適用於安全性的 Azure 內建角色
本文列出安全性類別中的 Azure 內建角色。
應用程式合規性自動化系統管理員
建立、讀取、下載、修改和刪除報告物件和其他相關資源物件。
動作 | 描述 |
---|---|
Microsoft.AppComplianceAutomation/* | |
Microsoft.Storage/storageAccounts/blobServices/write | 傳回放置 Blob 服務屬性的結果 |
Microsoft.Storage/storageAccounts/fileservices/write | 放置檔案服務屬性 |
Microsoft.Storage/storageAccounts/listKeys/action | 傳回指定儲存體帳戶的存取金鑰。 |
Microsoft.Storage/storageAccounts/write | 使用指定參數來建立儲存體帳戶、更新指定儲存體帳戶的屬性或標記,或新增指定儲存體帳戶的自訂網域。 |
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | 傳回 Blob 服務的使用者委派金鑰 |
Microsoft.Storage/storageAccounts/read | 傳回儲存體帳戶的清單,或取得指定之儲存體帳戶的屬性。 |
Microsoft.Storage/storageAccounts/blobServices/containers/read | 傳回容器清單 |
Microsoft.Storage/storageAccounts/blobServices/containers/write | 傳回放置 Blob 容器的結果 |
Microsoft.Storage/storageAccounts/blobServices/read | 傳回 Blob 服務屬性或統計數據 |
Microsoft.PolicyInsights/policyStates/queryResults/action | 查詢原則狀態的相關信息。 |
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action | 觸發所選範圍的新合規性評估。 |
Microsoft.Resources/resources/read | 根據篩選取得資源清單。 |
Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Resources/subscriptions/resourceGroups/resources/read | 取得資源群組的資源。 |
Microsoft.Resources/subscriptions/resources/read | 取得訂用帳戶的資源。 |
Microsoft.Resources/subscriptions/resourceGroups/delete | 刪除資源群組及其所有資源。 |
Microsoft.Resources/subscriptions/resourceGroups/write | 建立或更新資源群組。 |
Microsoft.Resources/tags/read | 取得資源上的所有標記。 |
Microsoft.Resources/deployments/validate/action | 驗證部署。 |
Microsoft.Security/automations/read | 取得範圍的自動化 |
Microsoft.Resources/deployments/write | 建立或更新部署。 |
Microsoft.Security/automations/delete | 刪除範圍的自動化 |
Microsoft.Security/automations/write | 建立或更新範圍的自動化 |
Microsoft.Security/register/action | 註冊 Azure 資訊安全中心 的訂用帳戶 |
Microsoft.Security/unregister/action | 從 Azure 資訊安全中心 取消註冊訂用帳戶 |
*/read | 讀取除了秘密以外的所有類型的資源。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, download, modify and delete reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
"name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
"permissions": [
{
"actions": [
"Microsoft.AppComplianceAutomation/*",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/fileservices/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.PolicyInsights/policyStates/queryResults/action",
"Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Security/automations/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Security/automations/delete",
"Microsoft.Security/automations/write",
"Microsoft.Security/register/action",
"Microsoft.Security/unregister/action",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
應用程式合規性自動化讀取者
讀取、下載報告物件和其他相關資源物件。
動作 | 描述 |
---|---|
*/read | 讀取除了秘密以外的所有類型的資源。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read, download the reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
證明參與者
可讀取、寫入或刪除證明提供者執行個體
動作 | 描述 |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | 取得證明服務狀態。 |
Microsoft.Attestation/attestationProviders/attestation/write | 新增證明服務。 |
Microsoft.Attestation/attestationProviders/attestation/delete | 拿掉證明服務。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider instance",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
證明讀取者
可讀取證明提供者屬性
動作 | 描述 |
---|---|
Microsoft.Attestation/attestationProviders/attestation/read | 取得證明服務狀態。 |
Microsoft.Attestation/attestationProviders/read | 取得證明服務狀態。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 系統管理員
可在金鑰保存庫和其中的所有物件上執行所有資料平面作業,包括憑證、金鑰和祕密。 無法管理金鑰保存庫資源或管理角色指派。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/checkNameAvailability/read | 檢查金鑰保存庫名稱是否有效且未使用中 |
