What is role-based access control?

Role-based access control (RBAC) is a method of protecting data from improper access. It helps organizations manage and control access to resources, data, and systems more effectively.

Roles are predefined sets of permissions or privileges. They define what a user or group of users is allowed to do within a system or application. For example, a role could be Administrator, Technician, or Read-only.

Users and groups are assigned to specific roles based on their job functions or responsibilities. This simplifies access management because you don't need to specify individual permissions for each person.

RBAC enforces access control by ensuring that users or groups can only perform actions defined by their assigned roles. This minimizes the risk of unauthorized access and data breaches.

Role-based access control in Cloud Commander

Cloud Commander uses role-based access control to provide fine-grained multi-tenancy access to Cloud Commander, Microsoft Partner Center, Microsoft Azure, and Microsoft 365 resources using the principle of Least Privilege. This means that users and groups are only assigned the specific roles required for their job responsibilities, and nothing extra.

Cloud Commander users only see the menu options and dialogs for their assigned roles. See Platform roles required for specific tasks. For the list of all Cloud Commander roles, see Platform roles dictionary.
If you can't see a menu option or dialog that you need, contact the Cloud Commander administrator at your MSP organization.


Two types of roles are assigned in Cloud Commander:

  • Platform role—a set of permissions and privileges that you assign to users and groups in Cloud Commander. These roles determine what actions users and groups can see and perform in Cloud Commander. See Platform role management.
  • Microsoft Entra ID role—a set of Microsoft Entra ID permissions and privileges that you can assign to users or groups via Cloud Commander. These roles determine what actions users or groups can perform in Microsoft products and apps. See Microsoft Entra ID roles.


You can assign users or groups as members of the following group types in Cloud Commander:

  • Platform user group—a group that is only available in Cloud Commander. It is used to assign platform roles to group members who perform tasks in Cloud Commander. See Manage platform user groups.
  • Microsoft Entra ID groupMicrosoft 365 and Microsoft Security groups that are either imported from the cloud or created using Cloud Commander and then written to Microsoft Entra ID. You can assign platform roles to Microsoft Entra ID groups.

You can assign one platform role to one Microsoft Entra ID group at a time, and you can assign one platform role to multiple users and platform user groups at a time.

Groups are efficient for onboarding and offboarding users. You assign the user to a group, so they inherit the group permissions and then remove the user from the group when the access is no longer required. Adding or removing a user from a group is more efficient than adding or removing individual roles for a user.

See Groups.


All users in Cloud Commander are Microsoft Entra ID users. They can be cloud only users or hybrid users that are on-premises Active Directory users synchronized with Microsoft Entra ID. In Cloud Commander, we use the following synchronization types for users:

  • Cloud: Microsoft Entra ID cloud only users.
  • Cloud and On-premises: Hybrid users that are on-premises Active Directory users synchronized with Microsoft Entra ID.

We recommend you assign roles to groups and then add users to groups to control user access. However, you can assign a Microsoft Entra ID role to a single user at a time, and you can assign a platform role to multiple users at one time.

See Users.

Updated: Feb 29, 2024