Role-based Access Control (RBAC) Multiple Group Assignments

Administrative access to Nerdio Manager is controlled by individual user or group assignment to Nerdio Manager's application registered in Entra ID. Entra ID, and Nerdio Manager by extension, can only support one permission assignment per individual user account.

While it is possible for a user to be entitled to Nerdio Manager through multiple group memberships, this is not a supported configuration. Care should be taken to ensure that users only have one assignment granting access to Nerdio Manager.

This topic discusses the situation where a user is a member of several groups, some assigned to Nerdio Manager directly and some through nested group membership, for example:

  • The groups are assigned to different custom roles. For example, two assignments grant access to the same workspace A with differing custom permissions, and a third assignment grants access to workspaces B, C, and D.

  • When the user signs in, they see only workspace A. They do not see workspaces B, C, and D.

  • However, you want the user to have access to all of the workspaces (A, B, C, and D).

Core Permission Assignment Principles

The following are the core principles governing how permission assignments apply through Entra ID and how Nerdio Manager interprets them.

  • User assignment to Entra ID applications does not support nested group membership. That is, a user must either be assigned directly to the application with a specific role and workspace combination, or be a direct member of a group that is assigned to the application. Being both a directly assigned user and a member of an assigned group is supported, but Nerdio Manager prioritizes the direct user assignment (see below).

  • Members of a group that is a nested member of another group, which is assigned to the Entra ID application, are not considered. This is an Entra ID limit. See this Microsoft article for details.

  • Nerdio Manager's built-in default roles are arranged in tiers of decreasing permission. If a user is a member of several groups whose roles are on the same tier, Entra ID provides only one of those assignments to Nerdio Manager. In practice the assignment of the first group in alphabetical order usually applies, but the order is not guaranteed and can technically be processed in any order.

Additional Principles

  • All custom roles created in Nerdio Manager are considered to be the same tier in terms of Entra ID's role permissions. Because Azure considers only one assignment when several exist on the same tier, Nerdio Manager cannot merge or consolidate permissions into the most permissive combination.

  • Even if one custom role enables every permission and a second custom role includes only a single permission, both are custom roles and therefore sit on the same tier from the perspective of the Azure application.

  • A direct user assignment has the highest priority. Therefore, a user directly assigned to Nerdio Manager bypasses any alternate permissions assigned by group. However, users should still have only a single assignment; multiple direct assignments are subject to the same processing challenges as multiple group memberships.

Example Scenario

  • A user’s account is a member of ABC-ADM Group and DEF-ADM Group.

  • ABC-ADM Group is nested underneath the group XYZ-NerdioSupport-Admin.

  • ABC-ADM Group is assigned to workspace A with a custom role in Nerdio Manager.

  • DEF-ADM Group is assigned to workspace B with a custom role in Nerdio Manager.

  • XYZ-NerdioSupport-Admin is assigned to workspaces C and D as an AVD Admin in Nerdio Manager.

  1. The nested membership plays no role. As far as Entra ID is concerned, the membership of ABC-ADM Group in XYZ-NerdioSupport-Admin does not exist. Only users that are direct members of XYZ-NerdioSupport-Admin are considered. Since the user is not a direct member of XYZ-NerdioSupport-Admin, they do not have access to workspaces C or D.

  2. Since the user is a direct member of both ABC-ADM Group and DEF-ADM Group, and both groups are assigned a custom role (and therefore the same tier of permissions per Entra ID), only one of the two assignments takes effect, and which one is effectively arbitrary. In this example, the user sees either workspace A or workspace B.

  3. Typically the assignment is selected alphabetically, but Entra ID does not officially define the order. Therefore, today the user could see workspace A, enabled by ABC-ADM Group, and tomorrow the user may see workspace B, enabled by DEF-ADM Group. Entra ID makes the evaluation and presents the user to Nerdio Manager under that one group. Nerdio Manager sees only that a member of a specific group has signed in, and grants permissions accordingly.

Note: This also applies to two different RBAC role assignments in Nerdio Manager where two different groups are assigned to the same workspace (for example, workspace A) but with two different custom role definitions. One assignment may grant permissions to one set of host pools, while the other grants access to a different set of host pools.

Because all custom roles are on an equivalent tier, the specific host pools visible to the user may change depending on which group evaluation Entra ID makes when signing in to Nerdio Manager.

Recommendations

Tip: Be sure to follow these recommendations to ensure a clear and consistent experience.

  • Option #1: Modify the group memberships or assignments used to grant the user access to Nerdio Manager so that only one group membership applies, with a single custom role granting access to all the workspaces the user should be entitled to.

    Note: Not having multiple groups for Entra ID to evaluate ensures only the single correct assignment is applied.

  • Option #2: Assign the user's account explicitly, not as group membership, to the custom role directly, and grant access to all workspaces that should be entitled.

    Note: Having a single direct assignment ensures that the exact required permissions are applied.

Tip: While either solution works, we recommend Option #1. It avoids bloating the permission listing with a large number of individual users.
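The principles above (only direct assignments and direct group memberships count; only one same-tier assignment is honored) can be checked rather than assumed. The following audit script is an added example and is not Nerdio's own tooling or part of the original article. It uses the Microsoft Graph PowerShell SDK to list every user who reaches an application through more than one assignment path, which is the unsupported configuration this article describes, and to warn about groups nested inside assigned groups, whose members receive no access at all. The cmdlet names are real Graph SDK cmdlets; the application display name, the delegated scopes, and the script file name in the usage note are assumptions you should adjust for your tenant.

```powershell
<#
Added audit script (not part of Nerdio Manager or this article).
Reports users with more than one assignment path to one Entra ID application and warns
about nested groups under assigned groups. Assumptions: the Microsoft.Graph PowerShell SDK
is installed, the caller can consent to the delegated scopes below, and -AppDisplayName
matches the enterprise application's display name exactly.
#>
param(
    [Parameter(Mandatory)] [string] $AppDisplayName   # assumed: the Nerdio Manager app's name
)

Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.Read.All', 'User.Read.All' -NoWelcome

# The service principal (enterprise application) is what carries the app role assignments.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' was found." }
if (@($sp).Count -gt 1) { throw "More than one service principal matches '$AppDisplayName'." }

# App role GUID -> display name so the report is readable. The all-zero GUID is the
# built-in 'default access' role and has no entry in AppRoles, hence the fallback.
$roleNames = @{}
foreach ($r in $sp.AppRoles) { $roleNames[[string]$r.Id] = $r.DisplayName }
function Get-RoleName([string] $RoleId) {
    if ($roleNames.ContainsKey($RoleId)) { $roleNames[$RoleId] } else { "role $RoleId" }
}

# Every assignment on the app. PrincipalType is 'User', 'Group' or 'ServicePrincipal'.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# userId -> list of assignment paths ("direct: <role>" or "group <name>: <role>")
$paths = @{}
function Add-Path([string] $UserId, [string] $Source) {
    if (-not $paths.ContainsKey($UserId)) { $paths[$UserId] = @() }
    $paths[$UserId] += $Source
}

# Direct user assignments: highest priority, but still one path each.
foreach ($a in $assignments | Where-Object PrincipalType -eq 'User') {
    Add-Path $a.PrincipalId ("direct: " + (Get-RoleName $a.AppRoleId))
}

# Group assignments: Get-MgGroupMember returns DIRECT members only, which is exactly what
# Entra ID evaluates for app role assignments (transitive membership is ignored).
foreach ($g in $assignments | Where-Object PrincipalType -eq 'Group') {
    foreach ($m in Get-MgGroupMember -GroupId $g.PrincipalId -All) {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user' {
                Add-Path $m.Id ("group " + $g.PrincipalDisplayName + ": " + (Get-RoleName $g.AppRoleId))
            }
            '#microsoft.graph.group' {
                $msg = "Group '{0}' is nested inside assigned group '{1}'; its members do NOT receive access through that assignment." -f $m.AdditionalProperties['displayName'], $g.PrincipalDisplayName
                Write-Warning $msg
            }
        }
    }
}

# Users with more than one path are the unsupported configuration: Entra ID hands the
# application only one of these assignments, and which one is not guaranteed.
$report = foreach ($userId in $paths.Keys) {
    if ($paths[$userId].Count -gt 1) {
        $u = Get-MgUser -UserId $userId -Property UserPrincipalName
        [pscustomobject]@{
            User  = $u.UserPrincipalName
            Paths = $paths[$userId].Count
            Via   = ($paths[$userId] -join ' | ')
        }
    }
}
if ($report) { $report | Sort-Object User | Format-Table -AutoSize -Wrap }
else { Write-Host "No user has more than one assignment path to '$AppDisplayName'." }
```

Save the script under a name of your choosing (for example, Audit-AppAssignments.ps1, which is not a Nerdio file) and run it as `.\Audit-AppAssignments.ps1 -AppDisplayName '<your Nerdio Manager app name>'`. Every user listed in the report should be reduced to a single path, per Option #1 or #2 above, and every warning identifies a nested group whose members will not see the workspaces they expect. Get-MgGroupMember is used deliberately instead of Get-MgGroupTransitiveMember so that the script models what Entra ID actually evaluates rather than what the group hierarchy looks like.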
