Understanding Permission Levels
This page covers technical configuration of System Administrator access. For an overview of all permission levels (System Admin, Record Admin, and User), see Understanding User Permission Levels.
System Administrator Access via Admin Panel
System Administrators have full system-wide administrative access in Brief Connect, including access to the Admin Panel and all records. This page focuses on how to grant and manage System Administrator access using the Admin Panel.
For a conceptual overview of what System Administrators can do, how they differ from Record Administrators and standard Users, and the overall security model, see Understanding User Permission Levels.
Granting System Administrator Access via Admin Panel
Prerequisites
- You must already have at least one System Administrator (for example, configured via an existing permission set or legacy environment-variable configuration) who can access the Admin Panel.
- You need the name of the Azure AD (Entra ID) group(s) or user IDs that should be granted System Administrator access.
Step 1: Open the Admin Panel
- Sign in to Brief Connect with a System Administrator account.
- Navigate to the Admin Panel (/#/adminPanel). For more information on the Admin Panel itself, see Admin Panel.
Step 2: Open Role Assignments
- In the Admin Panel, go to Configuration Manager → Role Assignments.
- Role Assignments determine who gets which Permission Set under which conditions. To grant System Administrator access, you will assign the Admin permission set.
- If you are not familiar with Role Assignments, review Role Assignments first.
Step 3: Create or Update a System Administrator Role Assignment
- Select Add Assignment (or edit an existing System Administrator assignment).
- Configure the assignment with the following recommended settings:
  - Content Type Scope: All. This ensures System Administrators have full access across all record types.
  - Permission Set: Admin. Combined with Content Type Scope = All, this is what elevates users to System Administrator level.
    - Make sure there is a permission set called Admin in the Permission Sets tab first.
    - If it doesn't exist, create a new permission set named Admin; you don't need to enable any specific permissions for it to work for System Administrator access.
  - AAD Group Name (recommended): Specify one or more Azure AD (Entra ID) security group display names that contain your System Administrators (for example, BC - System Administrators). Using groups makes it easy to add/remove admins without changing configuration.
  - User ID (optional): Use Graph User ID or UPN if you must grant System Administrator access directly to individual users.
  - Configure any Organisation, Stage, or Field filters only if you have a specific reason to scope System Admin behaviour. In most cases, System Administrators should be fully scoped and not restricted by these filters.
- Select Save to persist the role assignment.
Once saved, any user who matches this role assignment with the Admin permission set will become a System Administrator as described in Understanding User Permission Levels.
Validating System Administrator Access
To confirm that a user has System Administrator access:
- Ensure the user is:
- A member of the configured AAD group(s) used in the System Administrator role assignment, or
- Explicitly listed in the User ID field on the assignment.
- Ask the user to sign out and sign back in to Brief Connect to refresh their permissions.
- Verify that they can:
- Access the Admin Panel (/#/adminPanel).
- View and manage all records.
- Perform the System Administrator actions described in Understanding User Permission Levels.
If access does not work as expected, see the troubleshooting section below.
Legacy Fallback: AdminEntraId Environment Variable (Optional)
While the recommended approach is to grant System Administrator access via Admin Panel → Role Assignments with the Admin permission set, there is also a legacy fallback mechanism using the AdminEntraId environment variable.
When to Use the Environment Variable
Use the AdminEntraId variable only for:
- Break-glass or emergency accounts (for example, when no one can access the Admin Panel).
- Temporary recovery scenarios where you need to restore admin access to create or fix role assignments.
Purpose of AdminEntraId
The AdminEntraId environment variable contains a semicolon-separated list of Azure Active Directory (AAD) user IDs or User Principal Names (UPNs) that are granted System Administrator privileges in the application. These users are treated as System Administrators regardless of their role assignments in the system.
Configuring AdminEntraId in Azure Function App
- Navigate to the Azure Portal:
  - Log in to the Azure Portal.
  - Locate your Function App under the "Function Apps" section.
- Access Configuration Settings:
  - In the Function App's left-hand menu, select Configuration under the Settings section.
- Add Environment Variables:
  - Click on the Application settings tab.
  - Click New application setting to add a new environment variable.
  - For example, to set up the AdminEntraId variable:
    - Name: AdminEntraId
    - Value: Provide a semicolon-separated list of admin Entra IDs (e.g., id1;id2;id3).
- Save Changes:
  - After adding all required variables, click Save to apply the changes.
  - Confirm the restart of the Function App if prompted.
Best Practices
- Keep the List Minimal: Only include users who absolutely need administrative privileges to reduce security risks.
- Use Secure Storage: Store the AdminEntraId variable securely, such as in Azure Key Vault or a secure configuration management system.
- Audit Regularly: Periodically review and update the list to ensure it reflects the current administrative needs.
Troubleshooting
- Admin Access Not Working:
  - Verify the AdminEntraId variable is set correctly.
  - Ensure the application has access to the environment variable.
- Unexpected Admin Access:
  - Review the AdminEntraId value for unintended entries.
  - Check logs to identify which user ID or UPN matched.
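The following is an added example, not Brief Connect's own code, showing how the AdminEntraId value described above can be parsed and matched so that a log line can record which entry granted break-glass access (the troubleshooting step "identify which user ID or UPN matched"). It assumes that entries are compared case-insensitively and that empty entries produced by stray separators must be ignored; the sample value is constructed, not a real configuration.

```python
import os
from typing import Optional

# Constructed sample AdminEntraId value (Entra object IDs and/or UPNs,
# semicolon-separated, with the whitespace and stray separators a hand-edited
# setting often contains). Not a real configuration.
SAMPLE_ADMIN_ENTRA_ID = (
    " 3f2a9c44-1b7e-4d8a-9f11-0a2b3c4d5e6f ; breakglass@contoso.example;;"
    "breakglass@contoso.example"
)


def parse_admin_entra_ids(raw: Optional[str]) -> list[str]:
    """Split the AdminEntraId value into a de-duplicated list of entries.

    Surrounding whitespace is dropped and empty entries (from ';;' or a
    trailing ';') are skipped, so a stray separator can never become an
    entry that matches an empty identifier.
    """
    if not raw:
        return []
    seen: set[str] = set()
    entries: list[str] = []
    for part in raw.split(";"):
        entry = part.strip()
        if not entry:
            continue
        key = entry.casefold()  # assumption: IDs and UPNs compare case-insensitively
        if key in seen:
            continue
        seen.add(key)
        entries.append(entry)
    return entries


def match_break_glass_admin(user_id: str, upn: str, entries: list[str]) -> Optional[str]:
    """Return the AdminEntraId entry that grants this user admin, or None.

    Returning the matched entry (rather than a bare bool) is what an audit
    log line needs when investigating unexpected admin access.
    """
    candidates = {value.casefold() for value in (user_id, upn) if value}
    for entry in entries:
        if entry.casefold() in candidates:
            return entry
    return None


def audit_admin_entra_ids(entries: list[str]) -> list[str]:
    """Review findings supporting the 'Keep the List Minimal' and 'Audit Regularly' practices."""
    findings: list[str] = []
    if not entries:
        findings.append("AdminEntraId is empty: no break-glass admins are configured")
    if len(entries) > 2:  # assumption: a break-glass list larger than two entries deserves review
        findings.append(f"{len(entries)} break-glass entries configured; confirm each is still required")
    return findings


if __name__ == "__main__":
    # Read the real setting when present, otherwise fall back to the constructed sample.
    entries = parse_admin_entra_ids(os.environ.get("AdminEntraId", SAMPLE_ADMIN_ENTRA_ID))
    print("configured break-glass entries:", entries)
    for finding in audit_admin_entra_ids(entries):
        print("audit:", finding)
    matched = match_break_glass_admin(
        "3F2A9C44-1B7E-4D8A-9F11-0A2B3C4D5E6F", "someone@contoso.example", entries
    )
    print("matched entry:", matched)
```

Logging the returned entry (and the sign-in identifier it matched) on every elevated sign-in gives the "Unexpected Admin Access" check a concrete trail to follow.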
Admin Role Assignment via Azure Storage Table
Overview
This functionality enables specifying administrators in Brief Connect based on Azure Active Directory (AAD) groups and user IDs listed in an Azure Storage Table. This approach removes the dependency on SharePoint for admin assignment, providing flexibility to assign and manage admins.
How It Works
- AAD Group Integration:
  - AAD groups are used to dynamically assign administrative roles. Instead of relying solely on SharePoint, the system can add an AAD group to SharePoint as needed, allowing members of the group to gain access to certain resources.
- Role Assignment via Azure Storage Table:
  - The table stores entries that specify administrative permissions. Each entry includes several key fields:
    - PartitionKey: Defines the partition, such as "All" for all record types (only "All" is supported for now).
    - RowKey: Identifies the role assignment name, such as "Admin Role Assignment".
    - AADGroupNames: Contains the name(s) of the AAD group(s), like BriefConnect-ABC-Admin.
    - UserId: Specifies individual user identifiers who are granted admin rights directly.
    - PermissionSet: Defines the permission level, where "Admin" is required for administrator access.
- Determining Administrators:
  - The system checks the AADGroupNames and UserId fields to identify administrators.
  - A user will be granted admin rights if they either:
    - Belong to the specified AAD group, or
    - Have a User ID explicitly listed in the table,
    on an entry with a PermissionSet of "Admin".
Fields in the Role Assignment Table
| Field | Description |
|---|---|
| PartitionKey | General partition label, such as "All" |
| RowKey | "Admin Role Assignment" |
| AADGroupNames | Lists the AAD group name(s) where members will gain admin rights |
| UserId | Specifies individual users who are granted admin access directly |
| PermissionSet | Must be "Admin" |
Example Usage
- The system will look at entries with PartitionKey set to "All" and PermissionSet set to "Admin" and check both the AADGroupNames and UserId fields.
- Any user who either belongs to the AAD group or has a matching User ID in the table will be granted administrator permissions.
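The following is an added example, not Brief Connect's own code, that implements the evaluation described under "Determining Administrators" and "Example Usage" against rows shaped like the role assignment table above. It assumes that multi-valued AADGroupNames and UserId fields are semicolon-separated (as AdminEntraId is) and that group names and user identifiers compare case-insensitively, while PartitionKey and PermissionSet must be exactly "All" and "Admin"; the sample rows and user identities are constructed, not real data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample rows from the role assignment table. The second and third
# rows exist to show entries that must NOT grant admin: one has a non-Admin
# PermissionSet, the other a PartitionKey other than "All".
SAMPLE_ROLE_ASSIGNMENTS = [
    {
        "PartitionKey": "All",
        "RowKey": "Admin Role Assignment",
        "AADGroupNames": "BriefConnect-ABC-Admin;BC - System Administrators",
        "UserId": "7c0e2d1a-5b6f-4e3d-8a9b-0c1d2e3f4a5b",
        "PermissionSet": "Admin",
    },
    {
        "PartitionKey": "All",
        "RowKey": "Editors",
        "AADGroupNames": "BriefConnect-ABC-Editors",
        "UserId": "",
        "PermissionSet": "Editor",  # not "Admin": never grants System Administrator
    },
    {
        "PartitionKey": "Finance",  # not "All": only "All" is supported for admin
        "RowKey": "Finance Admins",
        "AADGroupNames": "BriefConnect-Finance-Admin",
        "UserId": "",
        "PermissionSet": "Admin",
    },
]


@dataclass
class User:
    """The identity facts the check needs: object ID, UPN and group display names."""
    object_id: str
    upn: str
    group_names: list[str] = field(default_factory=list)


def _split_list(value: Optional[str]) -> list[str]:
    # Assumption: multi-valued table fields are semicolon-separated.
    return [v.strip() for v in (value or "").split(";") if v.strip()]


def find_admin_grant(user: User, rows: list[dict]) -> Optional[tuple[str, str]]:
    """Return (RowKey, reason) for the first Admin entry that matches the user, else None.

    Only rows with PartitionKey "All" and PermissionSet "Admin" are considered;
    within those, group membership is checked before a direct UserId match.
    """
    user_groups = {g.casefold() for g in user.group_names}
    user_ids = {v.casefold() for v in (user.object_id, user.upn) if v}
    for row in rows:
        if row.get("PartitionKey") != "All" or row.get("PermissionSet") != "Admin":
            continue
        for group in _split_list(row.get("AADGroupNames")):
            if group.casefold() in user_groups:
                return row["RowKey"], f"member of AAD group '{group}'"
        for uid in _split_list(row.get("UserId")):
            if uid.casefold() in user_ids:
                return row["RowKey"], f"UserId '{uid}' listed directly"
    return None


def is_system_admin(user: User, rows: list[dict]) -> bool:
    return find_admin_grant(user, rows) is not None


if __name__ == "__main__":
    for u in (
        User("aaaaaaaa-0000-0000-0000-000000000001", "alice@contoso.example", ["BC - System Administrators"]),
        User("7C0E2D1A-5B6F-4E3D-8A9B-0C1D2E3F4A5B", "bob@contoso.example"),
        User("aaaaaaaa-0000-0000-0000-000000000003", "carol@contoso.example", ["BriefConnect-ABC-Editors"]),
    ):
        print(u.upn, "->", find_admin_grant(u, SAMPLE_ROLE_ASSIGNMENTS))
```

Returning the matching RowKey and reason, rather than a bare boolean, lets the application log exactly which table entry elevated a user, which is the evidence needed when validating access or investigating an unexpected administrator.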
