Insufficient Permissions to Modify Assignments

When entitling users to host pools within Nerdio Manager, the Assign button may be grayed out.

Note: The Assign button is found in Host Pools > Manage > Users and groups. This only applies to AVD ARM Workspaces, not AVD Classic Tenants.

Hovering over Assign returns the following message:

Insufficient permissions to modify assignments. Assign Owner role to Nerdio-nmw-app in HostPoolName-AppGroup to enable this functionality.

Note: The Nerdio Manager application name, host pool name, or app group name may be slightly different for each custom environment.

Nerdio Manager requires the Owner role on the app groups of a host pool in order to entitle users, because entitling users to AVD host pools is done by adding an Azure role assignment to the resource. By default, Nerdio Manager is only granted Contributor rights on any linked resource group in Azure, in order to keep its privileges as low as possible. Contributor permissions allow Nerdio Manager to create, remove, and manage the resources, but do not allow permission or role assignment changes. See Azure Permissions and Nerdio Manager for details.

When creating a new host pool or adding app groups, Nerdio Manager uses the Azure privileges of the admin user creating the host pool to add the required Owner rights on the app group(s). If that admin user does not have Owner permissions on the resource group (or subscription) in Azure, the Nerdio Manager application cannot be assigned Owner on the newly provisioned app groups. This also means that Nerdio Manager cannot modify user entitlements on the host pool.

To avoid seeing this warning message on newly created pools, there are a few options available depending on the requirements:

  1. Default Behavior: The user(s) creating a host pool would need to have Owner rights on the resource group where the host pools are created. This would allow Nerdio Manager to automatically be granted Owner privileges on the app group.

    Note: This is ideal for environments where admin users creating new host pools have Owner privileges. This follows the least-privilege principle by limiting permission assignment as much as possible.

  2. Nerdio Manager can be granted Owner on the resource group where host pools are provisioned. In this case, Nerdio Manager would inherit Owner permissions on the app group, and would not need explicit assignment.

    Note: This is ideal for environments where admin users, without Owner rights in Azure, are regularly creating, removing, or cloning new host pools or app groups. Nerdio's application only has elevated privileges to the resources in the associated resource group.

  3. Have an administrator with Owner rights in Azure add the Nerdio Manager application as Owner to the app group role assignments after provisioning.

    Note: This would also maintain the least-privilege permissions, but any new host pools or app groups would need an admin with Owner permissions to first add rights for Nerdio Manager before users can be entitled to the host pool.

  4. If you are using the API Limit Booster feature, you must ensure that all booster applications, along with Nerdio Manager’s default application, have matching Owner privileges for the resources noted above.

  5. Once permissions have been corrected, refresh the Manage > Users and groups page, and the Assign button should be available.

    Note: It may take several minutes for the changes to take effect.
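The options above differ only in the scope at which Owner is granted (inherited from the resource group, or explicit on the app group). The following is an added example, not Nerdio's code: it audits role assignments shaped like the output of `az role assignment list --all -o json` and reports which application, including any API Limit Booster application, lacks effective Owner on each app group. The subscription ID, resource group names, app group names, and principal IDs are constructed placeholders.

```python
import json

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
AG = "/providers/Microsoft.DesktopVirtualization/applicationGroups/"
RG_PROD, RG_TEST = f"{SUB}/resourceGroups/rg-avd-prod", f"{SUB}/resourceGroups/rg-avd-test"
GROUP_A = f"{RG_PROD}{AG}HostPoolA-AppGroup"   # constructed app group IDs
GROUP_B = f"{RG_TEST}{AG}HostPoolB-AppGroup"
NMW_APP = "11111111-1111-1111-1111-111111111111"  # constructed principal IDs
BOOSTER = "22222222-2222-2222-2222-222222222222"

def _ra(principal, role, scope):
    return {"principalId": principal, "roleDefinitionName": role, "scope": scope}

# Constructed sample, shaped like `az role assignment list --all -o json`.
SAMPLE = json.dumps([
    _ra(NMW_APP, "Contributor", RG_PROD), _ra(NMW_APP, "Contributor", RG_TEST),
    _ra(BOOSTER, "Contributor", RG_PROD), _ra(BOOSTER, "Contributor", RG_TEST),
    _ra(NMW_APP, "Owner", RG_PROD),   # option 2: inherited from the resource group
    _ra(BOOSTER, "Owner", RG_PROD),
    _ra(NMW_APP, "Owner", GROUP_B),   # options 1/3: explicit on the app group
])

def scope_covers(assignment_scope, resource_id):
    """True if an assignment at assignment_scope applies to resource_id."""
    a = assignment_scope.rstrip("/").lower()   # Azure scopes are case-insensitive
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")     # match whole path segments only

def owner_audit(assignments, app_groups, principals):
    """Map app group -> principal -> narrowest scope granting Owner (or None)."""
    report = {}
    for group in app_groups:
        report[group] = {}
        for pid in principals:
            scopes = [a["scope"] for a in assignments
                      if a["principalId"] == pid
                      and a["roleDefinitionName"] == "Owner"
                      and scope_covers(a["scope"], group)]
            report[group][pid] = max(scopes, key=len) if scopes else None
    return report

def missing_owner(report):
    """(app group, principal) pairs with no effective Owner role."""
    return sorted((g, p) for g, row in report.items()
                  for p, scope in row.items() if scope is None)

if __name__ == "__main__":
    audit = owner_audit(json.loads(SAMPLE), [GROUP_A, GROUP_B], [NMW_APP, BOOSTER])
    for group, principal in missing_owner(audit):
        print(f"Owner missing: {principal} on {group}")
```

Reporting the narrowest granting scope also shows where Owner is held more broadly than the app group, which is the trade-off between options 2 and 3.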

