
App Role Permissions

Roles Defined on Apporetum's App Registration

An app role is a way to define custom permissions and roles in Azure that can be assigned to user groups. This allows the implementation of role-based access control (RBAC), which determines what actions a user or service can perform.

Permission Issues

If you encounter a permission error when attempting an action you should be authorised to perform in Apporetum, the account may be missing an App Role assignment. A typical error message when a permission is missing is ForbiddenAccessException.

Checking App Roles

To check whether Apporetum's App Registration has all the correct App Roles defined, do the following:

  • Navigate to Portal.Azure.com
  • Navigate to App registrations
  • Search for your Apporetum App registration under "All Applications"
  • On the App registration, select App roles
  • Check that the App roles displayed match the list below
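The portal click-through above can also be done against the registration's JSON. The following Python script is an added example for this page, not Apporetum's own code or tooling: it takes the `appRoles` array of a Microsoft Graph application object (the same shape that `az ad app show --id <APP_ID>` prints, where `<APP_ID>` is a placeholder for your registration's application ID) and reports which roles from the built-in list below are missing, disabled, not assignable to users or groups, defined twice, or not on the list at all. Run with no arguments it checks a constructed sample rather than a real tenant export.

```python
"""Check an Apporetum app registration's appRoles against the built-in list.

Input: the `appRoles` array of a Microsoft Graph application object, or the
whole object as printed by `az ad app show --id <APP_ID>` (placeholder ID).
"""
import json
import sys

# The `value` of every built-in role from the list on this page (54 roles).
EXPECTED_ROLE_VALUES = frozenset({
    "Apply.AccessPackage", "Edit.App", "Ext.Integration", "Read.IdentityManagement",
    "Write.Manager.AccessReview", "Operate.StateModel", "Publish.StateModel",
    "Read.AccessPackage", "Read.AccountType", "Read.App", "Read.App.Group",
    "Read.App.Membership", "Read.DataSource", "Read.Global", "Read.Identity",
    "Read.Mail.Template", "Read.Portal", "Read.Portal.Config", "Read.Portal.User",
    "Read.Reconcile", "Read.Report", "Read.StateModel", "Read.TrustedParty",
    "Read.User", "Read.WorkforcePerson", "Review.App.Membership", "Security.Global",
    "Write.App.SelfMembership", "View.Approve.Membership", "Read.Suspended",
    "Write.AccessPackage", "Write.Item.AccessReview", "Write.Account.Overrides",
    "Write.AccountType", "Write.App", "Write.App.Group", "Write.App.Membership",
    "Write.Approve.Membership", "Write.DataSource", "Write.Global", "Write.Identity",
    "Write.Identity.Overrides", "Write.Identity.Transform", "Write.Mail.Template",
    "Write.Match.User", "Write.Portal.Config", "Write.Portal.User", "Write.Reconcile",
    "Write.Report", "Write.StateModel", "Write.TrustedParty", "Write.User",
    "Write.WorkforcePerson", "Write.WorkforcePerson.Transform",
})


def check_app_roles(app_roles):
    """Return findings for an appRoles array: built-in roles that are missing
    or disabled, built-in roles not assignable to users/groups, values defined
    more than once, and roles that are not on the built-in list."""
    by_value = {}
    duplicates = set()
    for role in app_roles:
        value = role.get("value") or ""      # a role with no value shows up as ""
        if value in by_value:
            duplicates.add(value)
        by_value[value] = role
    present = set(by_value)
    expected_present = present & EXPECTED_ROLE_VALUES
    return {
        "missing": sorted(EXPECTED_ROLE_VALUES - present),
        # A role that exists but is switched off still blocks the action.
        "disabled": sorted(v for v in expected_present
                           if not by_value[v].get("isEnabled", False)),
        # Roles assigned to users or groups need "User" in allowedMemberTypes.
        "not_user_assignable": sorted(
            v for v in expected_present
            if "User" not in by_value[v].get("allowedMemberTypes", [])),
        "duplicates": sorted(duplicates),
        "unexpected": sorted(present - EXPECTED_ROLE_VALUES),
    }


def extract_app_roles(document):
    """Accept a full application object (as `az ad app show` prints) or a bare
    appRoles array."""
    if isinstance(document, dict):
        return document.get("appRoles", [])
    return document


def constructed_sample():
    """Constructed test data, not an export from a real tenant: every built-in
    role except Write.Portal.Config, with Read.Report disabled and one role
    that is not part of Apporetum added."""
    roles = []
    for i, value in enumerate(sorted(EXPECTED_ROLE_VALUES)):
        if value == "Write.Portal.Config":
            continue
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": value,
            "displayName": value.replace(".", "").upper(),
            "id": f"00000000-0000-0000-0000-{i:012d}",   # placeholder GUID
            "isEnabled": value != "Read.Report",
            "value": value,
        })
    roles.append({
        "allowedMemberTypes": ["Application"],
        "description": "Not an Apporetum role",
        "displayName": "OTHERROLE",
        "id": "00000000-0000-0000-0000-ffffffffffff",   # placeholder GUID
        "isEnabled": True,
        "value": "Other.Role",
    })
    return roles


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            roles = extract_app_roles(json.load(fh))
    else:
        roles = constructed_sample()
    findings = check_app_roles(roles)
    for kind, values in findings.items():
        print(f"{kind}: {', '.join(values) if values else 'none'}")
    blocking = ("missing", "disabled", "duplicates")
    return 1 if any(findings[k] for k in blocking) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `az ad app show --id <APP_ID> > app.json` followed by `python check_app_roles.py app.json`; the exit status is non-zero when a built-in role is missing, disabled or defined twice, so the check can run in a deployment pipeline. Roles listed under "unexpected" are not treated as failures, since a tenant may legitimately carry additional custom roles, but they are worth reviewing.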

List of Built-in App Roles

APPLYACCESSPACKAGE
  • description: "Apply Access Packages"
  • displayName: "APPLYACCESSPACKAGE"
  • value: "Apply.AccessPackage"
EDITAPP
  • description: "Edit Applications - more of a system admin role who can edit any app"
  • displayName: "EDITAPP"
  • value: "Edit.App"
EXTERNALINTEGRATION
  • description: "Access External Integration Endpoints"
  • displayName: "EXTERNALINTEGRATION"
  • value: "Ext.Integration"
IDENTITYMANAGEMENT
  • description: "Allows the user to view the history, transforms, and overrides of Identity related entities when they already have permission to view the base entity."
  • displayName: "IDENTITYMANAGEMENT"
  • value: "Read.IdentityManagement"
MANAGERACCESSREVIEW
  • description: "Allows the user to manage their team members during an access review."
  • displayName: "MANAGERACCESSREVIEW"
  • value: "Write.Manager.AccessReview"
OPERATESTATEMODEL
  • description: "Schedule, Run, or Stop the State Model Engine"
  • displayName: "OPERATESTATEMODEL"
  • value: "Operate.StateModel"
PUBLISHSTATEMODEL
  • description: "Publish a StateModel"
  • displayName: "PUBLISHSTATEMODEL"
  • value: "Publish.StateModel"
READACCESSPACKAGE
  • description: "Read Access Packages"
  • displayName: "READACCESSPACKAGE"
  • value: "Read.AccessPackage"
READACCOUNTTYPE
  • description: "View the information of the current AccountType and any status info"
  • displayName: "READACCOUNTTYPE"
  • value: "Read.AccountType"
READAPP
  • description: "Read Applications"
  • displayName: "READAPP"
  • value: "Read.App"
READAPPGROUP
  • description: "Read Application Role"
  • displayName: "READAPPGROUP"
  • value: "Read.App.Group"
READAPPMEMBERSHIP
  • description: "Read App User Membership"
  • displayName: "READAPPMEMBERSHIP"
  • value: "Read.App.Membership"
READDATASOURCE
  • description: "View the information of the current DataSource and any status info"
  • displayName: "READDATASOURCE"
  • value: "Read.DataSource"
READGLOBAL
  • description: "Read Global Console"
  • displayName: "READGLOBAL"
  • value: "Read.Global"
READIDENTITY
  • description: "View the information of a Identity Entity or the list of Identities"
  • displayName: "READIDENTITY"
  • value: "Read.Identity"
READMAILTEMPLATE
  • description: "Read Mail Template"
  • displayName: "READMAILTEMPLATE"
  • value: "Read.Mail.Template"
READPORTAL
  • description: "Read Portal"
  • displayName: "READPORTAL"
  • value: "Read.Portal"
READPORTALCONFIG
  • description: "Read Configuration This should probably just refer to apporetum config"
  • displayName: "READPORTALCONFIG"
  • value: "Read.Portal.Config"
READPORTALUSER
  • description: "Read Console User"
  • displayName: "READPORTALUSER"
  • value: "Read.Portal.User"
READRECONCILE
  • description: "Read Reconciliation"
  • displayName: "READRECONCILE"
  • value: "Read.Reconcile"
READREPORT
  • description: "Read Reports "
  • displayName: "READREPORT"
  • value: "Read.Report"
READSTATEMODEL
  • description: "View the information of the current StateModel and any status info"
  • displayName: "READSTATEMODEL"
  • value: "Read.StateModel"
READTRUSTEDPARTY
  • description: "Read Trusted Party"
  • displayName: "READTRUSTEDPARTY"
  • value: "Read.TrustedParty"
READUSER
  • description: "Read App User (Managed Account)"
  • displayName: "READUSER"
  • value: "Read.User"
READWORKFORCEPERSON
  • description: "View the information of a Workforce Person Entity or the list of Workforce Persons"
  • displayName: "READWORKFORCEPERSON"
  • value: "Read.WorkforcePerson"
REVIEWAPPMEMBERSHIP
  • description: "Approve App User Membership"
  • displayName: "REVIEWAPPMEMBERSHIP"
  • value: "Review.App.Membership"
SECURITYGLOBAL
  • description: "Security Global Console"
  • displayName: "SECURITYGLOBAL"
  • value: "Security.Global"
SELFENROLMENT
  • description: "Allows the user to add themselves to roles that are configured for self-enrolment."
  • displayName: "SELFENROLMENT"
  • value: "Write.App.SelfMembership"
VIEWAPPROVEMEMBERSHIP
  • description: "access provider and global admin role, where all approvals can be seen in the users page"
  • displayName: "VIEWAPPROVEMEMBERSHIP"
  • value: "View.Approve.Membership"
VIEWSUSPENDED
  • description: "View Suspended App User (Managed Account)"
  • displayName: "VIEWSUSPENDED"
  • value: "Read.Suspended"
WRITEACCESSPACKAGE
  • description: "Write Access Packages"
  • displayName: "WRITEACCESSPACKAGE"
  • value: "Write.AccessPackage"
WRITEACCESSREVIEWITEM
  • description: "Allows the user to perform access reviews over items they can see."
  • displayName: "WRITEACCESSREVIEWITEM"
  • value: "Write.Item.AccessReview"
WRITEACCOUNTOVERRIDES
  • description: "Edit the overrides present on an Account"
  • displayName: "WRITEACCOUNTOVERRIDES"
  • value: "Write.Account.Overrides"
WRITEACCOUNTTYPE
  • description: "CRUD for a AccountType"
  • displayName: "WRITEACCOUNTTYPE"
  • value: "Write.AccountType"
WRITEAPP
  • description: "Write Applications"
  • displayName: "WRITEAPP"
  • value: "Write.App"
WRITEAPPGROUP
  • description: "Write Application Role"
  • displayName: "WRITEAPPGROUP"
  • value: "Write.App.Group"
WRITEAPPMEMBERSHIP
  • description: "Write App User Membership"
  • displayName: "WRITEAPPMEMBERSHIP"
  • value: "Write.App.Membership"
WRITEAPPROVEMEMBERSHIP
  • description: "Only for access approver and global admin"
  • displayName: "WRITEAPPROVEMEMBERSHIP"
  • value: "Write.Approve.Membership"
WRITEDATASOURCE
  • description: "CRUD for a DataSource"
  • displayName: "WRITEDATASOURCE"
  • value: "Write.DataSource"
WRITEGLOBAL
  • description: "Write Global Console"
  • displayName: "WRITEGLOBAL"
  • value: "Write.Global"
WRITEIDENTITY
  • description: "CRUD for a Identity Entity and the link to an Identity"
  • displayName: "WRITEIDENTITY"
  • value: "Write.Identity"
WRITEIDENTITYOVERRIDES
  • description: "Edit the overrides present on an Identity"
  • displayName: "WRITEIDENTITYOVERRIDES"
  • value: "Write.Identity.Overrides"
WRITEIDENTITYTRANSFORMS
  • description: "Edit the transforms from a a Identity to an Account Type"
  • displayName: "WRITEIDENTITYTRANSFORMS"
  • value: "Write.Identity.Transform"
WRITEMAILTEMPLATE
  • description: "Write Mail Template"
  • displayName: "WRITEMAILTEMPLATE"
  • value: "Write.Mail.Template"
WRITEMATCHUSER
  • description: "Write Match User"
  • displayName: "WRITEMATCHUSER"
  • value: "Write.Match.User"
WRITEPORTALCONFIG
  • description: "write Configuration This should probably just refer to apporetum config"
  • displayName: "WRITEPORTALCONFIG"
  • value: "Write.Portal.Config"
WRITEPORTALUSER
  • description: "Write Console User"
  • displayName: "WRITEPORTALUSER"
  • value: "Write.Portal.User"
WRITERECONCILE
  • description: "Write Reconciliation"
  • displayName: "WRITERECONCILE"
  • value: "Write.Reconcile"
WRITEREPORT
  • description: "Write Reports"
  • displayName: "WRITEREPORT"
  • value: "Write.Report"
WRITESTATEMODEL
  • description: "CRUD for a StateModel"
  • displayName: "WRITESTATEMODEL"
  • value: "Write.StateModel"
WRITETRUSTEDPARTY
  • description: "Write Trusted Party"
  • displayName: "WRITETRUSTEDPARTY"
  • value: "Write.TrustedParty"
WRITEUSER
  • description: "Write App User (Managed Account)"
  • displayName: "WRITEUSER"
  • value: "Write.User"
WRITEWORKFORCEPERSON
  • description: "CRUD for a Workforce Person Entity and the link to an Identity"
  • displayName: "WRITEWORKFORCEPERSON"
  • value: "Write.WorkforcePerson"
WRITEWORKFORCEPERSONTRANSFORMS
  • description: "Edit the transforms from a a Workforce Person to an Identity"
  • displayName: "WRITEWORKFORCEPERSONTRANSFORMS"
  • value: "Write.WorkforcePerson.Transform"