所有者可以删除 Azure 中的只读锁或非删除锁吗?
Can an owner remove a read-only or non-delete lock in Azure?
我对 Azure 资源块有疑问。通过向资源添加只读或非删除锁,当您点击删除时,它无法被删除。所以我的问题是,所有者可以删除该锁吗?是否可以让主人也无法取下锁?
Who can create or delete locks
To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
来源:Lock resources to prevent unexpected changes - Who can create or delete locks.
简而言之:答案是否定的。
此外,owner 是 Azure 中最有特权的角色,因为它
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
来源:Azure built-in roles - All.
如果您按照 Principal of Least Privilege 工作,则应限制 Azure 订阅的所有者数量。
The Owner role grant full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.
我对 Azure 资源块有疑问。通过向资源添加只读或非删除锁,当您点击删除时,它无法被删除。所以我的问题是,所有者可以删除该锁吗?是否可以让主人也无法取下锁?
Who can create or delete locks
To create or delete management locks, you must have access to
Microsoft.Authorization/*orMicrosoft.Authorization/locks/*actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
来源:Lock resources to prevent unexpected changes - Who can create or delete locks.
简而言之:答案是否定的。
此外,owner 是 Azure 中最有特权的角色,因为它
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
来源:Azure built-in roles - All.
如果您按照 Principal of Least Privilege 工作,则应限制 Azure 订阅的所有者数量。
The Owner role grant full access to manage all resources, including the ability to assign roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner.