳回受保護項目的物件詳細資料
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action 為受保護的項目佈建即時項目復原
Microsoft。RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action 取得跨區域還原的 AccessToken。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read 取得受保護項目的復原點。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action 還原受保護項目的復原點。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action 為受保護的項目撤銷即時項目復原
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write 建立備用的受保護項目
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/read 傳回所有已註冊的容器
Microsoft。RecoveryServices/Vaults/backupFabrics/refreshContainers/action 重新整理容器清單
Microsoft。RecoveryServices/Vaults/backupJobs/* 建立和管理備份作業
Microsoft。RecoveryServices/Vaults/backupJobsExport/action 匯出作業
Microsoft。RecoveryServices/Vaults/backupOperationResults/* 建立和管理備份管理作業的結果
Microsoft。RecoveryServices/Vaults/backupPolicies/operationResults/read 取得原則作業的結果。
Microsoft。RecoveryServices/Vaults/backupPolicies/read 傳回所有保護原則
Microsoft。RecoveryServices/Vaults/backupProtectableItems/* 建立和管理可以備份的項目
Microsoft。RecoveryServices/Vaults/backupProtectedItems/read 傳回所有受保護項目的清單。
Microsoft。RecoveryServices/Vaults/backupProtectionContainers/read 傳回屬於訂用帳戶的所有容器
Microsoft。RecoveryServices/Vaults/backupUsageSummaries/read 傳回復原服務之受保護項目和受保護伺服器的摘要。
Microsoft。RecoveryServices/Vaults/certificates/write 「更新資源憑證」作業會更新資源/保存庫的認證憑證。
Microsoft。RecoveryServices/Vaults/extendedInformation/read 「取得延伸資訊」作業會取得物件的延伸資訊,此延伸資訊代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/extendedInformation/write 「取得延伸資訊」作業會取得物件的延伸資訊,此延伸資訊代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/monitoringAlerts/read 取得復原服務保存庫的警示。
Microsoft。RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft。RecoveryServices/Vaults/read 「取得保存庫」作業會取得物件,此物件代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/registeredIdentities/operationResults/read 「取得作業結果」作業可用來取得以非同步方式提交之作業的作業狀態和結果
Microsoft。RecoveryServices/Vaults/registeredIdentities/read 「取得容器」作業可用來取得為資源註冊的容器。
Microsoft。RecoveryServices/Vaults/registeredIdentities/write 「註冊服務容器」作業可用來向復原服務註冊容器。
Microsoft。RecoveryServices/Vaults/usages/read 傳回復原服務保存庫的使用量詳細資料。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。RecoveryServices/Vaults/backupstorageconfig/*
Microsoft。RecoveryServices/Vaults/backupValidateOperation/action 驗證受保護項目上的作業
Microsoft。RecoveryServices/Vaults/backupTriggerValidateOperation/action 驗證受保護項目上的作業
Microsoft。RecoveryServices/Vaults/backupValidateOperationResults/read 驗證受保護項目上的作業
Microsoft。RecoveryServices/Vaults/backupValidateOperationsStatuses/read 驗證受保護項目上的作業
Microsoft。RecoveryServices/Vaults/backupOperations/read 傳回復原服務保存庫的備份作業狀態。
Microsoft。RecoveryServices/Vaults/backupPolicies/operations/read 取得原則作業的狀態。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/write 建立已註冊的容器
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/query/action 執行容器內工作負載的查詢
Microsoft。RecoveryServices/Vaults/backupEngines/read 傳回已向保存庫註冊的所有備份管理伺服器。
Microsoft。RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write 建立備份保護用途
Microsoft。RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read 取得備份保護用途
Microsoft。RecoveryServices/Vaults/backupFabrics/protectableContainers/read 取得所有可保護的容器
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read 取得容器中的所有項目
Microsoft。RecoveryServices/locations/backupStatus/action 檢查復原服務保存庫的備份狀態
Microsoft。RecoveryServices/locations/backupPreValidateProtection/action
Microsoft。RecoveryServices/locations/backupValidateFeatures/action 驗證功能
Microsoft。RecoveryServices/locations/backupAadProperties/read 取得 AAD 屬性,以在跨區域還原的第三個區域中進行驗證。
Microsoft。RecoveryServices/locations/backupCrrJobs/action 列出復原服務保存庫次要區域中的跨區域還原作業。
Microsoft。RecoveryServices/locations/backupCrrJob/action 取得復原服務保存庫次要區域中的跨區域還原作業詳細資料。
Microsoft。RecoveryServices/locations/backupCrossRegionRestore/action 觸發跨區域還原。
Microsoft。RecoveryServices/locations/backupCrrOperationResults/read 傳回復原服務保存庫的 CRR 作業結果。
Microsoft。RecoveryServices/locations/backupCrrOperationsStatus/read 傳回復原服務保存庫的 CRR 作業狀態。
Microsoft。RecoveryServices/Vaults/monitoringAlerts/write 解決警示。
Microsoft。RecoveryServices/operations/read 作業會傳回資源提供者的作業清單
Microsoft。RecoveryServices/locations/operationStatus/read 取得給定作業的作業狀態
Microsoft。RecoveryServices/Vaults/backupProtectionIntents/read 列出所有的備份保護用途
Microsoft。支援/* 建立和更新支援票證
Microsoft。DataProtection/backupVaults/backupInstances/read 傳回所有備份實例
Microsoft。DataProtection/backupVaults/backupInstances/read 傳回所有備份實例
Microsoft。DataProtection/backupVaults/deletedBackupInstances/read 列出備份保存庫中虛刪除的備份實例。
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action 尋找可還原的時間範圍
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/operationResults/read 取得備份保存庫修補作業的作業結果
Microsoft。DataProtection/backupVaults/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/locations/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/locations/operationResults/read 傳回備份保存庫的備份作業結果。
Microsoft。DataProtection/operations/read 作業會傳回資源提供者的作業清單
Microsoft。DataProtection/backupVaults/validateForBackup/action 驗證備份實例的備份
Microsoft。DataProtection/backupVaults/backupInstances/backup/action 在備份實例上執行備份
Microsoft。DataProtection/backupVaults/backupInstances/validateRestore/action 驗證備份實例的還原
Microsoft。DataProtection/backupVaults/backupInstances/restore/action 在備份實例上觸發還原
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

備份讀取者

可以檢視備份服務,但無法進行變更 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp 是服務所使用的內部作業
Microsoft。RecoveryServices/Vaults/backupFabrics/operationResults/read 傳回作業的狀態
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read 取得對保護容器執行之作業的結果。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read 取得對受保護項目執行之作業的結果。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read 傳回對受保護項目執行之作業的狀態。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read 傳回受保護項目的物件詳細資料
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read 取得受保護項目的復原點。
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/read 傳回所有已註冊的容器
Microsoft。RecoveryServices/Vaults/backupJobs/operationResults/read 傳回作業的作業結果。
Microsoft。RecoveryServices/Vaults/backupJobs/read 傳回所有作業物件
Microsoft。RecoveryServices/Vaults/backupJobsExport/action 匯出作業
Microsoft。RecoveryServices/Vaults/backupOperationResults/read 傳回復原服務保存庫的備份作業結果。
Microsoft。RecoveryServices/Vaults/backupPolicies/operationResults/read 取得原則作業的結果。
Microsoft。RecoveryServices/Vaults/backupPolicies/read 傳回所有保護原則
Microsoft。RecoveryServices/Vaults/backupProtectedItems/read 傳回所有受保護項目的清單。
Microsoft。RecoveryServices/Vaults/backupProtectionContainers/read 傳回屬於訂用帳戶的所有容器
Microsoft。RecoveryServices/Vaults/backupUsageSummaries/read 傳回復原服務之受保護項目和受保護伺服器的摘要。
Microsoft。RecoveryServices/Vaults/extendedInformation/read 「取得延伸資訊」作業會取得物件的延伸資訊,此延伸資訊代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/monitoringAlerts/read 取得復原服務保存庫的警示。
Microsoft。RecoveryServices/Vaults/read 「取得保存庫」作業會取得物件,此物件代表 'vault' 類型的 Azure 資源
Microsoft。RecoveryServices/Vaults/registeredIdentities/operationResults/read 「取得作業結果」作業可用來取得以非同步方式提交之作業的作業狀態和結果
Microsoft。RecoveryServices/Vaults/registeredIdentities/read 「取得容器」作業可用來取得為資源註冊的容器。
Microsoft。RecoveryServices/Vaults/backupstorageconfig/read 傳回復原服務保存庫的儲存體組態。
Microsoft。RecoveryServices/Vaults/backupconfig/read 傳回復原服務保存庫的組態。
Microsoft。RecoveryServices/Vaults/backupOperations/read 傳回復原服務保存庫的備份作業狀態。
Microsoft。RecoveryServices/Vaults/backupPolicies/operations/read 取得原則作業的狀態。
Microsoft。RecoveryServices/Vaults/backupEngines/read 傳回已向保存庫註冊的所有備份管理伺服器。
Microsoft。RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read 取得備份保護用途
Microsoft。RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read 取得容器中的所有項目
Microsoft。RecoveryServices/locations/backupStatus/action 檢查復原服務保存庫的備份狀態
Microsoft。RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft。RecoveryServices/Vaults/monitoringAlerts/write 解決警示。
Microsoft。RecoveryServices/operations/read 作業會傳回資源提供者的作業清單
Microsoft。RecoveryServices/locations/operationStatus/read 取得給定作業的作業狀態
Microsoft。RecoveryServices/Vaults/backupProtectionIntents/read 列出所有的備份保護用途
Microsoft。RecoveryServices/Vaults/usages/read 傳回復原服務保存庫的使用量詳細資料。
Microsoft。RecoveryServices/locations/backupValidateFeatures/action 驗證功能
Microsoft。RecoveryServices/locations/backupCrrJobs/action 列出復原服務保存庫次要區域中的跨區域還原作業。
Microsoft。RecoveryServices/locations/backupCrrJob/action 取得復原服務保存庫次要區域中的跨區域還原作業詳細資料。
Microsoft。RecoveryServices/locations/backupCrrOperationResults/read 傳回復原服務保存庫的 CRR 作業結果。
Microsoft。RecoveryServices/locations/backupCrrOperationsStatus/read 傳回復原服務保存庫的 CRR 作業狀態。
Microsoft。DataProtection/locations/getBackupStatus/action 檢查復原服務保存庫的備份狀態
Microsoft。DataProtection/backupVaults/backupInstances/write 建立備份實例
Microsoft。DataProtection/backupVaults/backupInstances/read 傳回所有備份實例
Microsoft。DataProtection/backupVaults/deletedBackupInstances/read 列出備份保存庫中虛刪除的備份實例。
Microsoft。DataProtection/backupVaults/backupInstances/backup/action 在備份實例上執行備份
Microsoft。DataProtection/backupVaults/backupInstances/validateRestore/action 驗證備份實例的還原
Microsoft。DataProtection/backupVaults/backupInstances/restore/action 觸發備份實例上的還原
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupPolicies/read 傳回所有備份原則
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/recoveryPoints/read 傳回所有復原點
Microsoft。DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action 尋找可還原的時間範圍
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/operationResults/read 取得備份保存庫修補作業的作業結果
Microsoft。DataProtection/backupVaults/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/backupVaults/read 取得訂用帳戶中的備份保存庫清單
Microsoft。DataProtection/locations/operationStatus/read 傳回備份保存庫的備份作業狀態。
Microsoft。DataProtection/locations/operationResults/read 傳回備份保存庫的備份作業結果。
Microsoft。DataProtection/backupVaults/validateForBackup/action 驗證備份實例的備份
Microsoft。DataProtection/operations/read 作業會傳回資源提供者的作業清單
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view backup services, but can't make changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

傳統儲存體帳戶參與者

可讓您管理傳統儲存體帳戶,但無法存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ClassicStorage/storageAccounts/* 建立及管理儲存體帳戶
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

傳統儲存體帳戶金鑰操作員服務角色

傳統儲存體帳戶金鑰操作員可在傳統儲存體帳戶上列出和重新產生金鑰 深入瞭解

動作 描述
Microsoft。ClassicStorage/storageAccounts/listkeys/action 列出儲存體帳戶的存取金鑰。
Microsoft。ClassicStorage/storageAccounts/regeneratekey/action 重新產生儲存體帳戶的現有存取金鑰。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

資料箱參與者

可讓您管理資料箱服務下的所有項目,為他人賦予存取權除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Databox/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
  "name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

資料箱讀者

可讓您管理資料箱服務,建立訂單或編輯訂單詳細資料和為他人賦予存取權除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Databox/*/read
Microsoft。Databox/jobs/listsecrets/action
Microsoft。Databox/jobs/listcredentials/action 列出與訂單相關的未加密認證。
Microsoft。Databox/locations/availableSkus/action 此方法會傳回可用的 SKU 清單。
Microsoft。Databox/locations/validateInputs/action 此方法會執行所有類型的驗證。
Microsoft。Databox/locations/regionConfiguration/action 此方法會傳回區域的設定。
Microsoft。Databox/locations/validateAddress/action 驗證出貨地址,並提供備用的地址 (若有的話)。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Lake Analytics 開發人員

可讓您提交、監視及管理您自己的作業,但無法建立或刪除 Data Lake Analytics 帳戶。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft.BigAnalytics/accounts/*
Microsoft。DataLakeAnalytics/accounts/*
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft.BigAnalytics/accounts/Delete
Microsoft.BigAnalytics/accounts/TakeOwnership/action
Microsoft.BigAnalytics/accounts/Write
Microsoft。DataLakeAnalytics/accounts/Delete 刪除 DataLakeAnalytics 帳戶。
Microsoft。DataLakeAnalytics/accounts/TakeOwnership/action 授與權限以取消其他使用者所提交的作業。
Microsoft。DataLakeAnalytics/accounts/Write 建立或更新 DataLakeAnalytics 帳戶。
Microsoft。DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write 建立或更新 DataLakeAnalytics 帳戶所連結的 DataLakeStore 帳戶。
Microsoft。DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete 取消 DataLakeStore 帳戶與 DataLakeAnalytics 帳戶的連結。
Microsoft。DataLakeAnalytics/accounts/storageAccounts/Write 建立或更新 DataLakeAnalytics 帳戶所連結的儲存體帳戶。
Microsoft。DataLakeAnalytics/accounts/storageAccounts/Delete 取消儲存體帳戶與 DataLakeAnalytics 帳戶的連結。
Microsoft。DataLakeAnalytics/accounts/firewallRules/Write 建立或更新防火牆規則。
Microsoft。DataLakeAnalytics/accounts/firewallRules/Delete 刪除防火牆規則。
Microsoft。DataLakeAnalytics/accounts/computePolicies/Write 建立或更新計算原則。
Microsoft。DataLakeAnalytics/accounts/computePolicies/Delete 刪除計算原則。
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

彈性 SAN 擁有者

允許完整存取 Azure Elastic SAN 下的所有資源,包括變更網路安全性原則以解除封鎖資料路徑存取

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ElasticSan/elasticSans/*
Microsoft。ElasticSan/locations/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

彈性 SAN 讀取器

允許控制 Azure Elastic SAN 的路徑讀取權限

動作 描述
Microsoft。Authorization/roleAssignments/read 取得關於角色指派的資訊。
Microsoft。Authorization/roleDefinitions/read 取得關於角色定義的資訊。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ElasticSan/elasticSans/*/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for control path read access to Azure Elastic SAN",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

彈性 SAN 磁片區群組擁有者

允許完整存取 Azure Elastic SAN 中的磁片區群組,包括變更網路安全性原則以解除封鎖資料路徑存取

動作 描述
Microsoft。Authorization/roleAssignments/read 取得關於角色指派的資訊。
Microsoft。Authorization/roleDefinitions/read 取得關於角色定義的資訊。
Microsoft。ElasticSan/elasticSans/volumeGroups/*
Microsoft。ElasticSan/locations/asyncoperations/read 輪詢非同步作業的狀態。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
  "name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Volume Group Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

讀取者及資料存取

可讓您檢視所有內容,但無法讓您刪除或建立儲存體帳戶或內含的資源。 也可透過存取儲存體帳戶金鑰,對儲存體帳戶中內含的所有資料進行讀取/寫入存取。

動作 描述
Microsoft。Storage/storageAccounts/listKeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。Storage/storageAccounts/ListAccountSas/action 傳回指定儲存體帳戶的帳戶 SAS 權杖。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體帳戶備份參與者

可讓您使用儲存體帳戶上的Azure 備份來執行備份和還原作業。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。授權/鎖定/讀取 取得指定範圍的鎖定。
Microsoft。授權/鎖定/寫入 新增指定範圍的鎖定。
Microsoft。Authorization/locks/delete 刪除指定範圍的鎖定。
Microsoft。功能/功能/讀取 取得訂用帳戶的功能。
Microsoft。功能/提供者/功能/讀取 取得給定資源提供者中某個訂用帳戶的功能。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。儲存體/作業/讀取 輪詢非同步作業的狀態。
Microsoft。Storage/storageAccounts/objectReplicationPolicies/delete 刪除物件複寫原則
Microsoft。Storage/storageAccounts/objectReplicationPolicies/read 列出物件複寫原則
Microsoft。Storage/storageAccounts/objectReplicationPolicies/write 建立或更新物件複寫原則
Microsoft。Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write 建立物件複寫還原點標記
Microsoft。Storage/storageAccounts/blobServices/containers/read 傳回容器的清單
Microsoft。Storage/storageAccounts/blobServices/containers/write 傳回放置 Blob 容器的結果
Microsoft。Storage/storageAccounts/blobServices/read 傳回 Blob 服務屬性或統計資料
Microsoft。Storage/storageAccounts/blobServices/write 傳回放置 Blob 服務屬性的結果
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。Storage/storageAccounts/restoreBlobRanges/action 將 Blob 範圍還原至指定時間的狀態
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體帳戶參與者

允許管理儲存體帳戶。 支援存取帳戶金鑰,以透過共用金鑰授權來存取資料。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/diagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。Network/virtualNetworks/subnets/joinViaServiceEndpoint/action 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/* 建立及管理儲存體帳戶
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體帳戶金鑰操作員服務角色

允許列出及重新產生儲存體帳戶存取金鑰。 深入了解

動作 描述
Microsoft。Storage/storageAccounts/listkeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。Storage/storageAccounts/regeneratekey/action 重新產生指定儲存體帳戶的存取金鑰。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體 Blob 資料參與者

讀取、寫入和刪除 Azure 儲存體的容器和 blob。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
Microsoft。Storage/storageAccounts/blobServices/containers/delete 刪除容器。
Microsoft。Storage/storageAccounts/blobServices/containers/read 傳回一個容器或一份容器清單。
Microsoft。Storage/storageAccounts/blobServices/containers/write 修改容器的中繼資料或屬性。
Microsoft。Storage/storageAccounts/blobServices/generateUserDelegationKey/action 傳回 Blob 服務的使用者委派金鑰。
NotActions
DataActions
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/delete 刪除 Blob。
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/read 傳回一個 blob 或一份 blob 清單。
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/write 寫入 blob。
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/move/action 將 blob 從一個路徑移到另一個路徑
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/add/action 傳回新增 Blob 內容的結果
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體 Blob 資料擁有者

