Problem description
When using the APIM service, a dedicated group of users needs to be granted one specific permission: approving APIM users' subscriptions to products. This calls for a custom RBAC role, so what is the minimal set of Actions that satisfies the requirement?
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIn5GcuUDOzUTN0ETN50SM2cTM0ETN5ETMzUDMyIDMy0iMwgzNyEjMvwVNwIjMwIzLcJDM4cjMxIzLcd2bsJ2Lc12bj5ycn9Gbi52YuIjMwIzZtl2Lc9CX6MHc0RHaiojIsJye.png)
Answer
To approve APIM subscriptions, the role needs at least Microsoft.ApiManagement/service/subscriptions/write (write permission on subscriptions). It also needs Read permission on the APIM resource, its resource group, and the subscriptions themselves. Taken together, the required Actions are:
- Microsoft.ApiManagement/service/subscriptions/write
- Microsoft.ApiManagement/service/subscriptions/read
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.ApiManagement/service/read
When creating the custom RBAC role in the Azure portal, the custom JSON content is:

```json
{
  "properties": {
    "roleName": "APIM Only Approval Subscription User",
    "description": "APIM Only Approval Subscription User",
    "assignableScopes": [
      "/subscriptions/<your azure subscription ID>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.ApiManagement/service/subscriptions/write",
          "Microsoft.ApiManagement/service/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.ApiManagement/service/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
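As an added least-privilege check (example code, not part of the original post), the Python below audits a portal-style role document like the one above against the minimal action list: it expands Azure's `*` wildcard in action patterns, honours `notActions`, and reports any required action the role lacks plus any action from a constructed probe list (delete, service write, role-assignment write) that the role grants beyond the minimum. The over-broad `Microsoft.ApiManagement/*` variant and the probe list are constructed for comparison.

```python
"""Audit an Azure custom role document against the minimal APIM approver action set."""
import re

REQUIRED = {
    "Microsoft.ApiManagement/service/subscriptions/write",
    "Microsoft.ApiManagement/service/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ApiManagement/service/read",
}
# Constructed probe list: actions an approver should not receive (not exhaustive).
PROBE_EXTRA = {
    "Microsoft.ApiManagement/service/subscriptions/delete",
    "Microsoft.ApiManagement/service/write",
    "Microsoft.ApiManagement/service/delete",
    "Microsoft.Authorization/roleAssignments/write",
}

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action patterns: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted(role: dict, action: str) -> bool:
    """Effective when some 'actions' entry covers the action and no 'notActions' entry does."""
    perms = role["properties"]["permissions"]
    allowed = any(action_matches(p, action) for perm in perms for p in perm.get("actions", []))
    denied = any(action_matches(p, action) for perm in perms for p in perm.get("notActions", []))
    return allowed and not denied

def audit(role: dict) -> dict:
    """Report missing required actions, granted probe actions, and whether scopes are set."""
    return {
        "missing": sorted(a for a in REQUIRED if not granted(role, a)),
        "excess": sorted(a for a in PROBE_EXTRA if granted(role, a)),
        "scoped": bool(role["properties"].get("assignableScopes")),
    }

def make_role(actions, not_actions=()) -> dict:
    """Build a portal-style custom role document (same shape as the page's JSON)."""
    return {"properties": {
        "roleName": "APIM Only Approval Subscription User",
        "assignableScopes": ["/subscriptions/<your azure subscription ID>"],
        "permissions": [{"actions": list(actions), "notActions": list(not_actions),
                         "dataActions": [], "notDataActions": []}]}}

MINIMAL_ROLE = make_role(sorted(REQUIRED))                       # the page's role
BROAD_ROLE = make_role(["Microsoft.ApiManagement/*",             # constructed: wildcard
                        "Microsoft.Resources/subscriptions/resourceGroups/read"])

if __name__ == "__main__":
    for name, role in (("minimal", MINIMAL_ROLE), ("broad", BROAD_ROLE)):
        print(name, audit(role))
```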
Once the role is created, the result is as follows:
References
Create Azure custom roles using the Azure portal: https://docs.microsoft.com/zh-cn/azure/role-based-access-control/custom-roles-portal
When facing problems in a complex environment, the way of investigating things requires: let the muddy settle and it slowly clears; stir the still and it slowly comes to life. In the cloud, it is exactly so!