User Roles in CIPP

How to grant users access to the CIPP App

PreviousAdding Tenants & Consenting the CIPP-SAM Application NextAdding a custom domain name

Last updated 10 days ago

Was this helpful?

User Roles in CIPP

How to grant users access to the CIPP App

CIPP utilizes the Secure Application model, which means that each action will be done under the user permissions of the CIPP-SAM user. To limit the access users have you can use the role management system.

For hosted clients, invites and roles can be managed by logging into the management portal

CIPP features a role management system which utilises the . The roles available in CIPP are as follows:

Role Name

Description

readonly

Only allowed to read and list items and send push messages to users.

editor

Allowed to perform everything, except change system settings.

admin

Allowed to perform everything.

superadmin

You can assign these roles to users using the

After the invite link is sent to the user, they must click on it to accept the invite and gain access to the app. The invites expire after a specific amount of time. Note this link must be sent manually to them, it is not e-mailed.

To assign a role to a user you would follow these steps:

Go to the Azure Portal.
Go to your CIPP Resource Group.
Select your CIPP Static Web App CIPP-SWA-XXXX.
Select Role Management (Not IAM Role Management).
Select invite user.
Add the roles for the user. Multiple roles can be applied to the same user.

Custom Roles

While CIPP only supplies the above roles by default, you can create your own Custom Roles and apply them to your users with editoror readonlyrights, admin users are unaffected by custom roles.

Custom role permissions can only grant the highest level of the base permission. You cannot grant edit permissions to the readonlyrole. Assigning the editorrole and then using a custom role to remove permissions will provide you with the functionality you're looking for there.

Set up Custom Roles by following these steps:

Go to CIPP -> Advanced > Super Admin > Custom Roles.
Select a Custom Role from the list or start typing to create a new one if you do not yet have any.
- Please ensure that your custom role is entirely in lowercase and does not contain spaces or special characters.
For Allowed Tenants select a subset of tenants to manage or AllTenants.
- If AllTenants is selected, you can block a subset of tenants using Blocked Tenants.
Select the API permission from the listed categories and choose from None, Read or Read/Write.
- To find out which API endpoints are affected by these selections, click on the Info button.

Please note that this functionality is in beta and not officially supported. Removing permissions will result in an error message on affected endpoints. The error message will note which permission is missing.

If you are a hosted client, you can add custom roles to your users from the Management App. Just start typing the role name in the select box and add it when prompted. Make sure that your users have the 'editor' or 'readonly' role selected as well.

If you set up Custom Roles by modifying staticwebapp.config.json, you should revert those changes and migrate to the new Custom Role management.

PreviousAdding Tenants & Consenting the CIPP-SAM Application NextAdding a custom domain name

Last updated 10 days ago

Was this helpful?

For hosted clients, invites and roles can be managed by logging into the management portal

CIPP features a role management system which utilises the . The roles available in CIPP are as follows:

Role Name

Description

readonly

Only allowed to read and list items and send push messages to users.

editor

Allowed to perform everything, except change system settings.

admin

Allowed to perform everything.

superadmin

A role that is only allowed to access the settings menu for specific high-privilege settings, such as setting up the settings. This role must be combined with 'admin'

You can assign these roles to users using the

To assign a role to a user you would follow these steps:

Go to the Azure Portal.
Go to your CIPP Resource Group.
Select your CIPP Static Web App CIPP-SWA-XXXX.
Select Role Management (Not IAM Role Management).
Select invite user.
Add the roles for the user. Multiple roles can be applied to the same user.

Custom Roles

While CIPP only supplies the above roles by default, you can create your own Custom Roles and apply them to your users with editoror readonlyrights, admin users are unaffected by custom roles.

Set up Custom Roles by following these steps:

Go to CIPP -> Advanced > Super Admin > Custom Roles.
Select a Custom Role from the list or start typing to create a new one if you do not yet have any.
- Please ensure that your custom role is entirely in lowercase and does not contain spaces or special characters.
For Allowed Tenants select a subset of tenants to manage or AllTenants.
- If AllTenants is selected, you can block a subset of tenants using Blocked Tenants.
Select the API permission from the listed categories and choose from None, Read or Read/Write.
- To find out which API endpoints are affected by these selections, click on the Info button.

If you set up Custom Roles by modifying staticwebapp.config.json, you should revert those changes and migrate to the new Custom Role management.