Azure RBAC 是附加的还是最少允许的角色获胜?
Are Azure RBAC additive or the least permissible role wins?
我想知道 Azure RBAC 资源角色的作用。如果说我在存储帐户级别分配了一个“存储 blob 数据贡献者”角色,并在容器级别分配了一个“存储 blob reader 角色”,那么哪个将生效,容器角色还是一组在存储帐户层,因为它处于更高级别?
Azure RBAC 角色是附加的。来自这个link
:
So what happens if you have multiple overlapping role assignments?
Azure RBAC is an additive model, so your effective permissions are the
sum of your role assignments. Consider the following example where a
user is granted the Contributor role at the subscription scope and the
Reader role on a resource group. The sum of the Contributor
permissions and the Reader permissions is effectively the Contributor
role for the subscription. Therefore, in this case, the Reader role
assignment has no impact.
在您的情况下,如果您在存储帐户级别分配了“存储 Blob 数据贡献者”角色,并在容器级别分配了“存储 Blob Reader 角色”,则用户将具有“容器级别的存储 Blob 数据贡献者”角色。
我想知道 Azure RBAC 资源角色的作用。如果说我在存储帐户级别分配了一个“存储 blob 数据贡献者”角色,并在容器级别分配了一个“存储 blob reader 角色”,那么哪个将生效,容器角色还是一组在存储帐户层,因为它处于更高级别?
Azure RBAC 角色是附加的。来自这个link
:
So what happens if you have multiple overlapping role assignments? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. Therefore, in this case, the Reader role assignment has no impact.
在您的情况下,如果您在存储帐户级别分配了“存储 Blob 数据贡献者”角色,并在容器级别分配了“存储 Blob Reader 角色”,则用户将具有“容器级别的存储 Blob 数据贡献者”角色。