Privileged Identity Management (PIM) - Can approvals for a role be setup for some users only and not all users?

Question

Privileged Identity Management (PIM) - Can approvals for a role be setup for some users only and not all users?

Kumaran, Sabrina 20

I am working on implementing RBAC roles where users requiring certain privileges such as Global Administrator, need to activate their access via PIM. Further to this, there is an additional requirement for certain teams to have their Global Administrator access approved but not for other teams. Is it possible to separate approvals for a specific role by RBAC groups in PIM? A scenario to help illustrate further:

User 1 is a member of RBAC group Security
User 2 is a member of RBAC group Network
Both RBAC groups have Global Administrator as Eligible assignment
Members of RBAC group Security must have approval from Manager 1 when they activate Global Administrator as an Eligible assignment
Members of RBAC group Network DO NOT require any approval when they activate Global Administrator as an Eligible assignment
Can approval for Global Administrator be setup in such a way that approval is required only for Security RBAC group and NOT Network RBAC group?

If the ability to setup approvals for a specific role for some users only and not all users is currently NOT available, is there plans to update/configure this functionality in the future?

Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-09-27T07:57:00.22+00:00

Hi @Kumaran, Sabrina

Could you kindly clarify "ability to setup approvals for a specific role for some users only and not all users"?

Are you interested in having all users with a particular role grouped together, or do you intend to allocate different roles to users within a single group?

Based on the scenario you described, it seems like you want members of a "Group security" to activate the "GA" role with approval from their manager, while members of the "Network" group can activate the "GA" role without requiring approval. Could you please confirm if my understanding aligns with your intentions?

Thanks,

Shweta
Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-10-03T11:54:36.0066667+00:00

@Kumaran, Sabrina

Could you please confirm the above questions so we can help you further.
Kumaran, Sabrina 20 Reputation points

2023-10-03T19:15:00.3666667+00:00
Hi Shweta,

Apologies for late response. To respond to your questions:

For the intended RBAC model, I do wish to allocate different roles to users within a single group. Using the example I previously provided, users within "Group Security" would have different roles compared to users within "Group Network".

You are correct in that I want members of "Group Security" to activate GA role with approval from a manager - not necessarily their direct manager. The members of "Group Network" can activate GA role without approval. Is this possible?

Please let me know if additional clarity is required.
Navya 17,490 Reputation points Microsoft External Staff

2023-10-12T12:19:02.24+00:00

Hi @Kumaran, Sabrina

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-09-27T07:57:00.22+00:00

Hi @Kumaran, Sabrina

Could you kindly clarify "ability to setup approvals for a specific role for some users only and not all users"?

Are you interested in having all users with a particular role grouped together, or do you intend to allocate different roles to users within a single group?

Based on the scenario you described, it seems like you want members of a "Group security" to activate the "GA" role with approval from their manager, while members of the "Network" group can activate the "GA" role without requiring approval. Could you please confirm if my understanding aligns with your intentions?

Thanks,

Shweta
Shweta Mathur 30,271 Reputation points Microsoft Employee

2023-10-03T11:54:36.0066667+00:00

@Kumaran, Sabrina

Could you please confirm the above questions so we can help you further.
Kumaran, Sabrina 20 Reputation points

2023-10-03T19:15:00.3666667+00:00

Hi Shweta,

Apologies for late response. To respond to your questions:

For the intended RBAC model, I do wish to allocate different roles to users within a single group. Using the example I previously provided, users within "Group Security" would have different roles compared to users within "Group Network".

You are correct in that I want members of "Group Security" to activate GA role with approval from a manager - not necessarily their direct manager. The members of "Group Network" can activate GA role without approval. Is this possible?

Please let me know if additional clarity is required.
Navya 17,490 Reputation points Microsoft External Staff

2023-10-12T12:19:02.24+00:00

Hi @Kumaran, Sabrina

Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Hi @Kumaran, Sabrina . Thank you for reaching out to us.

I understand your asking like if it is possible to set up approvals for a specific role for some users only and not all users in Azure Privileged Identity Management (PIM). As you provided scenario where members of RBAC group security require approval from a specific manager when they activate Global Administrator as an Eligible assignment, while members of another RBAC network group do not require any approval.

There is No possibility to separate approvals for a specific role by RBAC groups, Azure PIM does not currently support the ability to separate approvals for a specific role by RBAC groups. This means that if you require approval for a specific role, it will apply to all users who activate that role.

Regarding your ask about future updates to this functionality, we do not have information on any plans to update/configure this functionality in the future. However, we recommend keeping an eye on the Azure PIM documentation for any updates or changes to this feature.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

Please remember to "Accept Answer" if answer helped you.

Kumaran, Sabrina 20 Reputation points

2023-10-12T16:20:41.1866667+00:00

Thank you very much Navya for confirming the functionality is not currently in place.

Share via

Privileged Identity Management (PIM) - Can approvals for a role be setup for some users only and not all users?

0 additional answers

Your answer