Azure App Configuration For RBAC

Overview

Role Based Access Control is a function in Resource Central (RC) that allows Azure users to log in the Resource Central without the need to create Persons in the system.

Requirements

This requires specific configuration in the Azure app in order to allow Azure users log in and get Roles in RC based on their setup in the Azure app.

This setup requires you to configure External Authentication in RC backend ➔ Authentication beforehand. Refer to RC Admin Guide for more details.

Azure App Configuration for RBAC

Go to Azure Portal ➔ Azure Active Directory ➔ App registrations and open the Azure app that you created for external authentication to Resource Central. Then configure the followings:

API Permissions Configuration

On your Azure app, go to API permissions ➔ click [Add a permission] to open the following screen:

Select Microsoft Graph...

... Then select Delegated permissions.

Next, search and add the following permissions:

• email
• openid
• profile
• User.Read

Then [Grant admin consent] to the added permissions. The result should look similar as follows:

App Roles Configuration

On your Azure app, go to App roles. Here you can create app roles that match with their respective roles in Resource Central.

To be able to do the initial configuration of RBAC in Resource Central an App Role called SysAdmin must be created.

The following section will describe how to create an app role in detail.

To create a new app role, click [Create app role] to open the following screen:

Here, fill in the following fields:

1. Display name: enter a role name which will be displayed on Azure.

2. Allowed member types: select Users/Groups.

3. Value: fill in this field with the Name of the respective Role in Resource Central. E.g.:

4. Description: enter a description of the role.

5. Do you want to enable this app role: make sure that it is checked.

Click [Apply] to create the role. Repeat the same steps to create other app roles. The result should look similar as follows:

Assign App Roles to Azure users

Go to Azure Portal ➔ Azure Active Directory ➔ Enterprise applications, then go to All applications:

Here, search for the Azure app that you have configured app roles, open it, and go to Users and groups:

Click [Add user/group] to open Add Assignment where you can add users to the app and give them app roles:

If no user nor role selected, the screen will show ’None Selected’. First, click on the text at Users to search and add Azure users:

Next, select a role for the selected users above:

NOTE: You can only assign one role for a group of users at a time.

When you have assigned users and a role, click [Assign] on ’Add Assignment’ screen. You will see the users added with the app role on ’Users and groups,’ e.g.:

Repeat the same method to add other users with different app roles.

The Azure app configuration for RBAC is now finished.

If you want to edit the users’ app role, select the users and click [Edit assignment], which will open the Add Assignment screen as described above.

Properties

Applies to: RC 4.3+

Reference: TFS #339238

Knowledge base ID: 0325

Last updated: Jun 13, 2023

Attachments (12)

3sEGd6qwhfAQ....png
118 KB

NKUh8MjWNbRW....png
51.2 KB

CC9l1grB44o5....png
73.9 KB

68N6v3O2evEe....png
48 KB

nPG88TU1kj9p....png
96.6 KB

A8pSMvHwcZu7....png
55.6 KB

V9Hbo1he3dD2....png
86 KB

Z8HQVkUx8IYe....png
95.6 KB

9ygIy8lzfPJv....png
50.2 KB

U7KDYdmZxffv....png
45.5 KB

OjpoGIbdWUAx....png
38.8 KB

Pl0ruItxiExl....png
72.6 KB