共用方式為


適用於安全性的 Azure 內建角色

本文列出安全性類別中的 Azure 內建角色。

應用程式合規性自動化系統管理員

建立、讀取、下載、修改和刪除報告物件和其他相關資源物件。

深入了解

動作 描述
Microsoft.AppComplianceAutomation/*
Microsoft.Storage/storageAccounts/blobServices/write 傳回放置 Blob 服務屬性的結果
Microsoft.Storage/storageAccounts/fileservices/write 放置檔案服務屬性
Microsoft.Storage/storageAccounts/listKeys/action 傳回指定儲存體帳戶的存取金鑰。
Microsoft.Storage/storageAccounts/write 使用指定參數來建立儲存體帳戶、更新指定儲存體帳戶的屬性或標記,或新增指定儲存體帳戶的自訂網域。
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action 傳回 Blob 服務的使用者委派金鑰
Microsoft.Storage/storageAccounts/read 傳回儲存體帳戶的清單,或取得指定之儲存體帳戶的屬性。
Microsoft.Storage/storageAccounts/blobServices/containers/read 傳回容器清單
Microsoft.Storage/storageAccounts/blobServices/containers/write 傳回放置 Blob 容器的結果
Microsoft.Storage/storageAccounts/blobServices/read 傳回 Blob 服務屬性或統計數據
Microsoft.PolicyInsights/policyStates/queryResults/action 查詢原則狀態的相關信息。
Microsoft.PolicyInsights/policyStates/triggerEvaluation/action 觸發所選範圍的新合規性評估。
Microsoft.Resources/resources/read 根據篩選取得資源清單。
Microsoft.Resources/subscriptions/read 取得訂用帳戶的清單。
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Resources/subscriptions/resourceGroups/resources/read 取得資源群組的資源。
Microsoft.Resources/subscriptions/resources/read 取得訂用帳戶的資源。
Microsoft.Resources/subscriptions/resourceGroups/delete 刪除資源群組及其所有資源。
Microsoft.Resources/subscriptions/resourceGroups/write 建立或更新資源群組。
Microsoft.Resources/tags/read 取得資源上的所有標記。
Microsoft.Resources/deployments/validate/action 驗證部署。
Microsoft.Security/automations/read 取得範圍的自動化
Microsoft.Resources/deployments/write 建立或更新部署。
Microsoft.Security/automations/delete 刪除範圍的自動化
Microsoft.Security/automations/write 建立或更新範圍的自動化
Microsoft.Security/register/action 註冊 Azure 資訊安全中心 的訂用帳戶
Microsoft.Security/unregister/action 從 Azure 資訊安全中心 取消註冊訂用帳戶
*/read 讀取除了秘密以外的所有類型的資源。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Create, read, download, modify and delete reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
  "permissions": [
    {
      "actions": [
        "Microsoft.AppComplianceAutomation/*",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/fileservices/write",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.PolicyInsights/policyStates/queryResults/action",
        "Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
        "Microsoft.Resources/resources/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/tags/read",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Security/automations/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Security/automations/delete",
        "Microsoft.Security/automations/write",
        "Microsoft.Security/register/action",
        "Microsoft.Security/unregister/action",
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

應用程式合規性自動化讀取者

讀取、下載報告物件和其他相關資源物件。

深入了解

動作 描述
*/read 讀取除了秘密以外的所有類型的資源。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read, download the reports objects and related other resource objects.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "App Compliance Automation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

證明參與者

可讀取、寫入或刪除證明提供者執行個體

深入了解

動作 描述
Microsoft.Attestation/attestationProviders/attestation/read 取得證明服務狀態。
Microsoft.Attestation/attestationProviders/attestation/write 新增證明服務。
Microsoft.Attestation/attestationProviders/attestation/delete 拿掉證明服務。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read write or delete the attestation provider instance",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

證明讀取者

可讀取證明提供者屬性

深入了解

動作 描述
Microsoft.Attestation/attestationProviders/attestation/read 取得證明服務狀態。
Microsoft.Attestation/attestationProviders/read 取得證明服務狀態。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can read the attestation provider properties",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 系統管理員

可在金鑰保存庫和其中的所有物件上執行所有資料平面作業,包括憑證、金鑰和祕密。 無法管理金鑰保存庫資源或管理角色指派。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read 檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read 檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

