使用角色管理原則來管理每個資源內每個角色的規則
角色管理原則可協助您控管任何角色資格要求或角色指派要求的規則。 例如,您可以設定工作分派作用中的最大持續時間,或甚至允許永久指派。 您可以更新每個指派的通知設定。 您也可以為每個角色啟用設定核准者。
列出資源的角色管理原則
若要列出角色管理原則,您可以使用 角色管理原則 - 範圍 REST API 的清單。 若要精簡您的結果,請指定範圍和選擇性篩選條件。 若要呼叫此 API,您必須有權存取指定範圍內的 Microsoft.Authorization/roleAssignments/read 作業。 所有 內建角色 都會獲得此作業的存取權。
重要
您不需要建立角色管理原則,因為每個資源中的每個角色都有預設原則
從下列要求著手:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01&$filter={filter}在 URI 中,將 {scope} 取代為您想要列出角色管理原則的範圍。
範圍 類型 providers/Microsoft.Management/managementGroups/{mg-name}管理群組 subscriptions/{subscriptionId}訂用帳戶 subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1資源群組 subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1資源 將 {filter} 取代為您要針對角色指派清單篩選套用的條件。
篩選 Description $filter=roleDefinitionId%20eq%20'{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}'列出資源範圍內指定角色定義的角色管理原則。
更新角色管理原則
選擇要更新的規則 () 。 這些是規則的類型 -
規則類型 Description RoleManagementPolicyEnablementRule 啟用 MFA、指派理由或票證資訊 RoleManagementPolicyExpirationRule 指定角色指派或啟用的最大持續時間 RoleManagementPolicyNotificationRule 設定指派、啟用和核准的電子郵件通知設定 RoleManagementPolicyApprovalRule 設定角色啟用的核准設定 RoleManagementPolicyAuthenticationCoNtextRule 設定條件式存取原則的 ACRS 規則 使用下列要求:
PATCH https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleManagementPolicies/{roleManagementPolicyId}?api-version=2020-10-01{ "properties": { "rules": [ { "isExpirationRequired": false, "maximumDuration": "P180D", "id": "Expiration_Admin_Eligibility", "ruleType": "RoleManagementPolicyExpirationRule", "target": { "caller": "Admin", "operations": [ "All" ], "level": "Eligibility", "targetObjects": null, "inheritableSettings": null, "enforcedSettings": null } }, { "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": false, "notificationLevel": "Critical", "notificationRecipients": [ "admin_admin_eligible@test.com" ], "id": "Notification_Admin_Admin_Eligibility", "ruleType": "RoleManagementPolicyNotificationRule", "target": { "caller": "Admin", "operations": [ "All" ], "level": "Eligibility", "targetObjects": null, "inheritableSettings": null, "enforcedSettings": null } }, { "enabledRules": [ "Justification", "MultiFactorAuthentication", "Ticketing" ], "id": "Enablement_EndUser_Assignment", "ruleType": "RoleManagementPolicyEnablementRule", "target": { "caller": "EndUser", "operations": [ "All" ], "level": "Assignment", "targetObjects": null, "inheritableSettings": null, "enforcedSettings": null } }, { "setting": { "isApprovalRequired": true, "isApprovalRequiredForExtension": false, "isRequestorJustificationRequired": true, "approvalMode": "SingleStage", "approvalStages": [ { "approvalStageTimeOutInDays": 1, "isApproverJustificationRequired": true, "escalationTimeInMinutes": 0, "primaryApprovers": [ { "id": "2385b0f3-5fa9-43cf-8ca4-b01dc97298cd", "description": "amansw_new_group", "isBackup": false, "userType": "Group" } ], "isEscalationEnabled": false, "escalationApprovers": null } ] }, "id": "Approval_EndUser_Assignment", "ruleType": "RoleManagementPolicyApprovalRule", "target": { "caller": "EndUser", "operations": [ "All" ], "level": "Assignment", "targetObjects": null, "inheritableSettings": null, "enforcedSettings": null } } ] } }