Azure built-in roles for Identity
This article lists the Azure built-in roles in the Identity category.
Domain Services Contributor
Can manage Azure AD Domain Services and related network configuration.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/write | Creates or updates a deployment. |
Microsoft.Resources/deployments/delete | Deletes a deployment. |
Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
Microsoft.Resources/deployments/validate/action | Validates a deployment. |
Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
Microsoft.Resources/deployments/exportTemplate/action | Exports the template for a deployment. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Insights/AlertRules/Write | Creates or updates a classic metric alert. |
Microsoft.Insights/AlertRules/Delete | Deletes a classic metric alert. |
Microsoft.Insights/AlertRules/Read | Reads a classic metric alert. |
Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated. |
Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved. |
Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled. |
Microsoft.Insights/AlertRules/Incidents/Read | Reads a classic metric alert incident. |
Microsoft.Insights/Logs/Read | Reads data from all logs. |
Microsoft.Insights/Metrics/Read | Reads metrics |
Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server. |
Microsoft.Insights/DiagnosticSettingsCategories/Read | Reads diagnostic settings categories. |
Microsoft.AAD/register/action | Registers the Domain Service. |
Microsoft.AAD/unregister/action | Unregisters the Domain Service. |
Microsoft.AAD/domainServices/* | |
Microsoft.Network/register/action | Registers the subscription |
Microsoft.Network/unregister/action | Unregisters the subscription |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing one |
Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing one |
Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not alertable. |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing one |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings of Virtual Network. |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for PingMesh. |
Microsoft.Network/azureFirewalls/read | Gets Azure Firewall. |
Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection plan. |
Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection plan. Not alertable. |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
Microsoft.Network/loadBalancers/*/read | |
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not alertable. |
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not alertable. |
Microsoft.Network/natGateways/join/action | Joins a NAT Gateway. |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
Microsoft.Network/networkInterfaces/join/action | Joins a virtual machine to a network interface. Not alertable. |
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing one |
Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not alertable. |
Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing one |
Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
Microsoft.Network/routeTables/read | Gets a route table definition |
Microsoft.Network/routeTables/write | Creates a route table or updates an existing one. |
Microsoft.Network/routeTables/delete | Deletes a route table definition |
Microsoft.Network/routeTables/join/action | Joins a route table. Not alertable. |
Microsoft.Network/routeTables/routes/read | Gets a route definition |
Microsoft.Network/routeTables/routes/write | Creates a route or updates an existing one |
Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Domain Services Reader
Can view Azure AD Domain Services and related network configuration.
Actions | Description |
---|---|
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Resources/deployments/read | Gets or lists deployments. |
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Insights/AlertRules/Read | Reads a classic metric alert. |
Microsoft.Insights/AlertRules/Incidents/Read | Reads a classic metric alert incident. |
Microsoft.Insights/Logs/Read | Reads data from all logs. |
Microsoft.Insights/Metrics/read | Reads metrics |
Microsoft.Insights/DiagnosticSettings/read | Reads the diagnostic setting for a resource. |
Microsoft.Insights/DiagnosticSettingsCategories/Read | Reads diagnostic settings categories. |
Microsoft.AAD/domainServices/*/read | |
Microsoft.Network/virtualNetworks/read | Gets the virtual network definition |
Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Gets the diagnostic settings of Virtual Network. |
Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for PingMesh. |
Microsoft.Network/azureFirewalls/read | Gets Azure Firewall. |
Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection plan. |
Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
Microsoft.Network/loadBalancers/*/read | |
Microsoft.Network/natGateways/read | Gets a NAT Gateway definition. |
Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
Microsoft.Network/routeTables/read | Gets a route table definition |
Microsoft.Network/routeTables/routes/read | Gets a route definition |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Managed Identity Contributor
Create, read, update, and delete user-assigned identities.
Actions | Description |
---|---|
Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user-assigned identity. |
Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user-assigned identity or updates the tags associated with an existing user-assigned identity. |
Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user-assigned identity. |
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read | Gets or lists federated identity credentials. |
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write | Creates or updates a federated identity credential |
Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete | Deletes a federated identity credential |
Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action | Revokes all existing tokens on a user-assigned identity |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
Managed Identity Operator
Read and assign user-assigned identities.
Actions | Description |
---|---|
Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
Microsoft.Authorization/*/read | Read roles and role assignments |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
Microsoft.Resources/deployments/* | Create and manage a deployment |
Microsoft.Support/* | Create and update a support ticket |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read and Assign User Assigned Identity",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
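The role definitions above are only useful for a least-privilege review if you can evaluate what an action pattern actually covers: Azure RBAC grants a control-plane operation when it matches a pattern in `actions` and no pattern in `notActions`, with `*` matching any run of characters (including `/`) and comparisons being case-insensitive. The following is an added example, not code from this page or from Microsoft, that implements that evaluation over trimmed copies of two roles listed above plus one constructed custom role; the treatment of a `/*/` segment as also matching zero segments is an assumption about Azure's matcher, made so that the Operator role's `userAssignedIdentities/*/read` covers reading the identity itself.

```python
import re

# Trimmed copies of two role definitions from this page, plus one constructed
# custom role, in the same JSON shape (only the fields the check needs).
DOMAIN_SERVICES_READER = {
    "roleName": "Domain Services Reader",
    "permissions": [{"actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read"],
        "notActions": []}]}

MANAGED_IDENTITY_OPERATOR = {
    "roleName": "Managed Identity Operator",
    "permissions": [{"actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*"],
        "notActions": []}]}

# Constructed custom role (not on the page): route tables, everything but delete.
ROUTE_TABLE_NO_DELETE = {
    "roleName": "Route Table Editor (constructed)",
    "permissions": [{"actions": ["Microsoft.Network/routeTables/*"],
                     "notActions": ["Microsoft.Network/routeTables/delete",
                                    "Microsoft.Network/routeTables/routes/delete"]}]}


def _pattern_to_regex(pattern: str) -> re.Pattern:
    # '*' matches any run of characters, '/' included; matching is case-insensitive.
    # A '/*/' segment may also match zero segments (assumption about Azure's matcher).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    regex = regex.replace("/.*/", "/(?:.*/)?")
    return re.compile(regex, re.IGNORECASE)


def role_allows(role: dict, action: str) -> bool:
    """Effective control-plane permission: some Actions pattern matches and no NotActions pattern does."""
    for perm in role["permissions"]:
        allowed = any(_pattern_to_regex(p).fullmatch(action) for p in perm.get("actions", []))
        denied = any(_pattern_to_regex(p).fullmatch(action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def non_read_patterns(role: dict) -> list:
    """Action patterns that can grant more than read: a write/delete/action verb or a trailing '*'."""
    found = []
    for perm in role["permissions"]:
        for p in perm.get("actions", []):
            last = p.rsplit("/", 1)[-1].lower()
            if last in ("write", "delete", "action", "*"):
                found.append(p)
    return found
```

Running `non_read_patterns` over a role before assigning it shows at a glance whether a "reader" role is really read-only; `role_allows` answers the narrower question of whether a specific operation would be authorized.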