Role-based Access Control (RBAC) Multiple Group Assignments
When using one of the built-in accounts, administrative access to Nerdio Manager is controlled by individual user or group assignment to Nerdio Manager's application registered in Entra ID. As of Nerdio Manager v6.4, support for Cumulative RBAC has been introduced for custom roles. Please review this document carefully to understand the implications of this change. Details on the new and previous behavior are described below.
While it is possible for a user to be entitled to Nerdio Manager through multiple group memberships, this is not a supported configuration if using built-in accounts, or a combination of built-in accounts and custom roles. Care should be taken to ensure that users only have one assignment granting access to Nerdio Manager if using built-in accounts.
RBAC Considerations from Nerdio Manager v6.4 and later
Note: The behavior described here is default for new installations of Nerdio Manager. For existing installs, if cumulative RBAC functionality is desired, this must be enabled by the app service setting Features:CumulativeRbac with a value of True.
With the release of Nerdio Manager v6.4, the concept of cumulative RBAC has been introduced for custom roles. This new functionality allows for different permissions, which may be assigned via separate individual assignments user or group memberships, to be applied cumulatively within the Nerdio Manager console.
Where conflicts are present within the assigned roles, the higher permission assignment is applied. Ensure the permissions you assign to users and groups via custom roles meet or exceed your organization’s security requirements.
Note: Multiple direct assignments are not supported. A single direct assignment may be combined with multiple direct assignments. This new functionality applies only to custom roles defined within the Nerdio Manager application. Built-in roles are fully excluded from this new functionality.
Core Permission Assignment Principles
The following are the core principles related to how the permission assignments apply through Entra ID and how Nerdio Manager interprets them.
Users can be assigned directly to the application with a specific role and workspace combination, or they can be a direct member of a group that is assigned to the application. Assignments as both a user and group member are supported
Members of a group that is a nested member of another group, which is assigned to the Entra ID application, are not considered. This is an Entra ID limit. See this Microsoft article for details.
Nerdio Manager's built-in default roles are arranged in order of tiers with decreasing permission. If a user is a member of groups with multiple equivalent built-in role tiers, then Entra ID only provides one of those assignments to Nerdio Manager. In general, it is provided alphabetically, so the first alphabetical group's assignments apply in most situations, but technically it can be processed in any order.
Additional Principles
Nerdio Manager’s Custom Roles provide a filtered experience at the application level. Therefore, custom roles provide the ability to assign one or more custom roles via direct assignment or group membership, and these roles are combined within the Nerdio Manager application to provide the most permissive set of permissions.
A direct user assignment is considered the highest priority. Therefore, any user directly assigned to Nerdio Manager is assigned before other permissions that may be assigned by groups.
Example Scenario
A user’s account is a member of ABC-ADM Group and DEF-ADM Group.
ABC-ADM Group is nested underneath the group XYZ-NerdioSupport-Admin.
ABC-ADM Group is assigned to workspace A with a custom role in Nerdio Manager.
DEF-ADM Group is assigned to workspace B with a custom role in Nerdio Manager.
XYZ- NerdioSupport- Admin is assigned to workspaces C and D as an AVD Admin in Nerdio Manager.
The nested membership plays no role. Therefore, as far as Entra ID is concerned, the ABC-ADM Group as a member of XYZ-NerdioSupport-Admin does not exist. Only users that are direct members of the XYZ- NerdioSupport- Admin group are considered. Since the user is not a direct member of XYZ-NerdioSupport-Admin, they do not have access to workspaces C or D.
Since the user is a direct member of both ABC-ADM Group and DEF-ADM Group, and both of those groups are assigned to a custom role, therefore, the same tier of permissions per Entra ID, then the effective permissions of the user is going to be the cumulative total of the permissions assigned to the ABC-ADM Group and DEF-ADM Group.
Feature Limitations
In this initial release of the cumulative RBAC feature, there are some functional limitations. These will be addressed in the future where possible.
The feature does not support mixing of different access levels to the workspace module across separate assignments. For example, you cannot mix the ‘Manage Hosts’ and ‘Manage Sessions’ permission in the workspaces module across separate assignments, because only one access level for the workspaces module is supported globally.
You cannot mix limited permissions with Full Access, even when restricting the scope to specific workspaces, because the Full Access user interface would conflict with the limits set.
You cannot mix limited permissions with Read Only, even when restricting the scope to specific workspaces, because the Read Only user interface would conflict with the limits set.
The maximum supported number of assignments is 10. Additional assignments are filtered out.
