你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
用于存储的 Azure 内置角色
本文列出了存储类别的 Azure 内置角色。
Avere 参与者
可以创建和管理 Avere vFXT 群集。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Compute/*/read | |
Microsoft.Compute/availabilitySets/* | |
Microsoft.Compute/proximityPlacementGroups/* | |
Microsoft.Compute/virtualMachines/* | |
Microsoft.Compute/disks/* | |
Microsoft.Network/*/read | |
Microsoft.Network/networkInterfaces/* | |
Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
Microsoft.Network/networkSecurityGroups/join/action | 加入网络安全组。 不可发出警报。 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/*/read | |
Microsoft.Storage/storageAccounts/* | 创建和管理存储帐户 |
Microsoft.Support/* | 创建和更新支持票证 |
Microsoft.Resources/subscriptions/resourceGroups/resources/read | 获取资源组的资源。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 返回删除 blob 的结果 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 blob 或 blob 列表 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | 返回写入 blob 的结果 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Avere 操作员
Avere vFXT 群集用来管理群集
操作 | 描述 |
---|---|
Microsoft.Compute/virtualMachines/read | 获取虚拟机的属性 |
Microsoft.Network/networkInterfaces/read | 获取网络接口定义。 |
Microsoft.Network/networkInterfaces/write | 创建网络接口,或更新现有的网络接口。 |
Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
Microsoft.Network/virtualNetworks/subnets/read | 获取虚拟网络子网定义 |
Microsoft.Network/virtualNetworks/subnets/join/action | 加入虚拟网络。 不可发出警报。 |
Microsoft.Network/networkSecurityGroups/join/action | 加入网络安全组。 不可发出警报。 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/storageAccounts/blobServices/containers/delete | 返回删除容器的结果 |
Microsoft.Storage/storageAccounts/blobServices/containers/read | 返回容器列表 |
Microsoft.Storage/storageAccounts/blobServices/containers/write | 返回放置 blob 容器的结果 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 返回删除 blob 的结果 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 blob 或 blob 列表 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | 返回写入 blob 的结果 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份参与者
允许管理备份服务,但不允许创建保管库以及授予其他人访问权限
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
Microsoft.RecoveryServices/locations/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | 管理备份管理操作的结果 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | 在恢复服务保管库的备份结构内创建和管理备份容器 |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | 刷新容器列表 |
Microsoft.RecoveryServices/Vaults/backupJobs/* | 创建和管理备份作业 |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业 |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | 创建和管理备份管理操作的结果 |
Microsoft.RecoveryServices/Vaults/backupPolicies/* | 创建和管理备份策略 |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | 创建和管理可以备份的项 |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | 创建和管理备份项 |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | 创建和管理保存备份项的容器 |
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。 |
Microsoft.RecoveryServices/Vaults/certificates/* | 创建和管理与恢复服务保管库中的备份相关的证书 |
Microsoft.RecoveryServices/Vaults/extendedInformation/* | 创建和管理与保管库相关的扩展信息 |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。 |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/* | 创建和管理已注册标识 |
Microsoft.RecoveryServices/Vaults/usages/* | 创建和管理恢复服务保管库的使用情况 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | 验证对受保护项的操作 |
Microsoft.RecoveryServices/Vaults/write | “创建保管库”操作创建“vault”类型的 Azure 资源 |
Microsoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。 |
Microsoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | 获取所有可保护的容器 |
Microsoft.RecoveryServices/vaults/operationStatus/read | 获取给定操作的操作状态 |
Microsoft.RecoveryServices/vaults/operationResults/read | “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果 |
Microsoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能 |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。 |
Microsoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态 |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向 |
Microsoft.Support/* | 创建和更新支持票证 |
Microsoft.DataProtection/locations/getBackupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.DataProtection/backupVaults/backupInstances/write | 创建备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/delete | 删除备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/read | 返回所有备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/read | 返回所有备份实例 |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | 列出备份保管库中软删除的备份实例。 |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | 执行对软删除的备份实例的取消删除操作。 备份实例从 SoftDeleted 状态转为 ProtectionStopped 状态。 |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | 对备份实例执行备份 |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | 验证是否已对备份实例执行还原 |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | 触发对备份实例的还原操作 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | 在给定的备份实例上触发跨区域还原操作。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | 对跨区域还原操作执行验证。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | 列出次要区域中备份实例的跨区域还原作业。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | 从次要区域获取跨区域还原作业详细信息。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | 从次要区域返回已启用跨区域还原的备份保管库的恢复点。 |