金鑰保存庫憑證使用者

讀取憑證內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/certificates/read 列出指定之金鑰保存庫中的憑證,或取得憑證的相關信息。
Microsoft.KeyVault/vaults/secrets/getSecret/action 取得密碼的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或檢視秘密的屬性,但不是其值。
Microsoft.KeyVault/vaults/keys/read 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificates/read",
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        "Microsoft.KeyVault/vaults/keys/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificate User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 憑證員

可對金鑰保存庫的憑證執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read 檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read 檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
Microsoft.KeyVault/vaults/certificatecontacts/write 管理憑證聯繫人
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*",
        "Microsoft.KeyVault/vaults/certificatecontacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 參與者

管理金鑰保存庫,但不允許您在 Azure RBAC 中指派角色,也不允許您存取秘密、金鑰或憑證。

深入了解

重要

使用存取原則許可權模型時,具有ContributorKey Vault Contributor或任何其他角色的使用者,包含Microsoft.KeyVault/vaults/write密鑰保存庫管理平面許可權的使用者可以藉由設定 金鑰保存庫 存取原則來授與自己數據平面存取權。 若要防止未經授權的密鑰保存庫、金鑰、秘密和憑證存取和管理,請務必限制存取原則許可權模型中密鑰保存庫的參與者角色存取權。 若要降低此風險,建議您使用角色型 存取控制 (RBAC) 許可權模型,以將許可權管理限制為「擁有者」和「使用者存取系統管理員」角色,以明確區分安全性作業與系統管理職責。 如需詳細資訊,請參閱 金鑰保存庫 RBAC 指南什麼是 Azure RBAC?

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.KeyVault/*
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
NotActions
Microsoft.KeyVault/locations/deletedVaults/purge/action 清除虛刪除的 Key Vault
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯員

可對金鑰保存庫的金鑰執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read 檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read 檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/*
Microsoft.KeyVault/vaults/keyrotationpolicies/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯服務加密使用者

可讀取金鑰的中繼資料,並執行包裝/解除包裝作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.EventGrid/eventSubscriptions/write 建立或更新 eventSubscription
Microsoft.EventGrid/eventSubscriptions/read 讀取 eventSubscription
Microsoft.EventGrid/eventSubscriptions/delete 刪除 eventSubscription
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。
Microsoft.KeyVault/vaults/keys/wrap/action 使用 金鑰保存庫 金鑰包裝對稱金鑰。 請注意,如果 金鑰保存庫 密鑰非對稱,則具有讀取許可權的主體可以執行這項作業。
Microsoft.KeyVault/vaults/keys/unwrap/action 使用 金鑰保存庫 金鑰解除包裝對稱金鑰。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯服務發行使用者

發行金鑰。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/release/action 從證明令牌使用KEK的公開部分來釋放金鑰。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/release/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Release User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 密碼編譯使用者

使用金鑰執行密碼編譯作業。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/keys/read 列出指定保存庫中的金鑰,或讀取金鑰的屬性和公開數據。 針對非對稱金鑰,此作業會公開公鑰,並包含執行公鑰演演算法的能力,例如加密和驗證簽章。 私鑰和對稱金鑰永遠不會公開。
Microsoft.KeyVault/vaults/keys/update/action 更新與指定索引鍵相關聯的指定屬性。
Microsoft.KeyVault/vaults/keys/backup/action 建立金鑰的備份檔案。 檔案可用來還原相同訂用帳戶 金鑰保存庫 中的金鑰。 可能適用限制。
Microsoft.KeyVault/vaults/keys/encrypt/action 使用金鑰加密純文字。 請注意,如果密鑰非對稱,則此作業可由具有讀取許可權的主體執行。
Microsoft.KeyVault/vaults/keys/decrypt/action 使用金鑰解密加密文字。
Microsoft.KeyVault/vaults/keys/wrap/action 使用 金鑰保存庫 金鑰包裝對稱金鑰。 請注意,如果 金鑰保存庫 金鑰非對稱,則此作業可由具有讀取存取權的主體執行。
Microsoft.KeyVault/vaults/keys/unwrap/action 使用 金鑰保存庫 金鑰解除包裝對稱金鑰。
Microsoft.KeyVault/vaults/keys/sign/action 使用索引鍵簽署訊息摘要(哈希)。
Microsoft.KeyVault/vaults/keys/verify/action 使用金鑰驗證訊息摘要 (hash) 的簽章。 請注意,如果密鑰非對稱,則此作業可由具有讀取許可權的主體執行。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 資料存取系統管理員