RBAC Considerations prior to Nerdio Manager v6.4
This section discusses the situation where a user is potentially a member of different groups for environments prior to v6.4. Some of these may be direct assignments or a nested group assignment.
The groups are assigned to different custom roles. For example, two assignments grant access to workspace A with varying custom permissions (that is, the same workspace), and one assignment grants access to workspaces B, C, and D.
When the user signs in, they only see the workspace A. They do not see workspaces B, C, and D.
In fact, you want the user to have access to all the workspaces (A, B, C, and D).
Core Permission Assignment Principles
The following are the core principles related to how the permission assignments apply through Entra ID and how Nerdio Managerinterprets them.
User assignment to Entra ID applications does not support nested group membership. That is, users can only be assigned directly to the application with a specific role and workspace combination, or they can be a direct member of a group that is assigned to the application. Assigned as both a user and group member is supported, but Nerdio Manager prioritizes the user assignment first (see below).
Members of a group that is a nested member of another group, which is assigned to the Entra ID application, are not considered. This is an Entra ID limit. See this Microsoft article for details.
Nerdio Manager's built-in default roles are arranged in order of tiers with decreasing permission. If a user is a member of groups with multiple equivalent role tiers, then Entra ID only provides one of those assignments to Nerdio Manager. In general, it is provided alphabetically, so the first alphabetical group's assignments apply in most situations, but technically it can be processed in any order.
Additional Principles
All custom roles created in Nerdio Manager are considered to be the same tier in terms of Entra ID's role permissions. Nerdio Manager can not merge or consolidate permissions to enable access to the most permissive combination.
Even if there was a custom role that enables all permissions, and a second role that only includes a single permission, because they are both considered to be a custom role, they are equal on the same tier from the perspective of the Azure application.
A direct user assignment is considered the highest priority. Therefore, any user directly assigned to Nerdio Manager bypasses any alternate permissions that may be assigned by group. However, users should only have a single assignment, otherwise it is subject to the same processing challenges as multiple group memberships.
Example Scenario
A user’s account is a member of ABC-ADM Group and DEF-ADM Group.
ABC-ADM Group is nested underneath the group XYZ-NerdioSupport-Admin.
ABC-ADM Group is assigned to workspace A with a custom role in Nerdio Manager.
DEF-ADM Group is assigned to workspace B with a custom role in Nerdio Manager.
XYZ-NerdioSupport-Admin is assigned to workspaces C and D as an AVD Admin in Nerdio Manager.
The nested membership plays no role. Therefore, as far as Entra ID is concerned, the ABC-ADM Group as a member of XYZ-NerdioSupport-Admin does not exist. Only users that are direct members of the XYZ-NerdioSupport-Admin group are considered. Since the user is not a direct member of XYZ-NerdioSupport-Admin, they do not have access to workspaces C or D.
Since the user is a direct member of both ABC-ADM Group and DEF-ADM Group, and both of those groups are assigned to a custom role (therefore, the same tier of permissions per Entra ID), then the effective permissions of the user is going to be a toss up between what workspaces/pools those groups are assigned to. In this example, that is either workspace A or workspace B.
Typically, the assignment is done alphabetically, but there is no official definition of how that is interpreted by Entra ID. Therefore, today, the user could see the workspace A that is enabled by ABC-ADM Group. Tomorrow, the user may see workspace B that is enabled by DEF-ADM Group. Entra ID makes the evaluation and provides the user with access to Nerdio Manager under that group. Nerdio Manager just sees that a member of a specific group has signed in, and grants the permissions accordingly.
Note: This could also apply to two different RBAC role assignments in Nerdio Manager, where two different groups are assigned to the same workspace (for example, workspace A), but have two different custom role definitions. One assignment may be grant permissions to one set of host pools, while the other group may be assigned to a different set of host pools.
Because all custom roles are on an equivalent tier, the specific host pools visible to the user may change depending on which group evaluation Entra ID makes when signing in to Nerdio Manager.
Recommendations
Tip: Be sure to follow these recommendations to ensure a clear and consistent experience.
-
Option #1: Either modify the group membership or assignments used to grant the user access to Nerdio Manager, so that there is only one group membership applied with a single custom role granting access to all the requisite workspaces that the user should have entitled.
Note: Not having multiple groups for Entra ID to evaluate ensures only the single correct assignment is applied.
-
Option #2: Assign the user's account explicitly, not as group membership, to the custom role directly, and grant access to all workspaces that should be entitled.
Note: Having a single direct assignment ensures that the exact required permissions are applied.
Tip: While either solution would work, we would recommend using Option #1. This helps prevent bloating the permission listing with a large number of individual users.
Comments (0 comments)