Role-based access control in sapio365 (RBAC)

Delegate ANY task without compromising security

Don't settle for the limits of Office 365 roles and Administrative Units—define your custom roles with specific permissions scoped to sets based on user, group and site attributes.

Secure Delegation

Users use their own credentials to access the assigned roles and the privileges given to them – they don't get the actual key. Role configuration is encrypted locally and stored in your own Azure Cosmos DB. sapio365 does not require external servers to process this information - ever.

Granular roles

Roles can range from full power to a single function in sapio365.
Define what delegated users can do and where they can do it. You decide how granular you want to get through permitted tasks.

Dynamic Scopes

Unlike Administrative Units, which you have to keep up to date, sapio365 RBAC scopes don't require you to add users to them.
The sets you define in sapio365 are dynamic since they are based on specific properties of users, groups or SharePoint sites.

In other words, hand over the exact level of control needed to your delegated users over specifically defined sets of users, groups, and SharePoint sites.


The role-based access control system in sapio365 is based on permissions mapped to every action in sapio365. Create custom roles by selecting only the permissions you need to delegate. The actions that you’ve chosen for the role can then be enabled only for a specific scope, that is, a set of users, groups, and sites. The roles you create, the scopes and the role assignments (the RBAC configuration) are stored in a local encrypted database on your machine. When you connect YOUR Azure Cosmos DB account to your sapio365 license, the local database synchronizes with the one in your Cosmos DB. This allows delegated users to retrieve and take on assigned roles when they sign in to sapio365 on their own computers.

No. sapio365 RBAC does not change any roles or permissions in your Office 365. The delegated roles you create in sapio365 are ONLY available in sapio365—you won’t see them in Office 365 admin centers.

You’ll need to set up a Cosmos DB account. Have your sapio365 invoice information handy and follow the simple steps outlined here.

If you don’t have access to an active Azure AD subscription, you won’t be able to create a Cosmos DB account to use with sapio365 RBAC. Any role you create will be confined to your machine. This means that assigned users can only benefit from assigned roles using sapio365 on your computer.

In the sapio365 tab of the main window, go to ‘RBAC – Configuration’ and set up the credentials to use for the roles you will create.

Step 1 – Enter a unique name and description for the credentials you’re setting up. If you’re using sapio365 RBAC to manage several tenants, you’ll need to do this for each tenant.


Step 2 (Optional) – We recommend that you create a new, RBAC-dedicated user and a new registered application but you do have the option of using the credentials of an existing global admin (b) and application (c) by filling out the related fields, and entering the target tenant (a). If that’s the case, skip to Step 6.


Step 3 – Click on the button ‘Create New Admin & Application’ to create a new, RBAC-dedicated user and a new registered application.


Step 4 – Confirm by clicking on OK.

Step 5 – Sign in with a global admin account to authorize the creation of an RBAC-dedicated user account and of a registered application.

Step 6 – Note that all the fields have been filled out with information of the newly created user and application.

Click on the button ‘Provide Admin Consent to sapio365’ to enable the use of an Advanced session.

Step 7 – Click ‘Continue’


Step 8 – Sign in with global admin credentials.

Step 9 – Click on ‘Accept’ to consent to the listed permissions for sapio365

Step 10 – Click on the button ‘Provide Admin Consent’ in order to benefit from elevated privileges

Step 11 – Click on ‘Continue’


Step 12 – Click on ‘OK’


Step 13 – Sign in with global admin credentials

Step 14 – Click on ‘Accept’ to consent to the listed permissions for the registered sapio365 application.

You’re now ready to create a role using the credentials you set up.

In the sapio365 tab of the main window, go to ‘RBAC – Configuration’ and set up the credentials to use for the roles you will create.

Step 1 – Click on ‘Create Roles…’.


Step 2 – Enter a unique, meaningful name for the role and a description, which will be shown to assigned users.


Step 3 – Choose the credentials you wish to use. You can create a new one by clicking on the button ‘New Credentials…’ (see how to set up credentials).

Step 4 – By default, only changes sapio365 users make are logged in the User Activity Logs.
Check the first two options if you wish to keep track of when users use sapio365 roles, and what modules they access.
The third option makes it mandatory for any assigned user to take on a role when signing in to a sapio365 Standard session.

Step 5 – Choose the actions to customize the role you are creating.
Tip. Click on to expand the full list of permissions.

Step 6 (Optional) – Use this section if you wish to limit the number of licenses to manage. Make sure to include the license management permission by clicking on ‘Enable ‘User – Edit Licenses’ permission’.

Step 7 – Click OK.

Step 8 – Assign the right scopes (see how to set up scopes).

Step 9 – Assign users.

In the sapio365 tab of the main window, go to ‘RBAC – Configuration’ > Scopes

Step 1 – Click on ‘Create…’.

Step 2 – Give the set a unique, meaningful name.

Step 3 – Select the scope type. A role can have all three different target sets (users, groups, sites) to expand the scope of action, but you’ll need to create separate scopes for each type before you assign them.

Step 4 – Select a property. Adding more than one scope of the same type, each based on a different property, to a role will narrow that role’s scope (e.g. users with country=Canada + department=sales will narrow the scope to users in Canada in the sales department).

Step 5 – Enter a property value that defines the scope. Tip: if you’re not sure, open Users, Groups or Sites modules. You can copy/paste the value from the grid.

Step 6 – Choose how to match the value you entered.

Step 7 – Click OK.
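
The scope rules from Steps 3 to 6, modelled as an added example (this is not sapio365 code): a role's action is allowed only when the permission is in the role and every scope of the target's type matches the target's properties. The match-mode names, the case-insensitive comparison, the `displayName` property and the deny-when-no-scope rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

EDIT_LICENSES = "User – Edit Licenses"  # permission name as shown on this page

# Assumed match modes; the page does not list the available options.
MATCHERS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts_with": lambda actual, wanted: actual.startswith(wanted),
}

@dataclass(frozen=True)
class Scope:
    target_type: str          # "user", "group" or "site"
    prop: str                 # property the scope is based on
    value: str                # value that defines the scope
    match: str = "equals"

    def covers(self, target: dict) -> bool:
        # Assumption: comparison ignores case; a missing property never matches.
        actual = str(target.get(self.prop, "")).casefold()
        return bool(actual) and MATCHERS[self.match](actual, self.value.casefold())

@dataclass
class Role:
    name: str
    permissions: set
    scopes: list = field(default_factory=list)

    def allows(self, action: str, target_type: str, target: dict) -> bool:
        if action not in self.permissions:
            return False
        same_type = [s for s in self.scopes if s.target_type == target_type]
        # Assumption: a target type with no scope assigned is out of reach.
        if not same_type:
            return False
        # Scopes of the same type narrow each other: all of them must match.
        return all(s.covers(target) for s in same_type)

# Constructed sample role and directory objects.
ROLE = Role(
    name="Canada sales helpdesk",
    permissions={EDIT_LICENSES},
    scopes=[Scope("user", "country", "Canada"),
            Scope("user", "department", "sales"),
            Scope("group", "displayName", "CA-Sales", "starts_with")],
)
USERS = {"alice": {"country": "Canada", "department": "Sales"},
         "bob": {"country": "Canada", "department": "Finance"}}
```

Because membership is computed from properties at check time, a user created later with country=Canada and department=sales falls inside the scope without anyone editing the role.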