Understanding roles, permissions and V-Tenants

  • Last update on September 27th, 2024

CoreView offers the flexibility to augment or enhance your existing Least Privilege Access and/or Role-based access control strategies. 

Least Privilege Access

Least privilege access is the practice of restricting access rights for users, accounts, and computing processes to only those roles necessary to perform routine, legitimate activities. 

For example, if someone's job is to monitor license usage for a particular division in your organization, you can configure their access so that they only see that division and the licenses that are part of it.

Role Based Access Control (RBAC)

CoreView allows you to define access to information and actions based on the job function of the person accessing the console. 

This allows you, for example, to give the regional administrator in Chicago access to only the objects in that office. The finance manager, for example, can view licensing and service usage reports. Meanwhile, a high-level administrator can only make specific changes to defined users.

CoreView features

CoreView enhances the experience of designing a least privilege access and/or RBAC model to keep your Microsoft 365 tenant safe and secure. There are several CoreView features you can use to create and maintain a strategy for least privilege access:

Operator roles

In the Essentials solution, all operators have a Tenant Admin role.

 

Microsoft administrators are called operators within CoreView. The operator with the highest level of access is known as a “Tenant Admin”. CoreView allows the Tenant Admin to finely control what other operators can see and do within the tenant. 

Using the Role-based Access Control (RBAC) security model, operators are granted access to resources based on their role in the organization. Their access can be limited to information and actions based on their job function. Each operator can be assigned roles that grant an initial level of access to CoreView, which can then be modified with permissions.

 
 

Permissions

Permissions are not available in the Essentials solution.

 

Assigned permissions determine the actions an operator can perform within CoreView.
The creation of role-based access controls (permissions) is essential to ensure that any operator has the appropriate access to perform the activities required of them.  

 
 

Virtual Tenants

Virtual Tenants are not available in the Essentials and Professional solutions, but they can be purchased as an add-on.

 

Creating “Virtual Tenants” allows you to divide your tenant into smaller, more manageable sub-tenants. This limits the visibility of objects (users, groups, etc.) based on specific attributes, such as city or department. There are several different criteria by which scoping can be achieved. Once the scope is set, the operator can only see and manage the objects assigned to them.

In combination with permission sets, you can restrict management and reporting tasks by tenants. Virtual Tenants allow you to segment your business data and restrict an operator's span of control to only a particular set of business data. 

Tenants can be filtered by any Entra ID attribute, such as office, city, or department.

Note: not all reports are subject to Virtual Tenant scoping.

 
 

Licence Pools

License Pools are not available in the Essentials and Professional solutions, but they can be purchased as an add-on.

 

The “License Pools” feature allows you to limit the number of licenses an operator can assign within a specific set of licenses.

In other words, it enables you to allocate licenses to a defined group of users, geographical location, office, or department. By assigning a specific set of licenses to any of these groups, operators can assign licenses to users without worrying about exceeding any limits or budgets.

An operator's access to license pools allows them to manage the assignment or recovery of licenses, but only within the scope defined by the organization. 

 
 

Licence Templates

License Templates  are not available in the Essentials and Professional solutions, but they can be purchased as an add-on.

 

License Templates work in conjunction with License Pools to give delegated teams flexibility over license assignments while maintaining centralized control. In fact, license templates carry rules that specify which services can be enabled or disabled for a user. This allows for the use of multiple license types in one tenant without the risk of unauthorized license assignment.

Simply put, Templates act as a filter for license assignment, while License Pools control the number of licenses that can be assigned.

 
 

Operator delegation

You can easily and securely delegate role-based access to CoreView to individuals within your organization using any or all of our three key control mechanisms. These provide you with the ability to define an individual’s use of CoreView as narrowly or broadly as is appropriate for an individual’s technical or a business role within your organization.

Only Tenant Admins can manage operator accounts, assign Permissions, Virtual Tenants, and License Pools.

 
Relation between Roles, Permissions and Virtual Tenants.