[GH-ISSUE #236] FEATURE REQUEST: Logical Groups for Tenant and Users with Access to CIPP #132

Closed
opened 2026-03-02 12:04:09 +03:00 by kerem · 1 comment

Originally created by @bearmerino on GitHub (Nov 12, 2021).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/236

We limit our techs to certain accounts to limit the amount of exposure we have as an organization to any one/group of our clients. We call these teams of people "Pods" and have clients assigned to Pods.

By doing this we typically provide the necessary access and controls to a Pod which may also have some layers in it depending on the size of Pod and responsibilities.

What I would like to see is the ability to assign users within one of these pods (admin, contributor, user) access to a grouping of tenants and that's all the access they have. I rarely need the ability for one pod to access another pod's clients but that could be secondary. The primary focus would be Client A, B, and C are in a classification "Client Pod 1" and My Techs 1, 2, 3 are part of POD1 which is assigned "admin role" to the tenants in Client Pod 1.

As a side benefit, we would then be able to open up CIPP to internal tenants as we have our internal environment assigned only to one of our PODs that are responsible for our internal tenant. I know this was a concern with the current setup of CIPP.

kerem closed this issue and added the wontfix label (2026-03-02 12:04:09 +03:00).


@KelvinTegelaar commented on GitHub (Nov 12, 2021):

This has been discussed before, but doing this would mean tracking user groups, states, and storing sensitive information. The risk vs reward is too high to allow this as one mistake could mean giving a user full access. Marking as "wontfix".
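
The pod-to-tenant scoping requested in this issue, written as a default-deny check together with an audit for the kind of assignment mistake the reply warns about. This is an added example, not part of the thread and not CIPP code; the `Pod` type, the function names, and every tenant and user identifier are hypothetical.

```python
from dataclasses import dataclass

ROLES = ("user", "contributor", "admin")  # role names from the request, weakest first

@dataclass
class Pod:
    name: str
    tenants: frozenset  # tenant ids this pod may reach
    members: dict       # member -> role inside the pod

def effective_role(pods, user, tenant):
    """Strongest role `user` holds on `tenant`, or None, which means deny."""
    best = None
    for pod in pods:
        role = pod.members.get(user)
        if tenant not in pod.tenants or role not in ROLES:
            continue  # unlisted tenants and unrecognised roles grant nothing
        if best is None or ROLES.index(role) > ROLES.index(best):
            best = role
    return best

def is_allowed(pods, user, tenant, required):
    """Default deny: True only if an explicit grant meets the required role."""
    role = effective_role(pods, user, tenant)
    return role is not None and ROLES.index(role) >= ROLES.index(required)

def audit(pods, known_tenants):
    """List assignments that would widen access beyond a single pod."""
    findings, owners = [], {}
    for pod in pods:
        for tenant in sorted(pod.tenants):
            owners.setdefault(tenant, []).append(pod.name)
            if tenant not in known_tenants:
                findings.append(f"{pod.name}: unknown tenant {tenant!r}")
        for member, role in sorted(pod.members.items()):
            if role not in ROLES:
                findings.append(f"{pod.name}: {member} has unrecognised role {role!r}")
    for tenant, names in sorted(owners.items()):
        if len(names) > 1:
            findings.append(f"{tenant!r} is shared by pods: {', '.join(names)}")
    return findings

# Constructed sample data mirroring the request; all identifiers are hypothetical.
KNOWN_TENANTS = {"client-a", "client-b", "client-c", "internal"}
PODS = [
    Pod("POD1", frozenset({"client-a", "client-b", "client-c"}),
        {"tech1": "admin", "tech2": "contributor", "tech3": "user"}),
    Pod("POD-INTERNAL", frozenset({"internal", "*"}), {"tech9": "Admin"}),
]
```

The second pod is deliberately misconfigured: the `"*"` entry is treated as a literal tenant id rather than a wildcard, and the mis-cased `"Admin"` role grants nothing, so both mistakes fail closed and show up in `audit`.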