Microsoft.DataProtection/backupVaults/backupPolicies/write | 创建备份策略 |
Microsoft.DataProtection/backupVaults/backupPolicies/delete | 删除备份策略 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回全部恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回全部恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | 查找可还原的时间范围 |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/backupVaults/write | “更新备份保管库”操作更新类型为“备份保管库”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/operationResults/read | 获取备份保管库的修补操作的操作结果 |
Microsoft.DataProtection/backupVaults/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/locations/checkNameAvailability/action | 检查请求获取的 BackupVault 名称是否可用 |
Microsoft.DataProtection/locations/checkFeatureSupport/action | 验证功能是否受支持 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/locations/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/locations/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/backupVaults/validateForBackup/action | 验证是否已对备份实例执行备份 |
Microsoft.DataProtection/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | “删除 ResourceGuard 代理”操作删除类型为“ResourceGuard 代理”的指定 Azure 资源 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | 获取资源的 ResourceGuard 代理列表 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | “解锁删除 ResourceGuard 代理”操作解锁下一删除关键操作 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | “创建 ResourceGuard 代理”操作创建类型为“ResourceGuard 代理”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | “获取 ResourceGuard 代理”操作获取表示类型为“ResourceGuard 代理”的 Azure 资源的对象 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | “创建 ResourceGuard 代理”操作创建类型为“ResourceGuard 代理”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | “删除 ResourceGuard 代理”操作删除类型为“ResourceGuard 代理”的指定 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | “解锁删除 ResourceGuard 代理”操作解锁下一删除关键操作 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backups, but can't delete vaults and give access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/vaults/operationStatus/read",
"Microsoft.RecoveryServices/vaults/operationResults/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/delete",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/write",
"Microsoft.DataProtection/backupVaults/backupPolicies/delete",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/write",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/locations/checkNameAvailability/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份多用户授权管理员
备份多用户授权。 可以建立/刪除ResourceGuard
操作 | 说明 |
---|---|
Microsoft.DataProtectio/*/read | |
Microsoft.DataProtection/*/resourceGuards/write | |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write | 更新 ResourceGuard 操作更新类型为“ResourceGuard”的 Azure 资源 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete | “删除 ResourceGuard”操作删除“ResourceGuard”类型的指定 Azure 资源 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read | 获取资源组中的 ResourceGuard 的列表 |
Microsoft.DataProtection/locations/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/locations/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/locations/getBackupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.DataProtection/locations/checkFeatureSupport/action | 验证功能是否受支持 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Features/features/read | 获取订阅的功能。 |
Microsoft.Features/providers/features/read | 获取给定资源提供程序中某个订阅的功能。 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/operations/read | 获取或列出部署操作。 |
Microsoft.Resources/subscriptions/operationresults/read | 获取订阅操作结果。 |
Microsoft.Resources/subscriptions/read | 获取订阅的列表。 |
Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | “获取 ResourceGuard 代理”操作获取表示类型为“ResourceGuard 代理”的 Azure 资源的对象 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | “创建 ResourceGuard 代理”操作创建类型为“ResourceGuard 代理”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | “删除 ResourceGuard 代理”操作删除类型为“ResourceGuard 代理”的指定 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | “解锁删除 ResourceGuard 代理”操作解锁下一删除关键操作 |
Microsoft.DataProtection/subscriptions/providers/resourceGuards/read | 获取订阅中的 ResourceGuard 的列表 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | 获取 ResourceGuard 默认操作请求信息 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard ",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/read",
"Microsoft.DataProtection/*/resourceGuards/write",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read",
"Microsoft.Authorization/*/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.DataProtection/subscriptions/providers/resourceGuards/read",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
