Azure 角色分配优先级
Azure role assignment precedence
假设用户分配了以下角色结构。
- 订阅范围的贡献者
- Reader 在资源组范围内。此资源组已订阅。
- Cosmos DB 帐户 Reader 在第 2 点的资源组内的 cosmos db 上的角色
用户可以对 cosmos db 进行写操作吗?
我找不到关于此用例的任何文档。
Can the user do write operations on cosmos db ?
是,因为用户在订阅级别处于 Contributor 角色,而 Azure RBAC 是一种附加模型,其中有效权限是根据所有角色分配计算的。从这个 link:
Multiple role assignments
So what happens if you have multiple overlapping role assignments?
Azure RBAC is an additive model, so your effective permissions are the
sum of your role assignments. Consider the following example where a
user is granted the Contributor role at the subscription scope and the
Reader role on a resource group. The sum of the Contributor
permissions and the Reader permissions is effectively the Contributor
role for the subscription. Therefore, in this case, the Reader role
assignment has no impact.
假设用户分配了以下角色结构。
- 订阅范围的贡献者
- Reader 在资源组范围内。此资源组已订阅。
- Cosmos DB 帐户 Reader 在第 2 点的资源组内的 cosmos db 上的角色
用户可以对 cosmos db 进行写操作吗?
我找不到关于此用例的任何文档。
Can the user do write operations on cosmos db ?
是,因为用户在订阅级别处于 Contributor 角色,而 Azure RBAC 是一种附加模型,其中有效权限是根据所有角色分配计算的。从这个 link:
Multiple role assignments
So what happens if you have multiple overlapping role assignments? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. Therefore, in this case, the Reader role assignment has no impact.