0

I know that Azure AD app roles or group memberships can be used to implement RBAC. Do these two options have a more granular approach to roles?

Ex: We have tables called users, locations, teams, skills, campaigns etc and would like to be able to control access to view, edit, create, delete permissions on these entities for every user in the system.

Also, is there an option to create a profile of permissions on entities and then assign them to users in Azure AD? The idea is to define a common set of permissions and assign them to a set of users.

Thanks!

I read the MSFT documentation on App Roles and Group Memberships and couldn't find documentation for granular permission setup.

Sandeep C
  • 13
  • 3

1 Answers1

0

App Roles are the way to go in Azure AD but there is no hierarchical structure available. So, you would just have to create a new role that encompasses multiple permissions as per your requirements.

For example, to control access to a certain table (say Users), you could define App Roles like this

  • Users.Read : Read Access
  • Users.ReadWrite: Read and Write Access
  • Users.Export : Access to export data in bulk
  • Users.Manage : Access to manage metadata
  • Users.Admin : Access to all the above

Similarly, you would create a new app role that would be used to provide access to multiple parts of your application.

While this simple as there is little development effort required, if this doesn't work for you, you would have to roll out your own custom data store that manages the permissions for you, and you would your own service to validate requests.

You could also explore options like Open Policy Agent or casbin, both of which are open-source policy engines that can be used for custom RBAC.

PramodValavala
  • 6,026
  • 1
  • 11
  • 30