运营商多用户管理备份
备份多用户授权。 允許使用者執行受資源保護保護的關鍵操作
操作 | 说明 |
---|---|
Microsoft.DataProtection/*/action | |
Microsoft.DataProtectio/*/read | |
Microsoft.Authorization/*/read | 读取角色和角色分配 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/action",
"Microsoft.DataProtection/*/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份操作员
允许管理备份服务,但删除备份、创建保管库以及授予其他人访问权限除外
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Network/virtualNetworks/read | 获取虚拟网络定义 |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | 返回操作状态 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | 获取对保护容器执行的操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | 对受保护的项执行备份。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | 获取对受保护项执行的操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | 返回对受保护项执行的操作的状态。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | 预配受保护项的即时项恢复 |
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | 获取跨区域还原所需的 AccessToken。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | 获取受保护项的恢复点。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | 还原受保护项的恢复点。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | 吊销受保护项的即时项恢复 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | 创建备份受保护项 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | 返回所有已注册的容器 |
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | 刷新容器列表 |
Microsoft.RecoveryServices/Vaults/backupJobs/* | 创建和管理备份作业 |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业 |
Microsoft.RecoveryServices/Vaults/backupOperationResults/* | 创建和管理备份管理操作的结果 |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | 获取策略操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略 |
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | 创建和管理可以备份的项 |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | 返回所有受保护项的列表。 |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | 返回属于订阅的所有容器 |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。 |
Microsoft.RecoveryServices/Vaults/certificates/write | “更新资源证书”操作更新资源/保管库凭据证书。 |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息 |
Microsoft.RecoveryServices/Vaults/extendedInformation/write | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息 |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。 |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | “获取容器”操作可用于获取针对资源注册的容器。 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/write | “注册服务容器”操作可用于向恢复服务注册容器。 |
Microsoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | 验证对受保护项的操作 |
Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | 验证对受保护项的操作 |
Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | 验证对受保护项的操作 |
Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | 验证对受保护项的操作 |
Microsoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。 |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | 获取策略操作的状态。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | 创建已注册的容器 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | 在容器内进行工作负荷的查询 |
Microsoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | 创建备份保护意向 |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | 获取备份保护意向 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | 获取所有可保护的容器 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | 获取容器中的所有项 |
Microsoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能 |
Microsoft.RecoveryServices/locations/backupAadProperties/read | 获取用于在第三区域进行身份验证的 AAD 属性,以便进行跨区域还原。 |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | 列出恢复服务保管库的次要区域中的跨区域还原作业。 |
Microsoft.RecoveryServices/locations/backupCrrJob/action | 获取恢复服务保管库的次要区域中的跨区域还原作业详细信息。 |
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | 触发跨区域还原。 |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | 返回恢复服务保管库的 CRR 操作结果。 |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | 返回恢复服务保管库的 CRR 操作状态。 |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。 |
Microsoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态 |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向 |
Microsoft.Support/* | 创建和更新支持票证 |
Microsoft.DataProtection/backupVaults/backupInstances/read | 返回所有备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/read | 返回所有备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/backupVaults/backupInstances/write | 创建备份实例 |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | 列出备份保管库中软删除的备份实例。 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回全部恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回全部恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | 查找可还原的时间范围 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/operationResults/read | 获取备份保管库的修补操作的操作结果 |
