RBAC Mapping Matrix
The local `admin` account acts as the Global Admin bootstrap; operational personas are mapped through Entra groups.
| Entra Group | Mapped Persona | Scope | Assume Role Required | SoD Risk | Status |
|---|---|---|---|---|---|
| UCP-GRC-Platform-Admin | Global Admin | Global | Yes | Low | Healthy |
| UCP-GRC-Control-Reviewer | Reviewer | Tenant | Yes | Medium | Healthy |
| UCP-GRC-Control-Approver | Approver | Tenant | Yes | Medium | Healthy |
| UCP-GRC-Evidence-Operator | Evidence Operator | Tenant | No | Low | Needs review |
| UCP-GRC-Risk-Exception-Manager | Risk / Exception Manager | Tenant | Yes | Medium | Healthy |
Entra ID Configuration (V1)
Single IdP mode for V1: Entra only.
GitHub Enterprise Integration
Professional baseline: Entra is the authority for identities; GitHub uses OIDC/SAML authentication and optional SCIM provisioning, with single-write-source guardrails.
Global Settings Toggles
- Require Active Role: Multi-persona users must pick an active role.
- RBAC Enforced: Enforce permission gates on all protected flows.
- Temporal Enabled: Use Temporal orchestration for workflow execution.
- Service Bus Enabled: Enable async event transport via Service Bus.
- Strict Contract Validation: Fail closed when governance contracts are invalid.
- Maintenance Mode: Gate operational writes for planned maintenance windows.
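As an added example (not code from the platform this page describes), the gate logic implied by the RBAC mapping matrix together with the Require Active Role and RBAC Enforced toggles: Entra groups map to personas, a multi-persona user must pick an active role before any gate evaluates, and a persona flagged Assume Role Required only counts once it has been explicitly assumed. The persona-to-action permission table and the `Session` shape are assumptions; the page lists no permissions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Entra group -> (persona, assume-role required), taken from the RBAC mapping matrix.
GROUP_TO_PERSONA = {
    "UCP-GRC-Platform-Admin": ("Global Admin", True),
    "UCP-GRC-Control-Reviewer": ("Reviewer", True),
    "UCP-GRC-Control-Approver": ("Approver", True),
    "UCP-GRC-Evidence-Operator": ("Evidence Operator", False),
    "UCP-GRC-Risk-Exception-Manager": ("Risk / Exception Manager", True),
}

# Hypothetical persona -> permitted protected actions (constructed; not from the page).
PERSONA_PERMISSIONS = {
    "Global Admin": {"review_control", "approve_control", "upload_evidence", "manage_exception"},
    "Reviewer": {"review_control"},
    "Approver": {"approve_control"},
    "Evidence Operator": {"upload_evidence"},
    "Risk / Exception Manager": {"manage_exception"},
}


@dataclass
class Session:
    groups: list[str]                                # Entra group claims from the token
    active_role: str | None = None                   # persona picked for this session, if any
    assumed: set[str] = field(default_factory=set)   # personas explicitly assumed this session


def authorize(session: Session, action: str,
              rbac_enforced: bool = True, require_active_role: bool = True) -> tuple[bool, str]:
    """Decide whether `action` is allowed; returns (allowed, reason). Denies by default."""
    if not rbac_enforced:
        return True, "RBAC Enforced is off"
    personas: dict[str, bool] = {}                   # persona -> assume-role required
    for group in session.groups:                     # unknown groups grant nothing
        if group in GROUP_TO_PERSONA:
            persona, assume = GROUP_TO_PERSONA[group]
            personas[persona] = assume
    if not personas:
        return False, "no mapped persona"
    if require_active_role and len(personas) > 1:
        # Multi-persona users must pick an active role; only that persona is evaluated.
        if session.active_role not in personas:
            return False, "active role required"
        personas = {session.active_role: personas[session.active_role]}
    granting = [p for p in personas if action in PERSONA_PERMISSIONS.get(p, set())]
    if not granting:
        return False, f"no persona grants {action}"
    usable = [p for p in granting if not personas[p] or p in session.assumed]
    if not usable:
        return False, f"assume-role required for {', '.join(granting)}"
    return True, f"allowed as {usable[0]}"
```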
Configuration Audit & Integration Health
- Identity posture
- GitHub integration posture
- Global controls posture
Professional guardrails
- Use one IdP as the write source for provisioning operations.
- Provision users before groups, then map groups to teams.
- Store the SCIM token as a secret reference, never in plaintext.