Control 1.18: Application-Level Authorization and Role-Based Access Control (RBAC)

Overview

Control ID: 1.18 Control Name: Application-Level Authorization and Role-Based Access Control (RBAC) Regulatory Reference: FINRA 4511, SOX 302/404, GLBA 501(b), SEC Rule 17a-3/4 Setup Time: 2-3 hours (initial); ongoing maintenance

---

Purpose

Role-Based Access Control (RBAC) ensures users have only the permissions necessary to perform their job functions within Power Platform and Copilot Studio. For financial services, proper RBAC implementation supports:

• SOX 302/404: Segregation of duties and internal controls
• GLBA 501(b): Least-privilege access to customer information
• FINRA 4511: Access controls on books and records systems
• Audit Trail: Documented evidence of who can do what
• Breach Prevention: Limiting blast radius of compromised accounts

---

Prerequisites

Primary Owner Admin Role: Power Platform Admin Supporting Roles: Dataverse System Admin

Required Licenses

• Power Platform per-user or per-app licenses
• Dataverse for Apps (for security roles)
• Microsoft Entra ID P1 (for group-based role assignment)
• Microsoft Entra ID P2 (for Privileged Identity Management)

Required Permissions

• Power Platform Administrator (environment-level roles)
• System Administrator (within Dataverse environment)
• Global Administrator (Azure AD role management)

Dependencies

• Control 2.1 (Managed Environments): Provides environment structure for role segmentation
• Control 1.11 (Conditional Access): CA policies complement RBAC
• Control 2.8 (Access Control & SoD): Strategic SoD policies

Pre-Setup Checklist

• [ ] Document role requirements per job function
• [ ] Create security groups in Entra ID
• [ ] Define custom security roles if needed
• [ ] Plan role assignment review schedule
• [ ] Identify PIM eligibility for privileged roles

---

Governance Levels

Baseline (Level 1)

Implement role-based access to agents; separate roles for creators, editors, admins, viewers.

Recommended (Level 2-3)

Least-privilege role assignment with quarterly reviews; automated role removal for departing users.

Regulated/High-Risk (Level 4)

Fine-grained RBAC with mandatory approval workflows; immutable audit of all role changes; PIM for all admin roles.

---

Setup & Configuration

Step 1: Understand Power Platform Security Model

Power Platform uses a layered security model:

┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Tenant-Level (Power Platform Admin roles)         │
├─────────────────────────────────────────────────────────────┤
│ Layer 2: Environment-Level (Environment roles)             │
├─────────────────────────────────────────────────────────────┤
│ Layer 3: Dataverse Security (Security roles + teams)       │
├─────────────────────────────────────────────────────────────┤
│ Layer 4: Record-Level (Row-level security, sharing)        │
└─────────────────────────────────────────────────────────────┘

Step 2: Configure Environment Security Groups

Portal Path: Power Platform Admin Center → Environments → [Select environment] → Settings → Users + permissions → Security groups

1. Navigate to the target environment
2. Click Settings → Users + permissions → Security groups
3. Click Edit security group
4. Select the Azure AD security group that should have access
5. Click Save

FSI Security Group Structure:

Security Group	Environment Access	Purpose
SG-PowerPlatform-Admins-Prod	Production	Platform administrators
SG-CopilotStudio-Makers-Prod	Production	Approved agent developers
SG-CopilotStudio-Viewers-Prod	Production	Read-only access
SG-PowerPlatform-Devs	Development	Development team
SG-AI-Governance-Team	All	Governance oversight

Step 3: Create Custom Security Roles

Portal Path: Power Platform Admin Center → Environments → [Select environment] → Settings → Users + permissions → Security roles

FSI Custom Role 1: Agent Publisher

1. Click + New role
2. Configure role:
3. Role Name: FSI - Agent Publisher
4. Business Unit: Root business unit
5. Set privileges:
6. Tables:
   • Copilot: Create, Read, Write, Append, Append To
   • Flow: Create, Read, Write
7. Miscellaneous:
   • Publish Copilots: Organization level
   • Export/Import Copilots: None (restrict)
8. Click Save and Close

FSI Custom Role 2: Agent Viewer (Read-Only)

1. Click + New role
2. Configure role:
3. Role Name: FSI - Agent Viewer
4. Set privileges:
5. Tables:
   • Copilot: Read only
   • Flow: Read only
6. Miscellaneous:
   • All creation/modification: None
7. Click Save and Close

