Playbook roles

  • Last update on September 26th, 2024

Playbook roles allow Tenant Admins to delegate responsibilities more precisely among their operators. There are three roles to view and manage Playbooks:

  • Playbook Manager
  • Playbook Admin
  • Playbook Global Viewer

How to assign the new Playbook roles

Tenant Admins can assign these roles easily. They simply need to select the desired role in the operator's “Personal info” tab under “Settings”. 

What can each Playbook role do?

Let's have a look at the differences between the new Playbook roles:

 

Tenant Admin

Playbook Admin

Playbook Manager

Playbook Global Viewer

Create and edit custom policies

✔️

✔️

 

 

Edit Out-of-the-box policies

✔️

 

 

 

See designated Playbooks

✔️

✔️

✔️

✔️

Enable remediation

✔️

✔️

 

 

Run remediation

✔️

✔️

✔️

 

Schedule remediation (OOTB)

✔️

 

 

 

Schedule remediation (custom)

✔️

✔️

   
Set exceptions

✔️

✔️

✔️

 

See Strategic and Operational dashboards

✔️

✔️

 

✔️

See Monitoring dashboard

✔️

✔️

✔️

✔️

Customize (hide/show widgets in each Governance center tab)

✔️

✔️

 

 ✔️

Customize Governance center widgets*

✔️

✔️

Overview tab 

 ✔️ 

Edit policy owner

✔️

     

*This refers to the ability to select which policies to display in the widget, the order in which they appear, and how to represent the matched items - either as a numeric value or a percentage.

It's important to note that while both Tenant Admins and Playbook Admins have similar capabilities, the actions of Playbook Admins are influenced by permissions.

 

How permissions affect Playbook roles

Permissions significantly influence the capabilities of each operator within the app. Each new Playbook role is subject to permissions, which can only be granted or revoked by a Tenant Admin. Let's examine the differences:

Tenant Admin

CAN

CAN'T

  • Create new policies
  • View all policies
  • Edit all Out-of-the-box policies*
  • Edit their own custom policies
  • Remediate all enabled policies 
  • Modify custom policies created by Playbook Admins via the “Edit” button

*Please note that only Tenant Admins can edit Out-of-the-box policies.

 

Playbook Admin

 

CAN

CAN'T

Without permissions
  • Create new policies
  • Edit their own custom policies
  • Remediate all enabled policies 
  • View any policies they don't own
  • Edit custom policies created by other Playbook Admins
With “Show all” permissions
  • Create new policies
  • View all policies
  • Edit their own custom policies
  • Remediate all enabled policies 
  • Edit custom policies created by other Playbook Admins
With one or more Playbook permissions
  • Create new policies
  • View delegated policies
  • Edit their own custom policies
  • Remediate all enabled policies 
  • View non-delegated policies
  • Edit custom policies created by other Playbook Admins

Playbook Admins without permissions won't be able to view any existing Playbooks. However, they can access the “Playbooks” section under “Settings”, where they can create their own Playbooks and associated policies.

 

Playbook Manager and Playbook Global Viewer

Operators assigned the “Playbook Manager” or “Playbook Global Viewer” role will be able to see all Playbooks under the “Playbook” section in the menu, unless a Tenant Admin grants them specific Playbook permissions. Moreover, they won't have access to the Playbook Policy Library under “Settings > Playbooks”.

For more information on delegation, please visit the “Delegate Playbooks and policies” article.

Custom policy ownership restrictions

As mentioned above, both Tenant Admins and Playbook Admins can create custom policies. When a custom policy is created, the creator of the policy becomes the owner. Let's examine in more detail what this ownership entails:

1. Tenant Admin creates a custom policy

A Tenant Admin who creates a custom policy can:

  •  Make it visible to all Playbook operators with the corresponding Playbook permissions within their own V-Tenant. To share the policy with operators, the “Set to public” toggle must also be enabled.
  •  Allow Playbook Admins and Playbook Managers to execute this policy remediation against matched items in their own V-Tenant.
  • Enable other Tenant Admins to edit the policy.

However, the following ownership restrictions will apply:

  • Neither Playbook Admins nor Playbook Managers will have the ability to modify this policy.
 

Tenant Admin

Playbook Admin 

with permissions

Playbook Manager

with permissions

Playbook Global Viewer with permissions

View custom policy

✔️

✔️

✔️

✔️

Execute custom policy

✔️

✔️

✔️

 
Edit custom policy

✔️

 

 

 

2. Playbook Admin creates a custom policy

If a Playbook Admin creates a custom policy, they can:

  • Make it accessible to all Playbook operators with the corresponding permissions within their own V-Tenant, if applied.
  • Permit Playbook Admins, and Playbook Managers to execute this policy remediation against matched items in their own V-Tenant.

Tenant Admins will also be able to:

  • View the policy 
  • Execute the policy remediation
  • Disable the custom policy
  • Delete custom policy

However, the following ownership restrictions will apply:

  • No Tenant Admin will be able to modify this custom policy.
 

Tenant Admin

Playbook Admin

with permissions

Playbook Manager

with permissions

Playbook Global Viewer with permissions

View custom policy

✔️

✔️

✔️

✔️

Execute custom policy

✔️

✔️

✔️

 
Disable custom policy

✔️

     
Delete custom policy

✔️

     
Edit custom policy        

When a Tenant Admin or a Playbook operator initiates the remediation of a custom policy they don't own, the remediation will be applied to the matched items that the user can see at the time of execution. 

 

Enterprise / Delegated Administration add-on

Policies run by Playbook Admins use their V-Tenant permissions. But if a Tenant Admin executes a policy created by a Playbook Admin, it will apply globally.

If a policy is scheduled for execution, it will use the V-Tenant permissions of the user who created the schedule.

 

Policy Box

The restrictions mentioned in this section will be reflected within the Policy Box: depending on the user's role and permissions, some actions will appear greyed out. 

In the example below, a Playbook Admin looking at a custom policy created by another admin is not able to edit or delete the policy. However, the “Run remediation” button is enabled. 

The Policy Box of a Custom Policy as seen by a Playbook Admin who isn't the owner.

Created by

Within each Policy Box, the “Created by” section is visible to all operators who have permission to view the policy. Its purpose is to provide clear visibility regarding the policy's creator and help operators understand the associated permissions based on their roles.

When it comes to custom policies, the UserPrincipalName (UPN) of the policy creator will be displayed in this section. Out-of-the-box policies are shown as created by CoreView. For custom policies created by CoreView partners, the text “MSP” will be displayed instead of the UPN of the creator.

The Policy Box of an Out-of-the-box policy as seen by a Playbook Admin.

Edit owner 

Tenant administrators can transfer the ownership of custom policies directly within the Policy Box. By clicking on the “Edit owner” button, a modal window will pop up, allowing them to choose a new owner from a list of Playbook admins presented in a dropdown menu. This functionality guarantees seamless continuity in policy management.

The Policy Box of a custom policy as seen by a Tenant Admin.

Delete owner

A pop-up window will appear when deleting an operator who owns a policy. This window offers a dropdown menu for easy reassignment to other admins. This ensures that no policy remains unmanaged, maintaining continuous governance.