支援完整存取 Azure 儲存體 blob 容器和資料,包括指派 POSIX 存取控制。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
Microsoft。Storage/storageAccounts/blobServices/containers/* 容器的完整權限。
Microsoft。Storage/storageAccounts/blobServices/generateUserDelegationKey/action 傳回 Blob 服務的使用者委派金鑰。
NotActions
DataActions
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/* Blob 的完整權限。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體 Blob 資料讀者

讀取和列出 Azure 儲存體的容器和 blob。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
Microsoft。Storage/storageAccounts/blobServices/containers/read 傳回一個容器或一份容器清單。
Microsoft。Storage/storageAccounts/blobServices/generateUserDelegationKey/action 傳回 Blob 服務的使用者委派金鑰。
NotActions
DataActions
Microsoft。Storage/storageAccounts/blobServices/containers/blobs/read 傳回一個 blob 或一份 blob 清單。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體 Blob 委派者

取得使用者委派金鑰,以針對使用 Azure AD 認證所簽署的容器或 blob,建立共用存取簽章。 如需詳細資訊,請參閱建立使用者委派 SAS深入了解

動作 描述
Microsoft。Storage/storageAccounts/blobServices/generateUserDelegationKey/action 傳回 Blob 服務的使用者委派金鑰。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Delegator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體檔案資料 SMB 共用參與者

允許讀取、寫入及刪除 Azure 檔案共用上的檔案/目錄。 此角色在 Windows 檔案伺服器上沒有內建的對等項。 深入了解

動作 描述
NotActions
DataActions
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/read 傳回一個檔案/資料夾,或一份檔案/資料夾清單。
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/write 傳回寫入檔案或建立資料夾的結果。
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/delete 傳回刪除檔案/資料夾的結果。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體檔案資料 SMB 共用提升權限的參與者

允許對 Azure 檔案共用上的檔案/目錄,讀取、寫入、刪除和修改 ACL。 此角色相當於 Windows 檔案伺服器上的「變更」檔案共用 ACL。 深入了解

動作 描述
NotActions
DataActions
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/read 傳回一個檔案/資料夾,或一份檔案/資料夾清單。
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/write 傳回寫入檔案或建立資料夾的結果。
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/delete 傳回刪除檔案/資料夾的結果。
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action 傳回修改檔案/資料夾權限的結果。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
  "name": "a7264617-510b-434b-a828-9731dc254ea7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體檔案資料 SMB 共用讀者

允許讀取 Azure 檔案共用上的檔案/目錄。 此角色相當於 Windows 檔案伺服器上的讀取檔案共用 ACL。 深入了解

動作 描述
NotActions
DataActions
Microsoft。Storage/storageAccounts/fileServices/fileshares/files/read 傳回一個檔案/資料夾,或一份檔案/資料夾清單。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure File Share over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
  "name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體佇列資料參與者

讀取、寫入及刪除 Azure 儲存體的佇列和佇列訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
Microsoft。Storage/storageAccounts/queueServices/queues/delete 刪除佇列。
Microsoft。Storage/storageAccounts/queueServices/queues/read 傳回一個佇列或一份佇列清單。
Microsoft。Storage/storageAccounts/queueServices/queues/write 修改佇列中繼資料或屬性。
NotActions
DataActions
Microsoft。Storage/storageAccounts/queueServices/queues/messages/delete 從佇列中刪除一或多個訊息。
Microsoft。Storage/storageAccounts/queueServices/queues/messages/read 從佇列中瞄核或取出一或多個訊息。
Microsoft。Storage/storageAccounts/queueServices/queues/messages/write 將訊息新增至佇列。
Microsoft。Storage/storageAccounts/queueServices/queues/messages/process/action 傳回處理訊息的結果
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體佇列資料訊息處理者

從 Azure 儲存體佇列中瞄核、擷取和刪除訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
NotActions
DataActions
Microsoft。Storage/storageAccounts/queueServices/queues/messages/read 瞄核訊息。
Microsoft。Storage/storageAccounts/queueServices/queues/messages/process/action 取出和刪除訊息。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Processor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體佇列資料訊息傳送者

將訊息新增至 Azure 儲存體佇列。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
NotActions
DataActions
Microsoft。Storage/storageAccounts/queueServices/queues/messages/add/action 將訊息新增至佇列。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for sending of Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體佇列資料讀者

讀取和列出 Azure 儲存體的佇列和佇列訊息。 若要了解特定資料作業所需的動作,請參閱呼叫 blob 和佇列資料作業的權限深入了解

動作 描述
Microsoft。Storage/storageAccounts/queueServices/queues/read 傳回佇列或佇列清單。
NotActions
DataActions
Microsoft。Storage/storageAccounts/queueServices/queues/messages/read 從佇列中瞄核或取出一或多個訊息。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
  "name": "19e7f393-937e-4f77-808e-94535e297925",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體資料表資料參與者

允許對 Azure 儲存體資料表和實體進行讀取、寫入和刪除存取

動作 描述
Microsoft。Storage/storageAccounts/tableServices/tables/read 查詢資料表
Microsoft。Storage/storageAccounts/tableServices/tables/write 建立資料表
Microsoft。Storage/storageAccounts/tableServices/tables/delete 刪除資料表
NotActions
DataActions
Microsoft。Storage/storageAccounts/tableServices/tables/entities/read 查詢資料表實體
Microsoft。Storage/storageAccounts/tableServices/tables/entities/write 插入、合併或取代資料表實體
Microsoft。Storage/storageAccounts/tableServices/tables/entities/delete 刪除資料表實體
Microsoft。Storage/storageAccounts/tableServices/tables/entities/add/action 插入資料表實體
Microsoft。Storage/storageAccounts/tableServices/tables/entities/update/action 合併或更新資料表實體
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage tables and entities",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

儲存體資料表資料讀取器

允許對 Azure 儲存體資料表和實體進行讀取存取

動作 描述
Microsoft。Storage/storageAccounts/tableServices/tables/read 查詢資料表
NotActions
DataActions
Microsoft。Storage/storageAccounts/tableServices/tables/entities/read 查詢資料表實體
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage tables and entities",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
  "name": "76199698-9eea-4c19-bc75-cec21354c6b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web

Azure 地圖服務資料參與者

授與從 Azure 地圖服務帳戶讀取、寫入和刪除對應相關資料的存取權。 深入了解

動作 描述
NotActions
DataActions
Microsoft。地圖/帳戶/*/read
Microsoft。地圖/帳戶/*/write
Microsoft。地圖/帳戶/*/delete
Microsoft。地圖/帳戶/*/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete",
        "Microsoft.Maps/accounts/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 地圖服務資料讀者

授權從 Azure 地圖服務帳戶讀取地圖相關資料。 深入了解

動作 描述
NotActions
DataActions
Microsoft。地圖/帳戶/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 設定伺服器參與者

允許讀取、寫入和刪除 Azure Spring Cloud Config Server 的存取 權深入瞭解

動作 描述
NotActions
DataActions
Microsoft。AppPlatform/Spring/configService/read 例如,讀取特定 Azure Spring Apps 服務實例的 application.yaml) 組態內容 (
Microsoft。AppPlatform/Spring/configService/write 撰寫特定 Azure Spring Apps 服務實例的設定伺服器內容
Microsoft。AppPlatform/Spring/configService/delete 刪除特定 Azure Spring Apps 服務實例的設定伺服器內容
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read",
        "Microsoft.AppPlatform/Spring/configService/write",
        "Microsoft.AppPlatform/Spring/configService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 設定伺服器讀取器

允許讀取存取 Azure Spring Cloud Config Server 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。AppPlatform/Spring/configService/read 例如,讀取特定 Azure Spring Apps 服務實例的 application.yaml) 組態內容 (
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Config Server",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
  "name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud 資料讀取器

允許對 Azure Spring Cloud 資料的讀取存取

動作 描述
NotActions
DataActions
Microsoft。AppPlatform/Spring/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
  "name": "b5537268-8956-4941-a8f0-646150406f0c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry 參與者

允許讀取、寫入和刪除 Azure Spring Cloud Service Registry 的存取 權深入瞭解

動作 描述
NotActions
DataActions
Microsoft。AppPlatform/Spring/eurekaService/read 讀取特定 Azure Spring Apps 服務實例的使用者應用程式 () 註冊資訊
Microsoft。AppPlatform/Spring/eurekaService/write 為特定 Azure Spring Apps 服務實例撰寫使用者應用程式 () 註冊資訊
Microsoft。AppPlatform/Spring/eurekaService/delete 刪除特定 Azure Spring Apps 服務實例的使用者應用程式註冊資訊
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read",
        "Microsoft.AppPlatform/Spring/eurekaService/write",
        "Microsoft.AppPlatform/Spring/eurekaService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Reader

允許讀取存取 Azure Spring Cloud Service Registry 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。AppPlatform/Spring/eurekaService/read 讀取特定 Azure Spring Apps 服務實例的使用者應用程式 () 註冊資訊
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allow read access to Azure Spring Cloud Service Registry",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
  "name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒體服務帳戶管理員

建立、讀取、修改和刪除媒體服務帳戶;唯讀存取其他媒體服務資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Media/mediaservices/*/read
Microsoft。Media/mediaservices/assets/listStreamingLocators/action 列出資產的串流定位器
Microsoft。Media/mediaservices/streamingLocators/listPaths/action 列出路徑
Microsoft。Media/mediaservices/write 建立或更新任何媒體服務帳戶
Microsoft。Media/mediaservices/delete 刪除任何媒體服務帳戶
Microsoft。Media/mediaservices/privateEndpointConnectionsApproval/action 核准私人端點連線
Microsoft。Media/mediaservices/privateEndpointConnections/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/write",
        "Microsoft.Media/mediaservices/delete",
        "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
        "Microsoft.Media/mediaservices/privateEndpointConnections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Account Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒體服務即時活動管理員

建立、讀取、修改和刪除即時事件、資產、資產篩選和串流定位器;唯讀存取其他媒體服務資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Media/mediaservices/*/read
Microsoft。Media/mediaservices/assets/*
Microsoft。Media/mediaservices/assets/assetfilters/*
Microsoft。Media/mediaservices/streamingLocators/*
Microsoft。Media/mediaservices/liveEvents/*
NotActions
Microsoft。Media/mediaservices/assets/getEncryptionKey/action 取得資產加密金鑰
Microsoft。Media/mediaservices/streamingLocators/listContentKeys/action 列出內容金鑰
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
  "name": "532bc159-b25e-42c0-969e-a1d439f60d77",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/liveEvents/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Live Events Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒體服務媒體操作員

建立、讀取、修改和刪除資產、資產篩選、串流定位器及作業;唯讀存取其他媒體服務資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Media/mediaservices/*/read
Microsoft。Media/mediaservices/assets/*
Microsoft。Media/mediaservices/assets/assetfilters/*
Microsoft。Media/mediaservices/streamingLocators/*
Microsoft。Media/mediaservices/transforms/jobs/*
NotActions
Microsoft。Media/mediaservices/assets/getEncryptionKey/action 取得資產加密金鑰
Microsoft。Media/mediaservices/streamingLocators/listContentKeys/action 列出內容金鑰
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
  "name": "e4395492-1534-4db2-bedf-88c14621589c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/transforms/jobs/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Media Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒體服務原則管理員

建立、讀取、修改和刪除帳戶篩選、串流原則、內容金鑰原則和轉換;唯讀存取其他媒體服務資源。 無法建立作業、資產或串流資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Media/mediaservices/*/read
Microsoft。Media/mediaservices/assets/listStreamingLocators/action 列出資產的串流定位器
Microsoft。Media/mediaservices/streamingLocators/listPaths/action 列出路徑
Microsoft。Media/mediaservices/accountFilters/*
Microsoft。Media/mediaservices/streamingPolicies/*
Microsoft。Media/mediaservices/contentKeyPolicies/*
Microsoft。Media/mediaservices/transforms/*
NotActions
Microsoft。Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action 取得含有祕密的原則屬性
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
  "name": "c4bba371-dacd-4a26-b320-7250bca963ae",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/accountFilters/*",
        "Microsoft.Media/mediaservices/streamingPolicies/*",
        "Microsoft.Media/mediaservices/contentKeyPolicies/*",
        "Microsoft.Media/mediaservices/transforms/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Policy Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

媒體服務串流端點管理員

建立、讀取、修改和刪除串流端點;唯讀存取其他媒體服務資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Media/mediaservices/*/read
Microsoft。Media/mediaservices/assets/listStreamingLocators/action 列出資產的串流定位器
Microsoft。Media/mediaservices/streamingLocators/listPaths/action 列出路徑
Microsoft。Media/mediaservices/streamingEndpoints/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
  "name": "99dba123-b5fe-44d5-874c-ced7199a5804",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/streamingEndpoints/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Streaming Endpoints Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

搜尋索引資料參與者

授與索引資料Azure 認知搜尋的完整存取權。

動作 描述
NotActions
DataActions
Microsoft。Search/searchServices/indexes/documents/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to Azure Cognitive Search index data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

搜尋索引資料讀取器

授與Azure 認知搜尋索引資料的讀取權限。

動作 描述
NotActions
DataActions
Microsoft。Search/searchServices/indexes/documents/read 從索引讀取檔或建議的查詢詞彙。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants read access to Azure Cognitive Search index data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

搜尋服務參與者

可讓您管理「搜尋」服務,但無法存取它們。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Search/searchServices/* 建立和管理搜尋服務
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Search services, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Search/searchServices/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Search Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey Reader

讀取SignalR Service存取金鑰

動作 描述
Microsoft。SignalRService/*/read
Microsoft。SignalRService/SignalR/listkeys/action 在管理入口網站中或透過 API 檢視 SignalR 存取金鑰
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read SignalR Service Access Keys",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
  "name": "04165923-9d83-45d5-8227-78b77b0a687e",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR AccessKey Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR App Server

讓您的應用程式伺服器使用 AAD 驗證選項存取SignalR Service。

動作 描述
NotActions
DataActions
Microsoft。SignalRService/SignalR/auth/accessKey/action 產生 AccessKey 以簽署 AccessTokens,金鑰預設會在 90 分鐘內到期。
Microsoft。SignalRService/SignalR/serverConnection/write 啟動伺服器連線。
Microsoft。SignalRService/SignalR/clientConnection/write 關閉用戶端連線。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
  "name": "420fcaa2-552c-430f-98ca-3264be4806c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/clientConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR App Server",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API 擁有者

Azure SignalR Service REST API 的完整存取權

動作 描述
NotActions
DataActions
Microsoft。SignalRService/SignalR/auth/clientToken/action 為用戶端產生 AccessToken 以連線到 ASRS,權杖預設會在 5 分鐘內到期。
Microsoft。SignalRService/SignalR/hub/send/action 將訊息廣播到中樞中的所有用戶端連線。
Microsoft。SignalRService/SignalR/group/send/action 將訊息廣播到群組。
Microsoft。SignalRService/SignalR/group/read 檢查群組是否存在或使用者存在於群組中。
Microsoft。SignalRService/SignalR/group/write 加入/離開群組。
Microsoft。SignalRService/SignalR/clientConnection/send/action 將訊息直接傳送至用戶端連線。
Microsoft。SignalRService/SignalR/clientConnection/read 檢查用戶端連線是否存在。
Microsoft。SignalRService/SignalR/clientConnection/write 關閉用戶端連線。
Microsoft。SignalRService/SignalR/user/send/action 將訊息傳送給可能包含多個用戶端連線的使用者。
Microsoft。SignalRService/SignalR/user/read 檢查使用者是否存在。
Microsoft。SignalRService/SignalR/user/write 修改使用者。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
  "name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API 讀取器

Azure SignalR Service REST API 的唯讀存取權

動作 描述
NotActions
DataActions
Microsoft。SignalRService/SignalR/group/read 檢查群組是否存在或使用者存在於群組中。
Microsoft。SignalRService/SignalR/clientConnection/read 檢查用戶端連線是否存在。
Microsoft。SignalRService/SignalR/user/read 檢查使用者是否存在。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
  "name": "ddde6b66-c0df-4114-a159-3618637b3035",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service擁有者

Azure SignalR Service REST API 的完整存取權

動作 描述
NotActions
DataActions
Microsoft。SignalRService/SignalR/auth/accessKey/action 產生 AccessKey 以簽署 AccessTokens,金鑰預設會在 90 分鐘內到期。
Microsoft。SignalRService/SignalR/auth/clientToken/action 為用戶端產生 AccessToken 以連線到 ASRS,權杖預設會在 5 分鐘內到期。
Microsoft。SignalRService/SignalR/hub/send/action 將訊息廣播到中樞中的所有用戶端連線。
Microsoft。SignalRService/SignalR/group/send/action 將訊息廣播到群組。
Microsoft。SignalRService/SignalR/group/read 檢查群組是否存在或使用者存在於群組中。
Microsoft。SignalRService/SignalR/group/write 加入/離開群組。
Microsoft。SignalRService/SignalR/clientConnection/send/action 將訊息直接傳送至用戶端連線。
Microsoft。SignalRService/SignalR/clientConnection/read 檢查用戶端連線是否存在。
Microsoft。SignalRService/SignalR/clientConnection/write 關閉用戶端連線。
Microsoft。SignalRService/SignalR/serverConnection/write 啟動伺服器連線。
Microsoft。SignalRService/SignalR/user/send/action 將訊息傳送給可能包含多個用戶端連線的使用者。
Microsoft。SignalRService/SignalR/user/read 檢查使用者是否存在。
Microsoft。SignalRService/SignalR/user/write 修改使用者。
Microsoft。SignalRService/SignalR/livetrace/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write",
        "Microsoft.SignalRService/SignalR/livetrace/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR/Web PubSub 參與者

建立、讀取、更新和刪除 SignalR 服務資源

動作 描述
Microsoft。SignalRService/*
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR/Web PubSub Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web 方案參與者

管理網站的 Web 方案。 不允許您在 Azure RBAC 中指派角色。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Web/serverFarms/* 建立和管理伺服器陣列
Microsoft。Web/hostingEnvironments/Join/Action 加入 App Service 環境
Microsoft。Insights/autoscalesettings/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action",
        "Microsoft.Insights/autoscalesettings/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Web Plan Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

網站參與者

管理網站,但不是 Web 方案。 不允許您在 Azure RBAC 中指派角色。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/components/* 建立和管理 Insights 元件
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Web/certificates/* 建立和管理網站憑證
Microsoft。Web/listSitesAssignedToHostName/read 取得指派給主機名稱之網站的名稱。
Microsoft。Web/serverFarms/join/action 加入App Service方案
Microsoft。Web/serverFarms/read 取得 App Service 方案的屬性
Microsoft。Web/sites/* 建立和管理網站 (建立網站也需要相關聯應用程式服務方案的寫入權限)
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
  "name": "de139f84-1756-47ae-9be6-808fbbe84772",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Website Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

容器

AcrDelete

從容器登錄中刪除存放庫、標記或資訊清單。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/artifacts/delete 刪除容器登錄中的成品。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr delete",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

