Robopack permissions and roles
Robopack supports limiting access to areas of the product and to Intune tenants. This document describes the ways in which users can sign in to Robopack and how their access can be managed.
Robopack supports local accounts as well as Entra ID associated accounts.
Accounts that have been created without an association with an Entra ID account are considered local accounts and let users sign in with a password.
A local account can later be associated with an Entra ID account in Account Settings by authenticating with the Entra ID account. Optionally, the password login for that account may be disabled so that only Entra ID can be used to sign in.
When a user signs in to Robopack for the first time with an Entra ID account, their account is created in Robopack automatically, assuming that their tenant is associated with an organization in Robopack and that they have access to the app registration in that tenant.
By default, Entra ID users in all tenants associated with the Robopack organization can sign in using Entra ID, but this behavior can be changed.
In Settings -> Tenants you can change between SSO enabled or SSO disabled for each tenant. When SSO is disabled, no users can sign in to Robopack using Entra ID accounts from that tenant.
It is important to consider what types of users should have access to Robopack and set up your environment accordingly. In Account Settings, a user with appropriate access to the organization in Robopack can change settings related to sign-ins.
The sign-in setting can be switched between:
1) Allow both Entra ID and password sign-ins
2) Only allow Entra ID sign-ins
3) Only allow password sign-ins
The recommendation is to only allow Entra ID sign-ins, but make sure that any users who should have access to Robopack are using Entra ID to sign in before password sign-in is disabled.
Robopack has a range of roles that can be assigned to users either manually through Robopack or through Enterprise application settings in Entra ID.
The following roles are provided:
Organization administrator
Organization admins have full access to all operations in Robopack, including modifying authorization and organization settings. This role includes the permissions of all other roles.
Security reader
Allows viewing users and settings for the organization.
Security writer
Allows editing users, permissions and settings for the organization.
Robopatch reader
Allows viewing app update flows in Robopatch.
Robopatch writer
Allows administering app update flows in Robopatch.
Package reader
Allows viewing and downloading packages.
Package writer
Allows creating, importing and managing packages in Robopack.
Custom App Settings reader
Allows viewing Custom App Settings (CAS).
Custom App Settings writer
Allows editing Custom App Settings (CAS) for the organization in Robopack.
For all reader/writer roles, having the writer role allows read access as well.
Roles can be assigned to users in two ways:
· Through Robopack, by editing the user account in Settings -> Users and selecting the roles that a particular user should have.
· Through Entra ID, for users that use Entra ID accounts in that tenant to sign in to Robopack.
To assign roles through Entra ID, go to the Entra portal -> Microsoft Entra ID -> Enterprise applications -> Robopack -> Manage -> Users and groups.
Here you can assign individual users or groups to Robopack roles. You can assign multiple roles to the same people, but an assignment needs to be created for each role.
In addition to the assignable roles, permissions can be assigned per tenant. Tenant permissions do not in themselves give users access to Robopack features: users must also be granted access to, for example, Packages or Robopatch, in addition to the tenants they are allowed to import to or modify.
For example, a user with the Robopatch writer role and permissions to one tenant will be able to create new Robopatch flows that target that tenant and edit existing flows that target it, but will not be able to edit flows that target other tenants.
Tenant permissions are configured in Settings -> Tenants and have the following options:
· See/read information: Allows seeing the tenant in lists and viewing deployment status
· Upload apps: Upload apps from packages or through Robopatch
· Set configuration: Change tenant configuration
· Set permissions: Add or remove permissions for who can access the tenant
The permissions can be assigned to:
· All users in the organization
· A manually specified range of users
· An Entra ID security group
When assigning tenant permissions to an Entra ID group, you will need to select the tenant that contains the group, and the group to use to grant the permission.
Note: Tenant permissions assigned through Entra ID groups only apply to users who sign in to Robopack using an Entra ID account from the same tenant.
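For an access review, the rules above (role plus tenant permission, writer implies reader, group grants tied to the sign-in tenant) can be modelled as follows. This Python is an added illustration, not Robopack's own code or API. The class names, tenant names, users and the choice of "Upload apps" as the permission a flow edit needs are assumptions.

```python
from dataclasses import dataclass, field

ADMIN = "Organization administrator"

@dataclass
class User:
    name: str
    roles: set
    entra_tenant: str = ""   # tenant of the Entra ID sign-in; "" means password sign-in
    groups: set = field(default_factory=set)   # {(tenant, group name)}

@dataclass
class Grant:   # one tenant-permission entry as configured in Settings -> Tenants
    tenant: str
    permission: str
    kind: str                # "all", "users" or "group"
    users: set = field(default_factory=set)
    group: tuple = ()        # (tenant that contains the group, group name)

def has_role(user, role):
    if ADMIN in user.roles or role in user.roles:
        return True
    # A writer role also gives the matching read access.
    return role.endswith(" reader") and role[:-len(" reader")] + " writer" in user.roles

def grant_applies(user, grant):
    if grant.kind == "all":
        return True
    if grant.kind == "users":
        return user.name in grant.users
    # Group grants count only for Entra ID sign-ins from the group's own tenant.
    return user.entra_tenant == grant.group[0] and grant.group in user.groups

def allowed(user, role, tenant, permission, grants):
    if ADMIN in user.roles:
        return True          # the page gives this role full access to all operations
    return has_role(user, role) and any(
        g.tenant == tenant and g.permission == permission and grant_applies(user, g)
        for g in grants)

# Constructed sample data; "Upload apps" as the permission a flow edit needs is an assumption.
GRANTS = [Grant("tenant-a", "Upload apps", "users", users={"alice"}),
          Grant("tenant-b", "Upload apps", "group", group=("tenant-b", "Packagers"))]
alice = User("alice", {"Robopatch writer"}, "tenant-a")
bob = User("bob", {"Robopatch writer"}, "tenant-b", {("tenant-b", "Packagers")})
carol = User("carol", {"Robopatch writer"}, "", {("tenant-b", "Packagers")})  # password sign-in

if __name__ == "__main__":
    for u in (alice, bob, carol):
        print(u.name, [t for t in ("tenant-a", "tenant-b")
                       if allowed(u, "Robopatch writer", t, "Upload apps", GRANTS)])
```

In the sample, carol is listed in the group but signs in with a password, so the group grant does not reach her. That is the case to look for before relying on group-based tenant permissions.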