ASD's Blueprint for Secure Cloud

Role Based Access Control

This section describes the design decisions associated with Role Based Access Control within Power Platform Services for system(s) built using ASD's Blueprint for Secure Cloud.


To help administer environments and settings for Microsoft Power Platform, organisations can assign users either of the following roles. Both allow management at the tenant level without having to assign the more powerful Microsoft 365 global admin privilege.

Dynamics 365 administrator

The Dynamics 365 administrator role can:

  • Sign in to and manage multiple environments. If an environment uses a security group, a service admin must be added to that security group in order to manage the environment. A service admin who is not added to an in-place security group is effectively locked out of any admin management of that environment
  • Perform admin functions in Microsoft Power Platform because they have the System Administrator role
  • Perform admin functions within Dynamics 365 services, if these have been licensed.

Power Platform administrator

The Power Platform administrator role can:

  • Sign in to and manage multiple environments. Power Platform admins are not affected by security group membership and can manage environments even if not added to an environment’s security group
  • Perform admin functions in Microsoft Power Platform because they have the System Administrator role
  • Manage the Power BI tenant

When planning an implementation, organisations should consider the following:

  • Power BI Administrator is a separate role which can be assigned to users who only need to manage the Power BI tenant, noting that the Dynamics 365 administrator role does not have the rights to manage the Power BI tenant
  • Environment-specific administration rights can be managed through the Environment Admin role, noting that by default all environment users are provided with the Environment Maker role
  • Dataverse has specific built-in security roles.
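
The role rules described above can be checked against an export of role assignments and environment security groups. The following is an added example, not part of the Blueprint or of Microsoft's tooling; the user names, environment names and data shapes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Role names as written on this page.
D365 = "Dynamics 365 administrator"
PP = "Power Platform administrator"
PBI = "Power BI Administrator"

@dataclass(frozen=True)
class Environment:
    name: str
    security_group: Optional[frozenset]  # member sign-in names; None = no group set

def can_manage_environment(roles, user, env):
    """Power Platform admins ignore the security group; Dynamics 365 admins
    must be a member whenever the environment has one."""
    if PP in roles:
        return True
    if D365 in roles:
        return env.security_group is None or user in env.security_group
    return False

def can_manage_power_bi(roles):
    """Dynamics 365 administrator alone does not cover the Power BI tenant."""
    return PP in roles or PBI in roles

def audit(assignments, environments):
    """Return (user, finding) pairs worth a reviewer's attention."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for env in environments:
            outside = env.security_group is not None and user not in env.security_group
            if D365 in roles and PP not in roles and outside:
                findings.append((user, f"locked out of {env.name}: not in its security group"))
            elif PP in roles and outside:
                findings.append((user, f"manages {env.name} although outside its security group"))
    return findings

# Constructed sample data (hypothetical users and environments).
ASSIGNMENTS = {
    "alice@example.org": {D365},
    "bob@example.org": {PP},
    "carol@example.org": {PBI},
}
ENVIRONMENTS = [
    Environment("prod", frozenset({"dave@example.org"})),
    Environment("sandbox", None),
]
```

With the sample data, `audit(ASSIGNMENTS, ENVIRONMENTS)` reports the Dynamics 365 administrator who cannot manage `prod` and the Power Platform administrator whose reach is not limited by that environment's security group.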

Security & Governance

Design

  • None identified

Configuration

  • None identified


Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra