The service principal that Horizon Cloud uses to perform operations in your Microsoft Azure subscription and its resource groups needs an assigned role that specifies which operations the service principal is permitted to perform in that subscription and its resource groups. Although the Microsoft Azure built-in Contributor role can perform every operation Horizon Cloud requires, it grants the broadest possible set of permissions. Instead of using the built-in Contributor role at the subscription level, you can create a custom role with a minimal permission set (scoped to the smallest set of operations that Horizon Cloud needs in the associated subscription) and assign that custom role to the service principal at the subscription level. If you take the approach of using a separate subscription for the pod's external Unified Access Gateway configuration, and choose to deploy the gateway resources into a resource group that you create and maintain yourself, you can optionally assign the service principal more granular, more narrowly scoped permissions in that separate subscription.

The key concept is that Horizon Cloud needs to perform specific operations in your subscription and its resource groups in order to successfully create and maintain the resources required for the pod and its gateway configuration. A simple example: because the pod and gateway architecture requires virtual machines with NICs, Horizon Cloud must create virtual machines and NICs in your subscription and attach those NICs to subnets in the subscription's VNet. Some of the options you choose for the pod and gateway deployment determine the specific set of operations Horizon Cloud has to perform. Following the rules described below, you can restrict what Horizon Cloud is able to do in your subscription to the minimum set of operations required by the options you chose for deploying the pod and configuring its external gateway.

For details about custom roles in Microsoft Azure and the steps for creating one, see the Microsoft Azure documentation topic Custom roles for Azure resources. For details about how roles work, their structure, and the structure of management operations, see Understand role definitions for Azure resources in the Microsoft Azure documentation. As described in that topic, a role definition is a collection of permissions, referred to simply as a role. A role lists the management operations that a service principal assigned that role can perform, and the operations it cannot perform. A management operation is the combination of a resource and an action performed on that resource.

Overview of the available use cases

The following use cases come into play when discussing the operations that Horizon Cloud requires in your Microsoft Azure subscription and its resource groups.

Note: In the two-subscription use cases, the service principal's role created for the subscription designated for the remaining pod resources must follow the same rules required for the single-subscription use case.

Use case 1: Horizon Cloud uses a single subscription for the pod and its external Unified Access Gateway configuration.

Description: In this case, access must be granted to the service principal at the subscription level. The role assigned to the service principal at that level must allow the actions that Horizon Cloud has to perform in your subscription, so that it can successfully create the required resources in that subscription and operate on those resources over time. For example, in this case the role must provide the ability to create the default resource groups, network security groups, virtual machines, and so on.

Use case 2: You have two subscriptions, and you want Horizon Cloud to automatically create the resource group and resources the gateway needs in the subscription designated for the external gateway, and in the same way create the remaining pod resources in the other subscription.
  • One subscription is designated for the external Unified Access Gateway configuration resources
  • The other subscription is used for the remaining pod resources

Description: With this option, access must be granted to the service principal at the subscription level in each of the two subscriptions, with permissions allowing the same actions as in the single-subscription use case above.

Use case 3: Again two subscriptions, but instead of letting Horizon Cloud automatically create the resource group and resources needed for the external gateway, you pre-create a resource group in the subscription designated for the external gateway and have Horizon Cloud deploy the external gateway's resources into that existing resource group.

Description: Two options are available for granting the service principal the access needed to deploy the external gateway:

  • Grant access at the subscription level in the same way as in the cases above.
  • Use the following combination:
    • At the subscription level, grant access using the built-in Reader role.
    • At the level of the named resource group, grant access using the permissions defined in a custom role. The permissions granted at the resource group level must support the operations that Horizon Cloud has to perform in the resource group in order to deploy and configure the external gateway's resources there.

      In addition to the resource group permissions, and depending on your deployment plan, Horizon Cloud needs permission to perform the following actions:

      • If the deployment will use subnets that you pre-created on that subscription's VNet, Horizon Cloud needs to be able to create NICs and network security groups (NSGs) on those subnets. The permissions required on the VNet that the subnets belong to are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
      • If the deployment will have Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud also needs to be able to create subnets. The permission required on the VNet is Microsoft.Network/virtualNetworks/write.
      • If your external gateway deployment will specify the use of a public IP address, Horizon Cloud must be able to create a public IP address in the named resource group. The permission required on the named resource group is Microsoft.Network/publicIPAddresses.

When using a single subscription for the pod and its gateway configuration, or a separate subscription for the external Unified Access Gateway configuration with the permission set configured at the subscription level

In these use cases, permissions are assigned at the subscription level. If you configure a custom role on the service principal that you specify in the Subscription step of the Horizon Cloud workflow, the custom role definition requires the following actions. The * (wildcard) allows access to all operations that match the string in the listed resource provider operation. For descriptions of the operations, see the Microsoft Azure documentation at the links listed below.

Table 1. Microsoft Azure resource operations that the custom role must allow when permissions are assigned at the subscription level
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkSecurityGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/write | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/subnets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage

The following JSON code block is an example of what a custom role definition named Horizon Cloud Pod might look like when it carries the set of operations above. For a description of the properties and usage information, see the Custom role properties section of the Microsoft Azure documentation topic Custom roles for Azure resources. Id is the unique identifier of the custom role. When you create a custom role using Azure PowerShell or Azure CLI, this identifier is generated automatically as the new role is created. As described in Tutorial: Create a custom role for Azure resources using Azure CLI, mysubscriptionId1 stands for your own subscription ID.

Table 2. Example JSON for a role that allows the operations Horizon Cloud requires when permissions are assigned at the subscription level
{
  "Name": "Horizon Cloud Pod",
  "Id": "uuid",
  "IsCustom": true,
  "Description": "Minimum set of Horizon Cloud pod required operations",
  "Actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*",
    "Microsoft.Compute/locations/*",
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*",
    "Microsoft.Compute/snapshots/*",
    "Microsoft.DBforPostgreSQL/*",
    "Microsoft.KeyVault/*/read",
    "Microsoft.KeyVault/vaults/*",
    "Microsoft.KeyVault/vaults/secrets/*",
    "Microsoft.Network/loadBalancers/*",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Storage/*/read",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/mysubscriptionId1"
  ]
}
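As an added example (not from the Horizon Cloud documentation or VMware's tooling), the following Python script checks a role definition in the shape shown above against Table 1 before it is ever created in Azure: it parses the JSON, reports required operations that no Actions entry covers, flags AssignableScopes wider than a single subscription, and evaluates individual operations using Azure's wildcard and NotActions semantics, contrasting the custom role with a constructed Contributor-like definition. The build_role_json and check_role_json helpers, the "uuid" and "mysubscriptionId1" placeholders, and the simplified Contributor stand-in are this example's own assumptions.

```python
"""Least-privilege check for a Microsoft Azure custom role definition.

Added example, not part of the Horizon Cloud documentation or VMware tooling.
Azure RBAC semantics modelled here: '*' in an Actions entry matches any
characters (including '/'), matching is case-insensitive, and NotActions
subtract from Actions within the same role definition.
"""
import json
import re

# Table 1: the operations a subscription-level custom role must allow.
REQUIRED_SUBSCRIPTION_OPERATIONS = [
    "Microsoft.Authorization/*/read", "Microsoft.Compute/*/read",
    "Microsoft.Compute/availabilitySets/*", "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*", "Microsoft.Compute/locations/*",
    "Microsoft.Compute/snapshots/*", "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*", "Microsoft.DBforPostgreSQL/*",
    "Microsoft.KeyVault/*/read", "Microsoft.KeyVault/vaults/*",
    "Microsoft.KeyVault/vaults/secrets/*", "Microsoft.Network/loadBalancers/*",
    "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/publicIPAddresses/*", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
    "Microsoft.Network/virtualNetworks/subnets/*",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*", "Microsoft.Resources/deployments/*",
    "Microsoft.Storage/*/read", "Microsoft.Storage/storageAccounts/*",
]


def matches(pattern, operation):
    """Azure-style match: '*' spans any characters, including '/', case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """Actions minus NotActions, as Azure evaluates a single role definition."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    denied = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not denied


def missing_operations(role, required=REQUIRED_SUBSCRIPTION_OPERATIONS):
    """Required entries not covered by any Actions entry. A broader pattern covers
    a narrower one when its regex matches the narrower pattern taken literally
    (its '.*' absorbs the narrower '*'): vaults/* covers vaults/secrets/*, but
    virtualNetworks/read does not cover virtualNetworks/write."""
    return [op for op in required
            if not any(matches(p, op) for p in role.get("Actions", []))]


def scope_problems(role):
    """AssignableScopes wider than one subscription (a management group or '/')."""
    return [s for s in role.get("AssignableScopes", [])
            if not re.fullmatch(r"/subscriptions/[^/]+", s)]


def check_role_json(text):
    """Parse a role definition JSON document and return the findings."""
    role = json.loads(text)
    return {
        "missing": missing_operations(role),
        "scope_problems": scope_problems(role),
        # Two things a least-privilege pod role should never be able to do.
        "can_write_role_assignments": role_allows(role, "Microsoft.Authorization/roleAssignments/write"),
        "can_delete_vnet": role_allows(role, "Microsoft.Network/virtualNetworks/delete"),
    }


def build_role_json(actions, name="Horizon Cloud Pod", scopes=("/subscriptions/mysubscriptionId1",)):
    """Constructed helper: JSON in the shape of the page's example ('Id' is a placeholder)."""
    return json.dumps({
        "Name": name, "Id": "uuid", "IsCustom": True,
        "Description": "Minimum set of Horizon Cloud pod required operations",
        "Actions": list(actions), "NotActions": [], "DataActions": [],
        "NotDataActions": [], "AssignableScopes": list(scopes),
    }, indent=2)


# Constructed, simplified stand-in for the built-in Contributor role: everything
# except managing authorization. For comparison only; the real definition differs.
CONTRIBUTOR_LIKE = {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]}

if __name__ == "__main__":
    complete = build_role_json(REQUIRED_SUBSCRIPTION_OPERATIONS)
    print(json.dumps(check_role_json(complete), indent=2))
    # A draft that forgot virtualNetworks/write: nothing else in the list covers it.
    draft = build_role_json(op for op in REQUIRED_SUBSCRIPTION_OPERATIONS
                            if op != "Microsoft.Network/virtualNetworks/write")
    print(json.dumps(check_role_json(draft), indent=2))
    print("Contributor-like role can delete a VNet:",
          role_allows(CONTRIBUTOR_LIKE, "Microsoft.Network/virtualNetworks/delete"))
```

Once a definition passes, it is created and assigned with the Azure CLI commands `az role definition create --role-definition @horizon-cloud-pod.json` and `az role assignment create --assignee <service principal appId> --role "Horizon Cloud Pod" --scope /subscriptions/<subscription id>` (angle-bracket values are placeholders). The comparison with the Contributor stand-in shows the difference the custom role makes: Contributor can delete the VNet the pod lives in, while the custom role can only read and write it.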

When using a separate subscription for the external Unified Access Gateway configuration, assigning the Reader role at the subscription level and the other required permissions at a granular level to deploy into a custom resource group

In this use case, you can assign the built-in Reader role to the service principal at the subscription level, and then grant access at the level of the named resource group using a custom role that specifies the permissions in the table below. Depending on your planned deployment options, some additional permissions are required on the subnets and on the VNet:

  • If this external gateway deployment will use subnets that you pre-created, Horizon Cloud needs to be able to create NICs and network security groups (NSGs) on those subnets. The permissions required on the VNet that the subnets belong to are Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/*.
  • If this external gateway deployment will have Horizon Cloud generate the subnets, then in addition to the Microsoft.Network/virtualNetworks/subnets/* and Microsoft.Network/networkSecurityGroups/* permissions above, Horizon Cloud must also be able to create subnets. The permission required on the subscription's VNet is Microsoft.Network/virtualNetworks/write.
  • If your deployment will specify the use of a public IP address for the external gateway configuration, Horizon Cloud needs to be able to create a public IP address in the named resource group. The permission required on the named resource group is Microsoft.Network/publicIPAddresses.

The following operations must be allowed in the named resource group. The * (wildcard) allows access to all operations that match the string in the listed resource provider operation. For descriptions of the operations, see the Microsoft Azure documentation at the links listed below.

Table 3. Microsoft Azure resource operations that must be allowed on the named resource group
Operation | Description in the Microsoft Azure documentation
Microsoft.Authorization/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Microsoft.Compute/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/availabilitySets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/disks/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/images/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/locations/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/snapshots/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachines/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.Compute/virtualMachineScaleSets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftcompute
Microsoft.DBforPostgreSQL/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdbforpostgresql
Microsoft.KeyVault/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.KeyVault/vaults/secrets/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkeyvault
Microsoft.Network/loadBalancers/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/networkInterfaces/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/publicIPAddresses/* (only if your deployment specifies the use of a public IP address for the external gateway deployment) | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftnetwork
Microsoft.ResourceHealth/availabilityStatuses/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresourcehealth
Microsoft.Resources/subscriptions/resourceGroups/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Resources/deployments/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
Microsoft.Storage/*/read | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
Microsoft.Storage/storageAccounts/* | https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage
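The layout in this section stacks three assignments at three scopes: Reader on the subscription, a custom role built from Table 3 on the pre-created resource group, and the VNet-level extras from the bullets above. As an added example (not VMware code or part of Horizon Cloud), the following Python script models how Azure combines them, so you can confirm before assigning anything that the service principal can act inside the named resource group and on the VNet but cannot create resources elsewhere in the subscription. Scope matching (an assignment is inherited by everything beneath its scope) and additive evaluation across assignments follow Azure RBAC; the subscription ID, resource group, VNet and role names, and the two deployment switches are constructed placeholders.

```python
"""Effective-permission check for Reader at the subscription plus a custom role
on the pre-created gateway resource group, plus VNet-level extras.

Added example, not VMware code or Horizon Cloud tooling. All scopes and role
names below are constructed placeholders.
"""
import re


def matches(pattern, operation):
    """Azure-style match: '*' spans any characters (including '/'), case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role, operation):
    """Actions minus NotActions within one role definition."""
    return (any(matches(p, operation) for p in role.get("Actions", []))
            and not any(matches(p, operation) for p in role.get("NotActions", [])))


def scope_covers(assignment_scope, resource_scope):
    """A role assignment applies at its scope and is inherited by everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def is_allowed(assignments, operation, resource_scope):
    """Azure RBAC is additive: allowed if any assignment whose scope covers the
    target resource carries a role that allows the operation."""
    return any(scope_covers(a["scope"], resource_scope) and role_allows(a["role"], operation)
               for a in assignments)


# Constructed placeholder identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GATEWAY_RG = SUB + "/resourceGroups/hcs-gateway-rg"   # the pre-created named resource group
OTHER_RG = SUB + "/resourceGroups/unrelated-rg"       # any other resource group in the subscription
VNET = SUB + "/resourceGroups/network-rg/providers/Microsoft.Network/virtualNetworks/hcs-vnet"

READER = {"Name": "Reader", "Actions": ["*/read"]}     # the built-in Reader's Actions

# Table 3, without the conditional publicIPAddresses entry.
TABLE3_OPERATIONS = [
    "Microsoft.Authorization/*/read", "Microsoft.Compute/*/read",
    "Microsoft.Compute/availabilitySets/*", "Microsoft.Compute/disks/*",
    "Microsoft.Compute/images/*", "Microsoft.Compute/locations/*",
    "Microsoft.Compute/snapshots/*", "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Compute/virtualMachineScaleSets/*", "Microsoft.DBforPostgreSQL/*",
    "Microsoft.KeyVault/*/read", "Microsoft.KeyVault/vaults/*",
    "Microsoft.KeyVault/vaults/secrets/*", "Microsoft.Network/loadBalancers/*",
    "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
    "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*", "Microsoft.Resources/deployments/*",
    "Microsoft.Storage/*/read", "Microsoft.Storage/storageAccounts/*",
]


def build_assignments(horizon_creates_subnets=False, public_ip=False):
    """The three assignments of this layout; the two deployment-dependent extras are switches."""
    rg_actions = list(TABLE3_OPERATIONS)
    if public_ip:
        rg_actions.append("Microsoft.Network/publicIPAddresses/*")
    vnet_actions = ["Microsoft.Network/virtualNetworks/subnets/*",
                    "Microsoft.Network/networkSecurityGroups/*"]
    if horizon_creates_subnets:
        vnet_actions.append("Microsoft.Network/virtualNetworks/write")
    return [
        {"scope": SUB, "role": READER},
        {"scope": GATEWAY_RG, "role": {"Name": "Horizon Cloud Gateway RG", "Actions": rg_actions}},
        {"scope": VNET, "role": {"Name": "Horizon Cloud VNet", "Actions": vnet_actions}},
    ]


# (operation, target resource) pairs: what a gateway deployment does, and one thing it must not be able to do.
CHECKS = {
    "read VM anywhere": ("Microsoft.Compute/virtualMachines/read",
                         OTHER_RG + "/providers/Microsoft.Compute/virtualMachines/vm0"),
    "create NIC in gateway RG": ("Microsoft.Network/networkInterfaces/write",
                                 GATEWAY_RG + "/providers/Microsoft.Network/networkInterfaces/gw-nic0"),
    "create NIC in other RG": ("Microsoft.Network/networkInterfaces/write",
                               OTHER_RG + "/providers/Microsoft.Network/networkInterfaces/nic0"),
    "create subnet on VNet": ("Microsoft.Network/virtualNetworks/subnets/write", VNET + "/subnets/gw-subnet"),
    "write VNet itself": ("Microsoft.Network/virtualNetworks/write", VNET),
    "create public IP in gateway RG": ("Microsoft.Network/publicIPAddresses/write",
                                       GATEWAY_RG + "/providers/Microsoft.Network/publicIPAddresses/gw-pip"),
}


def evaluate(horizon_creates_subnets=False, public_ip=False):
    """Map each check name to whether the layout permits it."""
    assignments = build_assignments(horizon_creates_subnets, public_ip)
    return {name: is_allowed(assignments, op, res) for name, (op, res) in CHECKS.items()}


if __name__ == "__main__":
    for opts in ({}, {"horizon_creates_subnets": True, "public_ip": True}):
        print(opts or "defaults")
        for name, ok in evaluate(**opts).items():
            print("  " + ("allow" if ok else "deny ") + "  " + name)
```

With the defaults, NIC creation succeeds only inside the named resource group, subnet creation succeeds through the VNet-scoped assignment, and both Microsoft.Network/virtualNetworks/write and public IP creation are denied until the corresponding switch adds them, which mirrors the two conditional bullets above.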