Role Based Access Control Management

Manage roles via Entra ID Application Roles

Cybersecurity Office utilises Role Based Access Control to grant and constrain which of your Azure Entra ID users are able to access which parts of the application and uses your organisation’s Microsoft Entra ID tenant as the Identity Provider (IdP). Authorisation is controlled via Entra ID Application Roles, assigned to users (and optionally groups) on the Cybersecurity Office Enterprise Application in the Azure Portal.
Because access is managed in your own Entra ID tenant, any existing Identity Governance & Administration (IGA) tools and processes you already use with Entra ID are inherently integrated with Cybersecurity Office (e.g., approvals, access reviews, lifecycle automation, conditional access, audit logging).

Where roles are managed

Application Roles are assigned in:
Azure Portal → Microsoft Entra ID → Enterprise applications → CybersecurityOfficeAPIServiceProd → Users and groups

Which Enterprise Application to use

You will see two Cybersecurity Office Enterprise Applications:
  1. CybersecurityOfficeSPAWebAppProd: the Cybersecurity Office SPA Web App that your users log into.
  2. CybersecurityOfficeAPIServiceProd: This is the Cybersecurity Office API called by the Web App and any other tools and scripts that 
Role assignments are managed on the Cybersecurity Office API Enterprise Application and apply regardless of whether you are accessing the service via the Web App, or via scripts or scheduled tasks.

Role catalogue

The following table provides a summary of the capabilities granted by each of the available roles. Each entry lists the role name, a description of what the role can do, and the resources it can manage (the table columns are Role, Description and Manageable Resources).
Tenant Admin
The Tenant Administrator role is required to set up and maintain the Tenant details and subscriptions. Where required, the Tenant Administrator is also able to create and maintain ACLs that provide fine-grained authorisation rules beyond what can be defined with roles alone. Even if it is not assigned to an individual, at least one Subscription Plan or Add-On pack containing the Tenant Administrator role must be licensed so that the system can be bootstrapped when first starting out.
  1. Tenants
  2. Security Profiles
  3. Subscriptions
  4. ACLs (via API Only)
Risk Manager
The Risk Manager is limited to managing the Risk Framework and the associated Information Asset Classification.
  1. Risk Framework
  2. Asset Classification
Asset Manager
The Asset Manager can define all entities within the Asset Registry and the asset hierarchy within the assessment, in addition to classifying the Information Assets, from which the classification of all other entities in the asset hierarchy is derived. If using Cybersecurity Office purely as an asset registry, this will be the primary role required.
  1. Platform Teams
  2. Environments
  3. Systems
  4. Information Assets
  5. User Account Types
Control Catalogue Manager
The Control Catalogue Manager provides write access to the Countermeasures, which include Control Catalogues, Cybersecurity Frameworks and Maturity Models. Due to the tight relationship between the controls and the threats they mitigate, this role is also able to manage the Threats. In addition to managing the controls, this role provides access to the pre-defined, formatted standards-based data that can be imported at a click without having to define it from scratch. This currently excludes standards that must be licensed, such as ISO 27001.
  1. Control Catalogues
  2. Cybersecurity Frameworks
  3. Maturity Models
  4. Threats
Threat Catalogue Manager
The Threat Catalogue Manager role is capable of creating and maintaining the Threats that form the basis of the risks to the organisation's assets, including the association with the controls that mitigate those risks.
  1. Tasks
  2. Work Packages
  3. Horizons
  4. Reports
Auditor
The Auditor role is able to create, apply and update the Control Assessments of the current state, as well as define the target state. In addition, the Auditor is able to create and maintain Reports; however, the target state maturity may have dependencies on Tasks and Work Packages that need to be defined by a Security Program Manager or Security Architect.
  1. Current State Assessment
  2. Target State Assessment
  3. Reports
Security Program Manager
The Security Program Manager role is responsible for creating Tasks, Work Packages and prioritising the Roadmap based activities required to transition from the current state to the target state. In addition, the Security Program Manager is able to create and maintain Reports, which will have dependencies on capabilities from the Auditor, Control Catalogue Manager and Asset Manager roles.
  1. Tasks
  2. Work Packages
  3. Horizons
  4. Reports
Security Architect
The Security Architect role has the capabilities of all of the other roles, excluding the Cognitive User. When a single user is responsible for the entire end-to-end process, such as when producing a Protective Data Security Plan (PDSP), it may be simpler to assign a single Security Architect role to that user than all of the other roles combined.
  1. All Entities
Cognitive User
Many of the capabilities within Cybersecurity Office used by the above roles have AI Assistant driven services that can help streamline otherwise time-consuming activities.
However, each organisation must explicitly authorise each individual user to make use of these AI services by assigning the Cognitive User role for the following reasons:
  1. Different organisations may have specific policies about allowing staff usage of AI services and/or sending organisation specific data to those AI services for analysis;
  2. The back-end OpenAI based services utilised for these capabilities are relatively expensive, requiring this capability to be licensed separately.
AI services are charged by 'token', which is roughly analogous to a word (or part of a word). Each licensed Cognitive User has a capped number of tokens available per month; however, these tokens are pooled across the organisation. This means that licensing more Cognitive Users allows for more usage across all users, as well as more individual users.
The token cap per licensed user is 50 million tokens (50,000,000) per month.
  1. Platform Teams
  2. Environments
  3. Systems
  4. Information Assets
  5. User Account Types
  6. Tasks
  7. Work Packages
Consumer
Provides read-only access to all data within your Cybersecurity Office tenant. In most cases, a role that provides write access also provides read access to the same data, so the Consumer role does not need to be assigned alongside it.
  1. All Entities

Assign a role to a user (Azure Portal)

Image: Cybersecurity Office API Enterprise Application Overview page (showing the “Assign users and groups” entry point).
  1. Open Microsoft Entra ID in the Azure Portal and go to Enterprise applications → All applications.
  2. Search for Cybersecurity Office and open the API Enterprise Application (CybersecurityOfficeAPIServiceProd).
  3. Select Users and groups.
  4. Select Add user/group.
  5. Under Users, select None selected, choose the user, then click Select.
     Image: Users picker with a user selected.
  6. Under Select a role, select None selected, choose the required role, then click Select.
     Image: Role picker showing the list of Application Roles.
  7. Click Assign.
     Image: Add Assignment page with a user selected and role chosen.
  8. Confirm the user appears in the Users and groups list with the correct Role assigned.

Change or remove a role

  1. In the same Enterprise Application, go to Users and groups.
  2. Select the user assignment.
  3. Use Edit assignment to change the role, or Remove assignment to revoke access.
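The same assign and remove steps can be scripted for joiner/mover/leaver automation. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the Cybersecurity Office documentation or product. It assumes the Microsoft.Graph module is installed, that the API Enterprise Application is named CybersecurityOfficeAPIServiceProd as shown above, that the App Role display names in your tenant match the role catalogue names (for example "Asset Manager"), and that the user principal name is a placeholder.

```powershell
# Added example (not from the Cybersecurity Office documentation): grant and revoke
# Cybersecurity Office Application Roles with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; API app named CybersecurityOfficeAPIServiceProd;
# App Role display names match the role catalogue; the UPN below is a placeholder.

# Scopes: read the service principal's app roles, read users, write role assignments.
Connect-MgGraph -Scopes "Application.Read.All", "User.Read.All", "AppRoleAssignment.ReadWrite.All"

# Resolve the API Enterprise Application. Role assignments live here, not on the SPA app.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'CybersecurityOfficeAPIServiceProd'"
if (-not $sp) { throw "API Enterprise Application not found in this tenant" }

function Get-CsoAppRole {
    # Look up an enabled App Role on the API service principal by its display name.
    param([Parameter(Mandatory)][string]$RoleName)
    $role = $sp.AppRoles | Where-Object { $_.DisplayName -eq $RoleName -and $_.IsEnabled }
    if (-not $role) {
        $known = ($sp.AppRoles | ForEach-Object DisplayName) -join ', '
        throw "Role '$RoleName' not found. Available roles: $known"
    }
    return $role
}

function Grant-CsoRole {
    # Assign one role to one user: the scripted form of Users and groups -> Add user/group -> Assign.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleName
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-CsoAppRole -RoleName $RoleName
    # Skip if this exact assignment already exists (the portal would refuse the duplicate).
    $existing = Get-MgUserAppRoleAssignment -UserId $user.Id |
        Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id }
    if ($existing) { Write-Host "$UserPrincipalName already holds $RoleName"; return $existing }
    New-MgUserAppRoleAssignment -UserId $user.Id -PrincipalId $user.Id `
        -ResourceId $sp.Id -AppRoleId $role.Id
}

function Revoke-CsoRole {
    # Remove one role from one user: the scripted form of Users and groups -> Remove assignment.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$RoleName
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    $role = Get-CsoAppRole -RoleName $RoleName
    Get-MgUserAppRoleAssignment -UserId $user.Id |
        Where-Object { $_.ResourceId -eq $sp.Id -and $_.AppRoleId -eq $role.Id } |
        ForEach-Object {
            Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id
            Write-Host "Removed $RoleName from $UserPrincipalName"
        }
}

# Usage (placeholder UPN). Changing a role is a revoke of the old role followed by a grant
# of the new one; the user must sign in again before the new role appears in their token.
Grant-CsoRole  -UserPrincipalName "alice@example.com" -RoleName "Asset Manager"
Revoke-CsoRole -UserPrincipalName "alice@example.com" -RoleName "Consumer"
```

Because a user can hold more than one Application Role on the same Enterprise Application, the revoke function matches on both the resource (the API app) and the specific role id, so revoking one role leaves the user's other Cybersecurity Office roles untouched.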

Governance and operational alignment

Managing Cybersecurity Office roles in Entra ID allows you to apply your existing governance controls, such as:
  1. Joiner/mover/leaver processes (automated or manual)
  2. Approval workflows for access requests (where used in your organisation)
  3. Conditional Access policies for sign-in control
  4. Access reviews and periodic recertification (where used)
  5. Centralised auditing via Entra ID logs

Common issues

  1. User can’t access features / “not authorised”: Confirm the user is assigned the correct role on the API Enterprise Application (not the Web App one) and has signed in again since the change, as roles are carried in the token issued at sign-in.
  2. Can’t assign groups: Follow the portal warning and assign users directly, or use the group assignment capabilities available in your tenant if enabled.
  3. App not visible in My Apps: In the Enterprise Application Properties, ensure “Visible to users” is enabled if you want it to appear in the user’s app launcher.
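For the first issue above and for periodic access reviews, it helps to see every assignment on the API Enterprise Application in one place and to compare that with the roles a user's current token actually carries. The following is an added example, not part of the Cybersecurity Office documentation or product; it assumes the Microsoft.Graph module is installed and that the API app is named CybersecurityOfficeAPIServiceProd as on this page.

```powershell
# Added example (not from the Cybersecurity Office documentation): report all role
# assignments on the API app and read the roles claim from an access token for diagnostics.
# Assumptions: Microsoft.Graph module installed; API app named CybersecurityOfficeAPIServiceProd.

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$sp = Get-MgServicePrincipal -Filter "displayName eq 'CybersecurityOfficeAPIServiceProd'"
if (-not $sp) { throw "API Enterprise Application not found in this tenant" }

# Map App Role ids to display names so the report is readable.
$roleNames = @{}
foreach ($r in $sp.AppRoles) { $roleNames[[string]$r.Id] = $r.DisplayName }

function Get-CsoRoleReport {
    # One row per user or group assignment on the API Enterprise Application.
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.PrincipalDisplayName
                Type      = $_.PrincipalType        # User or Group
                Role      = $roleNames[[string]$_.AppRoleId]
                Assigned  = $_.CreatedDateTime
            }
        } | Sort-Object Role, Principal
}

function Get-JwtRoles {
    # Read the 'roles' claim from an access token issued for the API, to confirm which
    # roles the user's current session carries. This only decodes the payload and does
    # not validate the signature, so use it for diagnostics, never for authorisation.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    return @($claims.roles)
}

# Usage: full report for an access review, then a focused view of the highest-privilege role.
Get-CsoRoleReport | Format-Table -AutoSize
Get-CsoRoleReport | Where-Object Role -eq 'Tenant Admin'

# Diagnostics for "not authorised": if the report shows the role but the token does not,
# the user has not signed in since the assignment was made.
# $token = '<access token from your own session for the API app>'   # placeholder
# Get-JwtRoles -Token $token
```

The report lists group assignments as well as direct user assignments, so a user who appears to have no row may still receive a role through group membership; the token check is the quickest way to confirm what they actually hold.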
