GRC Settings

RBAC Mapping Matrix

Local `admin` account acts as Global Admin bootstrap. Operational personas are mapped through Entra groups.

Entra Group	Mapped Persona	Scope	Assume Role Required	SoD Risk	Status
UCP-GRC-Platform-Admin	Global Admin	Global	Yes	Low	Healthy
UCP-GRC-Control-Reviewer	Reviewer	Tenant	Yes	Medium	Healthy
UCP-GRC-Control-Approver	Approver	Tenant	Yes	Medium	Healthy
UCP-GRC-Evidence-Operator	Evidence Operator	Tenant	No	Low	Needs review
UCP-GRC-Risk-Exception-Manager	Risk / Exception Manager	Tenant	Yes	Medium	Healthy

Entra ID Configuration (V1)

Single IdP mode for V1: Entra only.

Enabled

Authority

Tenant ID

Client ID

Redirect URI

Group Claim

Global Admin Group

Reviewer Group

Approver Group

Evidence Operator Group

Risk/Exception Group

Audit Publisher Group

GitHub Enterprise Integration

Professional baseline: Entra is authority for identities, GitHub uses OIDC/SAML auth and optional SCIM provisioning with single write-source guardrails.

Enabled

Enterprise Slug

Auth Mode (oidc|saml)

SCIM Enabled

SCIM Token Secret Ref

GitHub API Base URL

OIDC Issuer

OIDC Audience

Tenant Binding

Group Sync Source

Global Settings Toggles

Require Active Role

Multi-persona users must pick an active role.

RBAC Enforced

Enforce permission gates on all protected flows.

Temporal Enabled

Use Temporal orchestration for workflow execution.

Service Bus Enabled

Enable async event transport via Service Bus.

Strict Contract Validation

Fail closed when governance contracts are invalid.

Maintenance Mode

Gate operational writes for planned maintenance windows.

Configuration Audit & Integration Health

Identity posture

GitHub integration posture

Global controls posture

Professional guardrails

Use one IdP as write source for provisioning operations.
Provision users before groups, then map groups to teams.
Store SCIM token as secret reference, never plaintext.