將信任的映射推送至或從啟用內容信任的容器登錄提取信任映射。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/sign/write 推送/提取容器登錄的內容信任中繼資料。
NotActions
DataActions
Microsoft。ContainerRegistry/registries/trustedCollections/write 允許推送或發佈容器登錄內容的受信任集合。 這類似于Microsoft。ContainerRegistry/registries/sign/write 動作,但這是資料動作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr image signer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

從容器登錄提取成品。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/pull/read 從容器登錄中提取或取得映像。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr pull",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

將成品推送至容器登錄,或從容器登錄提取成品。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/pull/read 從容器登錄中提取或取得映像。
Microsoft。ContainerRegistry/registries/push/write 將映像推送或寫入至容器登錄。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr push",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

從容器登錄提取隔離的映射。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/quarantine/read 從容器登錄中提取或取得隔離的映像
NotActions
DataActions
Microsoft。ContainerRegistry/registries/quarantinedArtifacts/read 允許從容器登錄提取或取得隔離成品。 這類似于Microsoft。ContainerRegistry/registries/quarantine/read,不同之處在于它是資料動作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

將隔離的映射推送至容器登錄,或從容器登錄提取隔離的映射。 深入了解

動作 描述
Microsoft。ContainerRegistry/registries/quarantine/read 從容器登錄中提取或取得隔離的映像
Microsoft。ContainerRegistry/registries/quarantine/write 寫入/修改已隔離映像的隔離狀態
NotActions
DataActions
Microsoft。ContainerRegistry/registries/quarantinedArtifacts/read 允許從容器登錄提取或取得隔離成品。 這類似于Microsoft。ContainerRegistry/registries/quarantine/read,不同之處在于它是資料動作
Microsoft。ContainerRegistry/registries/quarantinedArtifacts/write 允許寫入或更新隔離成品的隔離狀態。 這類似于Microsoft。ContainerRegistry/registries/quarantine/write 動作,不同之處在于它是資料動作
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "acr quarantine data writer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC 管理員

此角色會授與系統管理員存取權 - 提供命名空間內大部分物件的寫入權限,但 ResourceQuota 物件和命名空間物件本身除外。 在叢集範圍套用此角色將會提供所有命名空間的存取權。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/fleets/read 取得車隊
Microsoft。ContainerService/fleets/listCredentials/action 列出車隊認證
NotActions
DataActions
Microsoft。ContainerService/fleets/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。ContainerService/fleets/apps/daemonsets/*
Microsoft。ContainerService/fleets/apps/deployments/*
Microsoft。ContainerService/fleets/apps/statefulsets/*
Microsoft。ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write 寫入區域變數accessreviews
Microsoft。ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft。ContainerService/fleets/batch/cronjobs/*
Microsoft。ContainerService/fleets/batch/jobs/*
Microsoft。ContainerService/fleets/configmaps/*
Microsoft。ContainerService/fleets/endpoints/*
Microsoft。ContainerService/fleets/events.k8s.io/events/read 讀取事件
Microsoft。ContainerService/fleets/events/read 讀取事件
Microsoft。ContainerService/fleets/extensions/daemonsets/*
Microsoft。ContainerService/fleets/extensions/deployments/*
Microsoft。ContainerService/fleets/extensions/ingresses/*
Microsoft。ContainerService/fleets/extensions/networkpolicies/*
Microsoft。ContainerService/fleets/limitranges/read 讀取限制範圍
Microsoft。ContainerService/fleets/namespaces/read 讀取命名空間
Microsoft。ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft。ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft。ContainerService/fleets/persistentvolumeclaims/*
Microsoft。ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft。ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
Microsoft。ContainerService/fleets/rbac.authorization.k8s.io/roles/*
Microsoft。ContainerService/fleets/replicationcontrollers/*
Microsoft。ContainerService/fleets/replicationcontrollers/*
Microsoft。ContainerService/fleets/resourcequotas/read 讀取 resourcequotas
Microsoft。ContainerService/fleets/secrets/*
Microsoft。ContainerService/fleets/serviceaccounts/*
Microsoft。ContainerService/fleets/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC 叢集管理員

可讓您管理車隊經理叢集中的所有資源。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/fleets/read 取得車隊
Microsoft。ContainerService/fleets/listCredentials/action 列出車隊認證
NotActions
DataActions
Microsoft。ContainerService/fleets/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the fleet manager cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC 讀者

允許唯讀存取來查看命名空間中的大部分物件。 它不允許檢視角色或角色系結。 此角色不允許檢視秘密,因為讀取秘密的內容可存取命名空間中的 ServiceAccount 認證,因此允許 API 存取作為命名空間中的任何 ServiceAccount, (一種形式的許可權提升) 。 在叢集範圍套用此角色將會提供所有命名空間的存取權。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/fleets/read 取得車隊
Microsoft。ContainerService/fleets/listCredentials/action 列出車隊認證
NotActions
DataActions
Microsoft。ContainerService/fleets/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。ContainerService/fleets/apps/daemonsets/read 讀取精靈集
Microsoft。ContainerService/fleets/apps/deployments/read 讀取部署
Microsoft。ContainerService/fleets/apps/statefulsets/read 讀取具狀態集
Microsoft。ContainerService/fleets/autoscaling/horizontalpodautoscalers/read 讀取 horizontalpodautoscalers
Microsoft。ContainerService/fleets/batch/cronjobs/read 讀取 cronjobs
Microsoft。ContainerService/fleets/batch/jobs/read 讀取作業
Microsoft。ContainerService/fleets/configmaps/read 讀取 configmaps
Microsoft。ContainerService/fleets/endpoints/read 讀取端點
Microsoft。ContainerService/fleets/events.k8s.io/events/read 讀取事件
Microsoft。ContainerService/fleets/events/read 讀取事件
Microsoft。ContainerService/fleets/extensions/daemonsets/read 讀取精靈集
Microsoft。ContainerService/fleets/extensions/deployments/read 讀取部署
Microsoft。ContainerService/fleets/extensions/ingresses/read 讀取輸入
Microsoft。ContainerService/fleets/extensions/networkpolicies/read 讀取網路原則
Microsoft。ContainerService/fleets/limitranges/read 讀取 limitranges
Microsoft。ContainerService/fleets/namespaces/read 讀取命名空間
Microsoft。ContainerService/fleets/networking.k8s.io/ingresses/read 讀取輸入
Microsoft。ContainerService/fleets/networking.k8s.io/networkpolicies/read 讀取網路原則
Microsoft。ContainerService/fleets/persistentvolumeclaims/read 讀取 persistentvolumeclaims
Microsoft。ContainerService/fleets/policy/poddisruptionbudgets/read 讀取 poddisruptionbudgets
Microsoft。ContainerService/fleets/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。ContainerService/fleets/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。ContainerService/fleets/resourcequotas/read 讀取 resourcequotas
Microsoft。ContainerService/fleets/serviceaccounts/read 讀取 serviceaccounts
Microsoft。ContainerService/fleets/services/read 讀取服務
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC 寫入器

允許命名空間中大部分物件的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色系結。 不過,此角色允許以命名空間中的任何 ServiceAccount 的形式存取秘密,因此可用來取得命名空間中任何 ServiceAccount 的 API 存取層級。 在叢集範圍套用此角色將會提供所有命名空間的存取權。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/fleets/read 取得車隊
Microsoft。ContainerService/fleets/listCredentials/action 列出車隊認證
NotActions
DataActions
Microsoft。ContainerService/fleets/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。ContainerService/fleets/apps/daemonsets/*
Microsoft。ContainerService/fleets/apps/deployments/*
Microsoft。ContainerService/fleets/apps/statefulsets/*
Microsoft。ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
Microsoft。ContainerService/fleets/batch/cronjobs/*
Microsoft。ContainerService/fleets/batch/jobs/*
Microsoft。ContainerService/fleets/configmaps/*
Microsoft。ContainerService/fleets/endpoints/*
Microsoft。ContainerService/fleets/events.k8s.io/events/read 讀取事件
Microsoft。ContainerService/fleets/events/read 讀取事件
Microsoft。ContainerService/fleets/extensions/daemonsets/*
Microsoft。ContainerService/fleets/extensions/deployments/*
Microsoft。ContainerService/fleets/extensions/ingresses/*
Microsoft。ContainerService/fleets/extensions/networkpolicies/*
Microsoft。ContainerService/fleets/limitranges/read 讀取 limitranges
Microsoft。ContainerService/fleets/namespaces/read 讀取命名空間
Microsoft。ContainerService/fleets/networking.k8s.io/ingresses/*
Microsoft。ContainerService/fleets/networking.k8s.io/networkpolicies/*
Microsoft。ContainerService/fleets/persistentvolumeclaims/*
Microsoft。ContainerService/fleets/policy/poddisruptionbudgets/*
Microsoft。ContainerService/fleets/replicationcontrollers/*
Microsoft。ContainerService/fleets/replicationcontrollers/*
Microsoft。ContainerService/fleets/resourcequotas/read 讀取 resourcequotas
Microsoft。ContainerService/fleets/secrets/*
Microsoft。ContainerService/fleets/serviceaccounts/*
Microsoft。ContainerService/fleets/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.  Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service 叢集管理員角色

列出叢集管理員認證動作。 深入了解

動作 描述
Microsoft。ContainerService/managedClusters/listClusterAdminCredential/action 列出受控叢集的 clusterAdmin 認證
Microsoft。ContainerService/managedClusters/accessProfiles/listCredential/action 使用清單認證依角色名稱取得受控叢集存取設定檔
Microsoft。ContainerService/managedClusters/read 取得受控叢集
Microsoft。ContainerService/managedClusters/runcommand/action 對受控 Kubernetes 伺服器執行使用者發出的命令。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster admin credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service 叢集使用者角色

列出叢集使用者認證動作。 深入了解

動作 描述
Microsoft。ContainerService/managedClusters/listClusterUserCredential/action 列出受控叢集的 clusterUser 認證
Microsoft。ContainerService/managedClusters/read 取得受控叢集
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service參與者角色

授與讀取和寫入Azure Kubernetes Service叢集的存取權深入瞭解

動作 描述
Microsoft。ContainerService/managedClusters/read 取得受控叢集
Microsoft。ContainerService/managedClusters/write 建立新的受控叢集,或更新現有的受控叢集
Microsoft。Resources/deployments/* 建立和管理部署
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC 管理員

可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/managedClusters/listClusterUserCredential/action 列出受控叢集的 clusterUser 認證
NotActions
DataActions
Microsoft。ContainerService/managedClusters/*
NotDataActions
Microsoft。ContainerService/managedClusters/resourcequotas/write 寫入 resourcequotas
Microsoft。ContainerService/managedClusters/resourcequotas/delete 刪除 resourcequotas
Microsoft。ContainerService/managedClusters/namespaces/write 寫入命名空間
Microsoft。ContainerService/managedClusters/namespaces/delete 刪除命名空間
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC 叢集管理員

可讓您管理叢集中的所有資源。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。ContainerService/managedClusters/listClusterUserCredential/action 列出受控叢集的 clusterUser 認證
NotActions
DataActions
Microsoft。ContainerService/managedClusters/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC 讀取者

允許唯讀存取來查看命名空間中的大部分物件。 它不允許檢視角色或角色系結。 此角色不允許檢視秘密,因為讀取秘密的內容可存取命名空間中的 ServiceAccount 認證,因此允許 API 存取作為命名空間中的任何 ServiceAccount, (一種形式的許可權提升) 。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。ContainerService/managedClusters/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。ContainerService/managedClusters/apps/daemonsets/read 讀取精靈集
Microsoft。ContainerService/managedClusters/apps/deployments/read 讀取部署
Microsoft。ContainerService/managedClusters/apps/replicasets/read 讀取複本集
Microsoft。ContainerService/managedClusters/apps/statefulsets/read 讀取具狀態集
Microsoft。ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read 讀取 horizontalpodautoscalers
Microsoft。ContainerService/managedClusters/batch/cronjobs/read 讀取 cronjobs
Microsoft。ContainerService/managedClusters/batch/jobs/read 讀取作業
Microsoft。ContainerService/managedClusters/configmaps/read 讀取 configmap
Microsoft。ContainerService/managedClusters/endpoints/read 讀取端點
Microsoft。ContainerService/managedClusters/events.k8s.io/events/read 讀取事件
Microsoft。ContainerService/managedClusters/events/read 讀取事件
Microsoft。ContainerService/managedClusters/extensions/daemonsets/read 讀取精靈集
Microsoft。ContainerService/managedClusters/extensions/deployments/read 讀取部署
Microsoft。ContainerService/managedClusters/extensions/ingresses/read 讀取輸入
Microsoft。ContainerService/managedClusters/extensions/networkpolicies/read 讀取網路原則
Microsoft。ContainerService/managedClusters/extensions/replicasets/read 讀取複本集
Microsoft。ContainerService/managedClusters/limitranges/read 讀取 limitranges
Microsoft。ContainerService/managedClusters/namespaces/read 讀取命名空間
Microsoft。ContainerService/managedClusters/networking.k8s.io/ingresses/read 讀取輸入
Microsoft。ContainerService/managedClusters/networking.k8s.io/networkpolicies/read 讀取網路原則
Microsoft。ContainerService/managedClusters/persistentvolumeclaims/read 讀取 persistentvolumeclaims
Microsoft。ContainerService/managedClusters/pods/read 讀取 Pod
Microsoft。ContainerService/managedClusters/policy/poddisruptionbudgets/read 讀取 poddisruptionbudgets
Microsoft。ContainerService/managedClusters/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。ContainerService/managedClusters/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。ContainerService/managedClusters/resourcequotas/read 讀取 resourcequotas
Microsoft。ContainerService/managedClusters/serviceaccounts/read 讀取 serviceaccounts
Microsoft。ContainerService/managedClusters/services/read 讀取服務
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC 寫入者

允許命名空間中大部分物件的讀取/寫入存取權。 此角色不允許檢視或修改角色或角色系結。 然而,此角色允許以命名空間中的任何 ServiceAccount 身分存取秘密並執行 Pod,因此可用來取得命名空間中任何 ServiceAccount 的 API 存取層級。 在叢集範圍套用此角色將會提供所有命名空間的存取權。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。ContainerService/managedClusters/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。ContainerService/managedClusters/apps/daemonsets/*
Microsoft。ContainerService/managedClusters/apps/deployments/*
Microsoft。ContainerService/managedClusters/apps/replicasets/*
Microsoft。ContainerService/managedClusters/apps/statefulsets/*
Microsoft。ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft。ContainerService/managedClusters/batch/cronjobs/*
Microsoft。ContainerService/managedClusters/batch/jobs/*
Microsoft。ContainerService/managedClusters/configmaps/*
Microsoft。ContainerService/managedClusters/endpoints/*
Microsoft。ContainerService/managedClusters/events.k8s.io/events/read 讀取事件
Microsoft。ContainerService/managedClusters/events/read 讀取事件
Microsoft。ContainerService/managedClusters/extensions/daemonsets/*
Microsoft。ContainerService/managedClusters/extensions/deployments/*
Microsoft。ContainerService/managedClusters/extensions/ingresses/*
Microsoft。ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft。ContainerService/managedClusters/extensions/replicasets/*
Microsoft。ContainerService/managedClusters/limitranges/read 讀取限制範圍
Microsoft。ContainerService/managedClusters/namespaces/read 讀取命名空間
Microsoft。ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft。ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft。ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft。ContainerService/managedClusters/pods/*
Microsoft。ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft。ContainerService/managedClusters/replicationcontrollers/*
Microsoft。ContainerService/managedClusters/replicationcontrollers/*
Microsoft。ContainerService/managedClusters/resourcequotas/read 讀取 resourcequotas
Microsoft。ContainerService/managedClusters/secrets/*
Microsoft。ContainerService/managedClusters/serviceaccounts/*
Microsoft。ContainerService/managedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

資料庫

Azure 連線SQL Server上線

允許在已啟用 Arc 的伺服器上讀取和寫入 Azure 資源的SQL Server存取權。 深入了解

動作 描述
Microsoft.AzureArcData/sqlServerInstances/read 擷取SQL Server實例資源
Microsoft.AzureArcData/sqlServerInstances/write 更新 SQL Server 實例資源
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
  "name": "e8113dce-c529-4d33-91fa-e9b972617508",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureArcData/sqlServerInstances/read",
        "Microsoft.AzureArcData/sqlServerInstances/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected SQL Server Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB 帳戶讀者角色

可以讀取 Azure Cosmos DB 帳戶資料。 請參閱 DocumentDB 帳戶參與者以管理 Azure Cosmos DB 帳戶。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。DocumentDB/*/read 讀取任何集合
Microsoft。DocumentDB/databaseAccounts/readonlykeys/action 讀取資料庫帳戶的唯讀金鑰。
Microsoft。Insights/MetricDefinitions/read 讀取計量定義
Microsoft。Insights/Metrics/read 讀取計量
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB 操作員

可讓您管理 Azure Cosmos DB 帳戶,但無法存取其中的資料。 防止存取帳戶金鑰和連接字串。 深入了解

動作 描述
Microsoft。DocumentDb/databaseAccounts/*
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Network/virtualNetworks/subnets/joinViaServiceEndpoint/action 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。
NotActions
Microsoft。DocumentDB/databaseAccounts/readonlyKeys/*
Microsoft。DocumentDB/databaseAccounts/regenerateKey/*
Microsoft。DocumentDB/databaseAccounts/listKeys/*
Microsoft。DocumentDB/databaseAccounts/listConnectionStrings/*
Microsoft。DocumentDB/databaseAccounts/sqlRoleDefinitions/write 建立或更新 SQL 角色定義
Microsoft。DocumentDB/databaseAccounts/sqlRoleDefinitions/delete 刪除 SQL 角色定義
Microsoft。DocumentDB/databaseAccounts/sqlRoleAssignments/write 建立或更新 SQL 角色指派
Microsoft。DocumentDB/databaseAccounts/sqlRoleAssignments/delete 刪除 SQL 角色指派
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
  "name": "230815da-be43-4aae-9cb4-875f7bd000aa",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosBackupOperator

可以提交 Cosmos DB 資料庫的還原要求或帳戶的容器 深入瞭解

動作 描述
Microsoft。DocumentDB/databaseAccounts/backup/action 提交要求以設定備份
Microsoft。DocumentDB/databaseAccounts/restore/action 提交還原要求
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can submit restore request for a Cosmos DB database or a container for an account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/databaseAccounts/backup/action",
        "Microsoft.DocumentDB/databaseAccounts/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosBackupOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosRestoreOperator

可以針對具有連續備份模式的 Cosmos DB 資料庫帳戶執行還原動作

動作 描述
Microsoft。DocumentDB/locations/restoreableDatabaseAccounts/restore/action 提交還原要求
Microsoft。DocumentDB/locations/restorableDatabaseAccounts/*/read
Microsoft。DocumentDB/locations/restorableDatabaseAccounts/read 讀取可還原的資料庫帳戶或列出所有可還原的資料庫帳戶
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosRestoreOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DocumentDB 帳戶參與者

可以管理 Azure Cosmos DB 帳戶。 Azure Cosmos DB 先前稱為 DocumentDB。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。DocumentDb/databaseAccounts/* 建立及管理 Azure Cosmos DB 帳戶
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Network/virtualNetworks/subnets/joinViaServiceEndpoint/action 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage DocumentDB accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
  "name": "5bd9cd88-fe45-4216-938b-f97437e15450",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DocumentDB Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Redis 快取參與者