Microsoft.DataProtection/backupVaults/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/locations/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/locations/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.DataProtection/backupVaults/validateForBackup/action | 验证是否已对备份实例执行备份 |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | 对备份实例执行备份 |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | 验证是否已对备份实例执行还原 |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | 触发对备份实例的还原操作 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | 在给定的备份实例上触发跨区域还原操作。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | 对跨区域还原操作执行验证。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | 列出次要区域中备份实例的跨区域还原作业。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | 从次要区域获取跨区域还原作业详细信息。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | 从次要区域返回已启用跨区域还原的备份保管库的恢复点。 |
Microsoft.DataProtection/locations/checkFeatureSupport/action | 验证功能是否受支持 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete | “删除 ResourceGuard 代理”操作删除类型为“ResourceGuard 代理”的指定 Azure 资源 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read | 获取资源的 ResourceGuard 代理列表 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action | “解锁删除 ResourceGuard 代理”操作解锁下一删除关键操作 |
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write | “创建 ResourceGuard 代理”操作创建类型为“ResourceGuard 代理”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read | “获取 ResourceGuard 代理”操作获取表示类型为“ResourceGuard 代理”的 Azure 资源的对象 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write | “创建 ResourceGuard 代理”操作创建类型为“ResourceGuard 代理”的 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete | “删除 ResourceGuard 代理”操作删除类型为“ResourceGuard 代理”的指定 Azure 资源 |
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action | “解锁删除 ResourceGuard 代理”操作解锁下一删除关键操作 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
备份读取器
可以查看备份服务,但是不能进行更改
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp 是服务使用的内部操作 |
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | 返回操作状态 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | 获取对保护容器执行的操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | 获取对受保护项执行的操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | 返回对受保护项执行的操作的状态。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 返回受保护项的对象详细信息 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | 获取受保护项的恢复点。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | 返回所有已注册的容器 |
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | 返回作业操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupJobs/read | 返回所有作业对象 |
Microsoft.RecoveryServices/Vaults/backupJobsExport/action | 导出作业 |
Microsoft.RecoveryServices/Vaults/backupOperationResults/read | 返回恢复服务保管库的备份操作结果。 |
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | 获取策略操作的结果。 |
Microsoft.RecoveryServices/Vaults/backupPolicies/read | 返回所有保护策略 |
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | 返回所有受保护项的列表。 |
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | 返回属于订阅的所有容器 |
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | 返回恢复服务的受保护项和受保护服务器的摘要。 |
Microsoft.RecoveryServices/Vaults/extendedInformation/read | “获取扩展信息”操作获取表示“vault”类型的 Azure 资源的对象扩展信息 |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | 获取恢复服务保管库的警报。 |
Microsoft.RecoveryServices/Vaults/read | “获取保管库”操作获取表示“vault”类型的 Azure 资源的对象 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | “获取操作结果”操作可用于获取异步提交的操作的操作状态和结果 |
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | “获取容器”操作可用于获取针对资源注册的容器。 |
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | 返回恢复服务保管库的存储配置。 |
Microsoft.RecoveryServices/Vaults/backupconfig/read | 返回恢复服务保管库的配置。 |
Microsoft.RecoveryServices/Vaults/backupOperations/read | 返回恢复服务保管库的备份操作状态。 |
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | 获取策略操作的状态。 |
Microsoft.RecoveryServices/Vaults/backupEngines/read | 返回使用保管库注册的所有备份管理服务器。 |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | 获取备份保护意向 |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | 获取容器中的所有项 |
Microsoft.RecoveryServices/locations/backupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | 解决警报。 |
Microsoft.RecoveryServices/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.RecoveryServices/locations/operationStatus/read | 获取给定操作的操作状态 |
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | 列出所有备份保护意向 |
Microsoft.RecoveryServices/Vaults/usages/read | 返回恢复服务保管库的使用情况详细信息。 |
Microsoft.RecoveryServices/locations/backupValidateFeatures/action | 验证功能 |
Microsoft.RecoveryServices/locations/backupCrrJobs/action | 列出恢复服务保管库的次要区域中的跨区域还原作业。 |
Microsoft.RecoveryServices/locations/backupCrrJob/action | 获取恢复服务保管库的次要区域中的跨区域还原作业详细信息。 |
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | 返回恢复服务保管库的 CRR 操作结果。 |
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | 返回恢复服务保管库的 CRR 操作状态。 |
Microsoft.DataProtection/locations/getBackupStatus/action | 检查恢复服务保管库的备份状态 |
Microsoft.DataProtection/backupVaults/backupInstances/write | 创建备份实例 |
Microsoft.DataProtection/backupVaults/backupInstances/read | 返回所有备份实例 |
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | 列出备份保管库中软删除的备份实例。 |
