
[Azure] Managing resources through RBAC


The diagram below shows the architecture of Azure role-based access control. It makes clear that control is applied through three layers:

  1. Security principal: a security principal is an object that represents a user, group, or service principal requesting access to Azure resources.
  2. Role definition: a role definition is a collection of permissions, sometimes simply called a "role". It lists the operations that can be performed, such as read, write, and delete. Azure ships with several built-in roles; if they do not meet the enterprise's needs, you can also create custom roles.
  3. Scope: the scope is the boundary within which the access applies. When assigning a role, you can further restrict the allowed operations by defining the scope.

When we create a role, we follow the same three steps.


For the role definitions Azure provides out of the box, see https://docs.azure.cn/zh-cn/role-based-access-control/built-in-roles to understand the differences between them.


Now that we understand how RBAC works, let us test some enterprise scenarios.

  1. Allow the staff of an outsourced project to operate only on the resources in one resource group; all other resource groups must be invisible to them.
  • The steps for creating the user in AAD are omitted.
  • Assign the newly created user under the resource group's IAM and grant the permission. As can be seen, the user can only operate within this resource group.


  • Log in with that account to verify: if the account tries to create a new resource group in this subscription, the attempt fails.


  2. Create a custom role so that user rbacuser can start, power off, and restart the virtual machines in resource group rbacgroup.
  • List the operations available for the Microsoft.Compute virtual machine resource provider.

```powershell
Get-AzureRMProviderOperation "Microsoft.Compute/virtualMachines/*" | FT OperationName, Operation, Description -AutoSize

OperationName Operation Description
------------- --------- -----------
Get Virtual Machine Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Create or Update Virtual Machine Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates ...
Delete Virtual Machine Microsoft.Compute/virtualMachines/delete Deletes the virtual machine
Start Virtual Machine Microsoft.Compute/virtualMachines/start/action Starts the virtual machine
Power Off Virtual Machine Microsoft.Compute/virtualMachines/powerOff/action Powers off the virtual machine. Note that...
Redeploy Virtual Machine Microsoft.Compute/virtualMachines/redeploy/action Redeploys virtual machine
Restart Virtual Machine Microsoft.Compute/virtualMachines/restart/action Restarts the virtual machine
Deallocate Virtual Machine Microsoft.Compute/virtualMachines/deallocate/action Powers off the virtual machine and releas...
Generalize Virtual Machine Microsoft.Compute/virtualMachines/generalize/action Sets the virtual machine state to General...
Capture Virtual Machine Microsoft.Compute/virtualMachines/capture/action Captures the virtual machine by copying v...
Run Command on Virtual Machine Microsoft.Compute/virtualMachines/runCommand/action Executes a predefined script on the virtu...
Convert Virtual Machine disks to Managed Disks Microsoft.Compute/virtualMachines/convertToManagedDisks/action Converts the blob based disks of the virt...
Perform Maintenance Redeploy Microsoft.Compute/virtualMachines/performMaintenance/action Performs Maintenance Operation on the VM.
Reimage Virtual Machine Microsoft.Compute/virtualMachines/reimage/action Reimages virtual machine which is using d...
Log in to Virtual Machine Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular ...
Log in to Virtual Machine as administrator Microsoft.Compute/virtualMachines/loginAsAdmin/action Log in to a virtual machine with Windows ...
Get Virtual Machine Instance View Microsoft.Compute/virtualMachines/instanceView/read Gets the detailed runtime status of the v...
Lists Available Virtual Machine Sizes Microsoft.Compute/virtualMachines/vmSizes/read Lists available sizes the virtual machine...
Get Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/read Get the properties of a virtual machine e...
Create or Update Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/write Creates a new virtual machine extension o...
Delete Virtual Machine Extension Microsoft.Compute/virtualMachines/extensions/delete Deletes the virtual machine extension
```

  • Prepare the subscription and resource group information.

```powershell
Get-AzureRmSubscription | ft SubscriptionID

SubscriptionId
--------------
Xxxxxx

Get-AzureRmResourceGroup | ft ResourceId
```


  • This solution uses the Virtual Machine Contributor role definition as a template and modifies it.
    • View Virtual Machine Contributor

```powershell
Get-AzureRmRoleDefinition -Name "Virtual Machine Contributor"

Name : Virtual Machine Contributor
Id : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
IsCustom : False
Description : Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
Actions : {Microsoft.Authorization/*/read, Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, Microsoft.Compute/virtualMachines/*...}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}
```

  • Modify Virtual Machine Contributor

```powershell
# Fetch the "Virtual Machine Contributor" definition and use it as the template
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and start stop or restart virtual machines."
$role.Actions.Clear()

# Add read permissions on the surrounding resources
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")

# Add the VM operation permissions
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
$role.Actions.Add("Microsoft.Insights/alertRules/*")

# Add the subscription to the scopes this role can be assigned in
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxx")

# Create the role
New-AzureRmRoleDefinition -Role $role
```

```powershell
Name : Virtual Machine Operator
Id : 55aca895-61dc-4162-b7a6-fbab532d14a2
IsCustom : True
Description : Can monitor and start stop or restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read, Microsoft.Compute/*/read, Microsoft.Compute/virtualMachines/start/action...}
NotActions : {}
AssignableScopes : {/subscriptions/xxxxx}
```

  • Assign rbacuser to the rbacgroup resource group.

```powershell
New-AzureRmRoleAssignment -SignInName [email protected] -Scope /subscriptions/xxxxxx/resourceGroups/rbacgroup -RoleDefinitionName "Virtual Machine Operator"

RoleAssignmentId : /subscriptions/xxxxx/resourceGroups/rbacgroup/providers/Microsoft.Authorization/roleAssignments/336b10d9-4ae7-4832-87a8-7f3d1dccb834
Scope : /subscriptions/xxxxxx/resourceGroups/rbacgroup
DisplayName : RBACUSER
SignInName : [email protected]
RoleDefinitionName : Virtual Machine Operator
RoleDefinitionId : d0b203bd-37e1-4006-871c-8b0330d657f6
ObjectId : 42bfdd38-4d2c-4abb-8b4c-fcf5ab1e7f11
ObjectType : User
CanDelegate : False
```

  • Verify

Only the rbacgroup resource group is visible, and attempting to delete a virtual machine reports that the user has no permission.
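The three-layer model introduced at the top (security principal, role definition, scope) is what produces the verification result above, and it can be checked offline with a small evaluator. The following Python is an added example, not code from the original post or from any Azure SDK: it models Actions/NotActions wildcard matching and scope inheritance the way Azure RBAC applies them, then tests the Virtual Machine Operator role from this page against the same requests (start a VM, delete a VM, look at another resource group, create a resource group at subscription scope). The subscription id and VM name are constructed placeholders, and deny assignments are not modelled.

```python
import re
from dataclasses import dataclass

def matches_operation(pattern: str, operation: str) -> bool:
    # Case-insensitive match; '*' spans '/' too, so Microsoft.Compute/*/read covers nested reads.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def scope_covers(assignment_scope: str, request_scope: str) -> bool:
    # An assignment applies to its own scope and to everything beneath it.
    a, r = assignment_scope.rstrip("/").lower(), request_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

@dataclass
class RoleDefinition:          # layer 2: a role definition is a set of permissions
    name: str
    actions: tuple
    not_actions: tuple = ()
    def permits(self, operation: str) -> bool:
        granted = any(matches_operation(p, operation) for p in self.actions)
        excluded = any(matches_operation(p, operation) for p in self.not_actions)
        return granted and not excluded

@dataclass
class RoleAssignment:          # ties layer 1 (principal) and layer 3 (scope) to a role
    principal: str
    role: RoleDefinition
    scope: str

def is_allowed(assignments, principal, operation, request_scope) -> bool:
    # Union over assignments naming the principal whose scope covers the target (no denies).
    return any(a.principal.lower() == principal.lower()
               and scope_covers(a.scope, request_scope)
               and a.role.permits(operation) for a in assignments)

# The custom role built on this page, with its Actions copied from the script above.
VM_OPERATOR = RoleDefinition("Virtual Machine Operator", (
    "Microsoft.Storage/*/read", "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read", "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/powerOff/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Insights/alertRules/*"))
# Constructed sample scopes: the subscription id and VM name are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RBACGROUP = SUB + "/resourceGroups/rbacgroup"
VM1 = RBACGROUP + "/providers/Microsoft.Compute/virtualMachines/vm1"
ASSIGNMENTS = [RoleAssignment("rbacuser", VM_OPERATOR, RBACGROUP)]
```

Calling `is_allowed(ASSIGNMENTS, "rbacuser", "Microsoft.Compute/virtualMachines/delete", VM1)` returns False while the start/restart/powerOff/deallocate actions return True, which is exactly the behaviour observed in the portal above.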

