Role-Based Access Control
This section describes the design decisions associated with Role Based Access Control (RBAC) for system(s) built using ASD's Blueprint for Secure Cloud.
Role-Based Access Control (RBAC) defines what an end user or administrator can do. In relation to system administration, RBAC provides various roles each of which can only perform certain tasks. For example, help desk staff may be able to only view certain resources, whereas system administrators could view, create, and delete those resources.
Privileged Identity Management (PIM) can be leveraged to enhance the RBAC model available within Microsoft Entra ID. PIM is an implementation of Just-in-time (JIT) access, which ensures that an administrative account only has privileges when required to complete a function, and aligns to the principle of Zero Standing Privilege.
Each PIM role assignment can have the following attributes:
- Activation Duration - the Activation Duration attribute specifies how long an approved access request remains active; the maximum is 72 hours.
- Approver - the Approver attribute specifies the person or people who can approve role activation requests.
- Notification - the Notification attribute specifies that an email notification is sent when a request is pending approval.
- Incident Request Ticket - the Incident Request Ticket attribute specifies that the approver must add an incident ticket number to the approval request.
- Multi-factor Authentication (MFA) - the MFA attribute specifies whether MFA is required for activation.
Microsoft Entra ID roles can be assigned via PIM to various scope types, depending on the specific role being assigned. Scope types include:
- Directory - Roles that apply permissions across the entire Microsoft Entra ID tenant.
- Administrative Unit - Configurable by administrators to segregate permissions within the organisation into specific business units or locations.
- Application - A specific application registered to Microsoft Entra ID.
- Service Principal - Including registered applications, managed identities and legacy apps.
Note
Only specific Microsoft Entra ID roles can be assigned to the Administrative Unit scope type.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Role Based Management | Least Privilege, using PIM | PIM will be utilised to provide Just-in-Time role-based management to ensure elevated access is only provided when required. |
PIM Roles | Authentication Administrator, Azure Information Protection Administrator, Global Administrator, Exchange Administrator, Helpdesk Administrator, Intune Administrator, Office Apps Administrator, Power BI Administrator, Power Platform Administrator, Privileged Role Administrator, Security Administrator, Security Operator, SharePoint Administrator, Teams Communications Administrator, Teams Communications Support Engineer, Teams Communications Support Specialist, Teams Administrator, User Account Administrator | The configured PIM roles align to the services utilised within the solution. |
PIM approval | Automatic approval for all roles except for Global Administrator | Approval will only be required for Global Administrators. |
PIM assignment type | Eligible (for supported roles) | Roles should be assigned as “eligible” for supported roles as per the ASD’s Essential Eight guidance for restricting administrative privilege (just-in-time administration). Note that some roles, such as SharePoint Administrators and Device Administrators, can experience some delays in applying using PIM. |
PIM assignment period | 12 Months | Assignment of all roles within PIM for a maximum of 12 months as per the ASD’s Essential Eight guidance for restricting administrative privilege. |
Activation duration | 8 hours | The activation duration will be one workday to ensure that administrative actions are not impeded. |
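The design decisions above can be checked mechanically against the PIM settings actually configured in a tenant. The following is an added example, not part of the Blueprint: it audits a constructed list of per-role settings (field names are assumptions, chosen to mirror the attributes listed earlier) against the eligible-assignment, 12-month, 8-hour, MFA and Global Administrator approval decisions, with durations expressed as ISO 8601 strings as PIM policy rules use them.

```python
"""Audit PIM role settings against the Blueprint's RBAC design decisions.

Added example (not Blueprint code). Input field names are assumptions;
durations are ISO 8601 (PT8H, P365D) as used by PIM policy rules.
"""
import re
from datetime import timedelta

# Design decisions from the table above.
MAX_ACTIVATION = timedelta(hours=8)      # activation duration: 8 hours
MAX_ASSIGNMENT = timedelta(days=365)     # assignment period: 12 months
APPROVAL_REQUIRED_FOR = {"Global Administrator"}  # only GA needs approval

def parse_duration(value):
    """Parse a subset of ISO 8601 durations: PnD, PTnH, PnDTnH."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    days, hours = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours)

def audit_role(s):
    """Return the list of deviations for one role; empty means compliant."""
    role, findings = s["role"], []
    if s["assignment_type"] != "eligible":
        findings.append(f"{role}: assignment type is {s['assignment_type']}, expected eligible")
    if parse_duration(s["assignment_duration"]) > MAX_ASSIGNMENT:
        findings.append(f"{role}: assignment period exceeds 12 months")
    if parse_duration(s["activation_duration"]) > MAX_ACTIVATION:
        findings.append(f"{role}: activation duration exceeds 8 hours")
    if not s["mfa_on_activation"]:
        findings.append(f"{role}: MFA not required for activation")
    needs_approval = role in APPROVAL_REQUIRED_FOR
    if s["approval_required"] != needs_approval:
        findings.append(f"{role}: approval_required should be {needs_approval}")
    return findings

def audit(settings):
    """Audit every role and return all findings in one flat list."""
    return [f for s in settings for f in audit_role(s)]

# Constructed sample: one compliant role and one that has drifted.
SAMPLE = [
    {"role": "Global Administrator", "assignment_type": "eligible",
     "assignment_duration": "P365D", "activation_duration": "PT8H",
     "mfa_on_activation": True, "approval_required": True},
    {"role": "Exchange Administrator", "assignment_type": "active",
     "assignment_duration": "P730D", "activation_duration": "PT24H",
     "mfa_on_activation": False, "approval_required": False},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the block prints four findings for the drifted Exchange Administrator role and none for Global Administrator.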
Related information
Security & Governance
Design
Configuration
- None identified