Group Roles

App Role Groups

Role Groups are a way to simplify permission management by combining app roles with Entra ID groups. Instead of assigning app roles directly to individual users, you assign the roles to a group, and then add users to that group.

Permission Issues

If you encounter a permission error when attempting an action you should be authorised for in Apporetum, the account may be missing a permission. An example of an error that indicates a missing permission is ForbiddenAccessException.

Checking Group Roles

To check that Apporetum has all the correct Group Role Assignments, do the following:

  • Navigate to Portal.Azure.com
  • Navigate to Entra ID, and select All Groups
  • Search for each group name from the List of Built-in Group Roles below and ensure its entitlements match the list
  • If an Entra Group is missing an App Role, follow the steps under Adding A Missing App Role
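The check above can also be scripted against the data the Microsoft Graph API returns for the App registration's `appRoles` and the Enterprise Application's `appRoleAssignedTo` collection. The following Python is an added example, not code from the Apporetum documentation: it assumes each role group's display name equals the app role value it carries, and the Graph records are constructed inline (with placeholder role ids) rather than fetched.

```python
"""Reconcile Apporetum app role assignments against the expected group-to-role
mapping. Sample records are constructed in the shape Microsoft Graph returns for
an app registration's `appRoles` and a service principal's `appRoleAssignedTo`."""

# Expected mapping: Entra group display name -> app role value.
# Assumption: each role group is named after the app role value it carries.
EXPECTED = {
    "APPORETUM_ACCESS_APPROVER": "APPORETUM_ACCESS_APPROVER",
    "APPORETUM_SECOPS_MANAGER": "APPORETUM_SECOPS_MANAGER",
    "APPORETUM_GLOBAL_ADMIN": "APPORETUM_GLOBAL_ADMIN",
}

# Constructed sample of the App registration's `appRoles` (ids are placeholders).
APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "APPORETUM_ACCESS_APPROVER"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "APPORETUM_SECOPS_MANAGER"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "APPORETUM_GLOBAL_ADMIN"},
]

# Constructed sample of `appRoleAssignedTo` on the Enterprise Application:
# the SecOps group has no assignment, and one user holds Global Admin directly.
ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001", "principalType": "Group",
     "principalDisplayName": "APPORETUM_ACCESS_APPROVER"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003", "principalType": "Group",
     "principalDisplayName": "APPORETUM_GLOBAL_ADMIN"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003", "principalType": "User",
     "principalDisplayName": "alice@example.com"},
]


def reconcile(expected, app_roles, assignments):
    """Return (missing, direct): `missing` lists (group, role) pairs with no
    group assignment; `direct` lists (principal, role) pairs assigned to a
    user instead of a group, which the role-group model is meant to avoid."""
    role_value = {r["id"]: r["value"] for r in app_roles}
    granted = set()
    direct = []
    for a in assignments:
        value = role_value.get(a["appRoleId"], "<unknown role id>")
        if a["principalType"] == "Group":
            granted.add((a["principalDisplayName"], value))
        else:
            direct.append((a["principalDisplayName"], value))
    missing = sorted((g, r) for g, r in expected.items() if (g, r) not in granted)
    return missing, direct


if __name__ == "__main__":
    print(reconcile(EXPECTED, APP_ROLES, ASSIGNMENTS))
```

Any pair reported under `missing` is exactly the case the next section fixes; a non-empty `direct` list shows users assigned outside a role group.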

Adding A Missing App Role

If an Entra Group is missing an App Role, it can be added through Apporetum's App registration:

  • Navigate to Portal.Azure.com
  • Navigate to Enterprise Applications
  • Search for and select the Apporetum Enterprise Application under "All Applications"
  • On the Enterprise Application overview page, select Users and groups
  • Select Add user/group
  • Under Users and groups, select the Entra Group that is missing the App Role
  • Under Select a role, select the app role to assign to the Entra Group
  • Select Assign to add the app role to the Entra Group

List of Built-in Group Roles

Access Approver - ("APPORETUM_ACCESS_APPROVER")
  • Description: "Similar to access provider, with approval permissions"
  • Entitlements:
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Portal
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • View.Approve.Membership
    • Write.Approve.Membership
    • Write.Item.AccessReview
    • Write.Reconcile
    • Write.Report
Access Provider - ("APPORETUM_ACCESS_PROVIDER")
  • Description: "Access provider may invite, suspend, revoke and renew memberships to applications they administer. They may also run reports and request new reports."
  • Entitlements:
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Portal
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • View.Approve.Membership
    • Write.App.Membership
    • Write.Item.AccessReview
    • Write.Reconcile
    • Write.Report
    • Write.User
Access Reporter - ("APPORETUM_ACCESS_REPORTER")
  • Description: "TBC."
  • Entitlements:
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.Suspended
    • Read.TrustedParty
    • Read.User
Access Review Admin - ("APPORETUM_ACCESS_REVIEW_ADMIN")
  • Description: "Manages all access reviews"
  • Entitlements:
    • Read.AccessPackage
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Global
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • View.Approve.Membership
    • Write.App.Membership
    • Write.Global
    • Write.Reconcile
    • Write.Report
    • Write.User
Access Reviewer - ("APPORETUM_ACCESS_REVIEWER")
  • Description: "Similar to access provider, with review action permissions"
  • Entitlements:
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Portal
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • Write.App.Membership
    • Write.Item.AccessReview
    • Write.Reconcile
Account Management - ("APPORETUM_ACCOUNT_MANAGEMENT")
  • Description: "TBC."
  • Entitlements:
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Identity
    • Read.IdentityManagement
    • Read.StateModel
    • Read.User
    • Read.WorkforcePerson
    • Write.Account.Overrides
    • Write.Identity
    • Write.Identity.Overrides
    • Write.Identity.Transform
    • Write.WorkforcePerson
Application Admin - ("APPORETUM_APPLICATION_ADMIN")
  • Description: "TBC."
  • Entitlements:
    • Apply.AccessPackage
    • Edit.App
    • Read.AccessPackage
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Global
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • View.Approve.Membership
    • Write.AccessPackage
    • Write.App
    • Write.App.Membership
    • Write.Approve.Membership
    • Write.Global
    • Write.Reconcile
    • Write.Report
Application Owner - ("APPORETUM_APP_OWNER")
  • Description: "App owner of one or many applications."
  • Entitlements:
    • Edit.App
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.Mail.Template
    • Read.Portal
    • Read.Reconcile
    • Read.Report
    • Read.TrustedParty
    • Read.User
    • View.Approve.Membership
    • Write.Reconcile
    • Write.Report
Global Admin - ("APPORETUM_GLOBAL_ADMIN")
  • Description: "Global Admin for the Apporetum Console."
  • Entitlements:
    • Apply.AccessPackage
    • Edit.App
    • Operate.StateModel
    • Publish.StateModel
    • Read.AccessPackage
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Identity
    • Read.IdentityManagement
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.Config
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.StateModel
    • Read.Suspended
    • Read.TrustedParty
    • Read.User
    • Read.WorkforcePerson
    • Review.App.Membership
    • Security.Global
    • View.Approve.Membership
    • Write.AccessPackage
    • Write.Account.Overrides
    • Write.AccountType
    • Write.App
    • Write.App.Group
    • Write.App.Membership
    • Write.Approve.Membership
    • Write.DataSource
    • Write.Global
    • Write.Identity
    • Write.Identity.Overrides
    • Write.Identity.Transform
    • Write.Item.AccessReview
    • Write.Mail.Template
    • Write.Match.User
    • Write.Portal.Config
    • Write.Portal.User
    • Write.Reconcile
    • Write.Report
    • Write.StateModel
    • Write.TrustedParty
    • Write.User
    • Write.WorkforcePerson
    • Write.WorkforcePerson.Transform
Global Reader - ("APPORETUM_GLOBAL_READER")
  • Description: "A global reader that has read all permissions to the Apporetum Console."
  • Entitlements:
    • Read.AccessPackage
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Identity
    • Read.IdentityManagement
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.Config
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.StateModel
    • Read.Suspended
    • Read.TrustedParty
    • Read.User
    • Read.WorkforcePerson
    • Review.App.Membership
    • View.Approve.Membership
Identity Reporter - ("APPORETUM_IDENTITY_REPORTER")
  • Description: "TBC."
  • Entitlements:
    • Read.AccountType
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Identity
    • Read.IdentityManagement
    • Read.Portal.User
    • Read.StateModel
    • Read.User
    • Read.WorkforcePerson
Lifecycle Admin - ("APPORETUM_LIFECYCLE_ADMIN")
  • Description: "TBC."
  • Entitlements:
    • Edit.App
    • Operate.StateModel
    • Publish.StateModel
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Identity
    • Read.IdentityManagement
    • Read.StateModel
    • Read.User
    • Read.WorkforcePerson
    • Write.AccountType
    • Write.DataSource
    • Write.StateModel
    • Write.WorkforcePerson.Transform
Manager Reviewer - ("MANAGER_REVIEWER")
  • Description: "Manages at least one user."
  • Entitlements:
    • Write.Manager.AccessReview
Operations - ("APPORETUM_OPERATIONS")
  • Description: "TBC."
  • Entitlements:
    • Operate.StateModel
    • Read.App.Membership
    • Read.DataSource
    • Read.Identity
    • Read.Portal.Config
    • Read.StateModel
Organisation Admin - ("APPORETUM_ORGANISATION_ADMIN")
  • Description: "TBC."
  • Entitlements:
    • Read.Global
    • Read.TrustedParty
    • Read.User
    • Write.Global
    • Write.Report
    • Write.TrustedParty
Organisation Manager - ("APPORETUM_ORGANISATION_MANAGER")
  • Description: "Manager of an Organisation."
  • Entitlements:
    • Read.Global
    • Read.TrustedParty
    • Read.User
    • Write.TrustedParty
SecOps Manager - ("APPORETUM_SECOPS_MANAGER")
  • Description: "Security Manager may suspend or remove any user, app, role or trusted party. May also run reconciliation on all objects and generate reports."
  • Entitlements:
    • Apply.AccessPackage
    • Read.AccessPackage
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Identity
    • Read.IdentityManagement
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.Config
    • Read.Portal.User
    • Read.Reconcile
    • Read.Report
    • Read.StateModel
    • Read.Suspended
    • Read.TrustedParty
    • Read.User
    • Read.WorkforcePerson
    • Security.Global
    • Write.Reconcile
    • Write.Report
    • Write.TrustedParty
    • Write.User
System Admin - ("APPORETUM_SYSTEM_ADMIN")
  • Description: "System admin can create, edit and suspend all trusted partners, applications, console users and portal users."
  • Entitlements:
    • Apply.AccessPackage
    • Edit.App
    • Read.AccessPackage
    • Read.AccountType
    • Read.App
    • Read.App.Group
    • Read.App.Membership
    • Read.DataSource
    • Read.Global
    • Read.Identity
    • Read.IdentityManagement
    • Read.Mail.Template
    • Read.Portal
    • Read.Portal.Config
    • Read.Portal.User
    • Read.Reconcile
    • Read.StateModel
    • Read.Suspended
    • Read.TrustedParty
    • Read.User
    • Read.WorkforcePerson
    • Review.App.Membership
    • Security.Global
    • View.Approve.Membership
    • Write.AccessPackage
    • Write.AccountType
    • Write.App
    • Write.App.Group
    • Write.DataSource
    • Write.Global
    • Write.Identity
    • Write.Mail.Template
    • Write.Match.User
    • Write.Portal.Config
    • Write.Portal.User
    • Write.Reconcile
    • Write.Report
    • Write.TrustedParty
    • Write.User