Skip to content

Commit 5a45546

Browse files
padmagit77padmagit77
authored
Merge pull request #3089 from Ronen-Refaeli/patch-12
Update manage-admins.md
2 parents d8212b9 + dd9f1be commit 5a45546

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

CloudAppSecurityDocs/manage-admins.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ The following specific admin roles can be configured in the Microsoft Defender p
7575
|**Compliance administrator** | Grants the same permissions as the Microsoft Entra Compliance administrator role but only to Defender for Cloud Apps. |
7676
|**Security reader** | Grants the same permissions as the Microsoft Entra Security reader role but only to Defender for Cloud Apps. |
7777
|**Security operator** | Grants the same permissions as the Microsoft Entra Security operator role but only to Defender for Cloud Apps. |
78-
|**App/instance admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific app or instance of an app selected. <br><br>For example, you give a user admin permission to your Box European instance. The admin will see only data that relates to the Box European instance, whether it's files, activities, policies, or alerts: <ul><li>Activities page - Only activities about the specific app<li> Alerts - Only alerts relating to the specific app. In some cases, alert data related to another app if the data is correlated with the specific app. Visibility to alert data related to another app is limited, and there is no access to drill down for more details<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with the app/instance<li>Accounts page - Only accounts for the specific app/instance<li> App permissions - Only permissions for the specific app/instance<li> Files page - Only files from the specific app/instance<li>Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li> Security extensions - Only permissions for API token with user permissions<li>Governance actions - Only for the specific app/instance<li> Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> |
78+
|**App/instance admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific app or instance of an app selected. <br><br>For example, you give a user admin permission to your Box European instance. The admin will see only data that relates to the Box European instance, whether it's files, activities, policies, behaviors or alerts: <ul><li>Activities page - Only activities about the specific app<li> Alerts/Behaviors - Only relating to the specific app. In some cases, alert/behavior data related to another app if the data is correlated with the specific app. Visibility to alert data related to another app is limited, and there is no access to drill down for more details<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with the app/instance<li>Accounts page - Only accounts for the specific app/instance<li> App permissions - Only permissions for the specific app/instance<li> Files page - Only files from the specific app/instance<li>Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li> Security extensions - Only permissions for API token with user permissions<li>Governance actions - Only for the specific app/instance<li> Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> |
7979
|**User group admin** | Has full or read-only permissions to all of the data in Defender for Cloud Apps that deals exclusively with the specific groups assigned to them. For example, if you assign a user admin permissions to the group "Germany - all users", the admin can view and edit information in Defender for Cloud Apps only for that user group. The User group admin has the following access: <br><br> <ul><li>Activities page - Only activities about the users in the group<li>Alerts - Only alerts relating to the users in the group. In some cases, alert data related to another user if the data is correlated with the users in the group. Visibility to alert data related to another users is limited, and there is no access to drill down for more details.<li>Policies - Can view all policies and if assigned full permissions can edit or create only policies that deal exclusively with users in the group<li>Accounts page - Only accounts for the specific users in the group<li>App permissions – No permissions<li>Files page – No permissions<li> Conditional access app control - No permissions<li> Cloud discovery activity - No permissions<li>Security extensions - Only permissions for API token with users in the group<li> Governance actions - Only for the specific users in the group<li>Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions </ul> <br><br>**Notes**: <ul><li>To assign groups to user group admins, you must first [import user groups](user-groups.md) from connected apps. <li>You can only assign user group admins permissions to imported Microsoft Entra groups.</ul> |
8080
|**Cloud Discovery global admin** | Has permission to view and edit all cloud discovery settings and data. The Global Discovery admin has the following access: <br><br><ul><li>Settings: System settings - View only; Cloud Discovery settings - View and edit all (anonymization permissions depend on whether it was allowed during role assignment) <li> Cloud discovery activity - full permissions<li>Alerts - view and manage only alerts related to the relevant cloud discovery report<li> Policies - Can view all policies and can edit or create only cloud discovery policies <li> Activities page - No permissions<li>Accounts page - No permissions<li> App permissions – No permissions<li> Files page – No permissions<li> Conditional access app control - No permissions<li> Security extensions - Creating and deleting their own API tokens<li> Governance actions - Only Cloud Discovery related actions<li> Security recommendations for cloud platforms - No permissions<li> IP ranges - No permissions</ul> |
8181
|**Cloud Discovery report admin** | <ul><li> Settings: System settings - View only; Cloud discovery settings - View all (anonymization permissions depend on whether it was allowed during role assignment)<li>Cloud discovery activity - read permissions only<li> Alerts – view only alerts related to the relevant cloud discovery report<li>Policies - Can view all policies and can create only cloud discovery policies, without the possibility to govern application (tagging, sanction and unsanctioned)<li> Activities page - No permissions<li> Accounts page - No permissions<li>App permissions – No permissions<li>Files page – No permissions<li> Conditional access app control - No permissions<li> Security extensions - Creating and deleting their own API tokens<li>Governance actions – view only actions related to the relevant cloud discovery report<li>Security recommendations for cloud platforms - No permissions<li>IP ranges - No permissions |

0 commit comments

Comments
 (0)