FSI Custom Role 3: Agent Tester

1. Click + New role
2. Configure role:
3. Role Name: FSI - Agent Tester
4. Set privileges:
5. Tables:
   • Copilot: Read
   • Test Session: Create, Read
6. Miscellaneous:
   • Run Copilots: Organization level
   • Publish: None
7. Click Save and Close

Step 4: Assign Security Roles to Users/Teams

Portal Path: Power Platform Admin Center → Environments → [Select environment] → Settings → Users + permissions → Users

Assign to Individual Users:

1. Navigate to Users
2. Search for the user
3. Click Manage security roles
4. Select appropriate roles:
5. FSI - Agent Publisher for approved developers
6. FSI - Agent Viewer for compliance/auditors
7. System Administrator for platform admins only
8. Click Save

Assign to Teams (Recommended for Scale):

1. Navigate to Settings → Users + permissions → Teams
2. Create or select a team:
3. Team Name: FSI Production Makers
4. Team Type: Azure AD Security Group
5. Azure AD Group: SG-CopilotStudio-Makers-Prod
6. Click Manage security roles
7. Assign FSI - Agent Publisher
8. Click Save

Step 5: Configure Column-Level Security (Optional)

For environments with sensitive data, restrict field visibility:

Portal Path: Power Platform Admin Center → Environments → [Select environment] → Settings → Users + permissions → Column security profiles

1. Click + New profile
2. Configure:
3. Name: FSI-Sensitive-Fields-Restricted
4. Description: "Restricts access to sensitive customer data fields"
5. Add columns to restrict:
6. Customer SSN
7. Account Balance
8. Credit Score
9. Assign users/teams who CAN access these fields
10. Save

Step 6: Implement Privileged Identity Management (PIM)

Portal Path: Microsoft Entra Admin Center → Identity Governance → Privileged Identity Management

For Tier 3 production environments, use PIM for just-in-time (JIT) access:

1. Navigate to Azure AD roles or Azure resources
2. For Power Platform admin roles:
3. Click Roles → Power Platform Administrator
4. Click Assignments → + Add assignments
5. Select users as Eligible (not Active)
6. Set maximum activation duration: 4 hours
7. Require approval for activation
8. Require justification
9. Configure notification settings:
10. Send email when role is activated
11. Send email when role is deactivated
12. Notify security team on activation

Step 7: Configure Access Reviews

Portal Path: Microsoft Entra → Identity Governance → Access Reviews

1. Click + New access review
2. Configure:
3. Name: FSI-PowerPlatform-RBAC-Quarterly
4. Scope: Security roles in Power Platform environments
5. Reviewers: Role owners or managers
6. Frequency: Quarterly
7. Duration: 14 days
8. Under Upon completion settings:
9. Auto-apply results: Yes (for lower-risk roles)
10. If reviewer doesn't respond: Remove access
11. Create review

---

PowerShell Configuration

# Power Platform RBAC Configuration
# Requires: Microsoft.PowerApps.Administration.PowerShell

# Install and connect
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
Add-PowerAppsAccount

# Get all environments
$Environments = Get-AdminPowerAppEnvironment
$Environments | Select-Object DisplayName, EnvironmentName | Format-Table

# Get security roles in an environment
$TargetEnv = "prod-enterprise-copilotstudio"
$Roles = Get-AdminPowerAppEnvironmentRoles -EnvironmentName $TargetEnv
$Roles | Select-Object RoleName, RoleId | Format-Table

# Get all role assignments in an environment
$RoleAssignments = @()
foreach ($Env in $Environments) {
    try {
        $Assignments = Get-AdminPowerAppEnvironmentRoleAssignment -EnvironmentName $Env.EnvironmentName
        foreach ($Assignment in $Assignments) {
            $RoleAssignments += [PSCustomObject]@{
                Environment = $Env.DisplayName
                PrincipalType = $Assignment.PrincipalType
                PrincipalDisplayName = $Assignment.PrincipalDisplayName
                PrincipalObjectId = $Assignment.PrincipalObjectId
                RoleName = $Assignment.RoleDefinition.Name
                RoleId = $Assignment.RoleDefinition.Id
            }
        }
    } catch {
        Write-Host "Error getting roles for $($Env.DisplayName): $($_.Exception.Message)" -ForegroundColor Yellow
    }
}