可讓您管理 Redis 快取,但無法存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。快取/暫存器/動作 向訂用帳戶註冊 'Microsoft.Cache' 資源提供者
Microsoft。Cache/redis/* 建立和管理 Redis 快取
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Redis caches, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
  "name": "e0f68234-74aa-48ed-b826-c38b57376e17",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cache/register/action",
        "Microsoft.Cache/redis/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Redis Cache Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL DB 參與者

可讓您管理 SQL 資料庫,但無法存取它們。 此外,您也無法管理其安全性相關原則或其父 SQL 伺服器。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Sql/locations/*/read
Microsoft。Sql/servers/databases/* 建立和管理 SQL 資料庫
Microsoft。Sql/servers/read 傳回伺服器清單,或取得指定伺服器的屬性。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
NotActions
Microsoft。Sql/servers/databases/ledgerDigestUploads/write 啟用上傳總帳摘要
Microsoft。Sql/servers/databases/ledgerDigestUploads/disable/action 停用上傳總帳摘要
Microsoft。Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft。Sql/managedInstances/databases/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft。Sql/managedInstances/securityAlertPolicies/*
Microsoft。Sql/managedInstances/vulnerabilityAssessments/*
Microsoft。Sql/servers/databases/auditingSettings/* 編輯稽核設定
Microsoft。Sql/servers/databases/auditRecords/read 擷取資料庫 Blob 稽核記錄
Microsoft。Sql/servers/databases/currentSensitivityLabels/*
Microsoft。Sql/servers/databases/dataMaskingPolicies/* 編輯資料遮罩原則
Microsoft。Sql/servers/databases/extendedAuditingSettings/*
Microsoft。Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft。Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/servers/databases/securityAlertPolicies/* 編輯安全性警示原則
Microsoft。Sql/servers/databases/securityMetrics/* 編輯安全性計量
Microsoft。Sql/servers/databases/sensitivityLabels/*
Microsoft。Sql/servers/databases/vulnerabilityAssessments/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft。Sql/servers/vulnerabilityAssessments/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL DB Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL 受控執行個體參與者

可讓您管理 SQL 受控執行個體和必要的網路設定,但無法將存取權授與其他人。

動作 描述
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Network/networkSecurityGroups/*
Microsoft。Network/routeTables/*
Microsoft。Sql/locations/*/read
Microsoft。Sql/locations/instanceFailoverGroups/*
Microsoft。Sql/managedInstances/*
Microsoft。支援/* 建立和更新支援票證
Microsoft。Network/virtualNetworks/subnets/*
Microsoft。Network/virtualNetworks/*
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
NotActions
Microsoft。Sql/managedInstances/azureADOnlyAuthentications/delete 刪除特定的受控伺服器 Azure Active Directory 僅限驗證物件
Microsoft。Sql/managedInstances/azureADOnlyAuthentications/write 新增或更新特定的受控伺服器 Azure Active Directory 僅限驗證物件
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/routeTables/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/locations/instanceFailoverGroups/*",
        "Microsoft.Sql/managedInstances/*",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Managed Instance Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL 安全性管理員

可讓您管理 SQL 伺服器及資料庫的安全性相關原則,但無法存取它們。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Network/virtualNetworks/subnets/joinViaServiceEndpoint/action 將資源 (例如,儲存體帳戶或 SQL Database) 加入至子網路。 不可警示。
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Sql/locations/administratorAzureAsyncOperation/read 取得受控實例 azure 非同步管理員作業結果。
Microsoft。Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft。Sql/managedInstances/databases/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft。Sql/managedInstances/securityAlertPolicies/*
Microsoft。Sql/managedInstances/databases/transparentDataEncryption/*
Microsoft。Sql/managedInstances/vulnerabilityAssessments/*
Microsoft。Sql/servers/auditingSettings/* 建立和管理 SQL Server 稽核設定
Microsoft。Sql/servers/extendedAuditingSettings/read 擷取指定伺服器上所設定之擴充伺服器 Blob 稽核原則的詳細資料
Microsoft。Sql/servers/databases/auditingSettings/* 建立和管理 SQL Server 資料庫稽核設定
Microsoft。Sql/servers/databases/auditRecords/read 擷取資料庫 Blob 稽核記錄
Microsoft。Sql/servers/databases/currentSensitivityLabels/*
Microsoft。Sql/servers/databases/dataMaskingPolicies/* 建立和管理 SQL Server 資料庫資料遮罩原則
Microsoft。Sql/servers/databases/extendedAuditingSettings/read 擷取指定資料庫上所設定之擴充 Blob 稽核原則的詳細資料
Microsoft。Sql/servers/databases/read 傳回資料庫清單,或取得指定資料庫的屬性。
Microsoft。Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft。Sql/servers/databases/schemas/read 取得資料庫結構描述。
Microsoft。Sql/servers/databases/schemas/tables/columns/read 取得資料庫資料行。
Microsoft。Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/servers/databases/schemas/tables/read 取得資料庫資料表。
Microsoft。Sql/servers/databases/securityAlertPolicies/* 建立和管理 SQL Server 資料庫安全性警示原則
Microsoft。Sql/servers/databases/securityMetrics/* 建立和管理 SQL Server 資料庫安全性度量
Microsoft。Sql/servers/databases/sensitivityLabels/*
Microsoft。Sql/servers/databases/transparentDataEncryption/*
Microsoft。Sql/servers/databases/vulnerabilityAssessments/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft。Sql/servers/devOpsAuditingSettings/*
Microsoft。Sql/servers/firewallRules/*
Microsoft。Sql/servers/read 傳回伺服器清單,或取得指定伺服器的屬性。
Microsoft。Sql/servers/securityAlertPolicies/* 建立和管理 SQL Server 安全性警示原則
Microsoft。Sql/servers/vulnerabilityAssessments/*
Microsoft。支援/* 建立和更新支援票證
Microsoft。Sql/servers/azureADOnlyAuthentications/*
Microsoft。Sql/managedInstances/read 傳回受控執行個體的清單,或取得指定受控執行個體的屬性。
Microsoft。Sql/managedInstances/azureADOnlyAuthentications/*
Microsoft。Security/sqlVulnerabilityAssessments/*
Microsoft。Sql/managedInstances/administrators/read 取得受控執行個體系統管理員的清單。
Microsoft。Sql/servers/administrators/read 取得特定的 Azure Active Directory 系統管理員物件
Microsoft。Sql/servers/externalPolicyBasedAuthorizations/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
        "Microsoft.Sql/servers/databases/read",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/read",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/read",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/transparentDataEncryption/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/firewallRules/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Support/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/*",
        "Microsoft.Sql/managedInstances/read",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
        "Microsoft.Security/sqlVulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/administrators/read",
        "Microsoft.Sql/servers/administrators/read",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Security Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Server 參與者

可讓您管理 SQL 伺服器及資料庫,但無法存取這些伺服器及資料庫,也無法存取其安全性相關原則。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Sql/locations/*/read
Microsoft。Sql/servers/* 建立和管理 SQL Server
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/metrics/read 讀取計量
Microsoft。Insights/metricDefinitions/read 讀取計量定義
NotActions
Microsoft。Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft。Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft。Sql/managedInstances/databases/sensitivityLabels/*
Microsoft。Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft。Sql/managedInstances/securityAlertPolicies/*
Microsoft。Sql/managedInstances/vulnerabilityAssessments/*
Microsoft。Sql/servers/auditingSettings/* 編輯 SQL Server 稽核設定
Microsoft。Sql/servers/databases/auditingSettings/* 編輯 SQL Server 資料庫稽核設定
Microsoft。Sql/servers/databases/auditRecords/read 擷取資料庫 Blob 稽核記錄
Microsoft。Sql/servers/databases/currentSensitivityLabels/*
Microsoft。Sql/servers/databases/dataMaskingPolicies/* 編輯 SQL Server 資料庫資料遮罩原則
Microsoft。Sql/servers/databases/extendedAuditingSettings/*
Microsoft。Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft。Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft。Sql/servers/databases/securityAlertPolicies/* 編輯 SQL Server 資料庫安全性警示原則
Microsoft。Sql/servers/databases/securityMetrics/* 編輯 SQL Server 資料庫安全性度量
Microsoft。Sql/servers/databases/sensitivityLabels/*
Microsoft。Sql/servers/databases/vulnerabilityAssessments/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft。Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft。Sql/servers/devOpsAuditingSettings/*
Microsoft。Sql/servers/extendedAuditingSettings/*
Microsoft。Sql/servers/securityAlertPolicies/* 編輯 SQL Server 安全性警示原則
Microsoft。Sql/servers/vulnerabilityAssessments/*
Microsoft。Sql/servers/azureADOnlyAuthentications/delete 只刪除特定伺服器 Azure Active Directory 驗證物件
Microsoft。Sql/servers/azureADOnlyAuthentications/write 新增或更新特定伺服器 Azure Active Directory 僅限驗證物件
Microsoft。Sql/servers/externalPolicyBasedAuthorizations/delete 刪除特定伺服器外部原則型授權屬性
Microsoft。Sql/servers/externalPolicyBasedAuthorizations/write 新增或更新特定伺服器外部原則型授權屬性
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

分析

Azure 事件中樞資料擁有者

允許完整存取 Azure 事件中樞資源。 深入了解

動作 描述
Microsoft。EventHub/*
NotActions
DataActions
Microsoft。EventHub/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
  "name": "f526a384-b230-433a-b45c-95f59c4a2dec",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 事件中樞資料接收者

允許接收 Azure 事件中樞資源。 深入了解

動作 描述
Microsoft。EventHub/*/eventhubs/consumergroups/read
NotActions
DataActions
Microsoft。EventHub/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows receive access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/consumergroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 事件中樞資料傳送者

允許傳送 Azure 事件中樞資源。 深入了解

動作 描述
Microsoft。EventHub/*/eventhubs/read
NotActions
DataActions
Microsoft。EventHub/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
  "name": "2b629674-e913-4c01-ae53-ef4638d8f975",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Factory 參與者

建立和管理 Data Factory,以及其中的子資源。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。DataFactory/dataFactories/* 建立和管理 Data Factory 以及其中的子資源。
Microsoft。DataFactory/factories/* 建立和管理 Data Factory 以及其中的子資源。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。EventGrid/eventSubscriptions/write 建立或更新 eventSubscription
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and manage data factories, as well as child resources within them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
  "name": "673868aa-7521-48a0-acc6-0f60742d39f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Factory Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

資料清除者

從 Log Analytics 工作區刪除私人資料。 深入了解

動作 描述
Microsoft。Insights/components/*/read
Microsoft。Insights/components/purge/action 從 Application Insights 清除資料
Microsoft。OperationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。OperationalInsights/workspaces/purge/action 從工作區刪除指定的資料
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can purge analytics data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/components/*/read",
        "Microsoft.Insights/components/purge/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/purge/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Purger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight 叢集操作員

可讓您讀取和修改 HDInsight 叢集設定。 深入了解

動作 描述
Microsoft。HDInsight/*/read
Microsoft。HDInsight/clusters/getGatewaySettings/action 取得 HDInsight 叢集的閘道設定
Microsoft。HDInsight/clusters/updateGatewaySettings/action 更新 HDInsight 叢集的閘道設定
Microsoft。HDInsight/clusters/configurations/*
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and modify HDInsight cluster configurations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
  "name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
  "permissions": [
    {
      "actions": [
        "Microsoft.HDInsight/*/read",
        "Microsoft.HDInsight/clusters/getGatewaySettings/action",
        "Microsoft.HDInsight/clusters/updateGatewaySettings/action",
        "Microsoft.HDInsight/clusters/configurations/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Cluster Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight 網域服務參與者

HDInsight 企業安全性套件所需的讀取、建立、修改和刪除網域服務相關作業 深入瞭解

動作 描述
Microsoft。AAD/*/read
Microsoft。AAD/domainServices/*/read
Microsoft。AAD/domainServices/oucontainer/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "permissions": [
    {
      "actions": [
        "Microsoft.AAD/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.AAD/domainServices/oucontainer/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics 參與者

「Log Analytics 參與者」角色可以讀取所有監視資料和編輯監視設定。 編輯監視設定包括將 VM 擴充功能新增至 VM;讀取儲存體帳戶金鑰,以設定從 Azure 儲存體收集記錄;新增解決方案;和 在所有 Azure 資源上設定 Azure 診斷。 深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
Microsoft。ClassicCompute/virtualMachines/extensions/*
Microsoft。ClassicStorage/storageAccounts/listKeys/action 列出儲存體帳戶的存取金鑰。
Microsoft。Compute/virtualMachines/extensions/*
Microsoft。HybridCompute/machines/extensions/write 安裝或更新 Azure Arc 擴充
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/diagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。OperationalInsights/*
Microsoft。OperationsManagement/*
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourcegroups/deployments/*
Microsoft。Storage/storageAccounts/listKeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.ClassicCompute/virtualMachines/extensions/*",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics 讀者

「Log Analytics 讀者」可以檢視和搜尋所有監視資料,以及檢視監視設定,包括檢視所有 Azure 資源上的 Azure 診斷設定。 深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
Microsoft。OperationalInsights/workspaces/analytics/query/action 使用新的引擎進行搜尋。
Microsoft。OperationalInsights/workspaces/search/action 執行搜尋查詢
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。OperationalInsights/workspaces/sharedKeys/read 擷取工作區的共用金鑰。 這些金鑰可用來將 Microsoft Operational Insights 代理程式連線到工作區。
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
  "name": "73c42c96-874c-492b-b04d-ab87d138a893",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

結構描述登錄參與者 (預覽)

讀取、寫入及刪除結構描述登錄群組和結構描述。

動作 描述
Microsoft。EventHub/namespaces/schemagroups/*
NotActions
DataActions
Microsoft。EventHub/namespaces/schemas/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, write, and delete Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
  "name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

結構描述登錄讀取器 (預覽)

讀取並列出結構描述登錄群組和結構描述。

動作 描述
Microsoft。EventHub/namespaces/schemagroups/read 取得 SchemaGroup 資源描述的清單
NotActions
DataActions
Microsoft。EventHub/namespaces/schemas/read 擷取架構
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and list Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

串流分析查詢測試人員

可讓您先執行查詢測試,而不需建立串流分析作業

動作 描述
Microsoft。StreamAnalytics/locations/TestQuery/action 串流分析資源提供者的測試查詢
Microsoft。StreamAnalytics/locations/OperationResults/read 讀取串流分析作業結果
Microsoft。StreamAnalytics/locations/SampleInput/action 串流分析資源提供者的範例輸入
Microsoft。StreamAnalytics/locations/CompileQuery/action 編譯串流分析資源提供者的查詢
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform query testing without creating a stream analytics job first",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "permissions": [
    {
      "actions": [
        "Microsoft.StreamAnalytics/locations/TestQuery/action",
        "Microsoft.StreamAnalytics/locations/OperationResults/read",
        "Microsoft.StreamAnalytics/locations/SampleInput/action",
        "Microsoft.StreamAnalytics/locations/CompileQuery/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Stream Analytics Query Tester",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AI + 機器學習

AzureML 資料科學家

可以在 Azure Machine Learning 工作區內執行所有動作,但建立或删除計算資源以及修改工作區本身除外。

動作 描述
Microsoft。MachineLearningServices/workspaces/*/read
Microsoft。MachineLearningServices/workspaces/*/action
Microsoft。MachineLearningServices/workspaces/*/delete
Microsoft。MachineLearningServices/workspaces/*/write
NotActions
Microsoft。MachineLearningServices/workspaces/delete 刪除機器學習服務工作區
Microsoft。MachineLearningServices/workspaces/write 建立或更新機器學習服務工作區
Microsoft。MachineLearningServices/workspaces/computes/*/write
Microsoft。MachineLearningServices/workspaces/computes/*/delete
Microsoft。MachineLearningServices/workspaces/computes/listKeys/action 列出機器學習服務工作區中的計算資源祕密
Microsoft。MachineLearningServices/workspaces/listKeys/action 列出機器學習服務工作區的祕密
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write"
      ],
      "notActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AzureML Data Scientist",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務參與者

可讓您建立、讀取、更新、刪除及管理認知服務的金鑰。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。CognitiveServices/*
Microsoft。功能/功能/讀取 取得訂用帳戶的功能。
Microsoft。功能/提供者/功能/讀取 取得給定資源提供者中某個訂用帳戶的功能。
Microsoft。功能/提供者/功能/註冊/動作 註冊給定資源提供者中某個訂用帳戶的功能。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/diagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。Insights/logDefinitions/read 讀取記錄定義
Microsoft。Insights/metricdefinitions/read 讀取計量定義
Microsoft。Insights/metrics/read 讀取計量
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourcegroups/deployments/*
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.CognitiveServices/*",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務自訂視覺參與者

專案的完整存取權,包括檢視、建立、編輯或刪除專案的能力。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/CustomVision/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Custom Vision Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務自訂視覺部署

發佈、取消發佈或匯出模型。 部署可以檢視專案,但無法更新。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/CustomVision/*/read
Microsoft。CognitiveServices/accounts/CustomVision/projects/predictions/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/iterations/export/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/quicktest/*
Microsoft。CognitiveServices/accounts/CustomVision/classify/*
Microsoft。CognitiveServices/accounts/CustomVision/detect/*
NotDataActions
Microsoft。CognitiveServices/accounts/CustomVision/projects/export/read 匯出專案。
{
  "assignableScopes": [
    "/"
  ],
  "description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Deployment",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務自訂視覺標籤器

檢視、編輯定型影像,並建立、新增、移除或刪除影像標籤。 標籤器可以檢視專案,但無法更新定型影像和標籤以外的任何專案。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/CustomVision/*/read
Microsoft。CognitiveServices/accounts/CustomVision/projects/predictions/query/action 取得傳送至預測端點的影像。
Microsoft。CognitiveServices/accounts/CustomVision/projects/images/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/tags/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/images/suggested/*
Microsoft。CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action 此 API 會取得陣列/批次未標記影像的建議標籤和區域,以及標記的信賴度。 如果找不到標記,它會傳回空陣列。
NotDataActions
Microsoft。CognitiveServices/accounts/CustomVision/projects/export/read 匯出專案。
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
  "name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Labeler",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務自訂視覺讀者

專案中的唯讀動作。 讀者無法建立或更新專案。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/CustomVision/*/read
Microsoft。CognitiveServices/accounts/CustomVision/projects/predictions/query/action 取得傳送至預測端點的影像。
NotDataActions
Microsoft。CognitiveServices/accounts/CustomVision/projects/export/read 匯出專案。
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only actions in the project. Readers can't create or update the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務自訂視覺定型器

檢視、編輯專案並定型模型,包括發佈、取消發佈、匯出模型的能力。 定型人員無法建立或刪除專案。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/CustomVision/*
NotDataActions
Microsoft。CognitiveServices/accounts/CustomVision/projects/action 建立專案。
Microsoft。CognitiveServices/accounts/CustomVision/projects/delete 刪除特定專案。
Microsoft。CognitiveServices/accounts/CustomVision/projects/import/action 匯入專案。
Microsoft。CognitiveServices/accounts/CustomVision/projects/export/read 匯出專案。
{
  "assignableScopes": [
    "/"
  ],
  "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Trainer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務資料讀者 (預覽)

