GA role for Nerdio Updates

Hi everyone,

As per the Nerdio update guide, it is clearly stated that Global Admin and Subscription Owner permissions are required. While the need for a Subscription Owner is understandable, we have significant concerns regarding the necessity of Global Admin permissions, particularly when limited access mode is enabled at the MSP level.

When upgrading the Nerdio environment, the Global Admin (GA) role is rarely used. We encountered issues twice due to the missing GA role: once for modifying a description field in an internal Nerdio Role, and again for adding an extra reply URL. Both changes apply to the managed application. Requiring a GA role for such minor adjustments seems excessive, similar to needing Domain admin permissions to change an object property in on-prem AD.

In our current scenario, we are part of a large company where Entra ID is managed by a different division. It is not feasible for us to obtain the Global Administrator role, even on a temporary basis. The other team responsible for Entra ID has no knowledge of Nerdio and doesn't even know what it is used for. Because of the missing permissions, we need to ask our colleagues to perform the update, and they understandably want to know what specific changes the upgrade script will make to Entra ID.

It would help if Nerdio provided details about Entra ID changes in the update. Ideally, include steps or code to apply these changes by another team so we can upgrade Nerdio without needing the GA role.

5

Comments (3 comments)

0
Dave Stephenson

Great call-out, Martijn Van Braeckel!
"Less is more" is great from a Security perspective, but from a documentation perspective, it can be a little concerning.

Right now, we're using the "GA" role to modify the MSP App Registration, Role/Permission assignments, claims configuration, etc.

This article gives a high-level overview of the permissions that are required:
Permissions and Nerdio Manager – Nerdio Help Center

And our release notes would show what changes we're making (if any) to the Entra Tenant.
NMM Product Revisions – Nerdio Help Center

I have heard talks about our product team looking into the possibility of removing the GA requirement. However, they're still looking into the ramifications/issues/pitfalls/implications, so we don't have an ETA on that ability, right now.


1
Martijn Van Braeckel

Hi Dave,

Thank you for your response. The product revisions do not display the changes on Entra ID performed by the update script. It would be helpful to know what changes will occur or need to be made at the Entra ID level to perform an update. This way, another team can apply those changes, allowing us to carry out the actual Nerdio update without requiring GA permissions. The Nerdio update script is designed to check all Entra ID properties and reset the settings if they are missing or not as expected. If it attempts to "fix" these settings, the GA role is checked, and the update script is aborted if the GA role is not assigned.

It would be beneficial if the changes on Entra ID and subscription levels could be separated.
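A read-only drift check for the managed app registration, as an added example (not Nerdio's update script and not code from this thread): it reports the reply URLs and app-role descriptions the update would reset, using only Application.Read.All so a team without Global Admin can produce the list of required Entra ID changes. The app (client) ID, the expected reply URLs and the expected role descriptions are placeholder assumptions.

```powershell
# Added example, not Nerdio's script: read-only comparison of the managed
# app registration against expected values. It only reports drift; applying
# changes stays with whoever holds the required Entra role.
# Placeholder assumptions: app (client) ID, expected reply URLs, role descriptions.

$AppId = "00000000-0000-0000-0000-000000000000"       # placeholder managed app (client) ID
$ExpectedReplyUrls = @(                                # placeholder expected reply URLs
    "https://nerdio.example.com/signin-oidc",
    "https://nerdio.example.com/signin-oidc-extra"
)
$ExpectedRoleDescriptions = @{                         # placeholder: role value -> description
    "Nerdio.Internal.Role" = "Description expected by the new release"
}

# Read-only scope: enough to compare, not enough to "fix".
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AppId'" -ErrorAction Stop
if (-not $app) { throw "No application registration found for appId $AppId" }

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Reply URLs: an expected URL that is missing would be added by the update.
$currentUrls = @($app.Web.RedirectUris)
foreach ($url in $ExpectedReplyUrls) {
    if ($currentUrls -notcontains $url) {
        $findings.Add("Reply URL missing: $url")
    }
}

# 2. App role descriptions: the update rewrites these when they differ.
foreach ($roleValue in $ExpectedRoleDescriptions.Keys) {
    $role = $app.AppRoles | Where-Object { $_.Value -eq $roleValue }
    if (-not $role) {
        $findings.Add("App role missing: $roleValue")
    } elseif ($role.Description -ne $ExpectedRoleDescriptions[$roleValue]) {
        $findings.Add("App role '$roleValue' description differs: '$($role.Description)'")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Entra ID changes required for $($app.DisplayName)."
} else {
    Write-Output "Entra ID changes the update would make to $($app.DisplayName):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
Disconnect-MgGraph | Out-Null
```

The report can be handed to the team that owns Entra ID so they apply only the listed changes before the Nerdio update runs.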

1
Dave Stephenson

Thanks Martijn.
Another great call out. 🙂
I'm sure our product team will take your suggestions into consideration when they get to revamping that feature/setting.
