The introduction of new Playbook roles allows Tenant Admins to delegate responsibilities more precisely among their operators. There are now three roles to view and manage playbooks:
- Playbook Manager
- Playbook Admin
- Playbook Global Viewer
With the release of the new roles, any operator who previously had been given access to manage a Playbook will be assigned the “Playbook Manager” role. Tenant Admins can then enhance their capabilities by assigning them either the “Playbook Admin” or “Playbook Global Viewer” role.
How to assign the new Playbook roles
Tenant Admins can assign these roles easily. They simply need to select the desired role in the operator's “Personal info” tab under “Settings”.
What can each Playbook role do?
Let's have a look at the differences between the new Playbook roles:
Tenant Admin |
Playbook Admin |
Playbook Manager |
Playbook Global Viewer |
|
|---|---|---|---|---|
| Create and edit custom policies | ✔️ |
✔️ |
|
|
| Edit Out-of-the-Box policies | ✔️ |
|
|
|
| See designated playbooks | ✔️ |
✔️ |
✔️ |
✔️ |
| Enable remediation | ✔️ |
✔️ |
|
|
| Run remediation | ✔️ |
✔️ |
✔️ |
|
| Schedule remediation (OOTB) | ✔️ |
|
|
|
| Schedule remediation (Custom) | ✔️ |
✔️ |
||
| Set exceptions | ✔️ |
✔️ |
✔️ |
|
| See Strategic and Operational dashboards | ✔️ |
✔️ |
|
✔️ |
| See Monitoring dashboard | ✔️ |
✔️ |
✔️ |
✔️ |
| Customize (hide/show widgets in each Governance center tab) | ✔️ |
✔️ |
|
✔️ |
| Customize Governance center widgets* | ✔️ |
✔️ |
Overview tab |
✔️ |
*This refers to the ability to select which policies to display in the widget, the order in which they appear, and how to represent the matched items - either as a numeric value or a percentage.
It's important to note that while both Tenant Admins and Playbook Admins have similar capabilities, the actions of Playbook Admins are influenced by permissions.
How permissions affect Playbook roles
Permissions significantly influence the capabilities of each operator within the app. Each new playbook role is subject to permissions, which can only be granted or revoked by a Tenant Admin. Let's examine the differences:
Tenant Admin
CAN |
CAN'T |
|---|---|
|
|
*Please note that only Tenant Admins can edit Out-of-the-Box policies.
Playbook Admin
CAN |
CAN'T |
|
|---|---|---|
| Without permissions |
|
|
| With “Show all” permissions |
|
|
| With one or more Playbook permissions |
|
|
Playbook Admins without permissions won't be able to view any existing Playbooks. However, they can access the “Playbooks” section under “Settings”, where they can create their own playbooks and associated policies.
Playbook Manager and Playbook Global Viewer
Operators assigned the “Playbook Manager” or “Playbook Global Viewer” role will not be able to see any playbook under the “Playbook” section in the menu until a Tenant Admin grants them specific Playbook permissions. Moreover, they won't have access to the Playbook Policy Library under “Settings > Playbooks”.
For more information on delegation, please visit the “Delegate playbooks and policies” article.
Custom policy ownership restrictions
As mentioned above, both Tenant Admins and Playbook Admins can create custom policies. When a custom policy is created, the creator of the policy becomes the owner. Let's examine in more detail what this ownership entails:
1. Tenant Admin creates a custom policy
A Tenant Admin who creates a custom policy can:
- Make it visible to all Playbook operators with the corresponding Playbook permissions within their own V-Tenant. To share the policy with operators, the “Set to public” toggle must also be enabled.
- Allow Playbook Admins and Playbook Managers to execute this policy remediation against matched items in their own V-Tenant.
- Enable other Tenant Admins to edit the policy.
However, the following ownership restrictions will apply:
- Neither Playbook Admins nor Playbook Managers will have the ability to modify this policy.
Tenant Admin |
Playbook Admin with permissions |
Playbook Manager with permissions |
Playbook Global Viewer with permissions |
|
|---|---|---|---|---|
| View custom policy | ✔️ |
✔️ |
✔️ |
✔️ |
| Execute custom policy | ✔️ |
✔️ |
✔️ |
|
| Edit custom policy | ✔️ |
|
|
2. Playbook Admin creates a custom policy
If a Playbook Admin creates a custom policy, they can:
- Make it accessible to all Playbook operators with the corresponding permissions within their own V-Tenant, if applied.
- Permit Playbook Admins, and Playbook Managers to execute this policy remediation against matched items in their own V-Tenant.
Tenant Admins will also be able to:
- View the policy
- Execute the policy remediation
- Disable the custom policy
- Delete custom policy
However, the following ownership restrictions will apply:
- No Tenant Admin will be able to modify this custom policy.
Tenant Admin |
Playbook Admin with permissions |
Playbook Manager with permissions |
Playbook Global Viewer with permissions |
|
|---|---|---|---|---|
| View custom policy | ✔️ |
✔️ |
✔️ |
✔️ |
| Execute custom policy | ✔️ |
✔️ |
✔️ |
|
| Disable custom policy | ✔️ |
|||
| Delete custom policy | ✔️ |
|||
| Edit custom policy |
When a Tenant Admin or a Playbook operator initiates the remediation of a custom policy they don't own, the remediation will be applied to the matched items that the user can see at the time of execution.
For CoreSuite, Suite, and Enterprise offerings
Policies run by Playbook Admins use their V-tenant permissions. But if a Tenant Admin executes a policy created by a Playbook Admin, it will apply globally.
If a policy is scheduled for execution, it will use the V-tenant permissions of the user who created the schedule.
Policy Box
The restrictions mentioned in this section will be reflected within the Policy Box: depending on the user's role and permissions, some actions will appear greyed out.
In the example below, a Playbook Admin looking at a custom policy created by another admin is not able to edit or delete the policy. However, the “Run remediation” button is enabled.
Created by
Within each Policy Box, the “Created by” section is visible to all operators who have permission to view the policy. Its purpose is to provide clear visibility regarding the policy's creator and help operators understand the associated permissions based on their roles.
When it comes to custom policies, the UserPrincipalName (UPN) of the policy creator will be displayed in this section. Out-of-the-Box policies are shown as created by CoreView. For custom policies created by CoreView partners, the text “MSP” will be displayed instead of the UPN of the creator.
