net core application. I am trying to implement authentication and authorization. I have users they are split into multiple regions. For example I have below regions.
GE GSAS
- user1
- user2
APAC
- user3
- user4
SE&A
- user5
- user6
These users have different permissions or roles, for example RegionalAdmin, GlobalAdmin, Users, etc. These users will be creating some orders in the portal. For example, a Regional head can reassign orders within that region only to other users. A Global head can reassign orders to anyone. Users can create orders and view and delete them, but users cannot reassign orders. All these users are part of an Azure AD tenant. Now I am trying to implement authentication and authorization. I started thinking about the design strategy like this: I can create groups as per regions and add users to groups. Based on the groups I can have authentication or authorization. But these users have different permissions like RegionalAdmin, GlobalAdmin etc., and these users have some extra functionalities allowed in web/API permissions. Can someone help me regarding this and how to organize groups or roles with respect to the above scenario? Any help would be greatly appreciated. Thank you.
Assuming the regional admin you mentioned is a custom role in your application (as there is no such role in AAD), it is always better to use administrative units, and a suggested approach would be to create groups separately for regional admin and global admin users and assign roles to these groups accordingly.
A user can be assigned to multiple groups and roles can be assigned to individual users/groups.
Authorize applications based on the role permissions granted by the administrator to groups. Please refer to this link for the detailed documentation on how to create/manage roles for an application in Azure AD.
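As an added worked example (this is not code from the question or the answer above), here is how the design suggested in the answer looks once it reaches the ASP.NET Core application: app roles (GlobalAdmin, RegionalAdmin, User) are assigned to groups in Azure AD and arrive in the token as a `roles` claim, regional membership arrives as a `groups` claim of group object IDs, and the application decides the one rule Azure AD cannot express on its own, namely that a RegionalAdmin may reassign only orders in their own region. The role names, the `groups`-claim mapping, the `Order` type, `LoadOrder` and the group-ID-to-region dictionary are all assumptions made for the example; the dictionary would come from configuration in a real deployment.

```csharp
// Added example, not from the original post. Assumptions (labelled):
//  - App roles "GlobalAdmin", "RegionalAdmin", "User" exist on the app registration and are
//    assigned to groups; Microsoft.Identity.Web maps the "roles" claim to ClaimTypes.Role,
//    so IsInRole()/[Authorize(Roles=...)] work.
//  - The "groups" claim is enabled (Token configuration) and holds group object IDs.
//  - Order, LoadOrder and the group->region map are hypothetical stand-ins.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public record Order(int Id, string Region, string OwnerUpn);

// Resource-based requirement: "the caller may reassign this order".
public class CanReassignRequirement : IAuthorizationRequirement { }

public class ReassignOrderHandler : AuthorizationHandler<CanReassignRequirement, Order>
{
    // Hypothetical map: Azure AD group object ID -> region name (load from configuration).
    private readonly IReadOnlyDictionary<string, string> _groupToRegion;

    public ReassignOrderHandler(IReadOnlyDictionary<string, string> groupToRegion)
        => _groupToRegion = groupToRegion;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, CanReassignRequirement requirement, Order order)
    {
        var user = context.User;

        // Global admins may reassign any order, in any region.
        if (user.IsInRole("GlobalAdmin"))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Regional admins may reassign only orders whose region matches one of the
        // regional groups they belong to. Unknown group IDs are ignored, not trusted.
        if (user.IsInRole("RegionalAdmin"))
        {
            var callerRegions = user.FindAll("groups")
                .Select(c => _groupToRegion.TryGetValue(c.Value, out var region) ? region : null)
                .Where(region => region != null);

            if (callerRegions.Contains(order.Region, StringComparer.OrdinalIgnoreCase))
                context.Succeed(requirement);
        }

        // Plain users (and anyone else) fall through without Succeed() -> 403.
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services,
                                 IReadOnlyDictionary<string, string> groupToRegion)
    {
        services.AddAuthorization(options =>
        {
            // Any of the three app roles may create/view/delete orders.
            options.AddPolicy("OrderUser", p => p.RequireRole("User", "RegionalAdmin", "GlobalAdmin"));
            // Reassignment is decided per order by ReassignOrderHandler.
            options.AddPolicy("CanReassign", p => p.AddRequirements(new CanReassignRequirement()));
        });
        services.AddSingleton<IAuthorizationHandler>(new ReassignOrderHandler(groupToRegion));
    }
}

[ApiController]
[Route("api/orders")]
[Authorize(Policy = "OrderUser")]
public class OrdersController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public OrdersController(IAuthorizationService authz) => _authz = authz;

    [HttpPost("{id}/reassign")]
    public async Task<IActionResult> Reassign(int id, [FromBody] string newOwnerUpn)
    {
        Order order = LoadOrder(id);
        // Evaluate the resource-based policy against the specific order, not just the role.
        var result = await _authz.AuthorizeAsync(User, order, "CanReassign");
        if (!result.Succeeded)
            return Forbid();

        // ... persist order with OwnerUpn = newOwnerUpn ...
        return NoContent();
    }

    // Hypothetical repository call; constructed placeholder data.
    private static Order LoadOrder(int id) => new Order(id, "APAC", "user3@contoso.com");
}
```

Two caveats a practitioner should keep in mind. First, the rule "regional admin can reassign only to users in the same region" also constrains the new owner, not just the order; checking that `newOwnerUpn` belongs to the region needs a directory lookup (Microsoft Graph) which the example omits. Second, if a user is in many groups, Azure AD may emit a groups overage indicator instead of the `groups` claim, so production code must handle the overage case (by resolving memberships via Graph) rather than silently treating the caller as having no regions.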
Thanks dinakr. So first I should create groups for each region and add all the users. Then create groups again for regional admin and global admin in each region and add the required users to them. Then for each group I should assign roles. This is the approach, right?
Yes. This approach suits the above requirement.
So for example, in region1 if there were 10 users then I will create group region1, add all the 10 users, and add the user role to this group. Then, for example, if out of the 10 users 2 are global admins, I will create group region1globaladmin, add those 2 users and assign this group to the region1globaladmin role. For region2 the same will be carried out. This is the approach, right? But a small question is that we will end up creating a lot of groups, right?
In AAD, the Global administrator role can read and modify every administrative setting in your Azure AD organization. So, this will be at tenant level. Refer to the link below for more details on roles and permissions. It would be helpful if you could elaborate on what you mean by regions in the above example. docs.microsoft.com/en-us/azure/active-directory/roles/…
Assuming the global admin in the above scenario is a group of users with custom roles, and regions are the segregation criteria for groups, are the roles and permissions different for global admins of different regions? If not, then you can just create one group for both/all the regions; else you might have to create separate groups. With respect to the increasing number of groups, it is always suggested to follow administrative units (link below) for effective segregation of user/group management. docs.microsoft.com/en-us/azure/active-directory/roles/…