User group admin delegation rights


Dear all,

Recently we tested user group admin delegation rights in Microsoft Cloud App Security. According to https://docs.microsoft.com/en-us/cloud-app-security/manage-admins:

User group admin: Has full or read-only permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group "Germany - all users", the admin can view and modify information in Microsoft Cloud App Security only for that user group. ... Moreover, the user group admin should have no permissions on the File page.

However, if we test this, the user group admin can see all the files in the file page (even files which are owned by users who are not part of the group to which he/she has rights). I would say that the user group admin should be able to see no files, or at least only those files which are owned by someone in the group that he/she is administering.

Has this changed recently in Microsoft Cloud App Security, is it by design, or have I misconfigured something somehow?

 

Thank you for your help

Martin

1 Reply

@Martin Rublik 

I recommend submitting a support ticket for us to investigate this.