Microsoft.DataProtection/backupVaults/backupInstances/backup/action | 对备份实例执行备份 |
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | 验证是否已对备份实例执行还原 |
Microsoft.DataProtection/backupVaults/backupInstances/restore/action | 触发对备份实例的还原操作 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupPolicies/read | 返回所有备份策略 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回全部恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | 返回所有恢复点 |
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | 查找可还原的时间范围 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/operationResults/read | 获取备份保管库的修补操作的操作结果 |
Microsoft.DataProtection/backupVaults/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/backupVaults/read | 获取资源组中备份保管库的列表 |
Microsoft.DataProtection/locations/operationStatus/read | 返回备份保管库的备份操作状态。 |
Microsoft.DataProtection/locations/operationResults/read | 返回备份保管库的备份操作结果。 |
Microsoft.DataProtection/backupVaults/validateForBackup/action | 验证是否已对备份实例执行备份 |
Microsoft.DataProtection/operations/read | 操作返回资源提供程序的操作列表 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | 列出次要区域中备份实例的跨区域还原作业。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | 从次要区域获取跨区域还原作业详细信息。 |
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | 从次要区域返回已启用跨区域还原的备份保管库的恢复点。 |
Microsoft.DataProtection/locations/checkFeatureSupport/action | 验证功能是否受支持 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典存储帐户参与者
允许管理经典存储帐户,但不允许对其进行访问。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.ClassicStorage/storageAccounts/* | 创建和管理存储帐户 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Support/* | 创建和更新支持票证 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
经典存储帐户密钥操作员服务角色
允许经典存储帐户密钥操作员在经典存储帐户上列出和再生成密钥
操作 | 说明 |
---|---|
Microsoft.ClassicStorage/storageAccounts/listkeys/action | 列出存储帐户的访问密钥。 |
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | 再生成存储帐户的现有访问密钥。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box 参与者
可让你管理 Data Box 服务下的所有内容,但不能向其他人授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Support/* | 创建和更新支持票证 |
Microsoft.Databox/* | |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box 读者
可让你管理 Data Box 服务,但不能创建订单或编辑订单详细信息,以及向其他人授予访问权限。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Databox/*/read | |
Microsoft.Databox/jobs/listsecrets/action | |
Microsoft.Databox/jobs/listcredentials/action | 列出与订单相关的未加密凭据。 |
Microsoft.Databox/locations/availableSkus/action | 此方法返回可用 SKU 列表。 |
Microsoft.Databox/locations/validateInputs/action | 此方法执行所有类型的验证。 |
Microsoft.Databox/locations/regionConfiguration/action | 此方法返回区域的配置。 |
Microsoft.Databox/locations/validateAddress/action | 验证送货地址,并提供备用地址(如有)。 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Support/* | 创建和更新支持票证 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Lake Analytics 开发人员
允许提交、监视和管理自己的作业,但是不允许创建或删除 Data Lake Analytics 帐户。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.BigAnalytics/accounts/* | |
Microsoft.DataLakeAnalytics/accounts/* | |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Support/* | 创建和更新支持票证 |
不操作 | |
Microsoft.BigAnalytics/accounts/Delete | |
Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
Microsoft.BigAnalytics/accounts/Write | |
Microsoft.DataLakeAnalytics/accounts/Delete | 删除 DataLakeAnalytics 帐户。 |
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | 授予取消由其他用户提交的作业的权限。 |
Microsoft.DataLakeAnalytics/accounts/Write | 创建或更新 DataLakeAnalytics 帐户。 |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | 获取或更新 DataLakeAnalytics 帐户的链接 DataLakeStore 帐户。 |
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | 从 DataLakeAnalytics 帐户取消链接 DataLakeStore 帐户。 |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write | 创建或更新 DataLakeAnalytics 帐户的链接存储帐户。 |
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete | 从 DataLakeAnalytics 帐户取消链接存储帐户。 |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write | 创建或更新防火墙规则。 |
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete | 删除防火墙规则。 |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write | 创建或更新计算策略。 |
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | 删除计算策略。 |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Defender for Storage 数据扫描程序
授予读取 blob 和更新索引标记所需的访问权限。 此角色由 Defender for Storage 的数据扫描程序使用。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/read | 返回容器列表 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 blob 或 blob 列表 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | 返回写入 blob 标记的结果 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | 返回读取 blob 标记的结果 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
],
"notDataActions": []
}
],
"roleName": "Defender for Storage Data Scanner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
弹性 SAN 网络管理员
允許存取以在 SAN 資源上建立專用端點以及讀取 SAN 資源
操作 | 说明 |
---|---|
Microsoft.ElasticSan/elasticSans/*/read | |
Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action | |
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write | |
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete | |
Microsoft.ElasticSan/locations/asyncoperations/read | 轮询异步操作的状态。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*/read",
"Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action",
"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write",
"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Network Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
弹性 SAN 所有者
享有对 Azure 弹性 SAN 下所有资源的完全访问权限,包括更改网络安全策略以取消阻止数据路径访问
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.ElasticSan/elasticSans/* | |
Microsoft.ElasticSan/locations/* | |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
"name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
弹性 SAN 读取者
允许控制对 Azure 弹性 SAN 的路径读取访问权限
操作 | 说明 |
---|---|
Microsoft.Authorization/roleAssignments/read | 获取有关角色分配的信息。 |
Microsoft.Authorization/roleDefinitions/read | 获取有关角色定义的信息。 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.ElasticSan/elasticSans/*/read | |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for control path read access to Azure Elastic SAN",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
弹性 SAN 卷组所有者
享有对 Azure 弹性 SAN 中的卷组的完全访问权限,包括更改网络安全策略以取消阻止数据路径访问
操作 | 说明 |
---|---|
Microsoft.Authorization/roleAssignments/read | 获取有关角色分配的信息。 |
Microsoft.Authorization/roleDefinitions/read | 获取有关角色定义的信息。 |
Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
Microsoft.ElasticSan/locations/asyncoperations/read | 轮询异步操作的状态。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
"name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Volume Group Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
读取器和数据访问
允许查看所有内容,但不允许删除或创建存储帐户或包含的资源。 它还允许使用存储帐户密钥对存储帐户中包含的所有数据进行读/写访问。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/listKeys/action | 返回指定存储帐户的访问密钥。 |
Microsoft.Storage/storageAccounts/ListAccountSas/action | 返回指定存储帐户的帐户 SAS 令牌。 |
Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储帐户备份参与者
可在存储帐户上使用 Azure 备份执行备份和还原操作。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Authorization/locks/read | 获取指定范围的锁。 |
Microsoft.Authorization/locks/write | 添加指定范围的锁。 |
Microsoft.Authorization/locks/delete | 删除指定范围的锁。 |
Microsoft.Features/features/read | 获取订阅的功能。 |
Microsoft.Features/providers/features/read | 获取给定资源提供程序中某个订阅的功能。 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/operations/read | 轮询异步操作的状态。 |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | 删除对象复制策略 |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | 列出对象复制策略 |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | 创建或更新对象复制策略 |
Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | 创建对象复制还原点标记 |
Microsoft.Storage/storageAccounts/blobServices/containers/read | 返回容器列表 |
Microsoft.Storage/storageAccounts/blobServices/containers/write | 返回放置 blob 容器的结果 |
Microsoft.Storage/storageAccounts/blobServices/read | 返回 blob 服务属性或统计信息 |
Microsoft.Storage/storageAccounts/blobServices/write | 返回放置 blob 服务属性的结果 |
Microsoft.Storage/storageAccounts/read | 返回存储帐户的列表,或获取指定存储帐户的属性。 |
Microsoft.Storage/storageAccounts/restoreBlobRanges/action | 将 Blob 范围还原到指定时间的状态 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储帐户参与者
允许管理存储帐户。 提供对帐户密钥的访问权限,而帐户密钥可以用来通过共享密钥授权对数据进行访问。
操作 | 说明 |
---|---|
Microsoft.Authorization/*/read | 读取角色和角色分配 |
Microsoft.Insights/alertRules/* | 创建和管理经典指标警报 |
Microsoft.Insights/diagnosticSettings/* | 创建、更新或读取 Analysis Server 的诊断设置 |
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | 将存储帐户或 SQL 数据库等资源加入到子网。 不可发出警报。 |
Microsoft.ResourceHealth/availabilityStatuses/read | 获取指定范围内所有资源的可用性状态 |
Microsoft.Resources/deployments/* | 创建和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 获取或列出资源组。 |
Microsoft.Storage/storageAccounts/* | 创建和管理存储帐户 |
Microsoft.Support/* | 创建和更新支持票证 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储帐户密钥操作员服务角色
允许列出和重新生成存储帐户访问密钥。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/listkeys/action | 返回指定存储帐户的访问密钥。 |
Microsoft.Storage/storageAccounts/regeneratekey/action | 再生成指定存储帐户的访问密钥。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据参与者
读取、写入和删除 Azure 存储容器和 Blob。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/delete | 删除容器。 |
Microsoft.Storage/storageAccounts/blobServices/containers/read | 返回容器或容器列表。 |
Microsoft.Storage/storageAccounts/blobServices/containers/write | 修改容器的元数据或属性。 |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | 删除 Blob。 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 Blob 或 Blob 列表。 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | 写入到 Blob。 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | 将 Blob 从一个路径移到另一个路径 |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | 返回添加 blob 内容的结果 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据所有者
