Microsoft Entra ID
- 23 Feb 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
Microsoft Entra ID
- Updated on 23 Feb 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Introduction
This article describes the user management capabilities in Business Activity Monitoring for a Turbo360 account with Microsoft Entra ID authentication.
Add user or group
Users with the Account owner or Owner role can add new users and Microsoft Entra ID groups to Business Activity Monitoring (hereafter referred to as "module").
- Go to User management section in the Business Activity Monitoring module
- Click Add user/Add group option in the Users tab
- Select the required users/groups
- Click Add
- The first 500 users/groups from the corresponding Microsoft Entra ID will be listed, and users can make use of the "Load more" option to load the next set of users/groups.
- For Microsoft Entra ID users, users in the retrieved list can be filtered by User principal name using the filter option provided above the user list. If no user is found in the retrieved list, the same filter can be performed directly in the Microsoft Entra ID, which will list the filtered users from the Microsoft Entra ID.
- For Microsoft Entra ID groups, groups in the retrieved list can be filtered by group name using the filter option provided above the group list. If no group is found in the retrieved list, the same filter can be performed directly in the Microsoft Entra ID, which will list the filtered groups from the Microsoft Entra ID.
Role assignment
User can be assigned roles in any of the two ways:
1. Direct role assignment
2. Specified access
- Direct role assignment refers to the assignment of a role to a user/group, which will be applicable for the entire module. For instance, assigning a direct role like 'Reader' for a user/group means that the user/group has complete read access to all the Business Processes in the module.
Owner role cannot be assigned to Microsoft Entra ID groups.
- Specified access refers to assigning different roles on different module-specific areas. For instance, if an organisation has two Business Processes for its two environments such as Production and Development, a user like a contractor or a Microsoft Entra ID group with guest users cannot be given even 'Reader' access to Production Business Process. In such cases, the user/group can be assigned Specified access, by choosing only the Business Process that the user/group can see, and assign a role for each chosen Business Process, which determines what the user/group members can do inside that Business Process.
Users/groups who are already added to Turbo360 (members of other modules of Turbo360, or do not have any module-permission) are available to be added from the Existing user and Existing group tab for Add user and Add group options respectively.
Manage role assignments of users and groups
Update user / group permission
- Go to User management section of the module
- Click on the Edit permission icon next to the user/group
- Update the user role either at a specified level (or) as a direct role
- Click Update
The role assignments can also be updated for multiple users (or) groups simultaneously.
- Select the users (or) groups to whom the role is to be updated
- Click Edit permission available at the top
- Assign role either at a specified level (or) as a direct role
- Click Update
The chosen role will be assigned to all the selected users.
User access at a specified level
The list of users and groups having access to a particular Business Process Group / Business Process can be viewed and managed by clicking the three-dotted icon next to the required group / business process in the tree view and selecting Users in its context menu.
Only users/groups having direct access to a Business Application/Group can be revoked access when viewing from the Business Application/Group's Users widget.
Remove user or group
Account owners or owners of the module can remove any existing user.
- Click the Remove user icon next to the user (or) group
(or) - Remove multiple users (or) groups by selecting them and clicking the Remove option above the users' list.
User/group removed from a module still exists in Turbo360's directory. Account owners can remove the users/groups completely from Turbo360 by navigating to Settings -> Users and choosing Remove user/group option.
Permission evaluation
When a MIcrosoft Entra ID user is added directly as a member of Turbo360, the permissions are evaluated against the roles that have been assigned to that user during user operations. If that user is also a member of a Microsoft Entra ID group that has been added to Turbo360, the group permissions will not be evaluated because the direct user membership in Turbo360 takes precedence.
However, when a user signs in as a member of a Microsoft Entra ID group, i.e, this user is not added to Turbo360 directly, but the Microsoft Entra ID group that this user is a member of is added, the permissions of that user are checked against the roles assigned to that group during user operations. When a user belongs to multiple groups, high level permissions are determined by comparing the roles of all the groups.
The same is true when a user signs in as an owner of Microsoft Entra ID group, i.e, this user is not added to Turbo360 directly, but the Microsoft Entra ID group that this user is a direct owner of is added.
Although Turbo360 supports direct owners of Microsoft Entra ID groups, the recommended method of Microsoft Entra ID group management in Turbo360 is to stick to members of Microsoft Entra ID groups where the owners are also members of those groups.
Added information
Microsoft Entra ID group authentication occurs in a transitive manner, which means that if a parent group is added to Turbo360, all child groups in all inner levels of that group will be authenticated even if those child groups are not added to Turbo360.
Child groups, on the other hand, can be added if the users of different groups require different permissions based on business needs.
Was this article helpful?