The Contributor role is typically used to enable the Horizon Cloud app registration to make API calls in the Microsoft Azure subscription. If you prefer not to use the Contributor role, you can create a custom role for this purpose. A custom role has certain required permissions and optional permissions that you must be aware of when you create the service principal.

To create a custom role, use a tool such as Azure PowerShell or Azure CLI and create a custom role definition that contains at least the required permissions listed in this topic. See the JSON example below. For details about the specific Microsoft Azure permissions listed on this page, see Azure resource provider operations.
Required permissions

| Operation |
|---|
| Microsoft.Authorization/*/read |
| Microsoft.Compute/*/read |
| Microsoft.Compute/availabilitySets/* |
| Microsoft.Compute/disks/* |
| Microsoft.Compute/galleries/read |
| Microsoft.Compute/galleries/write |
| Microsoft.Compute/galleries/delete |
| Microsoft.Compute/galleries/images/* |
| Microsoft.Compute/galleries/images/versions/* |
| Microsoft.Compute/images/* |
| Microsoft.Compute/locations/* |
| Microsoft.Compute/snapshots/* |
| Microsoft.Compute/virtualMachines/* |
| Microsoft.Compute/virtualMachineScaleSets/* |
| Microsoft.ContainerService/managedClusters/delete |
| Microsoft.ContainerService/managedClusters/read |
| Microsoft.ContainerService/managedClusters/write |
| Microsoft.ContainerService/managedClusters/commandResults/read |
| Microsoft.ContainerService/managedClusters/runcommand/action |
| Microsoft.ContainerService/managedClusters/upgradeProfiles/read |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read |
| Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read |
| Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write |
| Microsoft.Network/loadBalancers/* |
| Microsoft.Network/networkInterfaces/* |
| Microsoft.Network/networkSecurityGroups/* |
| Microsoft.Network/virtualNetworks/read |
| Microsoft.Network/virtualNetworks/write |
| Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read |
| Microsoft.Network/virtualNetworks/subnets/* |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read |
| Microsoft.ResourceGraph/* |
| Microsoft.Resources/deployments/* |
| Microsoft.Resources/subscriptions/read |
| Microsoft.Resources/subscriptions/resourceGroups/* |
| Microsoft.ResourceHealth/availabilityStatuses/read |
| Microsoft.Storage/*/read |
| Microsoft.Storage/storageAccounts/* |
If you plan to use App Volumes, make sure that you have configured the permissions listed in the following table at the subscription level. For more information about these permissions, see Azure Private Endpoints for App Volumes application storage accounts.

| Operation |
|---|
| Microsoft.Network/locations/availablePrivateEndpointTypes/read |
| Microsoft.Network/privateEndpoints/read |
| Microsoft.Network/privateEndpoints/write |
| Microsoft.Network/privateEndpoints/delete |
| Microsoft.Network/virtualNetworks/read |
| Microsoft.Network/virtualNetworks/subnets/read |
| Microsoft.Network/virtualNetworks/subnets/write |
| Microsoft.Network/virtualNetworks/subnets/join/action |
| Microsoft.Resources/deployments/* |
| Microsoft.Resources/subscriptions/read |
| Microsoft.Resources/subscriptions/resourceGroups/read |
Optional permissions

The following permissions are not required to deploy a Horizon Edge in Microsoft Azure. However, if you do not include these optional permissions, the features in the Horizon Universal Console that depend on them will not work.

| Operation | Description |
|---|---|
| Microsoft.KeyVault/*/read, Microsoft.KeyVault/vaults/*, Microsoft.KeyVault/vaults/secrets/* | Key Vault permissions are required to encrypt the disks of pool virtual machines. |
| Microsoft.Network/natGateways/join/action | Required if the Azure Private Link connection type was selected when the Horizon Edge was created and the management subnet is associated with a NAT gateway. The permission is needed to create the private endpoint resource. |
| Microsoft.Network/natGateways/read | Required if NAT Gateway is selected as the cluster outbound type for the Horizon Edge, in order to verify that the NAT gateway on the management subnet (if one exists) is configured correctly. |
| Microsoft.Network/privateEndpoints/write, Microsoft.Network/privateEndpoints/read | Private endpoint permissions are required to deploy a Horizon Edge using Azure Private Link. |
| Microsoft.Network/publicIPAddresses/* | Public IP permissions are required to deploy a Horizon Edge whose Unified Access Gateway instances sit behind a load balancer with a public IP address. They are also required to deploy a public IP address and add it to an image. |
| Microsoft.Network/routeTables/join/action | Required if the Azure Private Link connection type was selected when the Horizon Edge was created and the management subnet has a route table attached. The permission is needed to create the private endpoint resource. |
| Microsoft.Network/routeTables/read | Required if the cluster outbound type selected for the Horizon Edge is User Defined Routing. The permission is needed to validate the route table associated with the management subnet and ensure that the default route is configured correctly. |
These permissions are as follows:

Scope: https://graph.microsoft.com/
Permission: Device.ReadWrite.All (Read and write devices)
Admin consent: Yes

The permission can be granted by navigating to:
Microsoft Azure custom role JSON example

The following JSON block is an example of what a custom role definition named Horizon Cloud Custom Role - Titan might look like with the set of required and optional operations listed above. The id is the unique identifier of the custom role; when you create the custom role with Azure PowerShell or Azure CLI, that process generates the identifier automatically. Replace the my_subscription_ID variable with the ID of the subscription in which the custom role will be used.

In the assignableScopes section, you can list multiple subscription IDs ("/subscriptions/my_subscription_ID") to allow the custom role to be used in several subscriptions.
```json
{
  "id": "uuid",
  "properties": {
    "roleName": "Horizon Cloud Custom Role - Titan",
    "description": "All permissions required for deployment and operation of a Horizon Edge in Azure",
    "assignableScopes": [
      "/subscriptions/my_subscription_ID"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Compute/*/read",
          "Microsoft.Compute/availabilitySets/*",
          "Microsoft.Compute/disks/*",
          "Microsoft.Compute/galleries/read",
          "Microsoft.Compute/galleries/write",
          "Microsoft.Compute/galleries/delete",
          "Microsoft.Compute/galleries/images/*",
          "Microsoft.Compute/galleries/images/versions/*",
          "Microsoft.Compute/images/*",
          "Microsoft.Compute/locations/*",
          "Microsoft.Compute/snapshots/*",
          "Microsoft.ContainerService/managedClusters/delete",
          "Microsoft.ContainerService/managedClusters/read",
          "Microsoft.ContainerService/managedClusters/write",
          "Microsoft.ContainerService/managedClusters/commandResults/read",
          "Microsoft.ContainerService/managedClusters/runcommand/action",
          "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
          "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
          "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
          "Microsoft.Compute/virtualMachines/*",
          "Microsoft.Compute/virtualMachineScaleSets/*",
          "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
          "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
          "Microsoft.Network/loadBalancers/*",
          "Microsoft.Network/networkInterfaces/*",
          "Microsoft.Network/networkSecurityGroups/*",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/write",
          "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
          "Microsoft.Network/virtualNetworks/subnets/*",
          "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
          "Microsoft.ResourceGraph/*",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/*",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Storage/*/read",
          "Microsoft.Storage/storageAccounts/*",
          "Microsoft.KeyVault/*/read",
          "Microsoft.KeyVault/vaults/*",
          "Microsoft.KeyVault/vaults/secrets/*",
          "Microsoft.Network/natGateways/join/action",
          "Microsoft.Network/natGateways/read",
          "Microsoft.Network/privateEndpoints/write",
          "Microsoft.Network/privateEndpoints/read",
          "Microsoft.Network/publicIPAddresses/*",
          "Microsoft.Network/routeTables/join/action",
          "Microsoft.Network/routeTables/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
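The following Python script is an added example, not code from this page, from Horizon Cloud or from Microsoft. It assembles the role definition from the required, App Volumes and optional tables above, checks it the way Azure RBAC evaluates it, and writes the flat file that `az role definition create --role-definition @file` consumes. Two things are assumptions of this example rather than statements from the page: that Azure matches a `*` in an action against any run of characters, slashes included, and compares action names case-insensitively; and the DANGEROUS_ACTIONS list, which is this example's own choice of operations a deployment principal must never hold (the tables keep Microsoft.Authorization read-only, so the role as listed passes).

```python
"""Build and check the Azure custom role for a Horizon Cloud service principal.

Added example, not Horizon Cloud or Microsoft code. Action strings are copied from
the tables on this page. Assumed: Azure RBAC matches `*` against any run of characters
(slashes included) and compares actions case-insensitively; DANGEROUS_ACTIONS is this
example's own choice of operations a deployment principal must never hold.
"""
import json
import re

# Required permissions table (whitespace-separated so several fit per line).
REQUIRED_ACTIONS = """
Microsoft.Authorization/*/read Microsoft.Compute/*/read Microsoft.Compute/availabilitySets/*
Microsoft.Compute/disks/* Microsoft.Compute/galleries/read Microsoft.Compute/galleries/write
Microsoft.Compute/galleries/delete Microsoft.Compute/galleries/images/*
Microsoft.Compute/galleries/images/versions/* Microsoft.Compute/images/*
Microsoft.Compute/locations/* Microsoft.Compute/snapshots/* Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/* Microsoft.ContainerService/managedClusters/delete
Microsoft.ContainerService/managedClusters/read Microsoft.ContainerService/managedClusters/write
Microsoft.ContainerService/managedClusters/commandResults/read
Microsoft.ContainerService/managedClusters/runcommand/action
Microsoft.ContainerService/managedClusters/upgradeProfiles/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Network/loadBalancers/* Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/* Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/write Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.ResourceGraph/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/* Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Storage/*/read Microsoft.Storage/storageAccounts/*
""".split()

# App Volumes table (subscription-level private endpoint permissions).
APP_VOLUMES_ACTIONS = """
Microsoft.Network/locations/availablePrivateEndpointTypes/read
Microsoft.Network/privateEndpoints/read Microsoft.Network/privateEndpoints/write
Microsoft.Network/privateEndpoints/delete Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read
""".split()

# Optional permissions table.
OPTIONAL_ACTIONS = """
Microsoft.KeyVault/*/read Microsoft.KeyVault/vaults/* Microsoft.KeyVault/vaults/secrets/*
Microsoft.Network/natGateways/join/action Microsoft.Network/natGateways/read
Microsoft.Network/privateEndpoints/write Microsoft.Network/privateEndpoints/read
Microsoft.Network/publicIPAddresses/* Microsoft.Network/routeTables/join/action
Microsoft.Network/routeTables/read
""".split()

# Operations that let a principal widen its own rights (this example's own choice).
DANGEROUS_ACTIONS = ["Microsoft.Authorization/roleAssignments/write",
                     "Microsoft.Authorization/roleDefinitions/write"]


def matches(pattern, operation):
    """Azure wildcard match: `*` is any run of characters; names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role, operation):
    """Azure semantics: some `actions` entry matches and no `notActions` entry does."""
    perms = role["properties"]["permissions"][0]
    return (any(matches(a, operation) for a in perms["actions"])
            and not any(matches(n, operation) for n in perms["notActions"]))


def build_role(subscription_ids, include_optional=True, include_app_volumes=False,
               role_name="Horizon Cloud Custom Role - Titan"):
    """Assemble the REST-style definition shown on this page (order kept, duplicates dropped)."""
    actions = list(REQUIRED_ACTIONS)
    if include_app_volumes:
        actions += APP_VOLUMES_ACTIONS
    if include_optional:
        actions += OPTIONAL_ACTIONS
    return {"properties": {
        "roleName": role_name,
        "description": "All permissions required for deployment and operation of a Horizon Edge in Azure",
        "assignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
        "permissions": [{"actions": list(dict.fromkeys(actions)), "notActions": [],
                         "dataActions": [], "notDataActions": []}]}}


def missing_required(role, required=REQUIRED_ACTIONS):
    """Entries of `required` the role does not grant (each checked as a literal string)."""
    return [op for op in required if not is_allowed(role, op)]


def dangerous_grants(role):
    """Privilege-escalation operations the role would allow; expected to be empty."""
    return [op for op in DANGEROUS_ACTIONS if is_allowed(role, op)]


def to_cli_format(role):
    """Flat shape that `az role definition create --role-definition @file` reads."""
    p, perm = role["properties"], role["properties"]["permissions"][0]
    return {"Name": p["roleName"], "IsCustom": True, "Description": p["description"],
            "Actions": perm["actions"], "NotActions": perm["notActions"],
            "DataActions": perm["dataActions"], "NotDataActions": perm["notDataActions"],
            "AssignableScopes": p["assignableScopes"]}


if __name__ == "__main__":
    role = build_role(["my_subscription_ID"])  # placeholder ID, replace before use
    assert not missing_required(role) and not dangerous_grants(role)
    with open("horizon-role.json", "w") as fh:
        json.dump(to_cli_format(role), fh, indent=2)
```

Running the script writes horizon-role.json for `az role definition create --role-definition @horizon-role.json`. Note what each check can and cannot tell you: `missing_required` tests each table entry as a literal string, so it proves the role is at least as broad as the table (and shows, for instance, that the required plus optional set still lacks `Microsoft.Network/privateEndpoints/delete` and `Microsoft.Network/locations/availablePrivateEndpointTypes/read` unless the App Volumes entries are added), but it cannot see a `notActions` entry that carves a hole out of a required wildcard; use `is_allowed` on the concrete operations you care about for that. `dangerous_grants` is the check worth keeping in review: the tables grant Microsoft.Authorization read-only, and any later edit that adds a write there would let the service principal assign itself a broader role.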