# Azure built-in roles for Privileged

This article lists the Azure built-in roles in the Privileged category.

## Contributor

Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

| Actions | Description |
|---|---|
| * | Create and manage resources of all types |
| NotActions | |
| Microsoft.Authorization/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/elevateAccess/action | Grants the caller User Access Administrator access at the tenant scope |
| Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint assignments |
| Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint assignments |
| Microsoft.Compute/galleries/share/action | Allows sharing of a gallery to different scopes. |
| Microsoft.Purview/consents/write | Create or update a consent resource. |
| Microsoft.Purview/consents/delete | Delete the consent resource. |
| Microsoft.Resources/deploymentStacks/manageDenySetting/action | Manage the denySettings property of a deployment stack. |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Owner

Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

| Actions | Description |
|---|---|
| * | Create and manage resources of all types |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Reservations Administrator

Lets one read and manage all the reservations in a tenant.

| Actions | Description |
|---|---|
| Microsoft.Capacity/*/read | |
| Microsoft.Capacity/*/action | |
| Microsoft.Capacity/*/write | |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/providers/Microsoft.Capacity"
  ],
  "description": "Lets one read and manage all the reservations in a tenant",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-49c9-bc1c-52486c10e7cd",
  "name": "a8889054-8d42-49c9-bc1c-52486c10e7cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/*/read",
        "Microsoft.Capacity/*/action",
        "Microsoft.Capacity/*/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservations Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## Role Based Access Control Administrator

Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.

| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| */read | Read resources of all types, except secrets. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Role Based Access Control Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
## User Access Administrator

Lets you manage user access to Azure resources.

| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| Microsoft.Authorization/* | Manage authorization |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |

```json
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage user access to Azure resources.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
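As an added example (not part of this article or of Azure's own tooling), the following Python script applies the Actions/NotActions evaluation that the definitions above rely on to two of them, Contributor and Role Based Access Control Administrator, and reports which access-changing control-plane operations each role effectively grants. It assumes the standard wildcard semantics (case-insensitive matching, `*` spanning `/` segments) and ignores deny assignments and data actions.

```python
import fnmatch

# Constructed copies of two permission blocks listed on this page (Contributor and
# Role Based Access Control Administrator), used here as offline audit input.
CONTRIBUTOR = {"permissions": [{
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
    ],
}]}
RBAC_ADMIN = {"permissions": [{
    "actions": ["Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleAssignments/delete",
                "*/read", "Microsoft.Support/*"],
    "notActions": [],
}]}

def matches(pattern, operation):
    """Azure RBAC wildcard match: case-insensitive, and '*' spans '/' segments."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def allows(role, operation):
    """Effective control-plane permission: some Actions entry matches the operation
    and no NotActions entry does. Deny assignments and data actions are out of scope."""
    for perm in role["permissions"]:
        if (any(matches(p, operation) for p in perm["actions"])
                and not any(matches(p, operation) for p in perm["notActions"])):
            return True
    return False

# Operations that change who can do what; each appears in this page's definitions.
ACCESS_CHANGING_OPS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
]

def access_changing_ops(role):
    """Return the access-changing operations a role definition effectively grants."""
    return [op for op in ACCESS_CHANGING_OPS if allows(role, op)]
```

Running `access_changing_ops` over every custom role exported from a subscription is a quick way to find definitions that grant role-assignment rights without being in the Privileged category.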