可讓您讀取認知服務資料。

動作 描述
NotActions
DataActions
Microsoft。CognitiveServices/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read Cognitive Services data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Data Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務臉部辨識器

可讓您在臉部 API 上執行偵測、驗證、識別、分組及尋找類似的作業。 此角色不允許建立或刪除作業,這使其非常適合只需要推斷功能的端點,遵循「最低許可權」最佳做法。

動作 描述
NotActions
DataActions
Microsoft。CognitiveServices/accounts/Face/detect/action 偵測影像中的人臉、傳回臉部矩形,以及選擇性地使用 faceId、地標和屬性。
Microsoft。CognitiveServices/accounts/Face/verify/action 確認兩張臉部是否屬於同一個人,或一張臉部是否屬於某個人。
Microsoft。CognitiveServices/accounts/Face/identify/action 1 對多識別,從人員群組或大型人員群組尋找特定查詢人員臉部最接近的相符專案。
Microsoft。CognitiveServices/accounts/Face/group/action 根據臉部相似度,將候選臉部分成群組。
Microsoft。CognitiveServices/accounts/Face/findsimilars/action 給定查詢臉部的 faceId,從 faceId 陣列、臉部清單或大型臉部清單搜尋類似外觀的臉部。 faceId
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/Face/detect/action",
        "Microsoft.CognitiveServices/accounts/Face/verify/action",
        "Microsoft.CognitiveServices/accounts/Face/identify/action",
        "Microsoft.CognitiveServices/accounts/Face/group/action",
        "Microsoft.CognitiveServices/accounts/Face/findsimilars/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Face Recognizer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務計量建議程式管理員

專案的完整存取權,包括系統層級組態。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
NotActions
DataActions
Microsoft。CognitiveServices/accounts/MetricsAdvisor/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Full access to the project, including the system level configuration.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
  "name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Metrics Advisor Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務 QnA Maker 編輯器

讓我們來建立、編輯、匯入和匯出 KB。 您無法發佈或刪除 KB。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
Microsoft。Authorization/roleAssignments/read 取得關於角色指派的資訊。
Microsoft。Authorization/roleDefinitions/read 取得關於角色定義的資訊。
NotActions
DataActions
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/create/write 建立新知識庫的非同步作業。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/write 用來修改知識庫或取代知識庫內容的非同步作業。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/train/action 訓練呼叫以將建議新增至知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/QnAMaker/變更/寫入 取代變更資料。
Microsoft。CognitiveServices/accounts/QnAMaker/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action 重新產生端點金鑰。
Microsoft。CognitiveServices/accounts/QnAMaker/endpointsettings/read 取得端點的端點設定
Microsoft。CognitiveServices/accounts/QnAMaker/endpointsettings/write 更新端點查看端點。
Microsoft。CognitiveServices/accounts/QnAMaker/operations/read 取得特定長時間執行作業的詳細資料。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write 建立新知識庫的非同步作業。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write 用來修改知識庫或取代知識庫內容的非同步作業。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action 訓練呼叫以將建議新增至知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/變更/寫入 取代變更資料。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action 重新產生端點金鑰。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read 取得端點的端點設定
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write 更新端點查看端點。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/operations/read 取得特定長時間執行作業的詳細資料。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write 建立新知識庫的非同步作業。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write 用來修改知識庫或取代知識庫內容的非同步作業。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action 訓練呼叫以將建議新增至知識庫。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write 取代變更資料。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action 重新產生端點金鑰。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read 取得端點的端點設定
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write 更新端點查看端點。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read 取得特定長時間執行作業的詳細資料。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務 QnA Maker 讀取器

讓我們只閱讀並測試 KB。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
Microsoft。Authorization/roleAssignments/read 取得關於角色指派的資訊。
Microsoft。Authorization/roleDefinitions/read 取得關於角色定義的資訊。
NotActions
DataActions
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/QnAMaker/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/QnAMaker/endpointsettings/read 取得端點的端點設定
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read 取得端點的端點設定
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read 取得特定知識庫的知識庫或詳細資料清單。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read 下載知識庫。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action GenerateAnswer 呼叫以查詢知識庫。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/變更/read 從執行時間下載變更。
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read 取得端點的端點金鑰
Microsoft。CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read 取得端點的端點設定
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Let's you read and test a KB only.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
  "name": "466ccd10-b268-4a11-b098-b4849f024126",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

認知服務使用者

可讓您讀取和列出認知服務的金鑰。 深入了解

動作 描述
Microsoft。CognitiveServices/*/read
Microsoft。CognitiveServices/accounts/listkeys/action 列出金鑰
Microsoft。Insights/alertRules/read 讀取傳統計量警示
Microsoft。Insights/diagnosticSettings/read 讀取資源診斷設定
Microsoft。Insights/logDefinitions/read 讀取記錄定義
Microsoft。Insights/metricdefinitions/read 讀取計量定義
Microsoft。Insights/metrics/read 讀取計量
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。CognitiveServices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read and list keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
  "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

物聯網

Device Update 系統管理員

讓您完整存取管理和內容作業 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/updates/write 執行與更新相關的寫入作業
Microsoft。DeviceUpdate/accounts/instances/updates/delete 執行與更新相關的刪除作業
Microsoft。DeviceUpdate/accounts/instances/management/read 執行與管理相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/management/write 執行與管理相關的寫入作業
Microsoft。DeviceUpdate/accounts/instances/management/delete 執行與管理相關的刪除作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management and content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

裝置更新內容管理員

讓您完整存取內容作業 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/updates/write 執行與更新相關的寫入作業
Microsoft。DeviceUpdate/accounts/instances/updates/delete 執行與更新相關的刪除作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

裝置更新內容讀取者

可讓您讀取內容作業的存取權,但不允許進行變更 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

裝置更新部署管理員

讓您完整存取管理作業 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/management/read 執行與管理相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/management/write 執行與管理相關的寫入作業
Microsoft。DeviceUpdate/accounts/instances/management/delete 執行與管理相關的刪除作業
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you full access to management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
  "name": "e4237640-0e3d-4a46-8fda-70bc94856432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Device Update 部署讀取者

可讓您讀取管理作業的存取權,但不允許進行變更 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/management/read 執行與管理相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

裝置更新讀取者

可讓您讀取管理與內容作業的存取權,但不允許進行變更 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
NotActions
DataActions
Microsoft。DeviceUpdate/accounts/instances/updates/read 執行與更新相關的讀取作業
Microsoft。DeviceUpdate/accounts/instances/management/read 執行與管理相關的讀取作業
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中樞資料參與者

允許完整存取IoT 中樞資料平面作業。 深入了解

動作 描述
NotActions
DataActions
Microsoft。裝置/IotHubs/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub data plane operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
  "name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中樞資料讀者

允許完整讀取存取IoT 中樞資料平面屬性深入瞭解

動作 描述
NotActions
DataActions
Microsoft。Devices/IotHubs/*/read
Microsoft。Devices/IotHubs/fileUpload/notifications/action 接收、完成或放棄檔案上傳通知
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中樞登錄參與者

允許完整存取IoT 中樞裝置登錄。 深入了解

動作 描述
NotActions
DataActions
Microsoft。裝置/IotHubs/devices/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to IoT Hub device registry.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT 中樞對應項參與者

允許讀取和寫入所有IoT 中樞裝置和模組對應項。 深入了解

動作 描述
NotActions
DataActions
Microsoft。Devices/IotHubs/twins/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Twin Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

混合實境

遠端轉譯系統管理員

為使用者提供 Azure 轉換、管理會話、轉譯和診斷功能遠端轉譯深入瞭解

動作 描述
NotActions
DataActions
Microsoft。MixedReality/RemoteRenderingAccounts/convert/action 開始資產轉換
Microsoft。MixedReality/RemoteRenderingAccounts/convert/read 取得資產轉換屬性
Microsoft。MixedReality/RemoteRenderingAccounts/convert/delete 停止資產轉換
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/read 取得會話屬性
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/action 啟動會話
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/delete 停止會話
Microsoft。MixedReality/RemoteRenderingAccounts/render/read 連接到一個工作階段
Microsoft。MixedReality/RemoteRenderingAccounts/diagnostic/read 連線到遠端轉譯偵測器
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

遠端轉譯用戶端

為使用者提供 Azure 遠端轉譯的管理會話、轉譯和診斷功能。 深入了解

動作 描述
NotActions
DataActions
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/read 取得會話屬性
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/action 啟動會話
Microsoft。MixedReality/RemoteRenderingAccounts/managesessions/delete 停止會話
Microsoft。MixedReality/RemoteRenderingAccounts/render/read 連接到一個工作階段
Microsoft。MixedReality/RemoteRenderingAccounts/diagnostic/read 連線到遠端轉譯偵測器
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Client",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

空間錨點帳戶參與者

可讓您管理帳戶中的空間錨點,但無法將其刪除 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。MixedReality/SpatialAnchorsAccounts/create/action 建立空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/discovery/read 探索附近的空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/properties/read 取得空間錨點的屬性
Microsoft。MixedReality/SpatialAnchorsAccounts/query/read 找出空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/submitdiag/read 提交診斷資料,以協助改善 Azure 空間錨點服務的品質
Microsoft。MixedReality/SpatialAnchorsAccounts/write 更新空間錨點屬性
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, but not delete them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

空間錨點帳戶擁有者

可讓您管理帳戶中的空間錨點,包括刪除它們 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。MixedReality/SpatialAnchorsAccounts/create/action 建立空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/delete 刪除空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/discovery/read 探索附近的空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/properties/read 取得空間錨點的屬性
Microsoft。MixedReality/SpatialAnchorsAccounts/query/read 找出空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/submitdiag/read 提交診斷資料,以協助改善 Azure 空間錨點服務的品質
Microsoft。MixedReality/SpatialAnchorsAccounts/write 更新空間錨點屬性
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage spatial anchors in your account, including deleting them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
  "name": "70bbe301-9835-447d-afdd-19eb3167307c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

空間錨點帳戶讀者

可讓您在帳戶中尋找和讀取空間錨點的屬性 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。MixedReality/SpatialAnchorsAccounts/discovery/read 探索附近的空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/properties/read 取得空間錨點的屬性
Microsoft。MixedReality/SpatialAnchorsAccounts/query/read 找出空間錨點
Microsoft。MixedReality/SpatialAnchorsAccounts/submitdiag/read 提交診斷資料,以協助改善 Azure 空間錨點服務的品質
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you locate and read properties of spatial anchors in your account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

整合

API 管理服務參與者

可以管理服務和 API 深入瞭解

動作 描述
Microsoft。ApiManagement/service/* 建立和管理 API 管理服務
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service and the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
  "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API 管理服務操作員角色

可以管理服務,但無法管理 API 深入瞭解

動作 描述
Microsoft。ApiManagement/service/*/read 讀取 API 管理服務執行個體
Microsoft。ApiManagement/service/backup/action 將 API 管理服務備份到使用者所提供之儲存體帳戶中的指定容器
Microsoft。ApiManagement/service/delete 刪除 API 管理服務執行個體
Microsoft。ApiManagement/service/managedeployments/action 變更 SKU/單位、新增/移除 API 管理服務的區域部署
Microsoft。ApiManagement/service/read 讀取 API 管理服務執行個體的中繼資料
Microsoft。ApiManagement/service/restore/action 從使用者所提供之儲存體帳戶中的指定容器來還原 API 管理服務
Microsoft。ApiManagement/service/updatecertificate/action 上傳 API 管理服務的 TLS/SSL 憑證
Microsoft。ApiManagement/service/updatehostname/action 設定、更新或移除 API 管理服務的自訂網域名稱
Microsoft。ApiManagement/service/write 建立或更新 API 管理服務執行個體
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。ApiManagement/service/users/keys/read 取得與使用者相關聯的金鑰
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage service but not the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API 管理服務讀取者角色

服務與 API 的唯讀存取 權深入瞭解

動作 描述
Microsoft。ApiManagement/service/*/read 讀取 API 管理服務執行個體
Microsoft。ApiManagement/service/read 讀取 API 管理服務執行個體的中繼資料
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。ApiManagement/service/users/keys/read 取得與使用者相關聯的金鑰
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read-only access to service and APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
  "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

應用程式組態資料擁有者

允許完整存取應用程式組態資料。 深入了解

動作 描述
NotActions
DataActions
Microsoft。AppConfiguration/configurationStores/*/read
Microsoft。AppConfiguration/configurationStores/*/write
Microsoft。AppConfiguration/configurationStores/*/delete
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows full access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

應用程式組態資料讀者

允許讀取應用程式組態資料。 深入了解

動作 描述
NotActions
DataActions
Microsoft。AppConfiguration/configurationStores/*/read
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows read access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
  "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 轉接聽程式

允許接聽 Azure 轉寄資源的存取。

動作 描述
Microsoft。Relay/*/wcfRelays/read
Microsoft。Relay/*/hybridConnections/read
NotActions
DataActions
Microsoft。Relay/*/listen/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for listen access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
  "name": "26e0b698-aa6d-4085-9386-aadae190014d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/listen/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Listener",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 轉送擁有者

允許完整存取 Azure 轉寄資源。

動作 描述
Microsoft。繼 電器/*
NotActions
DataActions
Microsoft。繼 電器/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 轉送傳送者

允許傳送對 Azure 轉送資源的存取。

動作 描述
Microsoft。Relay/*/wcfRelays/read
Microsoft。Relay/*/hybridConnections/read
NotActions
DataActions
Microsoft。Relay/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 服務匯流排資料擁有者

允許完整存取 Azure 服務匯流排資源。 深入了解

動作 描述
Microsoft。ServiceBus/*
NotActions
DataActions
Microsoft。ServiceBus/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
  "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 服務匯流排資料接收者

允許接收 Azure 服務匯流排資源。 深入了解

動作 描述
Microsoft。ServiceBus/*/queues/read
Microsoft。ServiceBus/*/topics/read
Microsoft。ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft。ServiceBus/*/receive/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for receive access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure 服務匯流排資料傳送者

允許傳送 Azure 服務匯流排資源。 深入了解

動作 描述
Microsoft。ServiceBus/*/queues/read
Microsoft。ServiceBus/*/topics/read
Microsoft。ServiceBus/*/topics/subscriptions/read
NotActions
DataActions
Microsoft。ServiceBus/*/send/action
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack 註冊擁有者

可讓您管理 Azure Stack 註冊。

動作 描述
Microsoft。AzureStack/edgeSubscriptions/read
Microsoft。AzureStack/registrations/products/*/action
Microsoft。AzureStack/registrations/products/read 取得 Azure Stack Marketplace 產品的屬性
Microsoft。AzureStack/registrations/read 取得 Azure Stack 註冊的屬性
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid 參與者

可讓您管理 EventGrid 作業。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。EventGrid/* 建立和管理事件方格資源
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
  "name": "1e241071-0855-49ea-94dc-649edcd759de",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid 資料傳送者

允許傳送事件方格事件的存取權。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。EventGrid/topics/read 讀取主題
Microsoft。EventGrid/domains/read 讀取網域
Microsoft。EventGrid/partnerNamespaces/read 讀取夥伴命名空間
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。EventGrid/events/send/action 將事件傳送至主題
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows send access to event grid events.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
  "name": "d5a91429-5739-47e2-a06b-3470a27159e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/topics/read",
        "Microsoft.EventGrid/domains/read",
        "Microsoft.EventGrid/partnerNamespaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/events/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription 參與者

可讓您管理 EventGrid 事件訂用帳戶作業。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。EventGrid/eventSubscriptions/* 建立和管理區域事件訂用帳戶
Microsoft。EventGrid/topicTypes/eventSubscriptions/read 依主題類型列出全域事件訂用帳戶
Microsoft。EventGrid/locations/eventSubscriptions/read 列出區域事件訂用帳戶
Microsoft。EventGrid/locations/topicTypes/eventSubscriptions/read 依主題類型列出區域事件訂用帳戶
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage EventGrid event subscription operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription 讀者

可讓您讀取 EventGrid 事件訂用帳戶。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。EventGrid/eventSubscriptions/read 讀取 eventSubscription
Microsoft。EventGrid/topicTypes/eventSubscriptions/read 依主題類型列出全域事件訂用帳戶
Microsoft。EventGrid/locations/eventSubscriptions/read 列出區域事件訂用帳戶
Microsoft。EventGrid/locations/topicTypes/eventSubscriptions/read 依主題類型列出區域事件訂用帳戶
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read EventGrid event subscriptions.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
  "name": "2414bbcf-6497-4faf-8c65-045460748405",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR 資料參與者

角色可讓使用者或主體完整存取 FHIR 資料 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。HealthcareApis/services/fhir/resources/*
Microsoft。HealthcareApis/workspaces/fhirservices/resources/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal full access to FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR 資料匯出工具

角色可讓使用者或主體讀取和匯出 FHIR 資料 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。HealthcareApis/services/fhir/resources/read 讀取 FHIR 資源 (包括搜尋和建立版本記錄) 。
Microsoft。HealthcareApis/services/fhir/resources/export/action 匯出作業 ($export) 。
Microsoft。HealthcareApis/workspaces/fhirservices/resources/read 讀取 FHIR 資源 (包括搜尋和建立版本記錄) 。
Microsoft。HealthcareApis/workspaces/fhirservices/resources/export/action 匯出作業 ($export) 。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and export FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
  "name": "3db33094-8700-4567-8da5-1501d4e7e843",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Exporter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR 資料讀取器

角色可讓使用者或主體閱讀 FHIR 資料 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。HealthcareApis/services/fhir/resources/read 讀取 FHIR 資源 (包括搜尋和建立版本記錄) 。
Microsoft。HealthcareApis/workspaces/fhirservices/resources/read 讀取 FHIR 資源 (包括搜尋和版本設定的歷程記錄) 。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

FHIR 資料寫入器

角色可讓使用者或主體讀取和寫入 FHIR 資料 深入瞭解

動作 描述
NotActions
DataActions
Microsoft。HealthcareApis/services/fhir/resources/*
Microsoft。HealthcareApis/workspaces/fhirservices/resources/*
NotDataActions
Microsoft。HealthcareApis/services/fhir/resources/hardDelete/action 硬式刪除 (包括版本歷程記錄) 。
Microsoft。HealthcareApis/workspaces/fhirservices/resources/hardDelete/action 硬式刪除 (包括版本歷程記錄) 。
{
  "assignableScopes": [
    "/"
  ],
  "description": "Role allows user or principal to read and write FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
  "name": "3f88fce4-5892-4214-ae73-ba5294559913",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action"
      ]
    }
  ],
  "roleName": "FHIR Data Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment 參與者

可讓您管理整合服務環境,但無法存取它們。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。支援/* 建立和更新支援票證
Microsoft。Logic/integrationServiceEnvironments/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage integration service environments, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Developer

可讓開發人員在整合服務環境中建立和更新工作流程、整合帳戶和 API 連線。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。支援/* 建立和更新支援票證
Microsoft。Logic/integrationServiceEnvironments/read 讀取整合服務環境。
Microsoft。Logic/integrationServiceEnvironments/*/join/action
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Intelligent Systems 帳戶參與者