提供对 Azure 存储 Blob 容器和数据的完全访问权限,包括分配 POSIX 访问控制。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/* | 对容器的完全权限。 |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | 对 Blob 的完全权限。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 数据读取者
读取和列出 Azure 存储容器和 Blob。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/blobServices/containers/read | 返回容器或容器列表。 |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | 返回 Blob 或 Blob 列表。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储 Blob 委托者
获取用户委托密钥,该密钥随后可用于为使用 Azure AD 凭据签名的容器或 Blob 创建共享访问签名。 有关详细信息,请参阅创建用户委托 SAS。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 返回 Blob 服务的用户委托密钥。 |
不操作 | |
无 | |
DataActions | |
无 | |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据特权参与者
通过重写现有的 ACL/NTFS 权限,允许读取、写入、删除和修改 Azure 文件共享中文件/目录上的 ACL。 在 Windows 文件服务器上,此角色没有内置的等效角色。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | 返回写入文件或创建文件夹的结果 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | 返回删除文件/文件夹的结果 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | 返回修改文件/文件夹权限的结果 |
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | 读取文件备份语义特权 |
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | 写入文件备份语义特权 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
"name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
"Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据特权读取者
通过重写现有的 ACL/NTFS 权限,允许对 Azure 文件共享中的文件/目录进行读取访问。 在 Windows 文件服务器上,此角色没有内置的等效角色。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表 |
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | 读取文件备份语义特权 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Customer has read access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
"name": "b8eda974-7b85-4f76-af95-65846b26df6d",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享参与者
允许针对 Azure 文件共享中的文件/目录的读取、写入和删除权限。 在 Windows 文件服务器上,此角色没有内置的等效角色。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | 返回写入文件或创建文件夹的结果。 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | 返回删除文件/文件夹的结果。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享提升参与者
允许读取、写入、删除和修改 Azure 文件共享中文件/目录上的 ACL。 此角色等效于 Windows 文件服务器上更改的文件共享 ACL。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | 返回写入文件或创建文件夹的结果。 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | 返回删除文件/文件夹的结果。 |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | 返回修改文件/文件夹权限的结果。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储文件数据 SMB 共享读取者
允许针对 Azure 文件共享中的文件/目录的读取权限。 此角色等效于 Windows 文件服务器上的文件共享读取 ACL。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | 返回某个文件/文件夹,或文件/文件夹列表。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据参与者
读取、写入和删除 Azure 存储队列和队列消息。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/queueServices/queues/delete | 删除队列。 |
Microsoft.Storage/storageAccounts/queueServices/queues/read | 返回队列或队列列表。 |
Microsoft.Storage/storageAccounts/queueServices/queues/write | 修改队列元数据或属性。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | 从队列中删除一个或多个消息。 |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视或检索队列中的一个或多个消息。 |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | 向队列添加消息。 |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | 返回处理消息的结果 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据消息处理器
速览、检索和删除 Azure 存储队列中的消息。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视消息。 |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | 检索和删除消息。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据消息发送者
将消息添加到 Azure 存储队列。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
无 | |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | 向队列添加消息。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储队列数据读取者
读取并列出 Azure 存储队列和队列消息。 若要了解给定数据操作所需的操作,请参阅调用数据操作的权限。
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/queueServices/queues/read | 返回队列或队列列表。 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | 扫视或检索队列中的一个或多个消息。 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储表数据参与者
用于对 Azure 存储表和实体进行读取、写入和删除访问
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/tableServices/tables/read | 查询表 |
Microsoft.Storage/storageAccounts/tableServices/tables/write | 创建表 |
Microsoft.Storage/storageAccounts/tableServices/tables/delete | 删除表 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | 查询表实体 |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | 插入、合并或替换表实体 |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | 删除表实体 |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | 插入表实体 |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | 合并或更新表实体 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
存储表数据读取者
用于对 Azure 存储表和实体进行读取访问
操作 | 说明 |
---|---|
Microsoft.Storage/storageAccounts/tableServices/tables/read | 查询表 |
不操作 | |
无 | |
DataActions | |
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | 查询表实体 |
NotDataActions | |
无 |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}