上一篇文章介绍了Azure基于ARM的RBAC，给不同的用户分配不同的权限。

但目前在国内使用的大部分用户还是以ASM的资源为主。比如：VM、Storage、Network、WebAPP、SQL Azure等等。

如果客户希望对这些资源给不同用户授予不同的权限，基于ARM的RBAC是否可以实现呢？

基于ARM的RBAC是可以对ASM的资源进行授权管理的。

本文将以VM为例子，介绍如何针对ASM中的资源进行授权的配置和管理。

1 建ASM的虚拟机

通过老portal管理界面：

创建两台虚拟机，如下图：

2 创建用户和Role

根据前一篇文章介绍的方法，新建一个vmops@xxxx.partner.onmschina.cn的账户，同时新建一个Virtual Machine Operator的Role。

具体方法请参考前面一篇文章：

Virtual Machine Operator拥有的权限如下，查询命令采用的是Azure CLI：

azure role show "Virtual Machine Operator" --json[{"Name": "Virtual Machine Operator","Actions": ["Microsoft.Authorization/*/read","Microsoft.ClassicCompute/*/read","Microsoft.ClassicCompute/virtualMachines/attachDisk/action","Microsoft.ClassicCompute/virtualMachines/detachDisk/action","Microsoft.ClassicCompute/virtualMachines/downloadRemoteDesktopConnectionFile/action","Microsoft.ClassicCompute/virtualMachines/restart/action","Microsoft.ClassicCompute/virtualMachines/shutdown/action","Microsoft.ClassicCompute/virtualMachines/start/action","Microsoft.ClassicCompute/virtualMachines/stop/action","Microsoft.Compute/*/read","Microsoft.Compute/virtualMachines/deallocate/action","Microsoft.Compute/virtualMachines/powerOff/action","Microsoft.Compute/virtualMachines/restart/action","Microsoft.Compute/virtualMachines/start/action","Microsoft.Insights/alertRules/*","Microsoft.Network/*/read","Microsoft.Network/*/read","Microsoft.Resources/subscriptions/resourceGroups/read","Microsoft.Storage/*/read","Microsoft.Storage/*/read"],"NotActions": [],"Id": "xxxx","AssignableScopes": ["/subscriptions/xxxx","/subscriptions/xxxx"],"Description": "Can monitor and start stop or restart virtual machines.","IsCustom": "true"}]

其中Microsoft.ClassicCompute指的就是基于ASM的VM资源。通过Powershell命令或CLI命令可以看到相关信息：

azure provider listinfo: Executing command provider list+ Getting ARM registered providersdata: Namespace Registereddata: -------------------------------------- -------------data: Microsoft.ApiManagement Registereddata: Microsoft.Batch Registereddata: Microsoft.Cache Registereddata: Microsoft.ClassicCompute Registereddata: Microsoft.ClassicNetwork Registereddata: Microsoft.ClassicStorage Registereddata: Microsoft.Compute Registereddata: Microsoft.Devices Registereddata: Microsoft.DocumentDB Registereddata: Microsoft.EventHub Registereddata: Microsoft.HDInsight Registeringdata: Microsoft.insights Registereddata: Microsoft.MySql Registereddata: Microsoft.Network Registeringdata: Microsoft.SiteRecovery Registereddata: Microsoft.Sql Registereddata: Microsoft.Storage Registereddata: Microsoft.StreamAnalytics Registereddata: Microsoft.Web Registereddata: Microsoft.Authorization Registereddata: Microsoft.ClassicInfrastructureMigrate NotRegistereddata: Microsoft.CognitiveServices NotRegistereddata: Microsoft.Features Registereddata: Microsoft.KeyVault NotRegistereddata: Microsoft.Media NotRegistereddata: Microsoft.Portal NotRegistereddata: Microsoft.Resources Registereddata: Microsoft.Scheduler Registereddata: Microsoft.ServiceBus NotRegistereddata: Microsoft.ServiceFabric NotRegisteredinfo: provider list command OK

或：

Get-AzureRmResourceProvider | ft ProviderNamespaceProviderNamespace-----------------Microsoft.ApiManagementMicrosoft.BatchMicrosoft.CacheMicrosoft.ClassicComputeMicrosoft.ClassicNetworkMicrosoft.ClassicStorageMicrosoft.ComputeMicrosoft.DevicesMicrosoft.DocumentDBMicrosoft.EventHubmicrosoft.insightsMicrosoft.MySqlMicrosoft.SiteRecoveryMicrosoft.SqlMicrosoft.StorageMicrosoft.StreamAnalyticsMicrosoft.WebMicrosoft.AuthorizationMicrosoft.FeaturesMicrosoft.ResourcesMicrosoft.Scheduler

 

3 把用户和Role关联

在新Portal上：

使用Admin登陆后，对两台虚拟机进行权限分配：

将vmops用户对这台虚拟机的管理角色分配为Virtual Machine Operator。

4 测试

使用vmops登陆后，对这两台虚拟机进行操作：

发现只有前面对ClassComputer拥有的Start、Stop、restart、connect权限。

而admin拥有的权限有：Start、Stop、restart、connect、Caputre、Reset Remote Access、Delete。如下图：

总结：

通过对ClassComputer的资源进行操作的授权，可以控制用户对ASM VM的操作权限。