新增或移除 Key Vault 系統管理員、Key Vault 憑證人員、Key Vault 密碼編譯人員、Key Vault 密碼編譯服務加密使用者、Key Vault 密碼編譯使用者、Key Vault 讀者、Key Vault 祕密人員或 Key Vault 祕密使用者角色的角色指派,來管理 Azure Key Vault 的存取權。 包含用來限制角色指派的 ABAC 條件。

動作 描述
Microsoft.Authorization/roleAssignments/write 建立指定範圍的角色指派。
Microsoft.Authorization/roleAssignments/delete 刪除指定範圍內的角色指派。
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Resources/subscriptions/read 取得訂用帳戶的清單。
Microsoft.Management/managementGroups/read 列出已驗證使用者的管理群組。
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/vaults/*/read
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7,4633458b-17de-408a-b874-0445c86b69e6})) 新增或移除下列角色的角色指派:
Key Vault 管理員
Key Vault 憑證長
Key Vault 密碼編譯長
Key Vault 密碼編譯服務加密使用者
Key Vault 密碼編譯使用者
Key Vault 讀取器
Key Vault 祕密長
Key Vault 祕密使用者
{
  "assignableScopes": [
    "/"
  ],
  "description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/vaults/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Key Vault Data Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 讀者

可讀取金鑰保存庫的中繼資料及其憑證、金鑰和祕密。 無法讀取敏感值,例如秘密內容或金鑰內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read 檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read 檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或檢視秘密的屬性,但不是其值。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密員

可對金鑰保存庫的祕密執行任何動作,但不能管理權限。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
Microsoft.KeyVault/checkNameAvailability/read 檢查金鑰保存庫名稱是否有效且未使用中
Microsoft.KeyVault/deletedVaults/read 檢視虛刪除金鑰保存庫的屬性
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read 列出 Microsoft.KeyVault 資源提供者上可用的作業
NotActions
none
DataActions
Microsoft.KeyVault/vaults/secrets/*
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault 祕密使用者

可讀取秘密內容。 僅適用於使用「Azure 角色型存取控制」權限模型的金鑰保存庫。

深入了解

動作 描述
none
NotActions
none
DataActions
Microsoft.KeyVault/vaults/secrets/getSecret/action 取得密碼的值。
Microsoft.KeyVault/vaults/secrets/readMetadata/action 列出或檢視秘密的屬性,但不是其值。
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

受控 HSM 參與者

可讓您管理受控 HSM 集區,但無法加以存取。

深入了解

動作 描述
Microsoft.KeyVault/managedHSMs/*
Microsoft.KeyVault/deletedManagedHsms/read 檢視已刪除受控 hsm 的屬性
Microsoft.KeyVault/locations/deletedManagedHsms/read 檢視已刪除受控 hsm 的屬性
Microsoft.KeyVault/locations/deletedManagedHsms/purge/action 清除虛刪除的受控 hsm
Microsoft.KeyVault/locations/managedHsmOperationResults/read 檢查長時間執行作業的結果
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 自動化參與者

Microsoft Sentinel 自動化參與者

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Logic/workflows/triggers/read 讀取觸發程式。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action 取得觸發程式的回呼 URL。
Microsoft.Logic/workflows/runs/read 讀取工作流程執行。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read 列出 Web Apps Hostruntime 工作流程觸發程式。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action 取得 Web Apps Hostruntime 工作流程觸發程式 URI。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read 列出 Web Apps Hostruntime 工作流程執行。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 參與者

Microsoft Sentinel 參與者

深入了解

動作 描述
Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read 檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read 對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 取得工作區底下的數據源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Contributor",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 劇本操作員

Microsoft Sentinel 劇本操作員

深入了解

動作 描述
Microsoft.Logic/workflows/read 讀取工作流程。
Microsoft.Logic/workflows/triggers/listCallbackUrl/action 取得觸發程式的回呼 URL。
Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action 取得 Web Apps Hostruntime 工作流程觸發程式 URI。
Microsoft.Web/sites/read 取得 Web 應用程式的屬性
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Playbook Operator",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
  "name": "51d6186e-6489-4900-b93f-92e23144cca5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Playbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 讀者

Microsoft Sentinel 讀者

深入了解

動作 描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action 檢查使用者授權和授權
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action 查詢威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action 查詢威脅情報指標
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read 檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/LinkedServices/read 取得指定工作區底下的連結服務。
Microsoft.OperationalInsights/workspaces/savedSearches/read 取得已儲存的搜尋查詢。
Microsoft.OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read 對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 取得工作區底下的數據源。
Microsoft.Insights/workbooks/read 讀取活頁簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Resources/templateSpecs/*/read 取得或列出範本規格和範本規格版本
Microsoft.Support/* 建立和更新支援票證
NotActions
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel 回應程式

Microsoft Sentinel 回應程式

深入了解

動作 描述
Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action 檢查使用者授權和授權
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/entities/runPlaybook/action 在實體上執行劇本
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action 將標籤附加至威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action 查詢威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action 大量標記威脅情報
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action 將標籤附加至威脅情報指標
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action 取代威脅情報指標的標記
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action 查詢威脅情報指標
Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action 復原動作
Microsoft.OperationalInsights/workspaces/analytics/query/action 使用新引擎進行搜尋。
Microsoft.OperationalInsights/workspaces/*/read 檢視記錄分析數據
Microsoft.OperationalInsights/workspaces/dataSources/read 取得工作區底下的數據源。
Microsoft.OperationalInsights/workspaces/savedSearches/read 取得已儲存的搜尋查詢。
Microsoft.OperationsManagement/solutions/read 取得現有的 OMS 解決方案
Microsoft.OperationalInsights/workspaces/query/read 對工作區中的數據執行查詢
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read 取得工作區底下的數據源。
Microsoft.OperationalInsights/querypacks/*/read
Microsoft.Insights/workbooks/read 讀取活頁簿
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Support/* 建立和更新支援票證
NotActions
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
Microsoft.SecurityInsights/ConfidentialWatchlists/*
Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft Sentinel Responder",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/entities/runPlaybook/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性系統管理員

檢視和更新適用於雲端的 Microsoft Defender 權限。 與安全性讀取者角色相同的權限,也可以更新安全性原則並關閉警示和建議。

如需適用於IoT的 Microsoft Defender,請參閱 適用於OT和企業IoT監視的 Azure 使用者角色。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Authorization/policyAssignments/* 建立和管理原則指派
Microsoft.Authorization/policyDefinitions/* 建立和管理原則定義
Microsoft.Authorization/policyExemptions/* 建立和管理原則豁免
Microsoft.Authorization/policySetDefinitions/* 建立和管理原則集
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.Management/managementGroups/read 列出已驗證使用者的管理群組。
Microsoft.operationalInsights/workspaces/*/read 檢視記錄分析數據
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Security/* 建立和管理安全性元件和原則
Microsoft.IoTSecurity/*
Microsoft.IoTFirmwareDefense/*
Microsoft.Support/* 建立和更新支援票證
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Admin Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.IoTFirmwareDefense/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性評量參與者

可讓您將評量推送至適用於雲端的 Microsoft Defender

動作 描述
Microsoft.Security/assessments/write 在您的訂用帳戶上建立或更新安全性評定
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you push assessments to Security Center",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性管理員 (舊版)

這是舊版角色。 請改用安全性系統管理員。

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.ClassicCompute/*/read 讀取設定資訊傳統虛擬機
Microsoft.ClassicCompute/virtualMachines/*/write 為傳統虛擬機撰寫組態
Microsoft.ClassicNetwork/*/read 閱讀傳統網路的組態資訊
Microsoft.Insights/alertRules/* 建立和管理傳統計量警示
Microsoft.ResourceHealth/availabilityStatuses/read 取得指定範圍中所有資源的可用性狀態
Microsoft.Resources/deployments/* 建立和管理部署
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Security/* 建立和管理安全性元件和原則
Microsoft.Support/* 建立和更新支援票證
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

安全性讀取者

檢視適用於雲端的 Microsoft Defender 權限。 可以檢視建議、警示、安全性原則和安全性狀態,但無法進行變更。

如需適用於IoT的 Microsoft Defender,請參閱 適用於OT和企業IoT監視的 Azure 使用者角色。

深入了解

動作 描述
Microsoft.Authorization/*/read 讀取角色和角色指派
Microsoft.Insights/alertRules/read 讀取傳統計量警示
Microsoft.operationalInsights/workspaces/*/read 檢視記錄分析數據
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read 取得或列出資源群組。
Microsoft.Security/*/read 讀取安全性元件和原則
Microsoft.IoTSecurity/*/read
Microsoft.Support/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action 取得可下載的IoT Defender套件資訊
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action 下載具有訂用帳戶配額數據的管理員啟用檔案
Microsoft.Security/iotSensors/downloadResetPassword/action 下載IoT感測器的重設密碼檔案
Microsoft.IoTSecurity/defenderSettings/packageDownloads/action 取得可下載的IoT Defender套件資訊
Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action 下載管理員啟用檔案
Microsoft.Management/managementGroups/read 列出已驗證使用者的管理群組。
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Security Reader Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

下一步