SOP-Unit-Scoped-RBAC
Admin By Request Unit-Specific Role-Based Access Control (RBAC) SOP
Table of Contents
- Purpose
- Scope
- Intent
- Essential Core Knowledge
- Procedure and Guidelines
- Additional Notes and References
- Responsibilities
- Approval
Purpose
The purpose of this Standard Operating Procedure (SOP) is to define and outline the standardized process for managing role-based access control (RBAC) within the Admin By Request platform. Each unit within the organization is assigned a custom role that limits access to only that unit's devices and users. This SOP ensures consistency in role assignment and management while adhering to the principle of least privilege: unit administrators are denied access to Global Settings and Sub Settings for Windows workstations.
Scope
This SOP applies to all IT administrators who manage permissions and device access within the Admin By Request platform. The scope includes:
- The assignment of custom roles to administrators within specific units.
- Limiting administrators' access to their unit’s devices and users.
- Preventing administrators from modifying Global Settings or creating Sub Settings for Windows workstations.
Intent
The intent of this SOP is to:
- Provide clear, step-by-step guidelines for managing unit-specific roles within Admin By Request.
- Ensure that administrators have appropriate, scoped access only to their unit’s devices and users.
- Promote security and operational consistency by enforcing the principle of least privilege.
Essential Core Knowledge
Administrators responsible for implementing this SOP must have a working knowledge of:
- The Admin By Request platform, its user interface, and its role-based access control (RBAC) capabilities.
- Entra ID (formerly Azure Active Directory) for managing security group memberships.
- Basic understanding of Windows workstation management within the Admin By Request framework.
Key learning resources:
- Windows Endpoint Management
- Administrative Portal Features and Permissions
- Key Terms and Definitions
Procedure and Guidelines
Custom Roles and Scoped Permissions
Each unit is assigned a custom role in Admin By Request, which restricts access to that unit’s specific devices and users. Administrators have no access to devices or users outside their assigned unit, and they are further restricted from modifying Global Settings and creating Sub Settings for Windows workstations.
Unit-Level Access
Administrators’ permissions are scoped as follows:
- View inventory: Access the inventory of devices within the unit.
- Approve requests: Approve end-user requests for elevated privileges on the unit’s devices.
- View reports: Generate and access reports related to the unit’s devices and users.
- Issue PIN codes: Generate PIN codes for administrative operations within the unit.
- Manage workstations: Perform management tasks for workstations scoped to the unit.
Restrictions:
- Global Settings: Administrators cannot modify Global Settings for Windows workstations.
- Sub Settings: Administrators cannot create or manage Sub Settings for Windows workstations.
Role Assignment Process
1. Identify Unit Membership
- Each unit is associated with at least one Security Group, which dynamically feeds another Security Group used for SCIM provisioning. This provisioning assigns RBAC permissions within Admin By Request.
- The top-level Security Group is intended for senior administrators, with additional groups (if necessary) assigned to progressively lower-tier administrators.
- Example: Mays Business School has only one Security Group due to its smaller size, while larger units may have multiple Security Groups to handle different admin tiers.
2. Assign the Custom Role
- Director or Manager Assignment: Only the unit’s director or designated managers, along with Platform Engineering, have the authority to assign users to the appropriate Security Group.
- Security Group Assignment: Add the administrator to the unit's top-level Security Group, which will:
  - Dynamically feed into another Security Group used for SCIM provisioning to assign RBAC permissions within Admin By Request.
  - Automatically provide the administrator with appropriate permissions in other systems, such as Entra ID and Intune, and any future products that utilize group-assigned RBAC permissions.
- SCIM Provisioning: Once the administrator is assigned to the correct Security Group, SCIM provisioning will ensure they receive the corresponding Admin By Request permissions.
3. Review and Audit
- Regular Reviews: The director or managers of the unit, in coordination with Platform Engineering, should regularly review Security Group memberships to ensure administrators have the correct level of access.
- Audits: Platform Engineering will conduct periodic audits of group memberships to verify that permissions align with the administrators' roles and responsibilities. Unauthorized changes should be reported and corrected promptly.
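The review and audit step above can be made repeatable with a reconciliation check over group membership snapshots. The following is an added example written for this SOP, not code from Admin By Request or Platform Engineering; the unit names, group names, principals and the approved roster are constructed placeholders, and it assumes the membership snapshots have already been exported from Entra ID (for example via Microsoft Graph). It flags members without an approved assignment, members who span more than one unit, and drift between the unit groups and the SCIM-provisioned group.

```python
"""Membership audit for unit-scoped Admin By Request RBAC groups (added example)."""

# Constructed snapshot: each unit's Security Groups (top-level tier first) and members.
UNIT_GROUPS = {
    "UnitA": {"ABR-UnitA-Tier1": {"alice@example.edu", "bob@example.edu"},
              "ABR-UnitA-Tier2": {"carol@example.edu"}},
    "UnitB": {"ABR-UnitB-Admins": {"dave@example.edu", "carol@example.edu",
                                   "frank@example.edu"}},
}
# Constructed snapshot: the group SCIM provisioning reads. It should be fed only by
# the unit groups above, never by direct membership changes.
SCIM_GROUP = {"alice@example.edu", "carol@example.edu", "dave@example.edu",
              "eve@example.edu", "frank@example.edu"}
# Constructed roster: assignments approved by a unit director/manager or Platform Engineering.
APPROVED = {"alice@example.edu": "ABR-UnitA-Tier1", "bob@example.edu": "ABR-UnitA-Tier1",
            "carol@example.edu": "ABR-UnitA-Tier2", "dave@example.edu": "ABR-UnitB-Admins"}


def audit(unit_groups, scim_group, approved):
    """Return sorted (finding, principal, detail) tuples for the review step."""
    findings = []
    groups_of, units_of = {}, {}
    for unit, groups in unit_groups.items():
        for group, members in groups.items():
            for member in members:
                groups_of.setdefault(member, set()).add(group)
                units_of.setdefault(member, set()).add(unit)
    for member, groups in groups_of.items():
        if member not in approved:          # added without director/manager approval
            findings.append(("unapproved_member", member, ",".join(sorted(groups))))
        elif approved[member] not in groups:  # approved for one tier, found in another
            findings.append(("wrong_group", member, ",".join(sorted(groups))))
        if len(units_of[member]) > 1:       # scoped access must not span units
            findings.append(("cross_unit", member, ",".join(sorted(units_of[member]))))
    # Drift between the unit groups and the SCIM-provisioned group.
    for member in scim_group - set(groups_of):
        findings.append(("scim_unexpected", member, "not in any unit group"))
    for member in set(groups_of) - scim_group:
        findings.append(("scim_missing", member, "provisioning not yet applied"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(UNIT_GROUPS, SCIM_GROUP, APPROVED):
        print(*finding)
```

A `scim_unexpected` finding is the one that warrants immediate follow-up, since it means someone reached the provisioning group without passing through a unit's Security Group.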
Additional Notes and References
- Maintaining Service Continuity: The restrictions on modifying Global Settings and creating Sub Settings ensure that the platform remains consistent across the organization, facilitating smooth, campus-wide deployment for Windows devices.
- RBAC Resources:
Responsibilities
- Team Owners:
  - Managed Platforms
- Original Author:
  - Anthony Guevara
- Contributors:
  - Managed Platforms
- Reviewers:
  - Managed Platforms