Microsoft.KeyVault/deletedVaults/read | 檢視虛刪除金鑰保存庫的屬性 |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | 列出 Microsoft.KeyVault 資源提供者上可用的作業 |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
金鑰保存庫憑證使用者
讀取憑證內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/certificates/read | 列出指定之金鑰保存庫中的憑證,或取得憑證的相關信息。 |
Microsoft.KeyVault/vaults/secrets/getSecret/action | 取得密碼的值。 |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | 列出或檢視秘密的屬性,但不是其值。 |
Microsoft.KeyVault/vaults/keys/read | 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificates/read",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificate User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 憑證員
可對金鑰保存庫的憑證執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/checkNameAvailability/read | 檢查金鑰保存庫名稱是否有效且未使用中 |
Microsoft.KeyVault/deletedVaults/read | 檢視虛刪除金鑰保存庫的屬性 |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | 列出 Microsoft.KeyVault 資源提供者上可用的作業 |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/certificatecas/* | |
Microsoft.KeyVault/vaults/certificates/* | |
Microsoft.KeyVault/vaults/certificatecontacts/write | 管理憑證聯繫人 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/certificatecontacts/write"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 參與者
管理金鑰保存庫,但不允許您在 Azure RBAC 中指派角色,也不允許您存取秘密、金鑰或憑證。
重要
使用存取原則許可權模型時,具有Contributor
、 Key Vault Contributor
或任何其他角色的使用者,包含Microsoft.KeyVault/vaults/write
密鑰保存庫管理平面許可權的使用者可以藉由設定 金鑰保存庫 存取原則來授與自己數據平面存取權。 若要防止未經授權的密鑰保存庫、金鑰、秘密和憑證存取和管理,請務必限制存取原則許可權模型中密鑰保存庫的參與者角色存取權。 若要降低此風險,建議您使用角色型 存取控制 (RBAC) 許可權模型,以將許可權管理限制為「擁有者」和「使用者存取系統管理員」角色,以明確區分安全性作業與系統管理職責。 如需詳細資訊,請參閱 金鑰保存庫 RBAC 指南和什麼是 Azure RBAC?
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.KeyVault/* | |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
Microsoft.KeyVault/locations/deletedVaults/purge/action | 清除虛刪除的 Key Vault |
Microsoft.KeyVault/hsmPools/* | |
Microsoft.KeyVault/managedHsms/* | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 密碼編譯員
可對金鑰保存庫的金鑰執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/checkNameAvailability/read | 檢查金鑰保存庫名稱是否有效且未使用中 |
Microsoft.KeyVault/deletedVaults/read | 檢視虛刪除金鑰保存庫的屬性 |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | 列出 Microsoft.KeyVault 資源提供者上可用的作業 |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/* | |
Microsoft.KeyVault/vaults/keyrotationpolicies/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 密碼編譯服務加密使用者
可讀取金鑰的中繼資料,並執行包裝/解除包裝作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.EventGrid/eventSubscriptions/write | 建立或更新 eventSubscription |
Microsoft.EventGrid/eventSubscriptions/read | 讀取 eventSubscription |
Microsoft.EventGrid/eventSubscriptions/delete | 刪除 eventSubscription |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。 |
Microsoft.KeyVault/vaults/keys/wrap/action | 使用 金鑰保存庫 金鑰包裝對稱金鑰。 請注意,如果 金鑰保存庫 密鑰非對稱,則具有讀取許可權的主體可以執行這項作業。 |
Microsoft.KeyVault/vaults/keys/unwrap/action | 使用 金鑰保存庫 金鑰解除包裝對稱金鑰。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 密碼編譯服務發行使用者
發行金鑰。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/release/action | 從證明令牌使用KEK的公開部分來釋放金鑰。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/release/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Release User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 密碼編譯使用者
使用金鑰執行密碼編譯作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/keys/read | 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。 |
Microsoft.KeyVault/vaults/keys/update/action | 更新與指定索引鍵相關聯的指定屬性。 |
Microsoft.KeyVault/vaults/keys/backup/action | 建立金鑰的備份檔案。 檔案可用來還原相同訂用帳戶 金鑰保存庫 中的金鑰。 可能適用限制。 |