$RoleAssignments | Export-Csv "C:\Governance\RBAC-Assignments-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Exported $($RoleAssignments.Count) role assignments" -ForegroundColor Green

# Add user to environment with specific role
Set-AdminPowerAppEnvironmentRoleAssignment `
    -EnvironmentName $TargetEnv `
    -RoleName "Environment Maker" `
    -PrincipalType User `
    -PrincipalObjectId "user-object-id-guid"

# Add security group to environment
Set-AdminPowerAppEnvironmentRoleAssignment `
    -EnvironmentName $TargetEnv `
    -RoleName "CanEdit" `
    -PrincipalType Group `
    -PrincipalObjectId "sg-copilotstudio-makers-guid"

# Remove role assignment
Remove-AdminPowerAppEnvironmentRoleAssignment `
    -EnvironmentName $TargetEnv `
    -RoleId "role-id-guid" `
    -PrincipalObjectId "user-object-id-guid" `
    -PrincipalType User

# Audit admin role changes via Graph API
Connect-MgGraph -Scopes "AuditLog.Read.All"

$StartDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$EndDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")

$RoleChanges = Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $StartDate and activityDateTime le $EndDate" -All

$RoleChanges | Select-Object ActivityDateTime, ActivityDisplayName, InitiatedBy, TargetResources |
    Export-Csv "C:\Governance\Role-Changes-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Generate RBAC compliance report
$ComplianceReport = @()

foreach ($Assignment in $RoleAssignments) {
    # Check for over-privileged accounts
    $IsOverPrivileged = $Assignment.RoleName -eq "System Administrator" -and $Assignment.Environment -like "*Prod*"

    $ComplianceReport += [PSCustomObject]@{
        Environment = $Assignment.Environment
        Principal = $Assignment.PrincipalDisplayName
        Role = $Assignment.RoleName
        PrincipalType = $Assignment.PrincipalType
        OverPrivileged = $IsOverPrivileged
        LastReviewed = "TBD"
        ReviewDue = (Get-Date).AddDays(90).ToString("yyyy-MM-dd")
    }
}

$ComplianceReport | Export-Csv "C:\Governance\RBAC-Compliance-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Count privileged users per environment
$PrivilegedCount = $RoleAssignments |
    Where-Object { $_.RoleName -eq "System Administrator" } |
    Group-Object Environment |
    Select-Object Name, Count

Write-Host "`nPrivileged Users by Environment:" -ForegroundColor Cyan
$PrivilegedCount | Format-Table

---

Financial Sector Considerations

Regulatory Alignment

Regulation	RBAC Requirement
SOX 302/404	Segregation of duties; documented access controls
GLBA 501(b)	Least privilege access to customer NPI
FINRA 4511	Access controls on books and records
SEC 17a-3/4	Document who has access to what systems
OCC 2011-12	Access controls for model development and production

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Role Strategy: Standard roles
Admin Access: Self-service
Review Frequency: Annual
PIM Required: No
Approval Workflow: None

Zone 2 (Team Collaboration)

Role Strategy: Team-based roles via security groups
Admin Access: Team lead approval
Review Frequency: Semi-annual
PIM Required: For admin roles
Approval Workflow: Manager approval for elevated roles

Zone 3 (Enterprise Managed)

Role Strategy: Custom least-privilege roles
Admin Access: PIM with approval
Review Frequency: Quarterly
PIM Required: Yes - all admin roles
Approval Workflow: Multi-level approval + justification
Audit: All role changes logged to SIEM

FSI Role Matrix

Job Function	Tier 1 Role	Tier 2 Role	Tier 3 Role
Citizen Developer	Environment Maker	FSI - Agent Tester	None
Professional Developer	System Customizer	FSI - Agent Publisher	FSI - Agent Publisher (PIM)
QA Analyst	Basic User	FSI - Agent Tester	FSI - Agent Tester
Compliance Officer	Basic User	FSI - Agent Viewer	FSI - Agent Viewer
Platform Admin	System Administrator	System Admin (PIM)	System Admin (PIM)
AI Governance Lead	Basic User	FSI - Agent Viewer	All environments read

FSI Configuration Example: Community Bank

Scenario: A community bank with strict regulatory oversight needs RBAC for Copilot Studio agents handling customer inquiries.

