ASD's Blueprint for Secure Cloud

Role-Based Access Control

This section describes the design decisions associated with Role Based Access Control (RBAC) for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

Role-Based Access Control (RBAC) defines what an end user or administrator can do. In relation to system administration, RBAC provides various roles each of which can only perform certain tasks. For example, help desk staff may be able to only view certain resources, whereas system administrators could view, create, and delete those resources.

Privileged Identity Management (PIM) can be leveraged to enhance the RBAC model available within Microsoft Entra ID. PIM is an implementation of Just-in-time (JIT) access, which ensures that an administrative account only has privileges when required to complete a function, and aligns to the principle of Zero Standing Privilege.

Each PIM role assignment can have the following attributes:

  • Activation Duration - the Activation Duration attribute specifies the duration to allow the access request, the maximum is 72 hours.
  • Approver - the Approver attribute specifies the person or people who can approve role activation requests.
  • Notification - the Notification attribute specifies that a pending request is awaiting approval via email.
  • Incident Request Ticket - the Incident Request Ticket attribute specifies that the approver add an incident ticket number to the approval request.
  • Multi-factor Authentication (MFA) - the MFA attribute specifies whether MFA is required for activation.

Microsoft Entra ID roles can be assigned via PIM to various scope types, depending on the specific role being assigned. Scope types include:

  • Directory - Roles that apply permissions across the entire Microsoft Entra ID tenant.
  • Administrative Unit - Configurable by administrators to segregate permissions within organisation into specific business units or locations.
  • Application - A specific application registered to Microsoft Entra ID.
  • Service Principal - Including registered applications, managed identities and legacy apps.

Security & Governance



  • None identified


Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra