
Difference between managing resources vs accessing resources in Azure RBAC

What is the difference between managing resources vs accessing resources in Azure RBAC? If I can manage the resource then definitely I can access them. I am unable to understand the difference. Can someone please provide me the clarity?

If I can manage the resource then definitely I can access them.

Sure you can. Let's take Azure Storage as an example: management can be done by assigning the Storage Account Contributor role. The docs tell us that this role

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

So yes, having management permissions can include having access to the data plane of Azure Resources.

So when assigning roles you need to be careful. Always assign roles based on the principle of least privilege. A DevOps person might need to have the Storage Account Contributor assigned. But a web app that uses a managed identity to read blobs inside the storage account is better off having the Storage Blob Data Reader assigned, so it has no more access than it really needs, preventing the web app from accidentally deleting blobs, for example.

Another example: in my organisation some people have access to certain Azure Monitor logs and metrics. Instead of assigning them management permissions, we assign them the Azure Monitoring Reader role rather than Monitoring Contributor, because we don't want them to modify any settings related to monitoring.

Hope this clears things up regarding the different permission scopes and when to use them.
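The answer's point rests on how Azure RBAC separates control-plane permissions (the role's Actions) from data-plane permissions (its DataActions). The following is an added example, not code from the question or the answer above: a small evaluator that applies Azure's wildcard and scope rules to two built-in role definitions. The role definitions are abridged by hand from the built-in roles, and the principal names, subscription ID, resource IDs and container names are constructed for the demonstration. It shows that Storage Account Contributor can call listkeys (a management action whose result unlocks the whole data plane via Shared Key) and delete the account, yet has no RBAC data-plane permission at all, while Storage Blob Data Reader can read blobs only within the scope it was assigned at and cannot delete them or list keys.

```python
"""Mini Azure RBAC evaluator: control plane (Actions) vs data plane (DataActions).

Added example, not from the original answer. Role definitions are abridged
and hand-constructed from the built-in roles; names and scopes are made up.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list = field(default_factory=list)          # control plane
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)     # data plane
    not_data_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # ARM resource ID the role was assigned at


# Abridged from the built-in role (constructed for this example).
STORAGE_ACCOUNT_CONTRIBUTOR = RoleDefinition(
    name="Storage Account Contributor",
    actions=[
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",  # covers listkeys/action and delete
    ],
    # No DataActions: RBAC never lets this role touch blob data directly.
    # The data-plane reach comes from listkeys + Shared Key authorization.
)

# Abridged from the built-in role (constructed for this example).
STORAGE_BLOB_DATA_READER = RoleDefinition(
    name="Storage Blob Data Reader",
    actions=[
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    data_actions=[
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ],
)


def matches(pattern: str, operation: str) -> bool:
    """Azure wildcard semantics: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def _granted(allow, deny, operation):
    return any(matches(a, operation) for a in allow) and not any(
        matches(d, operation) for d in deny
    )


def is_allowed(assignments, principal, operation, resource, data_plane=False):
    """True if some assignment for `principal` covers `operation` on `resource`.

    Control-plane operations are checked only against Actions/NotActions,
    data-plane operations only against DataActions/NotDataActions. An
    assignment applies when its scope is the resource or an ancestor of it.
    """
    for a in assignments:
        if a.principal != principal:
            continue
        in_scope = resource.lower() == a.scope.lower() or resource.lower().startswith(
            a.scope.lower() + "/"
        )
        if not in_scope:
            continue
        allow, deny = (
            (a.role.data_actions, a.role.not_data_actions)
            if data_plane
            else (a.role.actions, a.role.not_actions)
        )
        if _granted(allow, deny, operation):
            return True
    return False


# Constructed scopes: a storage account and two containers inside it.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/stdemo")
INVOICES = ACCOUNT + "/blobServices/default/containers/invoices"
SECRETS = ACCOUNT + "/blobServices/default/containers/secrets"

ASSIGNMENTS = [
    RoleAssignment("devops-user", STORAGE_ACCOUNT_CONTRIBUTOR, ACCOUNT),   # management
    RoleAssignment("webapp-msi", STORAGE_BLOB_DATA_READER, INVOICES),     # least privilege
]

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
BLOB_DELETE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
ACCOUNT_DELETE = "Microsoft.Storage/storageAccounts/delete"


def demo():
    """Evaluate the decisions discussed in the answer; returns a dict of booleans."""
    return {
        "devops_list_keys": is_allowed(ASSIGNMENTS, "devops-user", LIST_KEYS, ACCOUNT),
        "devops_delete_account": is_allowed(ASSIGNMENTS, "devops-user", ACCOUNT_DELETE, ACCOUNT),
        "devops_blob_read_via_rbac": is_allowed(ASSIGNMENTS, "devops-user", BLOB_READ, INVOICES, data_plane=True),
        "webapp_blob_read_invoices": is_allowed(ASSIGNMENTS, "webapp-msi", BLOB_READ, INVOICES, data_plane=True),
        "webapp_blob_read_secrets": is_allowed(ASSIGNMENTS, "webapp-msi", BLOB_READ, SECRETS, data_plane=True),
        "webapp_blob_delete": is_allowed(ASSIGNMENTS, "webapp-msi", BLOB_DELETE, INVOICES, data_plane=True),
        "webapp_list_keys": is_allowed(ASSIGNMENTS, "webapp-msi", LIST_KEYS, ACCOUNT),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The evaluator deliberately answers False for the DevOps user's direct blob read: RBAC itself gives Storage Account Contributor nothing on the data plane, which is exactly why the docs flag the key access. Once listkeys succeeds, the account key authorizes every data operation outside RBAC, so the practical check to add in a real environment is whether Shared Key authorization is still enabled on the account; the scoped Storage Blob Data Reader assignment on the managed identity has no such escape hatch.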