Microsoft.KeyVault/vaults/keys/encrypt/action | 使用金鑰加密純文字。 請注意,如果密鑰非對稱,則此作業可由具有讀取許可權的主體執行。 |
Microsoft.KeyVault/vaults/keys/decrypt/action | 使用金鑰解密加密文字。 |
Microsoft.KeyVault/vaults/keys/wrap/action | 使用 金鑰保存庫 金鑰包裝對稱金鑰。 請注意,如果 金鑰保存庫 金鑰非對稱,則此作業可由具有讀取存取權的主體執行。 |
Microsoft.KeyVault/vaults/keys/unwrap/action | 使用 金鑰保存庫 金鑰解除包裝對稱金鑰。 |
Microsoft.KeyVault/vaults/keys/sign/action | 使用索引鍵簽署訊息摘要(哈希)。 |
Microsoft.KeyVault/vaults/keys/verify/action | 使用金鑰驗證訊息摘要 (hash) 的簽章。 請注意,如果密鑰非對稱,則此作業可由具有讀取許可權的主體執行。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 資料存取系統管理員
新增或移除 Key Vault 系統管理員、Key Vault 憑證人員、Key Vault 密碼編譯人員、Key Vault 密碼編譯服務加密使用者、Key Vault 密碼編譯使用者、Key Vault 讀者、Key Vault 祕密人員或 Key Vault 祕密使用者角色的角色指派,來管理 Azure Key Vault 的存取權。 包含用來限制角色指派的 ABAC 條件。
動作 | 描述 |
---|---|
Microsoft.Authorization/roleAssignments/write | 建立指定範圍的角色指派。 |
Microsoft.Authorization/roleAssignments/delete | 刪除指定範圍內的角色指派。 |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/vaults/*/read | |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none | |
Condition | |
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7,4633458b-17de-408a-b874-0445c86b69e6})) | 新增或移除下列角色的角色指派: Key Vault 管理員 Key Vault 憑證長 Key Vault 密碼編譯長 Key Vault 密碼編譯服務加密使用者 Key Vault 密碼編譯使用者 Key Vault 讀取器 Key Vault 祕密長 Key Vault 祕密使用者 |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
"name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/vaults/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
}
],
"roleName": "Key Vault Data Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 讀者
可讀取金鑰保存庫的中繼資料及其憑證、金鑰和祕密。 無法讀取敏感值,例如秘密內容或金鑰內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/checkNameAvailability/read | 檢查金鑰保存庫名稱是否有效且未使用中 |
Microsoft.KeyVault/deletedVaults/read | 檢視虛刪除金鑰保存庫的屬性 |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | 列出 Microsoft.KeyVault 資源提供者上可用的作業 |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | 列出或檢視秘密的屬性,但不是其值。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 祕密員
可對金鑰保存庫的祕密執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
Microsoft.KeyVault/checkNameAvailability/read | 檢查金鑰保存庫名稱是否有效且未使用中 |
Microsoft.KeyVault/deletedVaults/read | 檢視虛刪除金鑰保存庫的屬性 |
Microsoft.KeyVault/locations/*/read | |
Microsoft.KeyVault/vaults/*/read | |
Microsoft.KeyVault/operations/read | 列出 Microsoft.KeyVault 資源提供者上可用的作業 |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/* | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault 祕密使用者
可讀取秘密內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。
動作 | 描述 |
---|---|
none | |
NotActions | |
none | |
DataActions | |
Microsoft.KeyVault/vaults/secrets/getSecret/action | 取得密碼的值。 |
Microsoft.KeyVault/vaults/secrets/readMetadata/action | 列出或檢視秘密的屬性,但不是其值。 |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
受控 HSM 參與者
可讓您管理受控 HSM 集區,但無法加以存取。
動作 | 描述 |
---|---|
Microsoft.KeyVault/managedHSMs/* | |
Microsoft.KeyVault/deletedManagedHsms/read | 檢視已刪除受控 hsm 的屬性 |
Microsoft.KeyVault/locations/deletedManagedHsms/read | 檢視已刪除受控 hsm 的屬性 |
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | 清除虛刪除的受控 hsm |
Microsoft.KeyVault/locations/managedHsmOperationResults/read | 檢查長時間執行作業的結果 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel 自動化參與者
Microsoft Sentinel 自動化參與者
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Logic/workflows/triggers/read | 讀取觸發程式。 |
Microsoft.Logic/workflows/triggers/listCallbackUrl/action | 取得觸發程式的回呼 URL。 |
Microsoft.Logic/workflows/runs/read | 讀取工作流程執行。 |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | 列出 Web Apps Hostruntime 工作流程觸發程式。 |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | 取得 Web Apps Hostruntime 工作流程觸發程式 URI。 |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | 列出 Web Apps Hostruntime 工作流程執行。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel 參與者
Microsoft Sentinel 參與者
動作 | 描述 |
---|---|
Microsoft.SecurityInsights/* | |
Microsoft.OperationalInsights/workspaces/analytics/query/action | 使用新引擎進行搜尋。 |
Microsoft.OperationalInsights/workspaces/*/read | 檢視記錄分析數據 |
Microsoft.OperationalInsights/workspaces/savedSearches/* | |
Microsoft.OperationsManagement/solutions/read | 取得現有的 OMS 解決方案 |
Microsoft.OperationalInsights/workspaces/query/read | 對工作區中的數據執行查詢 |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | 取得工作區底下的數據源。 |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/* | |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel 劇本操作員
Microsoft Sentinel 劇本操作員
動作 | 描述 |
---|---|
Microsoft.Logic/workflows/read | 讀取工作流程。 |
Microsoft.Logic/workflows/triggers/listCallbackUrl/action | 取得觸發程式的回呼 URL。 |
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | 取得 Web Apps Hostruntime 工作流程觸發程式 URI。 |
Microsoft.Web/sites/read | 取得 Web 應用程式的屬性 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Playbook Operator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
"name": "51d6186e-6489-4900-b93f-92e23144cca5",
"permissions": [
{
"actions": [
"Microsoft.Logic/workflows/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Playbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel 讀者
Microsoft Sentinel 讀者
動作 | 描述 |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | 檢查使用者授權和授權 |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | 查詢威脅情報指標 |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | 查詢威脅情報指標 |
Microsoft.OperationalInsights/workspaces/analytics/query/action | 使用新引擎進行搜尋。 |
Microsoft.OperationalInsights/workspaces/*/read | 檢視記錄分析數據 |
Microsoft.OperationalInsights/workspaces/LinkedServices/read | 取得指定工作區底下的連結服務。 |
Microsoft.OperationalInsights/workspaces/savedSearches/read | 取得已儲存的搜尋查詢。 |
Microsoft.OperationsManagement/solutions/read | 取得現有的 OMS 解決方案 |
Microsoft.OperationalInsights/workspaces/query/read | 對工作區中的數據執行查詢 |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | 取得工作區底下的數據源。 |
Microsoft.Insights/workbooks/read | 讀取活頁簿 |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Resources/templateSpecs/*/read | 取得或列出範本規格和範本規格版本 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/templateSpecs/*/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel 回應程式
Microsoft Sentinel 回應程式
動作 | 描述 |
---|---|
Microsoft.SecurityInsights/*/read | |
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | 檢查使用者授權和授權 |
Microsoft.SecurityInsights/automationRules/* | |
Microsoft.SecurityInsights/cases/* | |
Microsoft.SecurityInsights/incidents/* | |
Microsoft.SecurityInsights/entities/runPlaybook/action | 在實體上執行劇本 |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | 將標籤附加至威脅情報指標 |
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | 查詢威脅情報指標 |
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action | 大量標記威脅情報 |
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | 將標籤附加至威脅情報指標 |
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action | 取代威脅情報指標的標記 |
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | 查詢威脅情報指標 |
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action | 復原動作 |
Microsoft.OperationalInsights/workspaces/analytics/query/action | 使用新引擎進行搜尋。 |
Microsoft.OperationalInsights/workspaces/*/read | 檢視記錄分析數據 |
Microsoft.OperationalInsights/workspaces/dataSources/read | 取得工作區底下的數據源。 |
Microsoft.OperationalInsights/workspaces/savedSearches/read | 取得已儲存的搜尋查詢。 |
Microsoft.OperationsManagement/solutions/read | 取得現有的 OMS 解決方案 |
Microsoft.OperationalInsights/workspaces/query/read | 對工作區中的數據執行查詢 |
Microsoft.OperationalInsights/workspaces/query/*/read | |
Microsoft.OperationalInsights/workspaces/dataSources/read | 取得工作區底下的數據源。 |
Microsoft.OperationalInsights/querypacks/*/read | |
Microsoft.Insights/workbooks/read | 讀取活頁簿 |
Microsoft.Insights/myworkbooks/read | |
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
Microsoft.SecurityInsights/cases/*/Delete | |
Microsoft.SecurityInsights/incidents/*/Delete | |
Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/entities/runPlaybook/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete",
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
安全性系統管理員
檢視和更新適用於雲端的 Microsoft Defender 權限。 與安全性讀取者角色相同的權限,也可以更新安全性原則並關閉警示和建議。
如需適用於IoT的 Microsoft Defender,請參閱 適用於OT和企業IoT監視的 Azure 使用者角色。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Authorization/policyAssignments/* | 建立和管理原則指派 |
Microsoft.Authorization/policyDefinitions/* | 建立和管理原則定義 |
Microsoft.Authorization/policyExemptions/* | 建立和管理原則豁免 |
Microsoft.Authorization/policySetDefinitions/* | 建立和管理原則集 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
Microsoft.operationalInsights/workspaces/*/read | 檢視記錄分析數據 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Security/* | 建立和管理安全性元件和原則 |
Microsoft.IoTSecurity/* | |
Microsoft.IoTFirmwareDefense/* | |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
安全性評量參與者
可讓您將評量推送至適用於雲端的 Microsoft Defender
動作 | 描述 |
---|---|
Microsoft.Security/assessments/write | 在您的訂用帳戶上建立或更新安全性評定 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
安全性管理員 (舊版)
這是舊版角色。 請改用安全性系統管理員。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.ClassicCompute/*/read | 讀取設定資訊傳統虛擬機 |
Microsoft.ClassicCompute/virtualMachines/*/write | 為傳統虛擬機撰寫組態 |
Microsoft.ClassicNetwork/*/read | 閱讀傳統網路的組態資訊 |
Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
Microsoft.Resources/deployments/* | 建立和管理部署 |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Security/* | 建立和管理安全性元件和原則 |
Microsoft.Support/* | 建立和更新支援票證 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator instead",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
安全性讀取者
檢視適用於雲端的 Microsoft Defender 權限。 可以檢視建議、警示、安全性原則和安全性狀態,但無法進行變更。
如需適用於IoT的 Microsoft Defender,請參閱 適用於OT和企業IoT監視的 Azure 使用者角色。
動作 | 描述 |
---|---|
Microsoft.Authorization/*/read | 讀取角色和角色指派 |
Microsoft.Insights/alertRules/read | 讀取傳統計量警示 |
Microsoft.operationalInsights/workspaces/*/read | 檢視記錄分析數據 |
Microsoft.Resources/deployments/*/read | |
Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
Microsoft.Security/*/read | 讀取安全性元件和原則 |
Microsoft.IoTSecurity/*/read | |
Microsoft.Support/*/read | |
Microsoft.Security/iotDefenderSettings/packageDownloads/action | 取得可下載的IoT Defender套件資訊 |
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action | 下載具有訂用帳戶配額數據的管理員啟用檔案 |
Microsoft.Security/iotSensors/downloadResetPassword/action | 下載IoT感測器的重設密碼檔案 |
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | 取得可下載的IoT Defender套件資訊 |
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | 下載管理員啟用檔案 |
Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
NotActions | |
none | |
DataActions | |
none | |
NotDataActions | |
none |
{
"assignableScopes": [
"/"
],
"description": "Security Reader Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",
"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}