Role Structure:

Production Environment: Bank-Prod-CopilotStudio
├── System Administrator (2 users, PIM-eligible only)
│   ├── IT Director (eligible, 4-hour activation max)
│   └── Senior Platform Admin (eligible, 4-hour activation max)
│
├── FSI - Agent Publisher (Security Group: SG-Bank-AgentPublishers)
│   ├── Senior Developer 1
│   └── Senior Developer 2
│
├── FSI - Agent Tester (Security Group: SG-Bank-AgentTesters)
│   ├── QA Analyst 1
│   ├── QA Analyst 2
│   └── Business Analyst
│
├── FSI - Agent Viewer (Security Group: SG-Bank-AgentViewers)
│   ├── Compliance Officer
│   ├── Internal Audit
│   └── Risk Manager
│
└── Basic User (All authenticated users)
    └── Can interact with published agents only

Governance Measures:

1. Quarterly Access Review:
2. All role assignments reviewed by IT Director
3. Attestation required for each role

4. Stale access automatically removed after 90 days of inactivity

5. PIM Configuration:

6. System Administrator: 4-hour max, approval required
7. Approvers: CISO + IT Director

8. Justification required for all activations

9. Monitoring:

10. All role changes logged to SIEM
11. Weekly report of elevated access to Risk Committee
12. Alert on after-hours role activations

---

Verification & Testing

Verification Steps

1. Confirm Security Groups Applied:
2. Navigate to Environment → Settings → Security groups

3. EXPECTED: Correct Azure AD group associated

4. Verify Custom Roles Created:

5. Navigate to Environment → Security roles

6. EXPECTED: FSI custom roles visible and correctly configured

7. Test Role Enforcement:

8. Log in as user with FSI - Agent Viewer role
9. Attempt to create or modify an agent

10. EXPECTED: Action blocked; read-only access confirmed

11. Validate PIM Configuration:

12. Attempt to access production as eligible admin

13. EXPECTED: Must activate role through PIM with justification

14. Confirm Audit Logging:

15. Make a role change in test environment
16. Query audit log for the change
17. EXPECTED: Role change event captured with details

Verification Evidence

• [ ] Screenshot: Security group configuration per environment
• [ ] Export: All role assignments (CSV from PowerShell)
• [ ] Screenshot: Custom security role definitions
• [ ] Documentation: Role-to-job-function mapping
• [ ] Screenshot: PIM configuration for privileged roles
• [ ] Report: Last access review results

---

Troubleshooting & Validation

Issue: User Cannot Access Environment

Symptoms: User receives "Access Denied" or cannot see environment

Solutions:

1. Verify user is member of the environment's security group
2. Check if user has any security role assigned
3. Confirm environment security group is correctly configured
4. Sync Azure AD groups (can take up to 1 hour)
5. Check for conflicting Conditional Access policies

Issue: Custom Role Not Working as Expected

Symptoms: Users can do more or less than expected with custom role

Solutions:

1. Review all privileges in the security role
2. Check for multiple role assignments (privileges are additive)
3. Verify privilege levels (User/Business Unit/Parent:Child/Organization)
4. Test with a single role assignment to isolate behavior
5. Review Dataverse table relationships that may grant implicit access

Issue: PIM Activation Fails

Symptoms: User cannot activate eligible role

Solutions:

1. Verify user is eligible for the role
2. Check PIM configuration requires approval (is approver available?)
3. Ensure user has completed MFA if required
4. Check if maximum activations limit reached
5. Review PIM activation requirements (justification, ticket number)

Issue: Role Changes Not Appearing in Audit

Symptoms: Role modifications not showing in audit log

Solutions:

1. Verify unified audit log is enabled (Control 1.7)
2. Check correct date range in search
3. Use correct search filters (activity type: Role changes)
4. Allow time for audit log propagation (up to 24 hours)
5. Confirm user has permission to view audit logs

---

Additional Resources

• Security Roles in Power Platform
• Create Security Roles
• Team Management in Dataverse
• Privileged Identity Management
• Column-Level Security
• Environment Security Groups

---

Related Controls

Control	Relationship
Control 2.1	Environment structure enables role segmentation
Control 1.11	CA complements RBAC for access control
Control 2.8	SoD policies implemented through RBAC
Control 1.7	Role changes captured in audit log
Control 1.1	Publishing roles restrict agent deployment

---

Support & Questions

For implementation support or questions about this control, contact:

• Identity & Access Management Team: Role design and PIM
• Power Platform Administrator: Security role configuration
• Compliance Officer: Role review and audit evidence
• HR/IT Operations: Role assignment lifecycle management

---

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification