Understanding roles, permissions and V-Tenants

  • Last update on September 18th, 2023

CoreView offers the flexibility to augment or enhance your existing Least Privilege Access and/or Role-based access control strategies. 

Least Privilege Access

Least privilege access is the practice of restricting access rights for users, accounts, and computing processes to only those roles necessary to perform routine, legitimate activities. 

For example, if someone's job is to monitor license usage for a particular division in your organization, you can configure their access so that they only see that division and the licenses that are part of it.

Role Based Access Control (RBAC)

CoreView allows you to define access to information and actions based on the job function of the person accessing the console. 

This allows you, for example, to give the regional administrator in Chicago access to only the objects in that office. The finance manager, for example, can view licensing and service usage reports. Meanwhile, a high-level administrator can only make specific changes to defined users.

CoreView features

CoreView enhances the experience of designing a least privilege access and/or RBAC model to keep your Microsoft 365 tenant safe and secure. There are several CoreView features you can use to create and maintain a strategy for least privilege access:

Operator roles

Microsoft administrators are called operators within CoreView. The operator with the highest level of access is known as a “Tenant Admin”. CoreView allows the “Tenant Admin” to finely control what other operators can see and do within the tenant. 

Using the Role-based Access Control (RBAC) security model, operators are granted access to resources based on their role in the organization. Their access can be limited to information and actions based on their job function. Each operator can be assigned roles that grant an initial level of access to CoreView, which can then be modified with permissions.



Assigned permissions determine the actions an operator can perform within CoreView.
The creation of role-based access controls (permissions) is essential to ensure that any “Operator” has the appropriate access to perform the activities required of them.  


Virtual tenants

Creating “Virtual TenantsTM” allows you to divide your tenant into smaller, more manageable sub-tenants. This limits the visibility of objects (users, groups, etc.) based on specific attributes, such as city or department. There are several different criteria by which scoping can be achieved. Once the scope is set, the “Operator” can only see and manage the objects assigned to them.

In combination with permission sets, you can restrict management and reporting tasks by tenants. “Virtual TenantsTM” allow you to segment your business data and restrict an operator's span of control to only a particular set of business data. 

Tenants can be filtered by any AzureAD attribute, such as office, city, or department.

Note: not all reports are subject to “Virtual TenantTM” scoping.


Licence pools

The “License pools” feature allows you to limit the number of licenses an operator can assign within a specific set of licenses.

In other words, it enables you to allocate licenses to a defined group of users, geographical location, office, or department. By assigning a specific set of licenses to any of these groups, operators can assign licenses to users without worrying about exceeding any limits or budgets.

An operator's access to license pools allows them to manage the assignment or recovery of licenses, but only within the scope defined by the organization. 


Licence templates

License Templates work in conjunction with License Pools to give delegated teams flexibility over license assignments while maintaining centralized control. In fact, license templates carry rules that specify which services can be enabled or disabled for a user. This allows for the use of multiple license types in one tenant without the risk of unauthorized license assignment.

Simply put, Templates act as a filter for license assignment, while License Pools control the number of licenses that can be assigned.


Please remember that if you do not see all the features discussed above, it may be because the roles and permissions applied to your CoreView account restrict access to certain features. 


Operator delegation

You can easily and securely delegate role-based access to CoreView to individuals within your organization using any or all of our three key control mechanisms. These provide you with the ability to define an individual’s use of CoreView as narrowly or broadly as is appropriate for an individual’s technical or a business role within your organization.

Only TenantAdmins can manage operator accounts, assign Permissions, Virtual Tenants, and License Pools.

Relation between Roles, Permissions and Virtual Tenants.