Create or update Azure custom roles using the REST API

If the Azure built-in roles don't meet the specific needs of your organization, you can create your own custom roles. This article describes how to list, create, update, or delete custom roles using the REST API.

Prerequisites

You must use the following version:

  • 2015-07-01 or later

For more information, see API versions of Azure RBAC REST APIs.

List all custom role definitions

To list all custom role definitions in a tenant, use the Role Definitions - List REST API.

  • The following example lists all custom role definitions in a tenant:

    Request

    GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01
    

    Response

    {
        "value": [
            {
                "properties": {
                    "roleName": "Billing Reader Plus",
                    "type": "CustomRole",
                    "description": "Read billing data and download invoices",
                    "assignableScopes": [
                        "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.Authorization/*/read",
                                "Microsoft.Billing/*/read",
                                "Microsoft.Commerce/*/read",
                                "Microsoft.Consumption/*/read",
                                "Microsoft.Management/managementGroups/read",
                                "Microsoft.CostManagement/*/read",
                                "Microsoft.Billing/invoices/download/action",
                                "Microsoft.CostManagement/exports/*"
                            ],
                            "notActions": [
                                "Microsoft.CostManagement/exports/delete"
                            ],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2021-05-22T21:57:23.5764138Z",
                    "updatedOn": "2021-05-22T21:57:23.5764138Z",
                    "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                    "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
                },
                "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
            }
        ]
    }
    

List all custom role definitions at a scope

To list custom role definitions at a scope, use the Role Definitions - List REST API.

  1. Start with the following request:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={filter}&api-version=2022-04-01
    
  2. Within the URI, replace {scope} with the scope for which you want to list the roles.

    Scope                                                                                                 Type
    subscriptions/{subscriptionId1}                                                                       Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}                                       Resource group
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}/providers/Microsoft.Web/sites/{site1} Resource
    providers/Microsoft.Management/managementGroups/{groupId1}                                            Management group
  3. Replace {filter} with the role type.

    Filter                           Description
    $filter=type+eq+'CustomRole'     Filter based on the CustomRole type

    The following example lists all custom role definitions in a subscription:

    Request

    GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01
    

    Response

    {
        "value": [
            {
                "properties": {
                    "roleName": "Billing Reader Plus",
                    "type": "CustomRole",
                    "description": "Read billing data and download invoices",
                    "assignableScopes": [
                        "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.Authorization/*/read",
                                "Microsoft.Billing/*/read",
                                "Microsoft.Commerce/*/read",
                                "Microsoft.Consumption/*/read",
                                "Microsoft.Management/managementGroups/read",
                                "Microsoft.CostManagement/*/read",
                                "Microsoft.Billing/invoices/download/action",
                                "Microsoft.CostManagement/exports/*"
                            ],
                            "notActions": [
                                "Microsoft.CostManagement/exports/delete"
                            ],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2021-05-22T21:57:23.5764138Z",
                    "updatedOn": "2021-05-22T21:57:23.5764138Z",
                    "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                    "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
                },
                "id": "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
            }
        ]
    }
    

List a custom role definition by name

To get information about a custom role definition by its display name, use the Role Definitions - Get REST API.

  1. Start with the following request:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?$filter={filter}&api-version=2022-04-01
    
  2. Within the URI, replace {scope} with the scope for which you want to list the roles.

    Scope                                                                                                 Type
    subscriptions/{subscriptionId1}                                                                       Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}                                       Resource group
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}/providers/Microsoft.Web/sites/{site1} Resource
    providers/Microsoft.Management/managementGroups/{groupId1}                                            Management group
  3. Replace {filter} with the display name for the role.

    Filter                                      Description
    $filter=roleName+eq+'{roleDisplayName}'     Use the URL-encoded form of the exact display name of the role. For instance, $filter=roleName+eq+'Virtual%20Machine%20Contributor'

    The following example lists a custom role definition named Billing Reader Plus in a subscription:

    Request

    GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName+eq+'Billing Reader Plus'&api-version=2022-04-01
    

    Response

    {
        "value": [
            {
                "properties": {
                    "roleName": "Billing Reader Plus",
                    "type": "CustomRole",
                    "description": "Read billing data and download invoices",
                    "assignableScopes": [
                        "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
                    ],
                    "permissions": [
                        {
                            "actions": [
                                "Microsoft.Authorization/*/read",
                                "Microsoft.Billing/*/read",
                                "Microsoft.Commerce/*/read",
                                "Microsoft.Consumption/*/read",
                                "Microsoft.Management/managementGroups/read",
                                "Microsoft.CostManagement/*/read",
                                "Microsoft.Billing/invoices/download/action",
                                "Microsoft.CostManagement/exports/*"
                            ],
                            "notActions": [
                                "Microsoft.CostManagement/exports/delete"
                            ],
                            "dataActions": [],
                            "notDataActions": []
                        }
                    ],
                    "createdOn": "2021-05-22T21:57:23.5764138Z",
                    "updatedOn": "2021-05-22T21:57:23.5764138Z",
                    "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
                    "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
                },
                "id": "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
                "type": "Microsoft.Authorization/roleDefinitions",
                "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
            }
        ]
    }
    

List a custom role definition by ID

To get information about a custom role definition by its unique identifier, use the Role Definitions - Get REST API.

  1. Use the Role Definitions - List REST API to get the GUID identifier for the role.

  2. Start with the following request:

    GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    
  3. Within the URI, replace {scope} with the scope for which you want to list the roles.

    Scope                                                                                                 Type
    subscriptions/{subscriptionId1}                                                                       Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}                                       Resource group
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}/providers/Microsoft.Web/sites/{site1} Resource
    providers/Microsoft.Management/managementGroups/{groupId1}                                            Management group
  4. Replace {roleDefinitionId} with the GUID identifier of the role definition.

    The following example lists a custom role definition with the identifier 17adabda-4bf1-4f4e-8c97-1f0cab6dea1c in a subscription:

    Request

    GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c?api-version=2022-04-01
    

    Response

    {
        "properties": {
            "roleName": "Billing Reader Plus",
            "type": "CustomRole",
            "description": "Read billing data and download invoices",
            "assignableScopes": [
                "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.Authorization/*/read",
                        "Microsoft.Billing/*/read",
                        "Microsoft.Commerce/*/read",
                        "Microsoft.Consumption/*/read",
                        "Microsoft.Management/managementGroups/read",
                        "Microsoft.CostManagement/*/read",
                        "Microsoft.Billing/invoices/download/action",
                        "Microsoft.CostManagement/exports/*"
                    ],
                    "notActions": [
                        "Microsoft.CostManagement/exports/delete"
                    ],
                    "dataActions": [],
                    "notDataActions": []
                }
            ],
            "createdOn": "2021-05-22T21:57:23.5764138Z",
            "updatedOn": "2021-05-22T21:57:23.5764138Z",
            "createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
            "updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
        },
        "id": "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
        "type": "Microsoft.Authorization/roleDefinitions",
        "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
    }
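The four listing procedures above (tenant-wide, at a scope, by display name, by GUID) differ only in the URI they build and in whether the response is a list (`value` array) or a single object. The following is an added example, not code from this page or from Microsoft: it builds those URIs with the page's api-version, normalizes both response shapes, and runs a small defender-side audit over the returned custom roles. The audit rule (flag any wildcard action that is not limited to `/read`) is my own heuristic, and the sample response is constructed from the page's "Billing Reader Plus" role.

```python
"""Build Role Definitions - List/Get URLs and audit returned custom roles.

Added example, not Microsoft's code. It assumes only the URL shapes and
response fields shown on this page (api-version 2022-04-01); the sample
response below is constructed from the page's "Billing Reader Plus" role.
"""
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
RD_PATH = "providers/Microsoft.Authorization/roleDefinitions"


def role_definitions_url(scope=None, *, role_type=None, role_name=None,
                         role_definition_id=None):
    """GET URL for role definitions at `scope` (None = whole tenant).

    scope examples: "subscriptions/{id}", "subscriptions/{id}/resourceGroups/{rg}",
    "providers/Microsoft.Management/managementGroups/{groupId}".
    At most one selector: role_type (e.g. "CustomRole"), role_name (exact
    display name, URL-encoded here as the page requires) or role_definition_id.
    """
    selectors = [s for s in (role_type, role_name, role_definition_id) if s is not None]
    if len(selectors) > 1:
        raise ValueError("use at most one of role_type, role_name, role_definition_id")
    base = f"{ARM}/{scope.strip('/')}/{RD_PATH}" if scope else f"{ARM}/{RD_PATH}"
    if role_definition_id is not None:
        return f"{base}/{role_definition_id}?api-version={API_VERSION}"
    if role_type is not None:
        return f"{base}?$filter=type+eq+'{role_type}'&api-version={API_VERSION}"
    if role_name is not None:
        return f"{base}?$filter=roleName+eq+'{quote(role_name)}'&api-version={API_VERSION}"
    return f"{base}?api-version={API_VERSION}"


def role_definitions(response_json):
    """Accept a List response ({"value": [...]}) or a Get response (one object)."""
    return list(response_json["value"]) if "value" in response_json else [response_json]


def granted_actions(definition):
    """Union of the control-plane actions across all permission blocks."""
    actions = set()
    for perm in definition["properties"]["permissions"]:
        actions.update(perm.get("actions", []))
    return actions


def is_broad(action):
    """Heuristic (mine, not Azure's): a wildcard not limited to reads deserves review.
    'Microsoft.Billing/*/read' passes; 'Microsoft.CostManagement/exports/*',
    'Microsoft.Support/*' and a bare '*' are flagged. notActions are ignored
    because they only narrow what the actions list grants."""
    return "*" in action and not action.endswith("/read")


def audit_custom_roles(response_json):
    """Map roleName -> sorted broad actions, for entries of type CustomRole only."""
    report = {}
    for d in role_definitions(response_json):
        if d["properties"].get("type") != "CustomRole":
            continue
        broad = sorted(a for a in granted_actions(d) if is_broad(a))
        if broad:
            report[d["properties"]["roleName"]] = broad
    return report


# Constructed sample, trimmed from the page's List response.
SAMPLE_LIST_RESPONSE = {
    "value": [
        {
            "properties": {
                "roleName": "Billing Reader Plus",
                "type": "CustomRole",
                "description": "Read billing data and download invoices",
                "assignableScopes": ["/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"],
                "permissions": [
                    {
                        "actions": [
                            "Microsoft.Authorization/*/read",
                            "Microsoft.CostManagement/*/read",
                            "Microsoft.Billing/invoices/download/action",
                            "Microsoft.CostManagement/exports/*",
                        ],
                        "notActions": ["Microsoft.CostManagement/exports/delete"],
                        "dataActions": [],
                        "notDataActions": [],
                    }
                ],
            },
            "id": "/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
            "type": "Microsoft.Authorization/roleDefinitions",
            "name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c",
        }
    ]
}

if __name__ == "__main__":
    print(role_definitions_url(role_type="CustomRole"))
    print(role_definitions_url("subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15",
                               role_name="Billing Reader Plus"))
    print(audit_custom_roles(SAMPLE_LIST_RESPONSE))
```

Against the constructed sample the audit flags only `Microsoft.CostManagement/exports/*`; the `notActions` entry that excludes `exports/delete` narrows that grant but does not remove the wildcard, which is exactly why a reviewer would still want to see it.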
    

Create a custom role

To create a custom role, use the Role Definitions - Create Or Update REST API. To call this API, you must be signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/write permission on all the assignableScopes. Of the built-in roles, only Owner and User Access Administrator include this permission.

  1. Review the list of resource provider operations that are available to create the permissions for your custom role.

  2. Use a GUID tool to generate a unique identifier that will be used for the custom role identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000

  3. Start with the following request and body:

    PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    
    {
      "name": "{roleDefinitionId}",
      "properties": {
        "roleName": "",
        "description": "",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
    
            ],
            "notActions": [
    
            ]
          }
        ],
        "assignableScopes": [
          "/subscriptions/{subscriptionId1}",
          "/subscriptions/{subscriptionId2}",
          "/subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}",
          "/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroup2}",
          "/providers/Microsoft.Management/managementGroups/{groupId1}"
        ]
      }
    }
    
  4. Within the URI, replace {scope} with the first assignableScopes of the custom role.

    Scope                                                               Type
    subscriptions/{subscriptionId1}                                     Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}     Resource group
    providers/Microsoft.Management/managementGroups/{groupId1}          Management group
  5. Replace {roleDefinitionId} with the GUID identifier of the custom role.

  6. Within the request body, replace {roleDefinitionId} with the GUID identifier.

  7. If assignableScopes is a subscription or resource group, replace the {subscriptionId} or {resourceGroup} instances with your identifiers.

  8. If assignableScopes is a management group, replace the {groupId} instance with your management group identifier.

  9. In the actions property, add the actions that the role allows to be performed.

  10. In the notActions property, add the actions that are excluded from the allowed actions.

  11. In the roleName and description properties, specify a unique role name and a description. For more information about the properties, see Azure custom roles.

    The following shows an example of a request body:

    {
      "name": "88888888-8888-8888-8888-888888888888",
      "properties": {
        "roleName": "Virtual Machine Operator",
        "description": "Can monitor and restart virtual machines.",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/*/read",
              "Microsoft.Network/*/read",
              "Microsoft.Compute/*/read",
              "Microsoft.Compute/virtualMachines/start/action",
              "Microsoft.Compute/virtualMachines/restart/action",
              "Microsoft.Authorization/*/read",
              "Microsoft.ResourceHealth/availabilityStatuses/read",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Insights/alertRules/*",
              "Microsoft.Support/*"
            ],
            "notActions": []
          }
        ],
        "assignableScopes": [
          "/subscriptions/00000000-0000-0000-0000-000000000000",
          "/providers/Microsoft.Management/managementGroups/marketing-group"
        ]
      }
    }
    

Update a custom role

To update a custom role, use the Role Definitions - Create Or Update REST API. To call this API, you must be signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/write permission on all the assignableScopes, such as User Access Administrator.

  1. Use the Role Definitions - List or Role Definitions - Get REST API to get information about the custom role. For more information, see the earlier List all custom role definitions section.

  2. Start with the following request:

    PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    
  3. Within the URI, replace {scope} with the first assignableScopes of the custom role.

    Scope                                                               Type
    subscriptions/{subscriptionId1}                                     Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}     Resource group
    providers/Microsoft.Management/managementGroups/{groupId1}          Management group
  4. Replace {roleDefinitionId} with the GUID identifier of the custom role.

  5. Based on the information about the custom role, create a request body with the following format:

    {
      "name": "{roleDefinitionId}",
      "properties": {
        "roleName": "",
        "description": "",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
    
            ],
            "notActions": [
    
            ]
          }
        ],
        "assignableScopes": [
          "/subscriptions/{subscriptionId1}",
          "/subscriptions/{subscriptionId2}",
          "/subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}",
          "/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroup2}",
          "/providers/Microsoft.Management/managementGroups/{groupId1}"
        ]
      }
    }
    
  6. Update the request body with the changes you want to make to the custom role.

    The following shows an example of a request body with a new diagnostic settings action added:

    {
      "name": "88888888-8888-8888-8888-888888888888",
      "properties": {
        "roleName": "Virtual Machine Operator",
        "description": "Can monitor and restart virtual machines.",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "Microsoft.Storage/*/read",
              "Microsoft.Network/*/read",
              "Microsoft.Compute/*/read",
              "Microsoft.Compute/virtualMachines/start/action",
              "Microsoft.Compute/virtualMachines/restart/action",
              "Microsoft.Authorization/*/read",
              "Microsoft.ResourceHealth/availabilityStatuses/read",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Insights/alertRules/*",
              "Microsoft.Insights/diagnosticSettings/*",
              "Microsoft.Support/*"
            ],
            "notActions": []
          }
        ],
        "assignableScopes": [
          "/subscriptions/00000000-0000-0000-0000-000000000000",
          "/providers/Microsoft.Management/managementGroups/marketing-group"
        ]
      }
    }
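The create and update procedures above share one request: a PUT whose URI scope is the first entry in assignableScopes and whose body carries the complete definition. The following is an added example, not code from this page or from Microsoft. It validates the pieces the steps ask you to fill in (GUID format, non-empty roleName and description, assignable scopes limited to the subscription, resource group and management group forms in the page's table, no action listed in both actions and notActions), builds the PUT URI and body, and turns a Role Definitions - Get response into an update body with actions added or removed. The sample values are the page's "Virtual Machine Operator" role; the refusal to carry over data-plane permissions is my choice, because the page's template covers only actions and notActions.

```python
"""Build and validate PUT bodies for Role Definitions - Create Or Update.

Added example, not Microsoft's code. It follows the request/body template on
this page (api-version 2022-04-01) and assumes the create/update scope table:
assignableScopes may be subscriptions, resource groups or management groups.
"""
import re

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
RD_PATH = "providers/Microsoft.Authorization/roleDefinitions"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
SCOPE_RE = re.compile(
    r"^/(subscriptions/[^/]+(/resourceGroups/[^/]+)?"
    r"|providers/Microsoft\.Management/managementGroups/[^/]+)$"
)


def build_role_definition(role_definition_id, role_name, description,
                          actions, not_actions, assignable_scopes):
    """Return the PUT body for a custom role, or raise ValueError."""
    if not GUID_RE.match(role_definition_id):
        raise ValueError("roleDefinitionId must be a GUID: 00000000-0000-0000-0000-000000000000")
    if not role_name.strip() or not description.strip():
        raise ValueError("roleName and description must be non-empty")
    if not actions:
        raise ValueError("actions must list at least one operation")
    if not assignable_scopes:
        raise ValueError("assignableScopes must contain at least one scope")
    for scope in assignable_scopes:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"unsupported assignable scope: {scope}")
    overlap = set(actions) & set(not_actions)
    if overlap:
        raise ValueError(f"listed in both actions and notActions: {sorted(overlap)}")
    return {
        "name": role_definition_id,
        "properties": {
            "roleName": role_name,
            "description": description,
            "type": "CustomRole",
            "permissions": [{"actions": list(actions), "notActions": list(not_actions)}],
            "assignableScopes": list(assignable_scopes),
        },
    }


def put_request(body):
    """(url, body) for the PUT; the URI scope is the first assignableScope, as the page says."""
    scope = body["properties"]["assignableScopes"][0].strip("/")
    return f"{ARM}/{scope}/{RD_PATH}/{body['name']}?api-version={API_VERSION}", body


def update_body(get_response, add_actions=(), remove_actions=()):
    """Turn a Role Definitions - Get response into a PUT body with changes applied.

    A PUT replaces the whole role, so the body must carry everything that
    should survive, not just the delta. Data-plane permissions are refused
    rather than silently dropped: the page's template does not cover them.
    """
    props = get_response["properties"]
    actions, not_actions = [], []
    for perm in props["permissions"]:
        if perm.get("dataActions") or perm.get("notDataActions"):
            raise ValueError("role has data-plane permissions; handle them explicitly")
        actions += [a for a in perm.get("actions", []) if a not in actions]
        not_actions += [a for a in perm.get("notActions", []) if a not in not_actions]
    actions = [a for a in actions if a not in set(remove_actions)]
    actions += [a for a in add_actions if a not in actions]
    return build_role_definition(get_response["name"], props["roleName"],
                                 props["description"], actions, not_actions,
                                 props["assignableScopes"])


if __name__ == "__main__":
    # Values from the page's "Virtual Machine Operator" example.
    body = build_role_definition(
        "88888888-8888-8888-8888-888888888888",
        "Virtual Machine Operator", "Can monitor and restart virtual machines.",
        ["Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/restart/action"], [],
        ["/subscriptions/00000000-0000-0000-0000-000000000000",
         "/providers/Microsoft.Management/managementGroups/marketing-group"])
    url, _ = put_request(body)
    print(url)
    # Pretend the Get response came back with the same properties, then add an action.
    get_response = {"name": body["name"], "properties": body["properties"]}
    print(update_body(get_response, add_actions=["Microsoft.Insights/diagnosticSettings/*"]))
```

Because the update path goes through the same validator as the create path, an update that would widen assignableScopes to an unsupported scope, or that would leave an action in both lists, fails locally before any request is sent.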
    

Delete a custom role

To delete a custom role, use the Role Definitions - Delete REST API. To call this API, you must be signed in with a user that is assigned a role that has the Microsoft.Authorization/roleDefinitions/delete permission on all the assignableScopes. Of the built-in roles, only Owner and User Access Administrator include this permission.

  1. Remove any role assignments that use the custom role. For more information, see Find role assignments to delete a custom role.

  2. Use the Role Definitions - List or Role Definitions - Get REST API to get the GUID identifier of the custom role. For more information, see the earlier List all custom role definitions section.

  3. Start with the following request:

    DELETE https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}?api-version=2022-04-01
    
  4. Within the URI, replace {scope} with the scope at which you want to delete the custom role.

    Scope                                                               Type
    subscriptions/{subscriptionId1}                                     Subscription
    subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}     Resource group
    providers/Microsoft.Management/managementGroups/{groupId1}          Management group
  5. Replace {roleDefinitionId} with the GUID identifier of the custom role.
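Step 1 above is the one that gets skipped in practice: a role definition that still has assignments pointing at it should not be deleted. The following is an added example, not code from this page or from Microsoft. It builds the DELETE URI from the steps above and refuses to produce it while any assignment still references the role. The assignment shape it relies on (each assignment's `properties.roleDefinitionId` holding the full role definition ID path) is an assumption about Role Assignments - List responses, and the two sample assignments are constructed around the page's "Billing Reader Plus" identifiers.

```python
"""Pre-flight check for Role Definitions - Delete: refuse while assignments exist.

Added example, not Microsoft's code. The page's first delete step is to remove
every role assignment that uses the role; this enforces that check offline.
The assignment shape (properties.roleDefinitionId holding the full definition
ID path) is assumed from Role Assignments - List responses; the samples are
constructed.
"""
ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
RD_PATH = "providers/Microsoft.Authorization/roleDefinitions"


def assignments_using(role_definition_id, assignments):
    """IDs of role assignments whose roleDefinitionId ends with this GUID.

    Compared case-insensitively: ARM resource IDs are not case-normalized.
    """
    suffix = f"/roledefinitions/{role_definition_id.lower()}"
    return [a["id"] for a in assignments
            if a["properties"]["roleDefinitionId"].lower().endswith(suffix)]


def delete_request(scope, role_definition_id, assignments):
    """DELETE URL for the role, or RuntimeError naming the blocking assignments."""
    blocking = assignments_using(role_definition_id, assignments)
    if blocking:
        raise RuntimeError("remove these role assignments first: " + ", ".join(blocking))
    return f"{ARM}/{scope.strip('/')}/{RD_PATH}/{role_definition_id}?api-version={API_VERSION}"


SUB = "/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
ROLE_ID = "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
# Constructed sample: one assignment of the custom role, one of some other role.
SAMPLE_ASSIGNMENTS = [
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
     "properties": {"roleDefinitionId": f"{SUB}/{RD_PATH}/{ROLE_ID.upper()}",
                    "principalId": "cccccccc-0000-0000-0000-000000000001", "scope": SUB}},
    {"id": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002",
     "properties": {"roleDefinitionId": f"{SUB}/{RD_PATH}/bbbbbbbb-0000-0000-0000-000000000002",
                    "principalId": "cccccccc-0000-0000-0000-000000000002", "scope": SUB}},
]

if __name__ == "__main__":
    try:
        delete_request(SUB, ROLE_ID, SAMPLE_ASSIGNMENTS)
    except RuntimeError as err:
        print(err)
    print(delete_request(SUB, ROLE_ID, SAMPLE_ASSIGNMENTS[1:]))
```

The assignments list should be collected at every scope in the role's assignableScopes, not only the scope used in the DELETE URI, since an assignment at a child resource group still references the same definition.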

Next steps