For the Horizon Cloud app registration to make API calls in the pod's subscription (or in the optional external gateway subscription) and perform its VDI-related operations, it must be assigned a role. The Contributor role is typically used for this purpose. Organizations that want to avoid the Contributor role can instead create a custom role that grants the Horizon Cloud app registration the ability to make the required API calls.

In addition to using a custom role for the Horizon Cloud app registration in the pod subscription, if your organization chooses to use a separate subscription for the pod's external Unified Access Gateway configuration and to deploy the gateway resources into a specific resource group that your organization has set up for that purpose, the custom role for that gateway subscription can carry finer-grained, narrower permissions than the custom role for the pod subscription.

Introduction to custom roles

The key concept is that Horizon Cloud must perform specific operations in the pod's subscription and its resource groups in order to successfully create and maintain the resources needed to configure the pod and its gateways.

A simple example: because the pod and gateway architecture requires virtual machines with NICs, Horizon Cloud must create virtual machines and NICs in your subscription and attach those NICs to subnets in the subscription's VNet.

In Microsoft Azure, a role provides a set of management operations that the app registration's service principal is permitted to perform. A management operation is the combination of a resource and an action performed on that resource.

Following the rules described below, you can restrict the Horizon Cloud app registration in the pod subscription and (optionally) in the gateway subscription to the minimum set of operations it requires.

Overview of the available use cases

The following use cases come into play when discussing the operations Horizon Cloud requires in subscriptions and resource groups.

Note: In the two-subscription use cases, the role used for the app registration in the pod subscription must follow the same rules required for the single-subscription use case.

Use case | Description

Use case: Horizon Cloud uses a single subscription for the pod and its external Unified Access Gateway configuration.

Description: In this case, the service principal must be granted access at the pod subscription level. The role assigned to the service principal at that level must allow the actions Horizon Cloud has to perform in your subscription, so that it can successfully create the required resources in that subscription and operate on those resources over time. For example, in this case the role must provide the ability to create the default resource groups, network security groups, virtual machines, and so on.

Use case: You have two subscriptions, and you want Horizon Cloud to automatically create the resource groups and resources the gateway needs in the subscription designated for the external gateway, the same way it does in the pod's subscription.
  • One subscription designated for the external Unified Access Gateway configuration resources
  • The other subscription for the remaining pod resources

Description: With this option, the service principal must be granted access at the subscription level in each subscription, with permissions that allow the same actions as in the single-subscription use case above.

Use case: Again two subscriptions, but instead of letting Horizon Cloud automatically create the resource groups and resources the external gateway needs, you pre-create a resource group in the subscription designated for the external gateway and have Horizon Cloud deploy the external gateway's resources into that existing resource group.

Description: Two options are available for granting the service principal access to deploy the external gateway:

  • Grant access at the subscription level, the same as in the cases above.
  • Use the following combination:
    • At the subscription level, grant access using the built-in Reader role.
    • At the level of the named resource group, grant access using the permissions defined in a custom role. The permissions granted at the resource group level must support the operations Horizon Cloud needs to perform in that resource group to deploy and configure the external gateway's resources there.

      In addition to the resource group permissions, and depending on your deployment plan, Horizon Cloud needs permission to do the following:

      • If this deployment will use subnets that you pre-created on the subscription's VNet, Horizon Cloud must be able to create NICs and network security groups (NSGs) on those subnets. The permissions required on the VNet to which the subnets belong are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
      • If this deployment will have Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud must also be able to create subnets. The permission required on the VNet is Microsoft.Network/virtualNetworks/write.
      • If your external gateway deployment will specify the use of a public IP address, Horizon Cloud must be able to create public IP addresses in the named resource group. The permission required on the named resource group is Microsoft.Network/publicIPAddresses.

Use case: Your VNet has custom routes.

Description: Microsoft Azure has a feature called custom routes. If your VNet has custom routes, one additional permission is required on top of all the permissions for the use cases above: Microsoft.Network/routeTables/join/action

When using a single subscription for the pod and its gateway configuration, or a separate subscription for the external Unified Access Gateway configuration with the permission set configured at the subscription level

In these use cases, permissions should be assigned at the subscription level. The custom role must allow the operations in the table below. The * (wildcard) allows access to every operation that matches the string in the listed operation.

Table 1. Microsoft Azure resource operations that the custom role must allow when permissions are assigned at the subscription level
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkSecurityGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/write | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/subnets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Compute/galleries/read, Microsoft.Compute/galleries/write, Microsoft.Compute/galleries/delete, Microsoft.Compute/galleries/images/*, Microsoft.Compute/galleries/images/versions/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read, Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmarketplaceordering

The following JSON code block is an example of what a custom role definition named Horizon Cloud Pod might look like with the set of operations listed above. The Id is the custom role's unique identifier; it is generated automatically when you create the custom role with Azure PowerShell or Azure CLI. Replace the mysubscriptionId1 variable with the identifier of the subscription in which the custom role will be used, that is, the pod's subscription or the optional gateway subscription.

Table 2. Example JSON for a role that allows the operations Horizon Cloud requires when permissions are assigned at the subscription level
{
  "Name": "Horizon Cloud Pod",
  "Id": "uuid",
  "IsCustom": true,
  "Description": "Minimum set of Horizon Cloud pod required operations",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/snapshots/*",
    "Microsoft.DBforPostgreSQL/*",
    "Microsoft.KeyVault/*/read",
    "Microsoft.KeyVault/vaults/*",
    "Microsoft.KeyVault/vaults/secrets/*",
    "Microsoft.Network/loadBalancers/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/storageAccounts/*",
    "Microsoft.Compute/galleries/read",
    "Microsoft.Compute/galleries/write",
    "Microsoft.Compute/galleries/delete",
    "Microsoft.Compute/galleries/images/*",
    "Microsoft.Compute/galleries/images/versions/*",
    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
    "Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/mysubscriptionId1"
  ]
}

When custom routes are present in the VNet and its subnets

Microsoft Azure has a feature called custom routes.

If such routes have been added to the VNet and its subnets, the following additional permission is required.

Table 3. Microsoft Azure resource operation that must be allowed when your VNet has custom routes
Operation | Description in the Microsoft Azure documentation
Microsoft.Network/routeTables/join/action | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork

When using a separate subscription for the external Unified Access Gateway configuration, assigning the Reader role at the subscription level and the remaining required permissions at a granular level for deployment into a custom resource group

For this use case, at the external gateway's subscription level your organization can use the built-in Reader role for the Horizon Cloud app registration, and use a custom role at the level of the named resource group.

Your organization creates a custom role that specifies the permissions in the table below. That custom role is then assigned to the Horizon Cloud app registration on the specifically named resource group in the external gateway subscription. You or your organization pre-create that named resource group in the subscription into which the external gateway will be deployed.

Depending on your planned deployment options, certain additional permissions are also required on the subnets and on the VNet:

  • If this external gateway deployment will use subnets that you pre-created, Horizon Cloud must be able to create NICs and network security groups (NSGs) on those subnets. The permissions required on the VNet to which the subnets belong are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
  • If this external gateway deployment will have Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud must also be able to create subnets. The permission required on the subscription's VNet is Microsoft.Network/virtualNetworks/write.
  • If your deployment will specify the use of a public IP address for the external gateway configuration, Horizon Cloud must be able to create public IP addresses in the named resource group. The permission required on the named resource group is Microsoft.Network/publicIPAddresses.

The following operations must be allowed on the named resource group. The * (wildcard) allows access to every operation that matches the string in the listed resource provider operation.

Table 4. Microsoft Azure resource operations that must be allowed on the named resource group
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* (only if your deployment specifies the use of a public IP address for the external gateway deployment) | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read, Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmarketplaceordering
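As an added illustration (not code from the Horizon Cloud documentation or from VMware), the following Python script models how Azure evaluates a custom role definition like the ones above: the * wildcard matching described for Tables 1 and 4, NotActions subtraction, AssignableScopes, and the Reader-at-subscription plus custom-role-at-named-resource-group combination of the last use case. The role JSON, the resource group name rg-horizon-gateway and the list of sample operations are constructed for the example; the operation names themselves are real Azure operation strings, with the last one being the custom-routes permission from Table 3.

```python
import json
import re

# Constructed sample role in the Azure PowerShell JSON shape the page uses, deliberately
# trimmed so that some operations a deployment needs are NOT covered and get flagged.
ROLE = json.loads("""{
  "Name": "Horizon Cloud Pod", "IsCustom": true,
  "Actions": ["Microsoft.Compute/*/read", "Microsoft.Compute/virtualMachines/*",
              "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/virtualNetworks/read",
              "Microsoft.Network/virtualNetworks/subnets/*"],
  "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
  "AssignableScopes": ["/subscriptions/mysubscriptionId1"]
}""")
# Built-in Reader reduced to the one wildcard it grants (constructed stand-in).
READER = {"Actions": ["*/read"], "NotActions": [], "AssignableScopes": ["/"]}

def _pattern(action):
    # Operation strings are case-insensitive; '*' matches any characters, '/' included,
    # so "Microsoft.Compute/*/read" also covers nested resource types.
    return re.compile("^" + re.escape(action).replace(r"\*", ".*") + "$", re.IGNORECASE)

def role_allows(role, operation):
    """True when an Actions entry matches and no NotActions entry takes it away."""
    allowed = any(_pattern(a).match(operation) for a in role.get("Actions", []))
    denied = any(_pattern(a).match(operation) for a in role.get("NotActions", []))
    return allowed and not denied

def scope_within(scope, parent):
    """True if scope is parent itself or nested below it (case-insensitive)."""
    s, p = scope.lower(), parent.lower().rstrip("/")
    return s == p or s.startswith(p + "/")

def effective_allows(assignments, scope, operation):
    """Union of roles assigned at or above scope; an assignment only counts if it sits
    at or below one of its role's AssignableScopes (Azure rejects it otherwise)."""
    for role, assigned_at in assignments:
        valid = any(scope_within(assigned_at, a) for a in role["AssignableScopes"])
        if valid and scope_within(scope, assigned_at) and role_allows(role, operation):
            return True
    return False

def missing_operations(assignments, scope, required):
    """Required operations that no assignment grants at scope, in the order given."""
    return [op for op in required if not effective_allows(assignments, scope, op)]

# Two-subscription gateway case from the page: Reader at the subscription, the custom role
# only on the pre-created named resource group (names constructed; operations are real).
SUB = "/subscriptions/mysubscriptionId1"
GW_RG = SUB + "/resourceGroups/rg-horizon-gateway"
ASSIGNMENTS = [(READER, SUB), (ROLE, GW_RG)]
REQUIRED_OPS = ["Microsoft.Compute/virtualMachines/write", "Microsoft.Compute/disks/write",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
                "Microsoft.Network/routeTables/join/action"]
```

Running missing_operations(ASSIGNMENTS, GW_RG, REQUIRED_OPS) reports the disk write and the route-table join as not granted, which is the gap an operator would close by adding Microsoft.Compute/disks/* and Microsoft.Network/routeTables/join/action to the custom role before the deployment is attempted.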