可讓您管理「智慧型系統」帳戶,但無法存取它們。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.IntelligentSystems/accounts/* 建立及管理 Intelligent Systems 帳戶
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
  "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Intelligent Systems Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

邏輯應用程式參與者

可讓您管理邏輯應用程式,但無法變更對邏輯應用程式的存取。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ClassicStorage/storageAccounts/listKeys/action 列出儲存體帳戶的存取金鑰。
Microsoft。ClassicStorage/storageAccounts/read 傳回具有給定帳戶的儲存體帳戶。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/metricAlerts/*
Microsoft。Insights/diagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。Insights/logdefinitions/* 此為使用者需要透過入口網站存取活動記錄時所需的權限。 列出活動記錄檔中的記錄檔分類。
Microsoft。Insights/metricDefinitions/* 讀取度量定義 (可用資源的度量類型清單)。
Microsoft。邏輯/* 管理 Logic Apps 資源。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/listkeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft。Storage/storageAccounts/read 傳回儲存體帳戶清單,或取得指定儲存體帳戶的屬性。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Web/connectionGateways/* 建立及管理「連線閘道」。
Microsoft。Web/connections/* 建立及管理「連線」。
Microsoft。Web/customApis/* 建立及管理「自訂 API」。
Microsoft。Web/serverFarms/join/action 加入App Service方案
Microsoft。Web/serverFarms/read 取得 App Service 方案的屬性
Microsoft。Web/sites/functions/listSecrets/action 列出函式秘密。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage logic app, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

邏輯應用程式操作員

可讓您讀取、啟用及停用邏輯應用程式,但無法編輯或更新邏輯應用程式。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/*/read 讀取 Insights 警示規則
Microsoft。Insights/metricAlerts/*/read
Microsoft。Insights/diagnosticSettings/*/read 取得 Logic Apps 的診斷設定
Microsoft。Insights/metricDefinitions/*/read 取得 Logic Apps 的可用計量。
Microsoft。Logic/*/read 讀取 Logic Apps 資源。
Microsoft。邏輯/工作流程/停用/動作 停用工作流程。
Microsoft。邏輯/工作流程/啟用/動作 啟用工作流程。
Microsoft。邏輯/工作流程/驗證/動作 驗證工作流程。
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Web/connectionGateways/*/read 讀取「連線閘道」。
Microsoft。Web/connections/*/read 讀取「連線」。
Microsoft。Web/customApis/*/read 讀取「自訂 API」。
Microsoft。Web/serverFarms/read 取得 App Service 方案的屬性
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read, enable and disable logic app.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

身分識別

網域服務參與者

可以管理 Azure AD Domain Services 和相關網路組態 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/read 取得或列出部署。
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/deployments/delete 刪除部署。
Microsoft。Resources/deployments/cancel/action 取消部署。
Microsoft。Resources/deployments/validate/action 驗證部署。
Microsoft。Resources/deployments/whatIf/action 預測範本部署變更。
Microsoft。Resources/deployments/exportTemplate/action 匯出部署的範本
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/deployments/operationstatuses/read 取得或列出部署作業狀態。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Insights/AlertRules/Write 建立或更新傳統計量警示
Microsoft。Insights/AlertRules/Delete 刪除傳統計量警示
Microsoft。Insights/AlertRules/Read 讀取傳統計量警示
Microsoft。Insights/AlertRules/Activated/Action 傳統計量警示已啟用
Microsoft。Insights/AlertRules/Resolved/Action 傳統計量警示已解決
Microsoft。Insights/AlertRules/Throttled/Action 傳統計量警示規則已節流
Microsoft。Insights/AlertRules/Incidents/Read 讀取傳統計量警示事件
Microsoft。Insights/Logs/Read 從您的所有記錄讀取資料
Microsoft。Insights/Metrics/Read 讀取計量
Microsoft.Insights/DiagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。Insights/DiagnosticSettingsCategories/Read 讀取診斷設定類別
Microsoft。AAD/register/action 註冊網域服務
Microsoft。AAD/unregister/action 取消註冊網域服務
Microsoft。AAD/domainServices/*
Microsoft。網路/註冊/動作 註冊訂用帳戶
Microsoft。網路/取消註冊/動作 取消註冊訂用帳戶
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/write 建立虛擬網路,或更新現有的虛擬網路
Microsoft。Network/virtualNetworks/delete 刪除虛擬網路
Microsoft。Network/virtualNetworks/peer/action 讓某個虛擬網路與另一個虛擬網路對等互連
Microsoft。Network/virtualNetworks/join/action 加入虛擬網路。 不可警示。
Microsoft。Network/virtualNetworks/subnets/read 取得虛擬網路子網路定義
Microsoft。Network/virtualNetworks/subnets/write 建立虛擬網路子網路,或更新現有的虛擬網路子網路
Microsoft。Network/virtualNetworks/subnets/delete 刪除虛擬網路子網路
Microsoft。Network/virtualNetworks/subnets/join/action 加入虛擬網路。 不可警示。
Microsoft。Network/virtualNetworks/virtualNetworkPeerings/read 取得虛擬網路對等互連定義
Microsoft。Network/virtualNetworks/virtualNetworkPeerings/write 建立虛擬網路對等互連,或更新現有的虛擬網路對等互連
Microsoft。Network/virtualNetworks/virtualNetworkPeerings/delete 刪除虛擬網路對等互連
Microsoft。Network/virtualNetworks/providers/Microsoft。Insights/diagnosticSettings/read 取得虛擬網路的診斷設定
Microsoft。Network/virtualNetworks/providers/Microsoft。Insights/metricDefinitions/read 取得 PingMesh 的可用計量
Microsoft。Network/azureFirewalls/read 取得 Azure 防火牆
Microsoft。Network/ddosProtectionPlans/read 取得 DDoS 保護計劃
Microsoft。Network/ddosProtectionPlans/join/action 加入 DDoS 保護方案。 不可警示。
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。Network/loadBalancers/delete 刪除負載平衡器
Microsoft。Network/loadBalancers/*/read
Microsoft。Network/loadBalancers/backendAddressPools/join/action 加入負載平衡器後端位址集區。 不可警示。
Microsoft。Network/loadBalancers/inboundNatRules/join/action 加入負載平衡器輸入 nat 規則。 不可警示。
Microsoft。Network/natGateways/join/action 加入 NAT 閘道
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Network/networkInterfaces/write 建立網路介面,或更新現有的網路介面。
Microsoft。Network/networkInterfaces/delete 刪除網路介面
Microsoft。Network/networkInterfaces/join/action 將虛擬機器加入網路介面。 不可警示。
Microsoft。Network/networkSecurityGroups/defaultSecurityRules/read 取得預設的安全性規則定義
Microsoft。Network/networkSecurityGroups/read 取得網路安全性群組定義
Microsoft。Network/networkSecurityGroups/write 建立網路安全性群組,或更新現有的網路安全性群組
Microsoft。Network/networkSecurityGroups/delete 刪除網路安全性群組
Microsoft。Network/networkSecurityGroups/join/action 加入網路安全性群組。 不可警示。
Microsoft。Network/networkSecurityGroups/securityRules/read 取得安全性規則定義
Microsoft。Network/networkSecurityGroups/securityRules/write 建立安全性規則,或更新現有的安全性規則
Microsoft。Network/networkSecurityGroups/securityRules/delete 刪除安全性規則
Microsoft。Network/routeTables/read 取得路由表定義
Microsoft。Network/routeTables/write 建立路由表或更新現有的路由表
Microsoft。Network/routeTables/delete 刪除路由表定義
Microsoft。Network/routeTables/join/action 聯結路由表。 不可警示。
Microsoft。Network/routeTables/routes/read 取得路由定義
Microsoft。Network/routeTables/routes/write 建立路由,或更新現有路由
Microsoft。Network/routeTables/routes/delete 刪除路由定義
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

網域服務讀取者

可以檢視 Azure AD Domain Services 和相關網路設定

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/read 取得或列出部署。
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/deployments/operationstatuses/read 取得或列出部署作業狀態。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Insights/AlertRules/Read 讀取傳統計量警示
Microsoft。Insights/AlertRules/Incidents/Read 讀取傳統計量警示事件
Microsoft。Insights/Logs/Read 從您的所有記錄讀取資料
Microsoft。Insights/Metrics/read 讀取計量
Microsoft。Insights/DiagnosticSettings/read 讀取資源診斷設定
Microsoft。Insights/DiagnosticSettingsCategories/Read 讀取診斷設定類別
Microsoft。AAD/domainServices/*/read
Microsoft。Network/virtualNetworks/read 取得虛擬網路定義
Microsoft。Network/virtualNetworks/subnets/read 取得虛擬網路子網路定義
Microsoft。Network/virtualNetworks/virtualNetworkPeerings/read 取得虛擬網路對等互連定義
Microsoft。Network/virtualNetworks/providers/Microsoft。Insights/diagnosticSettings/read 取得虛擬網路的診斷設定
Microsoft。Network/virtualNetworks/providers/Microsoft。Insights/metricDefinitions/read 取得 PingMesh 的可用計量
Microsoft。Network/azureFirewalls/read 取得 Azure 防火牆
Microsoft。Network/ddosProtectionPlans/read 取得 DDoS 保護計劃
Microsoft。Network/loadBalancers/read 取得負載平衡器定義
Microsoft。Network/loadBalancers/*/read
Microsoft。Network/natGateways/read 取得 Nat 閘道定義
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Network/networkSecurityGroups/defaultSecurityRules/read 取得預設的安全性規則定義
Microsoft。Network/networkSecurityGroups/read 取得網路安全性群組定義
Microsoft。Network/networkSecurityGroups/securityRules/read 取得安全性規則定義
Microsoft。Network/routeTables/read 取得路由表定義
Microsoft。Network/routeTables/routes/read 取得路由定義
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控身分識別參與者

建立、讀取、更新和刪除使用者指派的身分識別 深入瞭解

動作 描述
Microsoft。ManagedIdentity/userAssignedIdentities/read 取得現有已指派使用者的身分識別
Microsoft。ManagedIdentity/userAssignedIdentities/write 建立新的已指派使用者的身分識別,或更新與現有已指派使用者之身分識別相關聯的標記
Microsoft。ManagedIdentity/userAssignedIdentities/delete 刪除現有已指派使用者的身分識別
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控身分識別操作員

深入瞭解並指派使用者指派的身分識別

動作 描述
Microsoft。ManagedIdentity/userAssignedIdentities/*/read
Microsoft。ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性

證明參與者

可讀取寫入或刪除證明提供者實例 深入瞭解

動作 描述
Microsoft.Attestation/attestationProviders/attestation/read
Microsoft.Attestation/attestationProviders/attestation/write
Microsoft.Attestation/attestationProviders/attestation/delete
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

證明讀取器

可閱讀證明提供者屬性 深入瞭解

動作 描述
Microsoft.Attestation/attestationProviders/attestation/read
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read the attestation provider properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 管理員

在金鑰保存庫和其中的所有物件上執行所有資料平面作業,包括憑證、金鑰和秘密。 無法管理金鑰保存庫資源或管理角色指派。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。KeyVault/checkNameAvailability/read 確認 Key Vault 名稱有效,且並非使用中
Microsoft。KeyVault/deletedVaults/read 檢視虛刪除之 Key Vault 的屬性
Microsoft。KeyVault/locations/*/read
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/operations/read 列出可以對 Microsoft.KeyVault 資源提供者執行的作業
NotActions
DataActions
Microsoft。KeyVault/vaults/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 憑證長

在金鑰保存庫的憑證上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。KeyVault/checkNameAvailability/read 確認 Key Vault 名稱有效,且並非使用中
Microsoft。KeyVault/deletedVaults/read 檢視虛刪除之 Key Vault 的屬性
Microsoft。KeyVault/locations/*/read
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/operations/read 列出可以對 Microsoft.KeyVault 資源提供者執行的作業
NotActions
DataActions
Microsoft。KeyVault/vaults/certificatecas/*
Microsoft。KeyVault/vaults/certificates/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 參與者

管理金鑰保存庫,但不允許您在 Azure RBAC 中指派角色,而且不允許您存取秘密、金鑰或憑證。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。KeyVault/*
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。KeyVault/locations/deletedVaults/purge/action 清除虛刪除的 Key Vault
Microsoft。KeyVault/hsmPools/*
Microsoft。KeyVault/managedHsms/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯長

在金鑰保存庫的金鑰上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。KeyVault/checkNameAvailability/read 確認 Key Vault 名稱有效,且並非使用中
Microsoft。KeyVault/deletedVaults/read 檢視虛刪除之 Key Vault 的屬性
Microsoft。KeyVault/locations/*/read
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/operations/read 列出可以對 Microsoft.KeyVault 資源提供者執行的作業
NotActions
DataActions
Microsoft。KeyVault/vaults/keys/*
Microsoft。KeyVault/vaults/keyrotationpolicies/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯服務加密使用者

讀取金鑰的中繼資料,並執行包裝/解除包裝作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。EventGrid/eventSubscriptions/write 建立或更新 eventSubscription
Microsoft。EventGrid/eventSubscriptions/read 讀取 eventSubscription
Microsoft。EventGrid/eventSubscriptions/delete 刪除 eventSubscription
NotActions
DataActions
Microsoft。KeyVault/vaults/keys/read 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開內容。 對於非對稱金鑰,這項作業會公開公開金鑰,並包含執行公開金鑰演算法的能力,例如加密和驗證簽章。 私密金鑰和對稱金鑰永遠不會公開。
Microsoft。KeyVault/vaults/keys/wrap/action 使用金鑰保存庫金鑰包裝對稱金鑰。 請注意,如果金鑰保存庫金鑰為非對稱,則此作業可由具有讀取權限的主體執行。
Microsoft。KeyVault/vaults/keys/unwrap/action 使用金鑰保存庫金鑰解除包裝對稱金鑰。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯使用者

使用金鑰執行密碼編譯作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
NotActions
DataActions
Microsoft。KeyVault/vaults/keys/read 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開內容。 對於非對稱金鑰,這項作業會公開公開金鑰,並包含執行公開金鑰演算法的能力,例如加密和驗證簽章。 私密金鑰和對稱金鑰永遠不會公開。
Microsoft。KeyVault/vaults/keys/update/action 更新與指定索引鍵相關聯的指定屬性。
Microsoft。KeyVault/vaults/keys/backup/action 建立金鑰的備份檔案。 檔案可用來在相同訂用帳戶的金鑰保存庫中還原金鑰。 可能會套用限制。
Microsoft。KeyVault/vaults/keys/encrypt/action 使用金鑰加密純文字。 請注意,如果金鑰非對稱,則此作業可由具有讀取權限的主體執行。
Microsoft。KeyVault/vaults/keys/decrypt/action 使用金鑰解密加密文字。
Microsoft。KeyVault/vaults/keys/wrap/action 使用金鑰保存庫金鑰包裝對稱金鑰。 請注意,如果金鑰保存庫金鑰為非對稱,則此作業可由具有讀取權限的主體執行。
Microsoft。KeyVault/vaults/keys/unwrap/action 使用金鑰保存庫金鑰解除包裝對稱金鑰。
Microsoft。KeyVault/vaults/keys/sign/action 使用索引鍵簽署訊息摘要 (雜湊) 。
Microsoft。KeyVault/vaults/keys/verify/action 使用金鑰驗證訊息摘要的簽章 (雜湊) 。 請注意,如果金鑰非對稱,則此作業可由具有讀取權限的主體執行。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 讀者

讀取金鑰保存庫的中繼資料及其憑證、金鑰和秘密。 無法讀取敏感值,例如秘密內容或金鑰內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。KeyVault/checkNameAvailability/read 確認 Key Vault 名稱有效,且並非使用中
Microsoft。KeyVault/deletedVaults/read 檢視虛刪除之 Key Vault 的屬性
Microsoft。KeyVault/locations/*/read
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/operations/read 列出可以對 Microsoft.KeyVault 資源提供者執行的作業
NotActions
DataActions
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/vaults/secrets/readMetadata/action 列出或檢視秘密的屬性,而不是其值。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密長

在金鑰保存庫的祕密上執行任何動作 (管理權限除外)。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。KeyVault/checkNameAvailability/read 確認 Key Vault 名稱有效,且並非使用中
Microsoft。KeyVault/deletedVaults/read 檢視虛刪除之 Key Vault 的屬性
Microsoft。KeyVault/locations/*/read
Microsoft。KeyVault/vaults/*/read
Microsoft。KeyVault/operations/read 列出可以對 Microsoft.KeyVault 資源提供者執行的作業
NotActions
DataActions
Microsoft。KeyVault/vaults/secrets/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密使用者

讀取秘密的內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。 深入了解

動作 描述
NotActions
DataActions
Microsoft。KeyVault/vaults/secrets/getSecret/action 取得秘密的值。
Microsoft。KeyVault/vaults/secrets/readMetadata/action 列出或檢視秘密的屬性,而不是其值。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控 HSM 參與者

可讓您管理受控 HSM 集區,但無法存取它們。 深入了解

動作 描述
Microsoft。KeyVault/managedHSMs/*
Microsoft。KeyVault/deletedManagedHsms/read 檢視已刪除受控 hsm 的屬性
Microsoft。KeyVault/locations/deletedManagedHsms/read 檢視已刪除受控 hsm 的屬性
Microsoft。KeyVault/locations/deletedManagedHsms/purge/action 清除虛刪除的受控 hsm
Microsoft。KeyVault/locations/managedHsmOperationResults/read 檢查長時間執行之作業的結果
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 自動化參與者

Microsoft Sentinel 自動化參與者深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。邏輯/工作流程/觸發程式/讀取 讀取觸發程序。
Microsoft。Logic/workflows/triggers/listCallbackUrl/action 取得觸發程序的回呼 URL。
Microsoft。邏輯/工作流程/執行/讀取 讀取工作流程的執行。
Microsoft。Web/sites/hostruntime/webhooks/api/workflows/triggers/read 列出Web Apps Hostruntime 工作流程觸發程式。
Microsoft。Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action 取得 Web Apps Hostruntime 工作流程觸發程式 URI。
Microsoft。Web/sites/hostruntime/webhooks/api/workflows/run/read 列出Web Apps Hostruntime 工作流程執行。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 參與者

Microsoft Sentinel 參與者深入瞭解

動作 描述
Microsoft。SecurityInsights/*
Microsoft。OperationalInsights/workspaces/analytics/query/action 使用新的引擎進行搜尋。
Microsoft。OperationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。OperationalInsights/workspaces/savedSearches/*
Microsoft。OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft。OperationalInsights/workspaces/query/read 針對工作區中的資料執行查詢
Microsoft。OperationalInsights/workspaces/query/*/read
Microsoft。OperationalInsights/workspaces/dataSources/read 取得工作區下的資料來源。
Microsoft。OperationalInsights/querypacks/*/read
Microsoft。Insights/workbooks/*
Microsoft。Insights/myworkbooks/read 讀取私人活頁簿
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。SecurityInsights/ConfidentialWatchlists/*
Microsoft。OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 讀者

