Role-based access control in sapio365 (RBAC)

Delegate ANY task without compromising security

Don't settle for the limits of Office 365 roles and Administrative Units—define your custom roles with specific permissions scoped to sets based on user, group and site attributes.

Secure Delegation

Users use their own credentials to access the assigned roles and the privileges given to them – they don't get the actual key. Role configuration is locally encrypted and in your own Azure Cosmos DB. sapio365 does not require external servers to process this information - ever.

Granular roles

Roles can range from full power to a single function in sapio365.
Define what delegated users can do and where they can do it. You decide how granular you want to get through permitted tasks.

Dynamic Scopes

Unlike keeping Administrative Units up to date, you don't have to add users to sapio365 RBAC scopes.
The sets you define in sapio365 are dynamic since they are based on specific properties of users, groups or SharePoint sites.

In other words, hand over the exact level of control needed to your delegated users over specifically defined sets of users, groups, and SharePoint sites.


The role-based access control system in sapio365 is based on permissions mapped to every action in sapio365. Create custom roles by selecting only the permissions you need to delegate. The actions that you’ve chosen for the role can then be only enabled for a specific scope, or set of users, groups, and sites. The roles you create, the scopes and role assignments-RBAC configuration- are stored in a local encrypted database on your machine. When you connect YOUR Azure Cosmos DB account to your sapio365 license, the local database synchronizes with the one in your Cosmos DB. This allows delegated users to retrieve and take on assigned roles when they sign in to sapio365 on their own computers.

No. sapio365 RBAC does not change any roles or permissions in your Office 365. The delegated roles you create in sapio365 are ONLY available in sapio365—you won’t see them in Office 365 admin centers.

You’ll need to set up a Cosmos DB account. Have your sapio365 invoice information handy and follow the simple steps outlined here.

If you don’t have access to an active Azure AD subscription, you won’t be able to create a Cosmos DB account to use with sapio365 RBAC. Any role you create will be confined to your machine. This means that assigned users can only benefit from assigned roles using sapio365 on your computer.

Creating roles with sapio365 role-based access control (RBAC) is very simple as long as you have previously defined the actions you want to permit for users with that role and on which sets of users or groups or sites. Click here for more details.