Review the permissions required, and the permissions granted, when deploying resources and connecting an Azure subscription to TrendAI Vision One™.
The following permissions are required to successfully deploy TrendAI Vision One™ Cloud Security resources to your Azure subscription.
Note
The permissions listed here are those required for a single Azure subscription. If you are deploying to an Azure management group, see Required permissions for Azure management groups.
  • For Microsoft Entra ID users, your login must have the following roles:
    • Application Administrator
    • Privileged Role Administrator
  • For Microsoft Azure users, the account you sign in with must have the following roles, or higher, in the subscription you are connecting:
    • User Access Administrator
    • Contributor
  • To enable Microsoft Defender for Endpoint collection or Azure Activity Logs, your Microsoft Azure login must have the following role:
    • Key Vault Secrets Officer
The Terraform process assigns certain permissions to itself in order to establish the connection between Cloud Accounts and the TrendAI Vision One™ cloud security services. These permissions allow the Cloud Accounts app and the security services to obtain temporary credentials and complete their tasks in your Azure cloud environment.
Select a feature to view its required permissions:

Core features

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
  • Microsoft.ContainerService/managedClusters/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read
  • */read
API permissions
  • Azure Active Directory Graph (4)
    • Directory.Read.All | Delegated
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
  • Microsoft Graph (4)
    • Directory.Read.All | Application
    • User.Read | Delegated
    • User.Read.All | Delegated
    • User.Read.All | Application

Server & Workload Protection

Permission category
Required permissions
Subscription permissions
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/providers/read
  • Microsoft.Resources/resources/read
Virtual machine (VM) permissions
  • Microsoft.Compute/virtualMachines/read
Virtual Machine Scale Set (VMSS) permissions
  • Microsoft.Compute/virtualMachineScaleSets/read
Classic virtual machine (VM) permissions
  • Microsoft.ClassicCompute/virtualMachines/read
  • Microsoft.ClassicCompute/domainNames/read
Network permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/virtualNetworks/read
Azure Metadata API permissions
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Compute/locations/read
Authentication and IAM permissions
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleDefinitions/read

Cloud Security Posture

Permission category
Required permissions
requiredResourceAccess
  • resourceAppName: Microsoft Graph
  • Resource access:
    • Name: User.Read
    • Type: Delegated
    • Name: User.Read.All
    • Type: Delegated
    • Name: Directory.Read.All
    • Type: Application
    • Name: User.Read.All
    • Type: Application
    • Name: Policy.Read.All
    • Type: Application
requiredRoleAccess
  • resourceAppName: Microsoft App Configuration
    Role actions:
    • 名稱:Microsoft.AppConfiguration/configurationStores/ListKeyValue/action
  • resourceAppName: Microsoft Network
    Role actions:
    • 名稱:Microsoft.Network/networkWatchers/queryFlowLogStatus/action
  • resourceAppName: Microsoft Web
    Role actions:
    • 名稱:Microsoft.Web/sites/config/list/Action
  • resourceAppName: Microsoft Key Vault
    Data actions:
    • 名稱:Microsoft.KeyVault/vaults/keys/read
    • 名稱:Microsoft.KeyVault/vaults/secrets/readMetadata/action
requiredTenantScopeRoleAccess
  • resourceAppName: Microsoft Management
    Role actions:
    • 名稱:Microsoft.Management/managementGroups/read

Agentless Vulnerability & Threat Detection

Permission category
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.ContainerRegistry/registries/generateCredentials/action
  • Microsoft.ContainerRegistry/registries/read
  • Microsoft.ContainerRegistry/registries/pull/read
  • Microsoft.ContainerRegistry/registries/tokens/write
  • Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
  • Microsoft.ContainerRegistry/registries/scopeMaps/read
  • Microsoft.ContainerRegistry/registries/tokens/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/virtualMachines//read
  • Microsoft.HybridCompute/machines//read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Quota/quotas/read
TrendAI™ resource group permissions
Azure built-in role: Contributor
  • Actions:
    • Allow Actions:*
  • NotActions:
    • Microsoft.Authorization/*/Delete
    • Microsoft.Authorization/*/Write
    • Microsoft.Authorization/elevateAccess/Action
    • Microsoft.Blueprint/blueprintAssignments/write
    • Microsoft.Blueprint/blueprintAssignments/delete
    • Microsoft.Compute/galleries/share/action
    • Microsoft.Purview/consents/write
    • Microsoft.Purview/consents/delete
    • Microsoft.Resources/deploymentStacks/manageDenySetting/action
    • Microsoft.Subscription/cancel/action
    • Microsoft.Subscription/enable/action
Azure built-in role: AcrPull
  • Microsoft.ContainerRegistry/registries/pull/read
Azure built-in role: Storage Blob Data Owner
  • Microsoft.Storage/storageAccounts/blobServices/containers/*
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
TrendAI™ storage identity permissions
Azure built-in role: Storage Blob Data Reader
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
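The Contributor role above grants `*` but subtracts the NotActions list, so it is worth checking which of the ARM permissions listed for this feature it actually covers. The following is an added example, not part of this page or of Trend Micro's tooling: it evaluates Azure RBAC control-plane actions against a role definition using Azure's wildcard and case-insensitive matching rules, with the Contributor definition and a subset of the agentless ARM permissions taken from the lists above.

```python
import re

# Azure built-in Contributor role as listed on this page (Actions / NotActions).
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Purview/consents/write",
        "Microsoft.Purview/consents/delete",
        "Microsoft.Resources/deploymentStacks/manageDenySetting/action",
        "Microsoft.Subscription/cancel/action",
        "Microsoft.Subscription/enable/action",
    ],
}

# Subset of the ARM permissions listed above for agentless scanning (constructed sample).
AGENTLESS_ARM_ACTIONS = [
    "Microsoft.ContainerRegistry/registries/read",
    "Microsoft.ContainerRegistry/registries/tokens/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Quota/quotas/read",
]

def matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'),
    and operation strings compare case-insensitively."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, action.lower()) is not None

def role_permits(role: dict, action: str) -> bool:
    """A control-plane action is effective only if some Actions pattern grants it
    and no NotActions pattern excludes it. DataActions are not modelled here."""
    granted = any(matches(p, action) for p in role.get("Actions", []))
    excluded = any(matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def missing_actions(role: dict, required: list) -> list:
    """Required actions the role does not cover; the gap must come from another role."""
    return [a for a in required if not role_permits(role, a)]
```

Running `missing_actions(CONTRIBUTOR, AGENTLESS_ARM_ACTIONS)` returns the two `roleAssignments/write` and `roleAssignments/delete` actions, which is why the page also requires User Access Administrator rather than Contributor alone.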

Data Security Posture

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkSecurityGroups/write
  • Microsoft.Network/networkSecurityGroups/delete
  • Microsoft.Network/networkSecurityGroups/securityRules/read
  • Microsoft.Network/networkSecurityGroups/securityRules/write
  • Microsoft.Network/networkSecurityGroups/securityRules/delete
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.Automation/automationAccounts/read
  • Microsoft.Automation/automationAccounts/write
  • Microsoft.Automation/automationAccounts/delete
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Automation/automationAccounts/webhooks/read
  • Microsoft.Automation/automationAccounts/webhooks/write
  • Microsoft.Automation/automationAccounts/webhooks/delete
  • Microsoft.Insights/actionGroups/read
  • Microsoft.Insights/actionGroups/write
  • Microsoft.Insights/actionGroups/delete
  • Microsoft.Automation/automationAccounts/python3Packages/read
  • Microsoft.Automation/automationAccounts/python3Packages/write
  • Microsoft.Automation/automationAccounts/python3Packages/delete
  • Microsoft.Automation/automationAccounts/runbooks/read
  • Microsoft.Automation/automationAccounts/runbooks/write
  • Microsoft.Automation/automationAccounts/runbooks/delete
  • Microsoft.Automation/automationAccounts/jobSchedules/read
  • Microsoft.Automation/automationAccounts/jobSchedules/write
  • Microsoft.Automation/automationAccounts/jobSchedules/delete
  • Microsoft.Network/publicIPAddresses/read
  • Microsoft.Network/publicIPAddresses/write
  • Microsoft.Network/publicIPAddresses/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/write
  • Microsoft.Network/virtualNetworks/subnets/delete
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Network/bastionHosts/read
  • Microsoft.Network/bastionHosts/write
  • Microsoft.Network/bastionHosts/delete

File Storage Security

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.Authorization/roleAssignments/read
  • Microsoft.Authorization/roleAssignments/write
  • Microsoft.Authorization/roleAssignments/delete
  • Microsoft.Authorization/roleDefinitions/read
  • Microsoft.Authorization/roleDefinitions/write
  • Microsoft.Authorization/roleDefinitions/delete
  • Microsoft.EventGrid/eventSubscriptions/read
  • Microsoft.EventGrid/eventSubscriptions/write
  • Microsoft.EventGrid/eventSubscriptions/delete
  • Microsoft.EventGrid/systemTopics/read
  • Microsoft.EventGrid/systemTopics/write
  • Microsoft.EventGrid/systemTopics/delete
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/read
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/write
  • Microsoft.EventGrid/systemTopics/eventSubscriptions/delete
  • Microsoft.Insights/components/read
  • Microsoft.Insights/components/write
  • Microsoft.Insights/components/delete
  • Microsoft.Insights/components/currentbillingfeatures/read
  • Microsoft.Insights/components/currentbillingfeatures/write
  • Microsoft.KeyVault/locations/deletedVaults/purge/action
  • Microsoft.KeyVault/locations/operationResults/read
  • Microsoft.KeyVault/vaults/read
  • Microsoft.KeyVault/vaults/write
  • Microsoft.KeyVault/vaults/delete
  • Microsoft.KeyVault/vaults/accessPolicies/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/read
  • Microsoft.ManagedIdentity/userAssignedIdentities/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/delete
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
  • Microsoft.OperationalInsights/workspaces/read
  • Microsoft.OperationalInsights/workspaces/write
  • Microsoft.OperationalInsights/workspaces/delete
  • Microsoft.Resources/deployments/read
  • Microsoft.Resources/deployments/write
  • Microsoft.Resources/deployments/delete
  • Microsoft.Resources/deployments/operations/read
  • Microsoft.Resources/deployments/operationstatuses/read
  • Microsoft.Resources/resources/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/write
  • Microsoft.Resources/subscriptions/resourceGroups/delete
  • Microsoft.ServiceBus/namespaces/read
  • Microsoft.ServiceBus/namespaces/write
  • Microsoft.ServiceBus/namespaces/delete
  • Microsoft.ServiceBus/namespaces/networkRuleSets/read
  • Microsoft.ServiceBus/namespaces/queues/read
  • Microsoft.ServiceBus/namespaces/queues/write
  • Microsoft.ServiceBus/namespaces/queues/delete
  • Microsoft.ServiceBus/namespaces/topics/read
  • Microsoft.ServiceBus/namespaces/topics/write
  • Microsoft.ServiceBus/namespaces/topics/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/delete
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/read
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/write
  • Microsoft.ServiceBus/namespaces/topics/subscriptions/rules/delete
  • Microsoft.Storage/register/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/delete
  • Microsoft.Storage/storageAccounts/listKeys/action
  • Microsoft.Storage/storageAccounts/blobServices/read
  • Microsoft.Storage/storageAccounts/blobServices/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/delete
  • Microsoft.Storage/storageAccounts/fileServices/read
  • Microsoft.Storage/storageAccounts/fileServices/write
  • Microsoft.Web/serverfarms/read
  • Microsoft.Web/serverfarms/write
  • Microsoft.Web/serverfarms/delete
  • Microsoft.Web/sites/read
  • Microsoft.Web/sites/write
  • Microsoft.Web/sites/delete
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/read
  • Microsoft.Web/sites/basicPublishingCredentialsPolicies/write
  • Microsoft.Web/sites/config/read
  • Microsoft.Web/sites/config/write
  • Microsoft.Web/sites/config/list/Action
  • Microsoft.Web/sites/functions/read
  • Microsoft.Web/sites/functions/listkeys/action
  • Microsoft.Web/sites/host/listkeys/Action
  • Microsoft.Web/sites/publishxml/read
Data actions
  • Microsoft.KeyVault/vaults/secrets/*
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
  • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action

Cloud detections for Azure Activity Logs

Permission type
Required permissions
No permissions required.

Microsoft Defender for Endpoint log collection

Permission type
Required permissions
Azure Resource Manager (ARM) permissions
  • Microsoft.KeyVault/vaults/secrets/read
  • Microsoft.KeyVault/vaults/secrets/write