Microsoft Sentinel 讀者深入瞭解

動作 描述
Microsoft。SecurityInsights/*/read
Microsoft。SecurityInsights/dataConnectorsCheckRequirements/action 檢查使用者授權和使用權
Microsoft。SecurityInsights/threatIntelligence/indicators/query/action 查詢威脅情報指標
Microsoft。SecurityInsights/threatIntelligence/queryIndicators/action 查詢威脅情報指標
Microsoft。OperationalInsights/workspaces/analytics/query/action 使用新的引擎進行搜尋。
Microsoft。OperationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。OperationalInsights/workspaces/LinkedServices/read 取得指定工作區下已連結的服務。
Microsoft。OperationalInsights/workspaces/savedSearches/read 取得已儲存的搜尋查詢
Microsoft。OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft。OperationalInsights/workspaces/query/read 針對工作區中的資料執行查詢
Microsoft。OperationalInsights/workspaces/query/*/read
Microsoft。OperationalInsights/querypacks/*/read
Microsoft。OperationalInsights/workspaces/dataSources/read 取得工作區下的資料來源。
Microsoft。Insights/workbooks/read 讀取活頁簿
Microsoft。Insights/myworkbooks/read 讀取私人活頁簿
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Resources/templateSpecs/*/read 取得或列出範本規格和範本規格版本
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。SecurityInsights/ConfidentialWatchlists/*
Microsoft。OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 回應程式

Microsoft Sentinel 回應程式深入瞭解

動作 描述
Microsoft。SecurityInsights/*/read
Microsoft。SecurityInsights/dataConnectorsCheckRequirements/action 檢查使用者授權和使用權
Microsoft。SecurityInsights/automationRules/*
Microsoft。SecurityInsights/cases/*
Microsoft。SecurityInsights/incidents/*
Microsoft。SecurityInsights/threatIntelligence/indicators/appendTags/action 將標記附加至威脅情報指標
Microsoft。SecurityInsights/threatIntelligence/indicators/query/action 查詢威脅情報指標
Microsoft。SecurityInsights/threatIntelligence/bulkTag/action 大量標記威脅情報
Microsoft。SecurityInsights/threatIntelligence/indicators/appendTags/action 將標記附加至威脅情報指標
Microsoft。SecurityInsights/threatIntelligence/indicators/replaceTags/action 取代威脅情報指標的標記
Microsoft。SecurityInsights/threatIntelligence/queryIndicators/action 查詢威脅情報指標
Microsoft。OperationalInsights/workspaces/analytics/query/action 使用新的引擎進行搜尋。
Microsoft。OperationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。OperationalInsights/workspaces/dataSources/read 取得工作區下的資料來源。
Microsoft。OperationalInsights/workspaces/savedSearches/read 取得已儲存的搜尋查詢
Microsoft。OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft。OperationalInsights/workspaces/query/read 針對工作區中的資料執行查詢
Microsoft。OperationalInsights/workspaces/query/*/read
Microsoft。OperationalInsights/workspaces/dataSources/read 取得工作區下的資料來源。
Microsoft。OperationalInsights/querypacks/*/read
Microsoft。Insights/workbooks/read 讀取活頁簿
Microsoft。Insights/myworkbooks/read 讀取私人活頁簿
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
Microsoft。SecurityInsights/cases/*/Delete
Microsoft。SecurityInsights/incidents/*/Delete
Microsoft。SecurityInsights/ConfidentialWatchlists/*
Microsoft。OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Responder",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性系統管理員

檢視和更新雲端Microsoft Defender的許可權。 與「安全性讀者」角色的權限相同,還可以更新安全性原則及關閉警示和建議。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Authorization/policyAssignments/* 建立及管理原則指派
Microsoft。Authorization/policyDefinitions/* 建立及管理原則定義
Microsoft。Authorization/policyExemptions/* 建立和管理原則豁免
Microsoft。Authorization/policySetDefinitions/* 建立及管理原則集合
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Management/managementGroups/read 列出已驗證之使用者的管理群組。
Microsoft.operationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。安全/* 建立和管理安全性元件和原則
Microsoft。IoTSecurity/*
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性評量參與者

可讓您將評量推送至雲端Microsoft Defender

動作 描述
Microsoft。安全性/評量/寫入 在您的訂用帳戶上建立或更新安全性評量
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性管理員 (舊版)

此為舊版角色。 請改用「安全性系統管理員」。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。ClassicCompute/*/read 讀取傳統虛擬機器的設定資訊
Microsoft。ClassicCompute/virtualMachines/*/write 撰寫傳統虛擬機器的設定
Microsoft。ClassicNetwork/*/read 讀取傳統網路的組態資訊
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。安全/* 建立和管理安全性元件和原則
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性讀取者

檢視雲端Microsoft Defender的許可權。 可以檢視建議、警示、安全性原則和安全性狀態,但無法變更。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/read 讀取傳統計量警示
Microsoft.operationalInsights/workspaces/*/read 檢視記錄分析資料
Microsoft。Resources/deployments/*/read
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。安全性/*/read 讀取安全性元件和原則
Microsoft。IoTSecurity/*/read
Microsoft。支援/*/read
Microsoft。Security/iotDefenderSettings/packageDownloads/action 取得可下載的 IoT Defender 套件資訊
Microsoft。Security/iotDefenderSettings/downloadManagerActivation/action 下載具有訂用帳戶配額資料的管理員啟用檔案
Microsoft。Security/iotSensors/downloadResetPassword/action 下載 IoT 感應器的重設密碼檔案
Microsoft。IoTSecurity/defenderSettings/packageDownloads/action 取得可下載的 IoT Defender 套件資訊
Microsoft。IoTSecurity/defenderSettings/downloadManagerActivation/action 下載管理員啟用檔案
Microsoft。Management/managementGroups/read 列出已驗證之使用者的管理群組。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DevOps

DevTest Labs 使用者

可讓您連線、啟動、重新啟及關閉您 Azure DevTest Labs 中的虛擬機器。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Compute/availabilitySets/read 取得可用性設定組的屬性
Microsoft。Compute/virtualMachines/*/read 讀取虛擬機器的屬性 (VM 大小、執行階段狀態、VM 擴充功能等)
Microsoft。Compute/virtualMachines/deallocate/action 關閉虛擬機器的電源,並將計算資源釋出
Microsoft。Compute/virtualMachines/read 取得虛擬機器的屬性
Microsoft。Compute/virtualMachines/restart/action 重新啟動虛擬機器
Microsoft。Compute/virtualMachines/start/action 啟動虛擬機器
Microsoft。DevTestLab/*/read 讀取實驗室的屬性
Microsoft。DevTestLab/labs/claimAnyVm/action 在實驗室中宣告隨機的可宣告虛擬機器。
Microsoft。DevTestLab/labs/createEnvironment/action 在實驗室中建立虛擬機器。
Microsoft。DevTestLab/labs/ensureCurrentUserProfile/action 請確認目前的使用者在實驗室中具備有效的設定檔。
Microsoft。DevTestLab/labs/formulas/delete 刪除公式。
Microsoft。DevTestLab/labs/formulas/read 讀取公式。
Microsoft。DevTestLab/labs/formulas/write 新增或修改公式。
Microsoft。DevTestLab/labs/policySets/evaluatePolicies/action 評估實驗室原則。
Microsoft。DevTestLab/labs/virtualMachines/claim/action 取得現有虛擬機器的擁有權
Microsoft。DevTestLab/labs/virtualmachines/listApplicableSchedules/action 列出適用的啟動/停止排程 (若有的話)。
Microsoft。DevTestLab/labs/virtualMachines/getRdpFileContents/action 取得代表虛擬機器 RDP 檔案內容的字串
Microsoft。Network/loadBalancers/backendAddressPools/join/action 加入負載平衡器後端位址集區。 不可警示。
Microsoft。Network/loadBalancers/inboundNatRules/join/action 加入負載平衡器輸入 nat 規則。 不可警示。
Microsoft。Network/networkInterfaces/*/read 讀取網路介面的屬性 (例如網路介面所屬的所有負載平衡器)
Microsoft。Network/networkInterfaces/join/action 將虛擬機器加入網路介面。 不可警示。
Microsoft。Network/networkInterfaces/read 取得網路介面定義。
Microsoft。Network/networkInterfaces/write 建立網路介面,或更新現有的網路介面。
Microsoft。Network/publicIPAddresses/*/read 讀取公用 IP 位址的屬性
Microsoft。Network/publicIPAddresses/join/action 加入公用 IP 位址。 不可警示。
Microsoft。Network/publicIPAddresses/read 取得公用 IP 位址定義。
Microsoft。Network/virtualNetworks/subnets/join/action 加入虛擬網路。 不可警示。
Microsoft。Resources/deployments/operations/read 取得或列出部署作業。
Microsoft。Resources/deployments/read 取得或列出部署。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Storage/storageAccounts/listKeys/action 傳回指定儲存體帳戶的存取金鑰。
NotActions
Microsoft。Compute/virtualMachines/vmSizes/read 列出虛擬機器所能更新成的大小
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
  "name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DevTest Labs User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

實驗室助理

可讓您檢視現有的實驗室、對實驗室 VM 執行動作,並將邀請傳送給實驗室。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。LabServices/labPlans/images/read 取得影像的屬性。
Microsoft。LabServices/labPlans/read 取得實驗室計畫的屬性。
Microsoft。LabServices/labs/read 取得實驗室的屬性。
Microsoft。LabServices/labs/schedules/read 取得排程的屬性。
Microsoft。LabServices/labs/users/read 取得使用者的屬性。
Microsoft。LabServices/labs/users/invite/action 傳送電子郵件邀請給使用者以加入實驗室。
Microsoft。LabServices/labs/virtualMachines/read 取得虛擬機器的屬性。
Microsoft。LabServices/labs/virtualMachines/start 啟動虛擬機器。
Microsoft。LabServices/labs/virtualMachines/stop 停用及取消配置虛擬機器。
Microsoft。LabServices/labs/virtualMachines/reimage 將虛擬機器重新映射至最後一個已發佈的映射。
Microsoft。LabServices/labs/virtualMachines/deploy 將虛擬機器重新部署至不同的計算節點。
Microsoft。LabServices/locations/usages/read 取得位置中的使用量
Microsoft。LabServices/skus/read 取得實驗室服務 SKU 的屬性。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
NotDataActions
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1",
    "properties": {
        "roleName": "Lab Assistant",
        "description": "The lab assistant role",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.LabServices/labPlans/images/read",
                    "Microsoft.LabServices/labPlans/read",
                    "Microsoft.LabServices/labs/read",
                    "Microsoft.LabServices/labs/schedules/read",
                    "Microsoft.LabServices/labs/users/read",
                    "Microsoft.LabServices/labs/users/invite/action",
                    "Microsoft.LabServices/labs/virtualMachines/read",
                    "Microsoft.LabServices/labs/virtualMachines/start/action",
                    "Microsoft.LabServices/labs/virtualMachines/stop/action",
                    "Microsoft.LabServices/labs/virtualMachines/reimage/action",
                    "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
                    "Microsoft.LabServices/locations/usages/read",
                    "Microsoft.LabServices/skus/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

實驗室參與者

套用在實驗室層級,可讓您管理實驗室。 套用至資源群組,可讓您建立和管理實驗室。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。LabServices/labPlans/images/read 取得影像的屬性。
Microsoft。LabServices/labPlans/read 取得實驗室計畫的屬性。
Microsoft。LabServices/labPlans/saveImage/action 從連結至實驗室計畫之資源庫中的虛擬機器建立映射。
Microsoft。LabServices/labs/read 取得實驗室的屬性。
Microsoft。LabServices/labs/write 建立新的或更新現有的實驗室。
Microsoft。LabServices/labs/delete 刪除實驗室及其所有使用者、排程和虛擬機器。
Microsoft。LabServices/labs/publish/action 將範本虛擬機器的映射傳播至實驗室中的所有虛擬機器,以發佈實驗室。
Microsoft。LabServices/labs/syncGroup/action 更新指派給實驗室的 Active Directory 群組中的使用者清單。
Microsoft。LabServices/labs/schedules/read 取得排程的屬性。
Microsoft。LabServices/labs/schedules/write 建立新的或更新現有的排程。
Microsoft。LabServices/labs/schedules/delete 刪除排程。
Microsoft。LabServices/labs/users/read 取得使用者的屬性。
Microsoft。LabServices/labs/users/write 建立新的或更新現有的使用者。
Microsoft。LabServices/labs/users/delete 刪除使用者。
Microsoft。LabServices/labs/users/invite/action 傳送電子郵件邀請給使用者以加入實驗室。
Microsoft。LabServices/labs/virtualMachines/read 取得虛擬機器的屬性。
Microsoft。LabServices/labs/virtualMachines/start 啟動虛擬機器。
Microsoft。LabServices/labs/virtualMachines/stop 停用及取消配置虛擬機器。
Microsoft。LabServices/labs/virtualMachines/reimage 將虛擬機器重新映射到最後一個已發佈的映射。
Microsoft。LabServices/labs/virtualMachines/deploy 將虛擬機器重新部署至不同的計算節點。
Microsoft。LabServices/labs/virtualMachines/resetPassword/action 重設虛擬機器上的本機使用者密碼。
Microsoft。LabServices/locations/usages/read 取得位置中的使用量
Microsoft。LabServices/skus/read 取得實驗室服務 SKU 的屬性。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。LabServices/labPlans/createLab/action 從實驗室計畫建立新的實驗室。
NotDataActions
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270",
    "properties": {
        "roleName": "Lab Contributor",
        "description": "The lab contributor role",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.LabServices/labPlans/images/read",
                    "Microsoft.LabServices/labPlans/read",
                    "Microsoft.LabServices/labPlans/saveImage/action",
                    "Microsoft.LabServices/labs/read",
                    "Microsoft.LabServices/labs/write",
                    "Microsoft.LabServices/labs/delete",
                    "Microsoft.LabServices/labs/publish/action",
                    "Microsoft.LabServices/labs/syncGroup/action",
                    "Microsoft.LabServices/labs/schedules/read",
                    "Microsoft.LabServices/labs/schedules/write",
                    "Microsoft.LabServices/labs/schedules/delete",
                    "Microsoft.LabServices/labs/users/read",
                    "Microsoft.LabServices/labs/users/write",
                    "Microsoft.LabServices/labs/users/delete",
                    "Microsoft.LabServices/labs/users/invite/action",
                    "Microsoft.LabServices/labs/virtualMachines/read",
                    "Microsoft.LabServices/labs/virtualMachines/start/action",
                    "Microsoft.LabServices/labs/virtualMachines/stop/action",
                    "Microsoft.LabServices/labs/virtualMachines/reimage/action",
                    "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
                    "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
                    "Microsoft.LabServices/locations/usages/read",
                    "Microsoft.LabServices/skus/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.LabServices/labPlans/createLab/action"
                ],
                "notDataActions": []
            }
        ]
    }
}

實驗室建立者

可讓您在 Azure 實驗室帳戶下建立新的實驗室。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。LabServices/labAccounts/*/read
Microsoft。LabServices/labAccounts/createLab/action 在實驗室帳戶中建立實驗室。
Microsoft。LabServices/labAccounts/getPricingAndAvailability/action 依大小、地理位置和作業系統的各種組合,取得實驗室帳戶的價格和可用性。
Microsoft。LabServices/labAccounts/getRestrictionsAndUsage/action 取得此訂用帳戶的核心限制及使用量
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。LabServices/labPlans/images/read 取得影像的屬性。
Microsoft。LabServices/labPlans/read 取得實驗室計畫的屬性。
Microsoft。LabServices/labPlans/saveImage/action 從連結至實驗室計畫之資源庫中的虛擬機器建立映射。
Microsoft。LabServices/labs/read 取得實驗室的屬性。
Microsoft。LabServices/labs/schedules/read 取得排程的屬性。
Microsoft。LabServices/labs/users/read 取得使用者的屬性。
Microsoft。LabServices/labs/virtualMachines/read 取得虛擬機器的屬性。
Microsoft。LabServices/locations/usages/read 取得位置中的使用量
Microsoft。LabServices/skus/read 取得實驗室服務 SKU 的屬性。
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。LabServices/labPlans/createLab/action 從實驗室計畫建立新的實驗室。
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you create new labs under your Azure Lab Accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.LabServices/labAccounts/*/read",
        "Microsoft.LabServices/labAccounts/createLab/action",
        "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
        "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labPlans/saveImage/action",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/virtualMachines/read",
        "Microsoft.LabServices/locations/usages/read",
        "Microsoft.LabServices/skus/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LabServices/labPlans/createLab/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Creator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

實驗室操作員

可讓您有限地管理現有的實驗室。

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。LabServices/labPlans/images/read 取得影像的屬性。
Microsoft。LabServices/labPlans/read 取得實驗室計畫的屬性。
Microsoft。LabServices/labPlans/saveImage/action 從連結至實驗室計畫之資源庫中的虛擬機器建立映射。
Microsoft。LabServices/labs/publish/action 將範本虛擬機器的映射傳播至實驗室中的所有虛擬機器,以發佈實驗室。
Microsoft。LabServices/labs/read 取得實驗室的屬性。
Microsoft。LabServices/labs/schedules/read 取得排程的屬性。
Microsoft。LabServices/labs/schedules/write 建立新的或更新現有的排程。
Microsoft。LabServices/labs/schedules/delete 刪除排程。
Microsoft。LabServices/labs/users/read 取得使用者的屬性。
Microsoft。LabServices/labs/users/write 建立新的或更新現有的使用者。
Microsoft。LabServices/labs/users/delete 刪除使用者。
Microsoft。LabServices/labs/users/invite/action 傳送電子郵件邀請給使用者以加入實驗室。
Microsoft。LabServices/labs/virtualMachines/read 取得虛擬機器的屬性。
Microsoft。LabServices/labs/virtualMachines/start/action 啟動虛擬機器。
Microsoft。LabServices/labs/virtualMachines/stop/action 停用及取消配置虛擬機器。
Microsoft。LabServices/labs/virtualMachines/reimage/action 將虛擬機器重新映射至最後一個已發佈的映射。
Microsoft。LabServices/labs/virtualMachines/deploy/action 將虛擬機器重新部署至不同的計算節點。
Microsoft。LabServices/labs/virtualMachines/resetPassword/action 重設虛擬機器上的本機使用者密碼。
Microsoft。LabServices/locations/usages/read 取得位置中的使用量。
Microsoft。LabServices/skus/read 取得實驗室服務 SKU 的屬性。
Microsoft。Resources/deployments/* 建立和管理部署。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
NotDataActions
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d",
    "properties": {
        "roleName": "Lab Operator",
        "description": "The lab operator role",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.LabServices/labPlans/images/read",
                    "Microsoft.LabServices/labPlans/read",
                    "Microsoft.LabServices/labPlans/saveImage/action",
                    "Microsoft.LabServices/labs/publish/action",
                    "Microsoft.LabServices/labs/read",
                    "Microsoft.LabServices/labs/schedules/read",
                    "Microsoft.LabServices/labs/schedules/write",
                    "Microsoft.LabServices/labs/schedules/delete",
                    "Microsoft.LabServices/labs/users/read",
                    "Microsoft.LabServices/labs/users/write",
                    "Microsoft.LabServices/labs/users/delete",
                    "Microsoft.LabServices/labs/users/invite/action",
                    "Microsoft.LabServices/labs/virtualMachines/read",
                    "Microsoft.LabServices/labs/virtualMachines/start/action",
                    "Microsoft.LabServices/labs/virtualMachines/stop/action",
                    "Microsoft.LabServices/labs/virtualMachines/reimage/action",
                    "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
                    "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
                    "Microsoft.LabServices/locations/usages/read",
                    "Microsoft.LabServices/skus/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

實驗室服務參與者

可讓您完全控制資源群組中的所有實驗室服務案例。

動作 描述
Microsoft。LabServices/* 建立和管理實驗室服務元件。
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。LabServices/labPlans/createLab/action 從實驗室計畫建立新的實驗室。
NotDataActions
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f",
    "properties": {
        "roleName": "Lab Services Contributor",
        "description": "The lab services contributor role",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.LabServices/*",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.LabServices/labPlans/createLab/action"
                ],
                "notDataActions": []
            }
        ]
    }
}

實驗室服務讀者

可讓您檢視所有實驗室方案和實驗室資源,但無法變更。

動作 描述
Microsoft。LabServices/*/read 讀取實驗室服務屬性。
Microsoft。Authorization/*/read 讀取角色和角色指派。
Microsoft。Resources/deployments/* 建立和管理部署。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
NotDataActions
{
    "id": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc",
    "properties": {
        "roleName": "Lab Services Reader",
        "description": "The lab services reader role",
        "assignableScopes": [
            "/"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.LabServices/*/read",
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

監視

Application Insights 元件參與者

可以管理 Application Insights 元件 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統警示規則
Microsoft。Insights/generateLiveToken/read 即時計量取得權杖
Microsoft。Insights/metricAlerts/* 建立和管理新的警示規則
Microsoft。Insights/components/* 建立和管理 Insights 元件
Microsoft。Insights/scheduledqueryrules/*
Microsoft。Insights/topology/read 讀取拓撲
Microsoft。Insights/transactions/read 讀取交易
Microsoft。Insights/webtests/* 建立和管理 Insights web 測試
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Application Insights components",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
  "name": "ae349356-3a1b-4a5e-921d-050484c6347e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/generateLiveToken/read",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/topology/read",
        "Microsoft.Insights/transactions/read",
        "Microsoft.Insights/webtests/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Component Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Application Insights 快照集偵錯工具

給予使用者權限,以便檢視及下載使用 Application Insights 快照偵錯工具所收集的偵錯快照。 請注意,擁有者參與者角色未包含這些權限。 將 Application Insights 快照偵錯者角色指派給使用者時,您必須直接將此角色授與使用者。 此角色若新增至自訂角色,則無法辨識。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Insights/components/*/read
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Gives user permission to use Application Insights Snapshot Debugger features",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Snapshot Debugger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

監視參與者

可以讀取所有監視資料並編輯監視設定。 請參閱開始使用 Azure 監視器的角色、權限和安全性深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
Microsoft。AlertsManagement/alerts/*
Microsoft。AlertsManagement/alertsSummary/*
Microsoft。Insights/actiongroups/*
Microsoft。Insights/activityLogAlerts/*
Microsoft。Insights/AlertRules/* 建立和管理傳統計量警示
Microsoft。Insights/components/* 建立和管理 Insights 元件
Microsoft。Insights/createNotifications/*
Microsoft。Insights/dataCollectionEndpoints/*
Microsoft。Insights/dataCollectionRules/*
Microsoft。Insights/dataCollectionRuleAssociations/*
Microsoft.Insights/DiagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。Insights/eventtypes/* 列出訂用帳戶中的活動記錄檔事件 (管理事件)。 此權限適用於以程式設計方式存取和入口網站存取活動記錄檔。
Microsoft。Insights/LogDefinitions/* 此為使用者需要透過入口網站存取活動記錄時所需的權限。 列出活動記錄檔中的記錄檔分類。
Microsoft。Insights/metricalerts/*
Microsoft。Insights/MetricDefinitions/* 讀取度量定義 (可用資源的度量類型清單)。
Microsoft。Insights/Metrics/* 讀取資源的度量。
Microsoft。Insights/notificationStatus/*
Microsoft。Insights/Register/Action 註冊 Microsoft Insights 提供者
Microsoft。Insights/scheduledqueryrules/*
Microsoft。Insights/webtests/* 建立和管理 Insights web 測試
Microsoft。Insights/workbooks/*
Microsoft。Insights/workbooktemplates/*
Microsoft。Insights/privateLinkScopes/*
Microsoft。Insights/privateLinkScopeOperationStatuses/*
Microsoft。OperationalInsights/workspaces/write 建立新的工作區,或藉由提供來自現有工作區的客戶識別碼來連結至現有工作區。
Microsoft。OperationalInsights/workspaces/intelligencepacks/* 讀取/寫入/刪除記錄分析解決方案套件。
Microsoft。OperationalInsights/workspaces/savedSearches/* 讀取/寫入/刪除記錄分析已儲存的搜尋。
Microsoft。OperationalInsights/workspaces/search/action 執行搜尋查詢
Microsoft。OperationalInsights/workspaces/sharedKeys/action 擷取工作區的共用金鑰。 這些金鑰可用來將 Microsoft Operational Insights 代理程式連線到工作區。
Microsoft。OperationalInsights/workspaces/storageinsightconfigs/* 讀取/寫入/刪除記錄分析儲存體深入解析設定。
Microsoft。支援/* 建立和更新支援票證
Microsoft。WorkloadMonitor/monitors/* 取得客體 VM 健康情況監視器的相關資訊。
Microsoft。AlertsManagement/smartDetectorAlertRules/*
Microsoft。AlertsManagement/actionRules/*
Microsoft。AlertsManagement/smartGroups/*
Microsoft。AlertsManagement/migrateFromSmartDetection/*
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read all monitoring data and update monitoring settings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.AlertsManagement/alerts/*",
        "Microsoft.AlertsManagement/alertsSummary/*",
        "Microsoft.Insights/actiongroups/*",
        "Microsoft.Insights/activityLogAlerts/*",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/createNotifications/*",
        "Microsoft.Insights/dataCollectionEndpoints/*",
        "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Insights/dataCollectionRuleAssociations/*",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/eventtypes/*",
        "Microsoft.Insights/LogDefinitions/*",
        "Microsoft.Insights/metricalerts/*",
        "Microsoft.Insights/MetricDefinitions/*",
        "Microsoft.Insights/Metrics/*",
        "Microsoft.Insights/notificationStatus/*",
        "Microsoft.Insights/Register/Action",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/webtests/*",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/workbooktemplates/*",
        "Microsoft.Insights/privateLinkScopes/*",
        "Microsoft.Insights/privateLinkScopeOperationStatuses/*",
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
        "Microsoft.Support/*",
        "Microsoft.WorkloadMonitor/monitors/*",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
        "Microsoft.AlertsManagement/actionRules/*",
        "Microsoft.AlertsManagement/smartGroups/*",
        "Microsoft.AlertsManagement/migrateFromSmartDetection/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

監視計量發行者

針對 Azure 資源啟用發佈計量 深入瞭解

動作 描述
Microsoft。Insights/Register/Action 註冊 Microsoft Insights 提供者
Microsoft。支援/* 建立和更新支援票證
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
NotActions
DataActions
Microsoft。Insights/Metrics/Write 寫入計量
Microsoft。Insights/Telemetry/Write 寫入遙測
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Enables publishing metrics against Azure resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
  "name": "3913510d-42f4-4e42-8a64-420c390055eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/Register/Action",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Insights/Metrics/Write",
        "Microsoft.Insights/Telemetry/Write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Metrics Publisher",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

監視讀取器

可以讀取所有監視資料 (計量、記錄等等)。 請參閱開始使用 Azure 監視器的角色、權限和安全性深入了解

動作 描述
*/read 讀取密碼以外的所有類型的資源。
Microsoft。OperationalInsights/workspaces/search/action 執行搜尋查詢
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read all monitoring data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

活頁簿參與者

可以儲存共用活頁簿。 深入了解

動作 描述
Microsoft。Insights/workbooks/write 建立或更新活頁簿
Microsoft。Insights/workbooks/delete 刪除活頁簿
Microsoft。Insights/workbooks/read 讀取活頁簿
Microsoft。Insights/workbooktemplates/write 建立或更新活頁簿範本
Microsoft。Insights/workbooktemplates/delete 刪除活頁簿範本
Microsoft。Insights/workbooktemplates/read 讀取活頁簿範本
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can save shared workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/workbooks/write",
        "Microsoft.Insights/workbooks/delete",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/workbooktemplates/write",
        "Microsoft.Insights/workbooktemplates/delete",
        "Microsoft.Insights/workbooktemplates/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

活頁簿讀者

可以讀取活頁簿。 深入了解

動作 描述
microsoft.insights/workbooks/read 讀取活頁簿
microsoft.insights/workbooktemplates/read 讀取活頁簿範本
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "permissions": [
    {
      "actions": [
        "microsoft.insights/workbooks/read",
        "microsoft.insights/workbooktemplates/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

管理與治理

自動化參與者

使用 Azure 自動化管理 Azure 自動化資源和其他資源。 深入了解

動作 描述
Microsoft。Automation/automationAccounts/*
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
Microsoft。Insights/ActionGroups/*
Microsoft。Insights/ActivityLogAlerts/*
Microsoft。Insights/MetricAlerts/*
Microsoft。Insights/ScheduledQueryRules/*
Microsoft。Insights/diagnosticSettings/* 建立、更新或讀取 Analysis Server 的診斷設定
Microsoft。OperationalInsights/workspaces/sharedKeys/action 擷取工作區的共用金鑰。 這些金鑰可用來將 Microsoft Operational Insights 代理程式連線到工作區。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage azure automation resources and other resources using azure automation.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867",
  "name": "f353d9bd-d4a6-484e-a77a-8050b599b867",
  "permissions": [
    {
      "actions": [
        "Microsoft.Automation/automationAccounts/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/ActionGroups/*",
        "Microsoft.Insights/ActivityLogAlerts/*",
        "Microsoft.Insights/MetricAlerts/*",
        "Microsoft.Insights/ScheduledQueryRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自動化作業運算子

使用「自動化 Runbook」來建立及管理作業。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Automation/automationAccounts/hybridRunbookWorkerGroups/read 讀取混合式 Runbook 背景工作角色群組
Microsoft。Automation/automationAccounts/jobs/read 取得 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/resume/action 繼續 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/stop/action 停止 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/streams/read 取得 Azure 自動化作業串流
Microsoft。Automation/automationAccounts/jobs/suspend/action 暫止 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/write 建立 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/output/read 取得作業的輸出
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create and Manage Jobs using Automation Runbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Job Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自動化運算子

自動化操作員能夠啟動、停止、暫停和繼續作業 深入瞭解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Automation/automationAccounts/hybridRunbookWorkerGroups/read 讀取混合式 Runbook 背景工作角色群組
Microsoft。Automation/automationAccounts/jobs/read 取得 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/resume/action 繼續 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/stop/action 停止 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/streams/read 取得 Azure 自動化作業串流
Microsoft。Automation/automationAccounts/jobs/suspend/action 暫止 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobs/write 建立 Azure 自動化作業
Microsoft。Automation/automationAccounts/jobSchedules/read 取得 Azure 自動化作業排程
Microsoft。Automation/automationAccounts/jobSchedules/write 建立 Azure 自動化作業排程
Microsoft。Automation/automationAccounts/linkedWorkspace/read 取得連結至自動化帳戶的工作區
Microsoft。Automation/automationAccounts/read 取得 Azure 自動化帳戶
Microsoft。Automation/automationAccounts/Runbooks/read 取得 Azure 自動化 Runbook
Microsoft。Automation/automationAccounts/schedules/read 取得 Azure 自動化排程資產
Microsoft。Automation/automationAccounts/schedules/write 建立或更新 Azure 自動化排程資產
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Automation/automationAccounts/jobs/output/read 取得作業的輸出
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Automation Operators are able to start, stop, suspend, and resume jobs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
  "name": "d3881f73-407a-4167-8283-e981cbba0404",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobSchedules/read",
        "Microsoft.Automation/automationAccounts/jobSchedules/write",
        "Microsoft.Automation/automationAccounts/linkedWorkspace/read",
        "Microsoft.Automation/automationAccounts/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Automation/automationAccounts/schedules/read",
        "Microsoft.Automation/automationAccounts/schedules/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

自動化 Runbook 運算子

讀取 Runbook 屬性 - 以便能夠建立 Runbook 的作業。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Automation/automationAccounts/Runbooks/read 取得 Azure 自動化 Runbook
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/* 建立和管理部署
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read Runbook properties - to be able to create Jobs of the runbook.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Runbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

已啟用 Azure Arc 的 Kubernetes 叢集使用者角色

列出叢集使用者認證動作。

動作 描述
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。Kubernetes/connectedClusters/listClusterUserCredentials/action 列出 clusterUser 認證 (預覽)
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。支援/* 建立和更新支援票證
Microsoft。Kubernetes/connectedClusters/listClusterUserCredential/action 列出 clusterUser 認證
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "List cluster user credentials action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes 管理員

可讓您管理叢集/命名空間下的所有資源,但更新或刪除資源配額和命名空間除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。Kubernetes/connectedClusters/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft。Kubernetes/connectedClusters/apps/deployments/*
Microsoft。Kubernetes/connectedClusters/apps/replicasets/*
Microsoft。Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft。Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write 寫入區域變數accessreviews
Microsoft。Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft。Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft。Kubernetes/connectedClusters/batch/jobs/*
Microsoft。Kubernetes/connectedClusters/configmaps/*
Microsoft。Kubernetes/connectedClusters/endpoints/*
Microsoft。Kubernetes/connectedClusters/events.k8s.io/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft。Kubernetes/connectedClusters/extensions/deployments/*
Microsoft。Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft。Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft。Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft。Kubernetes/connectedClusters/limitranges/read 讀取限制範圍
Microsoft。Kubernetes/connectedClusters/namespaces/read 讀取命名空間
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft。Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft。Kubernetes/connectedClusters/pods/*
Microsoft。Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft。Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft。Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft。Kubernetes/connectedClusters/resourcequotas/read 讀取 resourcequotas
Microsoft。Kubernetes/connectedClusters/secrets/*
Microsoft。Kubernetes/connectedClusters/serviceaccounts/*
Microsoft。Kubernetes/connectedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes 叢集管理員

可讓您管理叢集中的所有資源。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。Kubernetes/connectedClusters/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Viewer

可讓您檢視叢集/命名空間中的所有資源,但秘密除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。Kubernetes/connectedClusters/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。Kubernetes/connectedClusters/apps/daemonsets/read 讀取精靈集
Microsoft。Kubernetes/connectedClusters/apps/deployments/read 讀取部署
Microsoft。Kubernetes/connectedClusters/apps/replicasets/read 讀取複本集
Microsoft。Kubernetes/connectedClusters/apps/statefulsets/read 讀取具狀態集
Microsoft。Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read 讀取 horizontalpodautoscalers
Microsoft。Kubernetes/connectedClusters/batch/cronjobs/read 讀取 cronjobs
Microsoft。Kubernetes/connectedClusters/batch/jobs/read 讀取作業
Microsoft。Kubernetes/connectedClusters/configmaps/read 讀取 configmaps
Microsoft。Kubernetes/connectedClusters/endpoints/read 讀取端點
Microsoft。Kubernetes/connectedClusters/events.k8s.io/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/extensions/daemonsets/read 讀取精靈集
Microsoft。Kubernetes/connectedClusters/extensions/deployments/read 讀取部署
Microsoft。Kubernetes/connectedClusters/extensions/ingresses/read 讀取輸入
Microsoft。Kubernetes/connectedClusters/extensions/networkpolicies/read 讀取網路原則
Microsoft。Kubernetes/connectedClusters/extensions/replicasets/read 讀取複本集
Microsoft。Kubernetes/connectedClusters/limitranges/read 讀取限制範圍
Microsoft。Kubernetes/connectedClusters/namespaces/read 讀取命名空間
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/ingresses/read 讀取輸入
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read 讀取網路原則
Microsoft。Kubernetes/connectedClusters/persistentvolumeclaims/read 讀取 persistentvolumeclaims
Microsoft。Kubernetes/connectedClusters/pods/read 讀取 Pod
Microsoft。Kubernetes/connectedClusters/policy/poddisruptionbudgets/read 讀取 poddisruptionbudgets
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/read 讀取 replicationcontrollers
Microsoft。Kubernetes/connectedClusters/resourcequotas/read 讀取 resourcequotas
Microsoft。Kubernetes/connectedClusters/serviceaccounts/read 讀取 serviceaccounts
Microsoft。Kubernetes/connectedClusters/services/read 讀取服務
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes 寫入器

可讓您更新叢集/命名空間中的所有專案,但 (叢集) 角色和 (叢集) 角色系結除外。 深入了解

動作 描述
Microsoft。Authorization/*/read 讀取角色和角色指派
Microsoft。Insights/alertRules/* 建立和管理傳統計量警示
Microsoft。Resources/deployments/write 建立或更新部署。
Microsoft。Resources/subscriptions/operationresults/read 取得訂用帳戶作業結果。
Microsoft。資源/訂用帳戶/讀取 取得訂用帳戶清單。
Microsoft。Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft。支援/* 建立和更新支援票證
NotActions
DataActions
Microsoft。Kubernetes/connectedClusters/apps/controllerrevisions/read 讀取控制器重新布建
Microsoft。Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft。Kubernetes/connectedClusters/apps/deployments/*
Microsoft。Kubernetes/connectedClusters/apps/replicasets/*
Microsoft。Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft。Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft。Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft。Kubernetes/connectedClusters/batch/jobs/*
Microsoft。Kubernetes/connectedClusters/configmaps/*
Microsoft。Kubernetes/connectedClusters/endpoints/*
Microsoft。Kubernetes/connectedClusters/events.k8s.io/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/events/read 讀取事件
Microsoft。Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft。Kubernetes/connectedClusters/extensions/deployments/*
Microsoft。Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft。Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft。Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft。Kubernetes/connectedClusters/limitranges/read 讀取 limitranges
Microsoft。Kubernetes/connectedClusters/namespaces/read 讀取命名空間
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft。Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft。Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft。Kubernetes/connectedClusters/pods/*
Microsoft。Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft。Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft。Kubernetes/connectedClusters/resourcequotas/read 讀取 resourcequotas
Microsoft。Kubernetes/connectedClusters/secrets/*
Microsoft。Kubernetes/connectedClusters/serviceaccounts/*
Microsoft。Kubernetes/connectedClusters/services/*
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine 上線

可以讓 Azure Connected Machine 上線。 深入了解

動作 描述
Microsoft。HybridCompute/machines/read 讀取任何 Azure Arc 機器
Microsoft。HybridCompute/machines/write 寫入 Azure Arc 機器
Microsoft。HybridCompute/privateLinkScopes/read 讀取任何 Azure Arc privateLinkScopes
Microsoft。GuestConfiguration/guestConfigurationAssignments/read 取得來賓組態指派。
NotActions
DataActions
NotDataActions
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can onboard Azure Connected Machines.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine 資源管理員

可以讀取、寫入、刪除 Azure Connected Machine 及使之重新上線。

動作 描述
Microsoft