The Contributor role is typically used to let the Horizon Cloud app registration make API calls in the Microsoft Azure subscription. If you want to avoid using the Contributor role, you can create a custom role for this purpose instead. A custom role has certain required permissions and certain optional permissions that you must be aware of when you create the service principal.

To create a custom role, use a tool such as Azure PowerShell or the Azure CLI and create a custom role definition that contains at least the required permissions listed in this topic. See the JSON example below. For details on the specific Microsoft Azure permissions listed on this page, see Azure resource provider operations.

Required permissions

Table 1. Microsoft Azure resource operations that the custom role must allow when permissions are assigned at the subscription level
Operation
Microsoft.Authorization/*/read
Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/disks/*
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/write
Microsoft.Compute/galleries/delete
Microsoft.Compute/galleries/images/*
Microsoft.Compute/galleries/images/versions/*
Microsoft.Compute/images/*
Microsoft.Compute/locations/*
Microsoft.Compute/snapshots/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.ContainerService/managedClusters/delete
Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.ContainerService/managedClusters/commandResults/read
Microsoft.ContainerService/managedClusters/runcommand/action
Microsoft.ContainerService/managedClusters/upgradeProfiles/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Network/loadBalancers/*
Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/write
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.ResourceGraph/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Storage/*/read
Microsoft.Storage/storageAccounts/*

If you plan to use App Volumes, make sure that the permissions listed in the following table are configured at the subscription level. For more information about these permissions, see Azure Private Endpoint for the App Volumes application storage account.

Operation
Microsoft.Network/locations/availablePrivateEndpointTypes/read
Microsoft.Network/privateEndpoints/read
Microsoft.Network/privateEndpoints/write
Microsoft.Network/privateEndpoints/delete
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read

Optional permissions

The following permissions are not required to deploy a Horizon Edge in Microsoft Azure. However, if you do not include these optional permissions, the features in Horizon Universal Console that depend on them will not work.

Table 2. Microsoft Azure resource operations that are optional in the custom role when permissions are assigned at the subscription level
Operation and description
Microsoft.KeyVault/*/read
Microsoft.KeyVault/vaults/*
Microsoft.KeyVault/vaults/secrets/*
Key Vault permissions are required to encrypt the disks of pool virtual machines.
Microsoft.Network/natGateways/join/action
Required if the Azure Private Link connection type was selected when the Horizon Edge was created and the management subnet is associated with a NAT gateway. The permission is needed to create the private endpoint resource.
Microsoft.Network/natGateways/read
Required if NAT Gateway is selected as the cluster outbound type for the Horizon Edge, in order to verify that the NAT gateway of the management subnet (if one exists) is configured correctly.
Microsoft.Network/privateEndpoints/write
Microsoft.Network/privateEndpoints/read
Private endpoint permissions are required to deploy a Horizon Edge using Azure Private Link.
Microsoft.Network/publicIPAddresses/*
Public IP permissions are required to deploy a Horizon Edge whose Unified Access Gateway instances sit behind a load balancer with a public IP address. They are also required to deploy a public IP address and add it to an image.
Microsoft.Network/routeTables/join/action
Required if the Azure Private Link connection type was selected when the Horizon Edge was created and the management subnet has a route table attached. The permission is needed to create the private endpoint resource.
Microsoft.Network/routeTables/read
Required if the cluster outbound type selected for the Horizon Edge is User Defined Routing, in order to verify the route table associated with the management subnet and ensure that the default route is configured correctly.
Note: When deleting a pool or virtual machine that is joined to Microsoft Entra ID, the service principal must also have permission to delete the device entry from Microsoft Entra ID. This is a Microsoft Graph API permission granted on the app registration, not an Azure resource operation, so it does not belong in the custom role JSON.

The permission is as follows:

Scope: https://graph.microsoft.com/

Permission: Device.ReadWrite.All (Read and write devices)

Admin consent: Yes

You can grant the permission by navigating to:

Subscription > Microsoft Entra ID (Azure Active Directory) > App registrations > select the application that needs the permission > API permissions > select Microsoft Graph > select Device.ReadWrite.All

Microsoft Azure custom role JSON example

The following JSON block is an example of what a custom role definition named Horizon Cloud Custom Role - Titan might look like when it contains the set of required and optional operations described above. The id is the custom role's unique identifier; when you create the custom role with Azure PowerShell or the Azure CLI, that process generates the id automatically. For the my_subscription_ID variable, substitute the ID of the subscription in which the custom role will be used. Note that the example does not include two of the App Volumes operations listed above (Microsoft.Network/locations/availablePrivateEndpointTypes/read and Microsoft.Network/privateEndpoints/delete); add them if you use App Volumes.

In the assignableScopes section, you can list multiple subscription IDs ("/subscriptions/my_subscription_ID") to allow the custom role to be used in multiple subscriptions. Keep assignableScopes limited to the subscriptions that actually host Horizon Edge deployments: the role grants broad wildcards such as Microsoft.Compute/virtualMachines/* and Microsoft.Storage/storageAccounts/*, and assignableScopes is what limits where it can be assigned.

Table 3. Example JSON for a role that allows the operations Horizon Cloud requires when permissions are assigned at the subscription level
{
    "id": "uuid",
    "properties": {
        "roleName": "Horizon Cloud Custom Role - Titan",
        "description": "All permissions required for deployment and operation of a Horizon Edge in Azure",
        "assignableScopes": [
              "/subscriptions/my_subscription_ID"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Compute/*/read",
                    "Microsoft.Compute/availabilitySets/*",
                    "Microsoft.Compute/disks/*",
                    "Microsoft.Compute/galleries/read",
                    "Microsoft.Compute/galleries/write",
                    "Microsoft.Compute/galleries/delete",
                    "Microsoft.Compute/galleries/images/*",
                    "Microsoft.Compute/galleries/images/versions/*",
                    "Microsoft.Compute/images/*",
                    "Microsoft.Compute/locations/*",
                    "Microsoft.Compute/snapshots/*",
                    "Microsoft.ContainerService/managedClusters/delete",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/write",
                    "Microsoft.ContainerService/managedClusters/commandResults/read",
                    "Microsoft.ContainerService/managedClusters/runcommand/action",
                    "Microsoft.ContainerService/managedClusters/upgradeProfiles/read",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
                    "Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Compute/virtualMachineScaleSets/*",
                    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
                    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",
                    "Microsoft.Network/loadBalancers/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Network/networkSecurityGroups/*",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/write",
                    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
                    "Microsoft.Network/virtualNetworks/subnets/*",
                    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
                    "Microsoft.ResourceGraph/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/*",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Storage/*/read",
                    "Microsoft.Storage/storageAccounts/*",
                    "Microsoft.KeyVault/*/read",
                    "Microsoft.KeyVault/vaults/*",
                    "Microsoft.KeyVault/vaults/secrets/*",
                    "Microsoft.Network/natGateways/join/action",
                    "Microsoft.Network/natGateways/read",
                    "Microsoft.Network/privateEndpoints/write",
                    "Microsoft.Network/privateEndpoints/read",
                    "Microsoft.Network/publicIPAddresses/*",
                    "Microsoft.Network/routeTables/join/action",
                    "Microsoft.Network/routeTables/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
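The script below is an added example and is not part of this page or of Horizon Cloud. It builds the custom role from the operation lists in the tables above, in the flat input-file shape that `az role definition create --role-definition @file.json` and `New-AzRoleDefinition -InputFile` accept, rejects placeholder subscription IDs, and checks whether a given set of Actions and NotActions covers every operation you need, using Azure RBAC's wildcard semantics (a `*` matches any characters, including `/`). Run against the sample role, it reports the two App Volumes operations the sample does not grant. The subscription GUID, the output file name and the function names are the example's own assumptions.

```python
"""Added example (not Omnissa/VMware code): build and check a Horizon Cloud custom
role for Azure RBAC. Operation lists are copied from the tables on this page; the
role name and description follow the page's JSON sample."""
import fnmatch
import json
import re
import sys

# Table 1: operations the custom role must allow at subscription scope.
REQUIRED_ACTIONS = """
Microsoft.Authorization/*/read Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/* Microsoft.Compute/disks/*
Microsoft.Compute/galleries/read Microsoft.Compute/galleries/write
Microsoft.Compute/galleries/delete Microsoft.Compute/galleries/images/*
Microsoft.Compute/galleries/images/versions/* Microsoft.Compute/images/*
Microsoft.Compute/locations/* Microsoft.Compute/snapshots/*
Microsoft.Compute/virtualMachines/* Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.ContainerService/managedClusters/delete Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write Microsoft.ContainerService/managedClusters/commandResults/read
Microsoft.ContainerService/managedClusters/runcommand/action
Microsoft.ContainerService/managedClusters/upgradeProfiles/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Network/loadBalancers/* Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/* Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/write Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
Microsoft.Network/virtualNetworks/subnets/* Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Microsoft.ResourceGraph/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/* Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Storage/*/read Microsoft.Storage/storageAccounts/*
""".split()

# App Volumes private-endpoint operations (second table on this page).
APP_VOLUMES_ACTIONS = """
Microsoft.Network/locations/availablePrivateEndpointTypes/read
Microsoft.Network/privateEndpoints/read Microsoft.Network/privateEndpoints/write
Microsoft.Network/privateEndpoints/delete Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read
""".split()

# Table 2: optional operations (disk encryption, Private Link, NAT gateway, UDR, public IPs).
OPTIONAL_ACTIONS = """
Microsoft.KeyVault/*/read Microsoft.KeyVault/vaults/* Microsoft.KeyVault/vaults/secrets/*
Microsoft.Network/natGateways/join/action Microsoft.Network/natGateways/read
Microsoft.Network/privateEndpoints/write Microsoft.Network/privateEndpoints/read
Microsoft.Network/publicIPAddresses/* Microsoft.Network/routeTables/join/action
Microsoft.Network/routeTables/read
""".split()

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def is_subscription_id(value):
    """Subscription IDs are GUIDs; a placeholder like my_subscription_ID is rejected."""
    return bool(GUID_RE.match(value))


def build_role_definition(subscription_ids, include_optional=True,
                          role_name="Horizon Cloud Custom Role - Titan"):
    """Flat input-file shape for az / New-AzRoleDefinition. No Id: Azure generates it."""
    bad = [s for s in subscription_ids if not is_subscription_id(s)]
    if bad or not subscription_ids:
        raise ValueError(f"need one or more subscription GUIDs, got {subscription_ids}")
    return {
        "Name": role_name,
        "IsCustom": True,
        "Description": "All permissions required for deployment and operation of a Horizon Edge in Azure",
        "Actions": REQUIRED_ACTIONS + (OPTIONAL_ACTIONS if include_optional else []),
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        # AssignableScopes is what limits where this broad role can be assigned.
        "AssignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
    }


def missing_operations(actions, not_actions, wanted):
    """Operations in `wanted` that Actions minus NotActions does not grant.
    A wanted wildcard such as Microsoft.Compute/disks/* counts as covered only by an
    Actions entry that is textually at least as broad; a NotActions entry that overlaps
    a wanted operation in either direction makes that operation a gap."""
    def granted(op):
        if not any(fnmatch.fnmatchcase(op, a) for a in actions):
            return False
        return not any(fnmatch.fnmatchcase(op, n) or fnmatch.fnmatchcase(n, op)
                       for n in not_actions)
    return [op for op in wanted if not granted(op)]


if __name__ == "__main__":
    # Placeholder subscription GUID; replace it before creating the role.
    role = build_role_definition(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(role, indent=2))  # redirect to a file for az / PowerShell
    gaps = missing_operations(role["Actions"], role["NotActions"], APP_VOLUMES_ACTIONS)
    print("App Volumes operations not covered:", gaps, file=sys.stderr)
```

Redirect the script's standard output to a file (for example horizon-cloud-role.json), then run `az role definition create --role-definition @horizon-cloud-role.json` and assign it to the service principal with `az role assignment create --assignee <app-id> --role "Horizon Cloud Custom Role - Titan" --scope /subscriptions/<subscription-id>`. The coverage check is deliberately conservative: it flags a NotActions entry that carves anything out of a wildcard you need, and it does not count a narrower Actions entry (such as Microsoft.Compute/virtualMachines/read) as satisfying a wildcard requirement (Microsoft.Compute/virtualMachines/*).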