We would like to use Cumulative RBAC to apply between both built-in and custom roles. There are use cases where we have users/groups that are assigned a built-in role and a custom role and this functionality broke in v6.4.
Add support for both built-in and custom roles in Cumulative RBAC
Hello DJ Singh (Discount Tire) - firstly, please accept my apologies if you have seen a behavior change after 6.4 and you have not enabled cumulative RBAC as a feature. This is an unexpected bug that other customers have reported, and is being investigated by the development team.
Regarding built-in role support - this unfortunately is not possible currently. Built-in roles take complete precedence and cannot be used in combination with cumulative RBAC. However, you can work around this by building a custom role with identical properties to the built-in role. Please do bear in mind that RBAC modules cannot overlap across entitlements.
This feature is quite complex and has some limitations due to the requirement of working within the limits of native Azure RBAC functionality.
Below is an example of how the feature is intended to be used:
For users with Cumulative RBAC roles assigned, from the ‘assigned roles’ UI element (found under my name in the console when multiple custom RBAC have been applied), I can see all the models that I am entitled to, and how they are inherited (1x direct, 2x groups).

Leading to the cumulative experience seen here (3x modules – Intune, Workspace, Images):

Please let me know if you have more questions here.