GDAP Permissions

GDAP works by asking our customers whether we may be given a specific set of roles. We can then grant granular access instead of always having all roles active at the same time. This lets us, for example, give our support team access only to the roles they need most often. If they need to do something else, they must be granted that role for a given time interval before it is removed from the user.
 
The groups in our GDAP relationships are therefore selected based on what we must be able to assist our customers with. Each team at Ironstone has access to only a few of these roles, and no person has access to Global Admin through GDAP; that role is reserved for backend resources.
 
Why do we have so many roles?
Because taking all the small roles lets us grant granular access instead of granting larger roles such as Global Admin.
 
Why do you need the Global Admin role at all?
There are many things that cannot be done without Global Admin. If we had no way of elevating ourselves to this role, we could not provide the support that Microsoft requires of us through the CSP agreement. Some examples taken from the Microsoft documentation are listed below. If you want to read more about them yourself, you can do so here.
  • Creating B2C applications and configuring B2B external collaboration settings.
  • Configuring company branding and company properties.
  • Managing tasks related to pass-through authentication and seamless single sign-on (SSO).
  • Managing user settings for enterprise applications
  • Installation of Azure AD Connect and managing object synchronization with on-premises directories.
  • Managing security and compliance, including setting retention policies under Data Governance
 
Below is an excerpt from our internal documentation on the Global Admin role:
 

Do we have any Global Admin group that gives me GA on all customers?

Yes, but this is not to be used by any normal user. The group is only used by backend services that require the role in order to work. If you need Global Admin on a customer you need to create a temporary admin account through the "Temporary Global Admin Power App" which creates a user with Global Admin role through the Partner Center for a set lifetime before automatically deleting it for you.
 

What backend services need Global Admin at the customers?

One very important example is our billing service which won't work without the Global Admin role. That means we will not be able to invoice any customer where we don't have this available for the backend service.
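
The policy above (Global Admin only for backend services, never for a team group) can be checked mechanically. The following is an added example, not Ironstone's own tooling: it audits access assignments shaped like Microsoft Graph `delegatedAdminAccessAssignment` objects. The role IDs are the Entra built-in role template IDs; the group object IDs, the backend group name and the sample assignments are constructed.

```python
# Added example: audit GDAP access assignments against the Global Admin policy.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"   # Entra built-in role IDs
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
PRIV_AUTH_ADMIN = "7be44c8a-adaf-4e2a-84d6-ab2649e08a13"
GLOBAL_READER = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
HELPDESK_ADMIN = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
# Roles that can grant or take over Global Admin, so they are flagged for review.
GA_ADJACENT = {
    PRIV_ROLE_ADMIN: "Privileged Role Administrator",
    PRIV_AUTH_ADMIN: "Privileged Authentication Administrator",
}

# Constructed sample data: group object IDs and the backend group name are made up.
G_FIRST_LINE = "11111111-1111-1111-1111-111111111111"
G_ON_DUTY = "22222222-2222-2222-2222-222222222222"
G_AZURE = "33333333-3333-3333-3333-333333333333"
G_BACKEND = "99999999-9999-9999-9999-999999999999"
GROUPS = {
    G_FIRST_LINE: "Ironstone--GDAP--Team 1st line support",
    G_ON_DUTY: "Ironstone--GDAP--Team On Duty",
    G_AZURE: "Ironstone--GDAP--Team Azure",
    G_BACKEND: "backend-services (hypothetical name)",
}
BACKEND_GROUPS = {G_BACKEND}

def assignment(group_id, role_ids, status="active"):
    """Build a dict shaped like a Graph delegatedAdminAccessAssignment."""
    return {"status": status,
            "accessContainer": {"accessContainerId": group_id,
                                "accessContainerType": "securityGroup"},
            "accessDetails": {"unifiedRoles": [{"roleDefinitionId": r} for r in role_ids]}}

ASSIGNMENTS = [
    assignment(G_FIRST_LINE, [HELPDESK_ADMIN, GLOBAL_READER]),
    assignment(G_ON_DUTY, [GLOBAL_READER, PRIV_ROLE_ADMIN]),
    assignment(G_AZURE, [GLOBAL_ADMIN]),                      # constructed misconfiguration
    assignment(G_BACKEND, [GLOBAL_ADMIN]),                    # allowed: backend only
    assignment(G_FIRST_LINE, [GLOBAL_ADMIN], status="deleted"),  # no longer in effect
]

def audit(assignments, groups, backend_groups):
    """Return (severity, group name, role name) for every non-backend finding."""
    findings = []
    for a in assignments:
        gid = a["accessContainer"]["accessContainerId"]
        if a.get("status") != "active" or gid in backend_groups:
            continue
        name = groups.get(gid, f"unknown group {gid}")
        roles = {r["roleDefinitionId"].lower() for r in a["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            findings.append(("VIOLATION", name, "Global Administrator"))
        findings += [("REVIEW", name, GA_ADJACENT[r]) for r in sorted(roles & set(GA_ADJACENT))]
    return findings
```

Run against real data, `assignments` would be the `value` array returned for each relationship's access assignments, and `groups` a lookup of the partner tenant's security groups.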

Below is an excerpt from our internal documentation on which roles the different teams within Ironstone have at our customers.

Which roles does the Modern Work team have?

The following roles are given to the users that are a part of the "Ironstone--GDAP--Team Modern Work" security group.
  • Intune Admin
  • User Admin
  • Security Admin
  • Application Administrator
  • Authentication Administrator
  • Authentication Policy Administrator
  • Azure AD Joined Device Local Administrator
  • Azure Information Protection Administrator
  • Billing Administrator
  • Cloud Application Administrator
  • Cloud Device Administrator
  • Compliance Administrator
  • Compliance Data Administrator
  • Conditional Access Administrator
  • Desktop Analytics Administrator
  • Domain Name Administrator
  • Edge Administrator
  • Exchange Administrator
  • External ID User Flow Administrator
  • External Identity Provider Administrator
  • Global Reader
  • Groups Administrator
  • Guest Inviter
  • Helpdesk Administrator
  • Hybrid Identity Administrator
  • Identity Governance Administrator
  • Insights Administrator
  • Intune Administrator
  • Kaizala Administrator
  • Knowledge Administrator
  • License Administrator
  • Lifecycle Workflows Administrator
  • Microsoft Hardware Warranty Administrator
  • Microsoft Hardware Warranty Specialist
  • Network Administrator
  • Office Apps Administrator
  • Organizational Messages Writer
  • Password Administrator
  • Permissions Management Administrator
  • Power BI Administrator
  • Power Platform Administrator
  • Printer Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Search Administrator
  • Security Administrator
  • Service Support Administrator
  • SharePoint Administrator
  • Skype for Business Administrator
  • Teams Administrator
  • User Administrator
  • Virtual Visits Administrator
  • Viva Goals Administrator
  • Windows 365 Administrator
  • Windows Update Deployment Administrator
  • Yammer Administrator
  • Owner on subscriptions
 

Which roles does the 1st line support team have?

The following roles are given to the users that are a part of the "Ironstone--GDAP--Team 1st line support" security group.
  • Helpdesk Administrator
  • Global Reader
  • License Administrator
  • Authentication Administrator
  • Service Support Administrator
  • User Administrator

Which roles does the Azure team have?

The following roles are given to the users that are a part of the "Ironstone--GDAP--Team Azure" security group.
  • User administrator
  • Groups Administrator
  • Application admin
  • Azure DevOps Administrator
  • Global reader
  • Privileged Authentication Administrator
  • Service Support Administrator
  • Owner on subscriptions
 

Which roles does the On Duty team have?

The following roles are given to the users that are a part of the "Ironstone--GDAP--Team On Duty" security group.
  • Authentication Policy Administrator
  • Azure Information Protection Administrator
  • Security Administrator
  • Compliance Data Administrator
  • Compliance Administrator
  • Global Reader
  • Security Reader
  • Service Support Administrator
  • Billing Administrator
  • Application Administrator
  • User Administrator
  • Privileged Authentication Administrator
  • Privileged Role Administrator
  • Helpdesk Administrator
  • License Administrator
  • Conditional Access Administrator
  • Authentication Administrator
  • Windows 365 Administrator
  • Azure DevOps Administrator
  • SharePoint Administrator
  • Power Platform Administrator
  • Teams Administrator
  • Groups Administrator
  • Power BI Administrator
  • Exchange Administrator
  • Exchange Recipient Administrator
  • Identity Governance Administrator
  • Intune Administrator
  • Directory Readers
  • Cloud Application Administrator

Which roles does the Product Engineering team have?

The following roles are given to the users that are a part of the "Ironstone--GDAP--Team Product Engineering" security group.
  • Global Reader