限制标签值修改 [英] Restrict tag value modification
问题描述
您好,
我正在写信,请求您就Azure重要主题提供帮助。
I am writing to ask your assistance regarding an important Azure topic.
场景1:
我在Azure中有30个不同的资源在订阅的不同资源组中。所有资源都有一个标记(所有者)。如果所有者标记的值是用户名,则唯一能够修改所有者标记的用户是用户名为
的用户,该用户的所有者标记的值等于。当然,如果user1将所有者标记的值修改为另一个现有用户名(user2),则user1将无法修改所有者标记的值。在这种情况下,唯一可以修改所有者标记值的人是user2。
是否可以在任何Azure资源上限制标记值修改?
I have 30 different resources in Azure in different resource groups in a subscription. There is a tag (owner) on all resources. If the value of owner tag is a username the only person who will be able to modify the owner tag is the user whose username is
equal the owner tag's value. Of course if user1 modified the owner tag's value to another existing username (user2) user1 wouldn't be able to modify the owner tag's value. In this case the only person who could modify the owner tag's value is user2.
Is it possible to restrict tag value modification at any Azure resources?
场景2:
我在Azure中有30个不同的资源在订阅的不同资源组中。我创建了一个自定义角色(ops-role),它在Azure中具有与贡献者类似的权限,但此角色没有权限来修改标记和标记的值。
然后我创建另一个自定义角色(tagger-role),它只有(或几乎只有)标签修改权限。
是否可以在Azure中创建这些角色?
I have 30 different resources in Azure in different resource groups in a subscription. I create a custom role (ops-role) which has similar privileges in Azure than a Contributor except this role doesn't have privilege to modify the tags and tags' value. Then I create a another custom role (tagger-role) which has only (or almost only) tag modification privileges. Is it possible to create these roles in Azure?
我需要第1个解决方案或第二种情况。我想限制Azure资源上的标签修改。
I need a solution for the 1st or the 2nd scenario. I would like to restrict the tags modification on the Azure resources.
如有任何问题,请随时与我们联系。
Feel free to get in touch with any questions.
感谢您对此事的帮助。
最诚挚的问候,
Tibor
推荐答案
如果您看一下本文,我们将讨论修改标签所需的角色
If you take a look at this article we discuss the roles needed to modify tags
https://docs.microsoft.com/en-us/azure/azure-resource-manager / resource-group-using-tags
要将标记应用于资源,用户必须具有对该资源类型的写入权限。要将标记应用于所有资源类型,请使用 贡献者  作用。
要将标记仅应用于一种资源类型,请使用该资源的参与者角色。例如,要将标记应用于虚拟机,请使用 虚拟
机器贡献者 。
因此,为了修改资源的标签,特定的人有很多贡献者分配给该资源的角色。例如:
So, in order to modify tags of a resource that specific person much have some contributor role assigned to that resource. So for example:
第1人拥有对资源1的贡献者访问权限。人员1可以将标记应用于此资源
Person 1 has contributor access to Resource 1. Person 1 can apply tags to this resource
第2个人拥有贡献者访问权限资源2.人员2可以将标签应用于此资源
Person 2 has contributor access to Resource 2. Person 2 can apply tags to this resource
人员1无法将标签应用于资源2.
Person 1 cannot apply tags to resource 2.
人员2无法将标签应用于资源1.
Person 2 cannot apply tags to resource 1.
根据我们现有的角色,没有一个只允许用户修改标签的角色。因此,您必须确定将标记添加到资源所需的最少访问量,如贡献者角色中所述。我没有办法限制这个
比设计更多。
Based on the current roles we have there is not one that only allows users to modify tags. So you would have to determine the least amount of access needed to add a tag to a resource which as mentioned in a contributor role. I don't see a way to limit this any more than designed.
这篇关于限制标签值修改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
