Role-Based Access Control
This section describes the design decisions associated with Role Based Access Control (RBAC) for system(s) built using ASD's Blueprint for Secure Cloud.
Role-Based Access Control (RBAC) defines what an end user or administrator can do. In relation to system administration, RBAC provides various roles each of which can only perform certain tasks. For example, help desk staff may be able to only view certain resources, whereas system administrators could view, create, and delete those resources.
Privileged Identity Management (PIM) can be leveraged to enhance the RBAC model available within Microsoft Entra ID. PIM is an implementation of Just-in-time (JIT) access, which ensures that an administrative account only has privileges when required to complete a function, and aligns to the principle of Zero Standing Privilege.
Each PIM role assignment can have the following attributes:
- Activation Duration - the Activation Duration attribute specifies how long an activated role remains active before it expires and must be activated again; for Microsoft Entra ID roles the maximum is 24 hours.
- Approver - the Approver attribute specifies the person or people who can approve role activation requests.
- Notification - the Notification attribute specifies whether approvers are notified by email that a request is awaiting their approval.
- Incident Request Ticket - the Incident Request Ticket attribute specifies whether the requester must supply an incident or change ticket number when activating the role, so that every elevation can be traced to a recorded piece of work.
- Multi-factor Authentication (MFA) - the MFA attribute specifies whether MFA is required for activation.
Microsoft Entra ID roles can be assigned via PIM to various scope types, depending on the specific role being assigned. Scope types include:
- Directory - Roles that apply permissions across the entire Microsoft Entra ID tenant.
- Administrative Unit - Configurable by administrators to segregate permissions within the organisation into specific business units or locations.
- Application - A specific application registered to Microsoft Entra ID.
- Service Principal - Including registered applications, managed identities and legacy apps.
Only specific Microsoft Entra ID roles can be assigned to the Administrative Unit scope type.
| Decision Point | Design Decision | Justification |
| --- | --- | --- |
| Role Based Management | Least Privilege, using PIM | PIM will be utilised to provide Just-in-Time role-based management to ensure elevated access is only provided when required. |
| PIM roles | Azure Information Protection Administrator; Office Apps Administrator; Power BI Administrator; Power Platform Administrator; Privileged Role Administrator; Teams Communications Administrator; Teams Communications Support Engineer; Teams Communications Support Specialist; User Account Administrator | The configured PIM roles align to the services utilised within the solution. |
| PIM approval | Automatic approval for all roles except for Global Administrator | Approval will only be required for Global Administrators. |
| PIM assignment type | Eligible (for supported roles) | Roles should be assigned as "eligible" for supported roles as per the ASD's Essential Eight guidance for restricting administrative privilege (just-in-time administration). Note that activation of some roles, such as SharePoint Administrator and Device Administrator, can take some time to take effect when performed through PIM. |
| PIM assignment period | Assignment of all roles within PIM for a maximum of 12 months as per the ASD's Essential Eight guidance for restricting administrative privilege. | The activation duration will be one workday to ensure that administrative actions are not impeded. |
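The following PowerShell is an added example, not code from the ASD Blueprint: it applies the PIM attributes listed earlier (activation duration, MFA, ticket, approval) and the design decisions in the table above to the Global Administrator role, grants one eligible assignment that expires after 12 months, and then checks for standing (permanently active) assignments, which is the condition Zero Standing Privilege is meant to rule out. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules); the rule IDs, property names and the required `target` object are Microsoft Graph's documented shapes for role management policy rules. The user principal name, the approver object ID, and reading "one workday" as eight hours are placeholders and assumptions, and the caller is assumed to hold the Privileged Role Administrator role.

```powershell
# Added example (not part of the ASD Blueprint). Configures PIM for Global Administrator:
# 8h activation, MFA + ticket on activation, approval required, 12-month eligible
# assignments, then reports any standing active assignment.
# Assumptions / placeholders (not from the page):
$UserPrincipalName = "admin.jane@example.com"                 # user to make eligible
$ApproverObjectId  = "00000000-0000-0000-0000-000000000000"   # user who approves GA activations
$WorkdayDuration   = "PT8H"                                   # "one workday" read as 8 hours

$scopes = @("RoleManagement.ReadWrite.Directory",
            "RoleManagementPolicy.ReadWrite.Directory",
            "User.Read.All")
Connect-MgGraph -Scopes $scopes

# Resolve the role by display name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Every Entra role has a role management policy at the tenant ("/") scope; its rules hold
# the activation duration, MFA/ticket, approval and assignment-expiry settings.
$policyFilter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter $policyFilter).PolicyId

function New-RuleTarget {
    # The API requires this target object on every rule update.
    param([string]$Caller, [string]$Level)
    return @{
        "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
        caller              = $Caller
        operations          = @("All")
        level               = $Level
        inheritableSettings = @()
        enforcedSettings    = @()
    }
}

function Set-PimRule {
    param([string]$RuleId, [hashtable]$Body)
    $Body["id"] = $RuleId
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $RuleId -BodyParameter $Body
}

# Activation Duration: one workday, after which the role must be activated again.
Set-PimRule "Expiration_EndUser_Assignment" @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = $WorkdayDuration
    target               = New-RuleTarget "EndUser" "Assignment"
}

# MFA, justification and an incident ticket number on every activation.
Set-PimRule "Enablement_EndUser_Assignment" @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
    target        = New-RuleTarget "EndUser" "Assignment"
}

# Approver: Global Administrator is the one role the design requires approval for.
Set-PimRule "Approval_EndUser_Assignment" @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    target        = New-RuleTarget "EndUser" "Assignment"
    setting       = @{
        "@odata.type"                    = "microsoft.graph.approvalSettings"
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(@{
            "@odata.type"                   = "microsoft.graph.approvalStage"
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            escalationApprovers             = @()
            primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $ApproverObjectId })
        })
    }
}

# Assignment period: eligible assignments themselves expire after at most 12 months.
Set-PimRule "Expiration_Admin_Eligibility" @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = "P365D"
    target               = New-RuleTarget "Admin" "Eligibility"
}

# Assignment type: eligible (not active), ending 12 months from now.
$user = Get-MgUser -UserId $UserPrincipalName
$now  = (Get-Date).ToUniversalTime()
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "RBAC design: eligible Global Administrator assignment, 12 month maximum"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = "afterDateTime"; endDateTime = $now.AddMonths(12) }
    }
}

# Check: an active assignment with no expiry is a standing privilege; convert it to an
# eligible assignment or remove it.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($role.Id)'" |
    Where-Object { $_.AssignmentType -eq "Assigned" -and $_.ScheduleInfo.Expiration.Type -eq "noExpiration" } |
    ForEach-Object { Write-Warning "Standing Global Administrator assignment: principal $($_.PrincipalId)" }
```

Run the same policy updates (without the approval rule) against each of the other roles in the table to match the "automatic approval except Global Administrator" decision; the final check is worth scheduling on its own, since a standing assignment created outside PIM (for example by a break-glass procedure) is otherwise invisible to the eligible-only model.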
Security & Governance
- None identified