Configuration Manager supports the use of comprehensive role-based access control (RBAC) for many aspects of the Configuration Manager app. This flexibility ensures that you can tailor access and control according to your organization's specific needs and security policies. One of the most important restrictions is to limit which users can approve changes to your tenant using Configuration Manager.
What does it mean to approve a Sync?
When deploying configuration changes to your tenant with Configuration Manager, a Sync process is initiated. This process involves:
- authenticating into the tenant
- performing a backup to understand the tenant's current state
- preparing to deploy the changes
However, before any changes are applied, the sync process pauses, requiring a user to review and either approve or reject the proposed changes. This step ensures that modifications to your tenant are reviewed and controlled by a human user.
What is the “Approval Group”?
The “Approval Group” is a customizable setting within Configuration Manager that determines which group of Configuration Manager users has the authority to approve or reject changes made to the tenant.
This feature allows for granular control over who can authorize changes, enhancing the security and integrity of your tenant's configuration.
By default, the Approval Group is set to the “Contributors” group within Azure DevOps, from which Configuration Manager pulls these groups.
How can I customize my Approval Groups?
You can customize these groups directly in Azure DevOps by creating a new group, naming it as you wish, setting the desired permissions, and adding the appropriate users. This customized group can then be selected in Configuration Manager to have the authority to approve tenant changes.
Where can I find more information on customizing permissions in Configuration Manager?
Documentation is available that covers how permissions work and how to manage them in Configuration Manager.