Would like to see a role where I can handoff onboarding duties such as sending invites to my Tier 1 without giving them access to Users and Groups where they could change permissions.
Hello,
Could you provide us more insights on your current setup? Do you use SSO? SCIM? Would you expect your tier 1 to be able to assign groups to the newly invited users or really just invite without any rights?
Have a good day!
Maxime Morin
Yes, we use SSO with SCIM groups from Entra. The onboarding process is all handled through AD-ADConnect to Entra->SCIM to Devo. This is the first layer of RBAC access. We currently have no PAM in place, so Secrets and Resources are broken out within the vault, with our infosec team managing this through local Devo groups to allow for secrets access. Then the resources are another local group controlled by Infosec to allow the infrastructure team to build resources. In trying to divide the duties so that the Tier 1 desk can do the onboarding, I find that they must have a system role for Users and Groups, which in turn gives them access to control the local group access that we strictly want to keep InfoSec in charge of; we want the Tier 1 to be able to send invitations to new users that have been SCIM'd in the onboarding process. So having that role allows them a bit more access than we would like them to have.
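As an added illustration (not code from the post or from Devolutions Hub), here is a small Python model of the separation of duties described above: an invite-only role that can invite SCIM-provisioned users but cannot touch the local secrets/resources groups reserved for InfoSec. The role names, permissions and accounts are constructed for the example, not taken from the product.

```python
# Constructed model of the role split discussed in the thread; not Devolutions
# Hub code or API. Role names, permissions and sample users are assumptions.
from dataclasses import dataclass, field

# "users_and_groups" is the broad system role the post says Tier 1 currently
# needs; "invite_only" is the narrower role the post asks for.
ROLE_PERMISSIONS = {
    "users_and_groups": {"invite_user", "edit_local_group"},
    "invite_only": {"invite_user"},
    "infosec": {"edit_local_group"},
}

@dataclass
class Directory:
    # Users provisioned by SCIM from Entra; Tier 1 may invite only these.
    scim_users: set = field(default_factory=set)
    # Local (non-SCIM) groups, e.g. the secrets/resources groups InfoSec manages.
    local_groups: dict = field(default_factory=dict)
    invited: set = field(default_factory=set)

def authorize(role: str, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(role, set())

def invite_user(d: Directory, actor_role: str, email: str) -> bool:
    """Send an invitation; only SCIM-provisioned users may be invited."""
    if not authorize(actor_role, "invite_user"):
        return False
    if email not in d.scim_users:
        return False  # unknown account: not onboarded through Entra/SCIM
    d.invited.add(email)
    return True

def add_to_local_group(d: Directory, actor_role: str, group: str, email: str) -> bool:
    """Change local group membership; reserved for roles holding edit_local_group."""
    if not authorize(actor_role, "edit_local_group"):
        return False
    d.local_groups.setdefault(group, set()).add(email)
    return True

def demo() -> dict:
    d = Directory(scim_users={"alice@example.com"}, local_groups={"secrets-access": set()})
    return {
        "tier1_invite": invite_user(d, "invite_only", "alice@example.com"),
        "tier1_invite_unknown": invite_user(d, "invite_only", "mallory@example.com"),
        "tier1_group_change": add_to_local_group(d, "invite_only", "secrets-access", "alice@example.com"),
        "broad_role_group_change": add_to_local_group(d, "users_and_groups", "secrets-access", "alice@example.com"),
        "infosec_group_change": add_to_local_group(d, "infosec", "secrets-access", "alice@example.com"),
    }
```

The "broad_role_group_change" entry shows why the existing system role is too wide for the Tier 1 desk, while "tier1_group_change" shows the invite-only role denying that same change.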
Hello,
Have you considered the encryption service? With the encryption service and SCIM, you wouldn't need to invite users into your Hub anymore. As soon as your application in Azure allows the user to log into your SSO/Hub, the user would be created directly in Hub Business and the appropriate groups would be applied.
https://docs.devolutions.net/hub/web-interface/administration/configuration-security/authentication/Encryption-service/
Have a good day!
Maxime Morin