A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. Azure role-based access control (Azure RBAC) has over 120 built-in roles, or you can create your own custom roles. This article describes how to list the built-in and custom roles that you can use to grant access to Azure resources.
To see the list of administrator roles for Microsoft Entra ID, see Administrator role permissions in Microsoft Entra ID.
Follow these steps to list all roles in the Azure portal.
In the Azure portal, click All services and then select any scope. For example, you can select Management groups, Subscriptions, Resource groups, or a resource.
Click the specific resource.
Click Access control (IAM).
Click the Roles tab to see a list of all the built-in and custom roles.
To see the permissions for a particular role, in the Details column, click the View link.
A permissions pane appears.
Click the Permissions tab to view and search the permissions for the selected role.
To list all roles in Azure PowerShell, use Get-AzRoleDefinition.
Get-AzRoleDefinition | FT Name, Description
AcrImageSigner acr image signer
AcrQuarantineReader acr quarantine data reader
AcrQuarantineWriter acr quarantine data writer
API Management Service Contributor Can manage service and the APIs
API Management Service Operator Role Can manage service but not the APIs
API Management Service Reader Role Read-only access to service and APIs
Application Insights Component Contributor Can manage Application Insights components
Application Insights Snapshot Debugger Gives user permission to use Application Insights Snapshot Debugge...
Automation Job Operator Create and Manage Jobs using Automation Runbooks.
Automation Operator Automation Operators are able to start, stop, suspend, and resume ...
...
To list the details of a specific role, use Get-AzRoleDefinition.
Get-AzRoleDefinition <role_name>
PS C:\> Get-AzRoleDefinition "Contributor"
Name : Contributor
Id : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom : False
Description : Lets you manage everything except access to resources.
Actions : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
Microsoft.Authorization/elevateAccess/Action}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}
To list a role in JSON format, use Get-AzRoleDefinition.
Get-AzRoleDefinition <role_name> | ConvertTo-Json
PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json
{
"Name": "Contributor",
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"IsCustom": false,
"Description": "Lets you manage everything except access to resources.",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/"
]
}
To list the permissions of a specific role, use Get-AzRoleDefinition.
Get-AzRoleDefinition <role_name> | FL Actions, NotActions
PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions
Actions : {*}
NotActions : {Microsoft.Authorization/*/Delete, Microsoft.Authorization/*/Write,
Microsoft.Authorization/elevateAccess/Action,
Microsoft.Blueprint/blueprintAssignments/write...}
(Get-AzRoleDefinition <role_name>).Actions
PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions
Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...
To list all roles in Azure CLI, use az role definition list.
az role definition list
The following example lists the name and description of all available role definitions:
az role definition list --output json --query '[].{roleName:roleName, description:description}'
[
{
"description": "Can manage service and the APIs",
"roleName": "API Management Service Contributor"
},
{
"description": "Can manage service but not the APIs",
"roleName": "API Management Service Operator Role"
},
{
"description": "Read-only access to service and APIs",
"roleName": "API Management Service Reader Role"
},
...
]
The following example lists all of the built-in roles.
az role definition list --custom-role-only false --output json --query '[].{roleName:roleName, description:description, roleType:roleType}'
[
{
"description": "Can manage service and the APIs",
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole"
},
{
"description": "Can manage service but not the APIs",
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole"
},
{
"description": "Read-only access to service and APIs",
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole"
},
...
]
To list the details of a role, use az role definition list.
az role definition list --name {roleName}
The following example lists the Contributor role definition:
az role definition list --name "Contributor"
[
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything except access to resources.",
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"dataActions": [],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]
The following example lists just the actions and notActions of the Contributor role.
az role definition list --name "Contributor" --output json --query '[].{actions:permissions[0].actions, notActions:permissions[0].notActions}'
[
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
]
}
]
The following example lists just the actions of the Virtual Machine Contributor role.
az role definition list --name "Virtual Machine Contributor" --output json --query '[].permissions[0].actions'
[
[
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
...
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
]
]
You must use API version 2015-07-01 or later. For more information, see API versions of Azure RBAC REST APIs.
To list role definitions in a tenant, use the Role Definitions - List REST API.
The following example lists all the role definitions in a tenant:
Request
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01
Response
{
"value": [
{
"properties": {
"roleName": "Billing Reader Plus",
"type": "CustomRole",
"description": "Read billing data and download invoices",
"assignableScopes": [
"/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
},
{
"properties": {
"roleName": "AcrPush",
"type": "BuiltInRole",
"description": "acr push",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2018-10-29T17:52:32.5201177Z",
"updatedOn": "2021-11-11T20:13:07.4993029Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec"
}
]
}
To list role definitions, use the Role Definitions - List REST API. To refine your results, you specify a scope and an optional filter.
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2022-04-01
For a tenant-level scope, you can use this request (the OData query option is $filter, so the leading $ is required):
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter={$filter}&api-version=2022-04-01
In the URI, replace {scope} with the scope for which you want to list the role definitions.
Scope | Type
---|---
providers/Microsoft.Management/managementGroups/{groupId1} | Management group
subscriptions/{subscriptionId1} | Subscription
subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group
subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource
In the preceding example, microsoft.web is a resource provider that refers to an App Service instance. Similarly, you can use any other resource provider and specify the scope. For more information, see Azure resource providers and types and Supported Azure resource provider operations.
Replace {filter} with the condition that you want to apply to filter the role definition list.
Filter | Description
---|---
$filter=type+eq+'{type}' | Lists role definitions of the specified type. The type of a role can be CustomRole or BuiltInRole.
The following example lists all the custom roles in a tenant:
Request
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01
Response
{
"value": [
{
"properties": {
"roleName": "Billing Reader Plus",
"type": "CustomRole",
"description": "Read billing data and download invoices",
"assignableScopes": [
"/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
}
]
}
To list the details of a specific role, use the Role Definitions - Get or Role Definitions - Get By Id REST API.
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
For a tenant-level role definition, you can use this request:
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
In the URI, replace {scope} with the scope for which you want to list the role definition.
Scope | Type
---|---
providers/Microsoft.Management/managementGroups/{groupId1} | Management group
subscriptions/{subscriptionId1} | Subscription
subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1 | Resource group
subscriptions/{subscriptionId1}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1 | Resource
Replace {roleDefinitionId} with the role definition identifier.
The following example lists the Reader role definition:
Request
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2022-04-01
Response
{
"properties": {
"roleName": "Reader",
"type": "BuiltInRole",
"description": "View all resources, but does not allow you to make any changes.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2021-11-11T20:13:47.8628684Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}
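The role definitions returned by the REST, CLI, and PowerShell commands above all carry the same actions/notActions structure, and the Contributor output shows why it matters: the role grants "*" but subtracts Microsoft.Authorization/*/Write, so it cannot change access. The script below is an added example (not code from this page or from Microsoft) that parses role definitions in the shape of the Role Definitions - List response, evaluates an operation the way that structure implies (granted only if it matches an actions entry and no notActions entry), and flags custom roles that can write role assignments. The role definitions are constructed sample data, including a hypothetical custom role named Example Ops, and treating '*' as spanning any number of path segments is an assumption about Azure's wildcard matching.

```python
import fnmatch
import json

# Constructed sample data in the shape of the "Role Definitions - List"
# response: one custom role trimmed from the page's output, the built-in
# Contributor as the page prints it, and a hypothetical "Example Ops" role.
ROLE_DEFINITIONS = json.loads("""{"value": [
  {"properties": {"roleName": "Billing Reader Plus", "type": "CustomRole",
    "permissions": [{"actions": ["Microsoft.Authorization/*/read",
      "Microsoft.Billing/*/read", "Microsoft.CostManagement/exports/*"],
      "notActions": ["Microsoft.CostManagement/exports/delete"]}]}},
  {"properties": {"roleName": "Contributor", "type": "BuiltInRole",
    "permissions": [{"actions": ["*"],
      "notActions": ["Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]}]}},
  {"properties": {"roleName": "Example Ops", "type": "CustomRole",
    "permissions": [{"actions": ["Microsoft.Compute/*",
      "Microsoft.Authorization/roleAssignments/write"], "notActions": []}]}}
]}""")

def _matches(pattern, operation):
    # Assumption: '*' in an action string spans any characters, including
    # '/', and operation names are compared case-insensitively.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())

def role_allows(role, operation):
    """True if the control-plane operation is granted by the role definition:
    it must match an actions entry in some permissions block and must not
    match any notActions entry (notActions subtracts from actions)."""
    perms = role["properties"]["permissions"]
    actions = [a for p in perms for a in p["actions"]]
    not_actions = [a for p in perms for a in p["notActions"]]
    granted = any(_matches(a, operation) for a in actions)
    excluded = any(_matches(a, operation) for a in not_actions)
    return granted and not excluded

def custom_roles_that_manage_access(defs):
    """Names of custom roles that can write role assignments, the capability
    that the built-in Contributor role's notActions deliberately exclude."""
    return [r["properties"]["roleName"] for r in defs["value"]
            if r["properties"]["type"] == "CustomRole"
            and role_allows(r, "Microsoft.Authorization/roleAssignments/write")]
```

To run this against a real tenant, replace ROLE_DEFINITIONS with the parsed body of the Role Definitions - List request shown above.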