Common Roles and Scenarios

This catalog lists practical examples of roles you can model in GrantFlow, grouped by common administration areas and user scenarios. Use it as inspiration when designing your own role set and approval flows.

note

Keep roles purpose‑built and time‑bound. Favor short activation windows with the option to extend when needed.

Prerequisites in destination systems

GrantFlow orchestrates just‑in‑time activations; it does not create native permissions or configure delegation in your target systems. Ensure AD group permissions, Entra ID role scope/administrative units, Exchange/Intune/SQL RBAC, etc. are set up beforehand. Map your GrantFlow role provisioning to those pre‑configured objects.

Active Directory Administration Roles

Roles that grant temporary privileges in on‑premises AD. Pair with AD Agents and connectors.

Domain User Support (Reset Passwords)
- Grants: Reset user passwords, unlock accounts in specific OUs
- Suggested duration: 30–60 minutes; Approval: Single
Join Computers to Domain
- Grants: Add workstations to the domain within a target OU
- Suggested duration: 1–2 hours; Approval: Single
Group Management (Scoped)
- Grants: Add/Remove members in designated security groups (e.g., VPN‑Users)
- Suggested duration: 15–60 minutes; Approval: Single
AD Operator (Tier‑0 Exceptions excluded)
- Grants: Create/disable/enable users, manage service accounts in scoped OUs
- Suggested duration: 2–4 hours; Approval: Dual
AD DNS Admin (Scoped Zones)
- Grants: Manage DNS records in specified zones
- Suggested duration: 1–4 hours; Approval: Single or Dual (production)

Instant replication

If your AD spans multiple sites and you need faster effect for group changes, consider on‑demand replication. See: Instant Replication Between Sites

Application Administration Roles

Temporary escalation for app platforms that integrate with AD or Entra ID (examples shown).

Exchange Administrator (Scoped)
- Grants: Manage mailboxes, distribution lists; change limits for specific org units
- Suggested duration: 2–4 hours; Approval: Dual
SharePoint Site Admin (Project Space)
- Grants: Manage site permissions and features for a specific collection
- Suggested duration: 1–2 hours; Approval: Single
Teams Administrator (Scoped Policies)
- Grants: Policy and settings changes in limited scope
- Suggested duration: 1–2 hours; Approval: Single
Intune/Endpoint Admin (Change Window)
- Grants: Create/edit device policies and app assignments during change windows
- Suggested duration: 2–6 hours; Approval: Dual
SQL DBA (Production Read/Write)
- Grants: Database role membership on target instances/databases
- Suggested duration: 1–4 hours; Approval: Dual

Scenario‑based Administration Roles

Task‑focused roles that bundle just the privileges needed to complete a workflow.

Patch Management (Maintenance Window)
- Grants: WSUS/SCCM change rights, AD group updates for maintenance collections
- Suggested duration: 2–6 hours; Approval: Dual
Break/Fix – User Access Recovery
- Grants: AD unlock/reset, mailbox repair commands, ticket reference required
- Suggested duration: 30–90 minutes; Approval: Single (with audit)
Emergency Access (Firefighter)
- Grants: Pre‑approved high‑risk permissions under strict controls
- Suggested duration: 15–60 minutes; Approval: Dual + paging/escalation
Release Deployment (Prod)
- Grants: App config updates, feature flags, limited DB change scripts
- Suggested duration: 1–4 hours; Approval: Dual

Entra ID (Azure AD) Administration Roles

Use built‑in or custom Entra roles. For production, prefer scoped and time‑bound access.

User Administrator (Scoped)
- Grants: Create/update users, reset passwords in specific administrative units
- Suggested duration: 30–90 minutes; Approval: Single
Groups Administrator (AU‑Scoped)
- Grants: Manage membership for designated groups/admin units
- Suggested duration: 30–90 minutes; Approval: Single
Application Administrator
- Grants: Manage app registrations/enterprise apps (non‑prod vs prod separation)
- Suggested duration: 1–2 hours; Approval: Dual
Privileged Role Administrator (Exception)
- Grants: Manage role assignments (use sparingly with strict dual approval)
- Suggested duration: 15–60 minutes; Approval: Dual
Security Reader / Security Operator
- Grants: Investigation/troubleshooting visibility without broad admin rights
- Suggested duration: 2–8 hours; Approval: Single

Mixed AD / Entra ID Roles

When tasks span hybrid scenarios, bundle cross‑system steps in one temporary role.

Exchange Hybrid Admin
- Grants: Entra permissions for EXO, on‑prem Exchange/AD group management
- Suggested duration: 2–4 hours; Approval: Dual
Hybrid‑Joined Device Admin
- Grants: Intune policy changes + AD group membership for device joins
- Suggested duration: 1–2 hours; Approval: Dual
Identity Lifecycle Troubleshooting
- Grants: Read access across HR, Entra Connect, AD; scoped write to fix drift
- Suggested duration: 1–2 hours; Approval: Single

User Access Roles (End‑User Scenarios)

Low‑risk, time‑bound access for everyday needs with strong audit trail.

VPN Access (Time‑boxed)
- Grants: Add to VPN‑Users group
- Suggested duration: 4–24 hours; Approval: Auto or Single
HR System Access (Campaign)
- Grants: Add to HR‑Access group during review period
- Suggested duration: 1–8 hours; Approval: Single
Finance Report Access (Month‑End)
- Grants: Read rights to reporting workspace/groups during close
- Suggested duration: 2–8 hours; Approval: Single
Temporary Project Space Access
- Grants: SharePoint/Teams group membership for a project phase
- Suggested duration: 1 day–2 weeks; Approval: Single

Design tips

Keep scope narrow: specific OUs, admin units, sites, applications, or databases
Set durations to match task length; start short, allow extension if justified
Choose approvals by risk: Auto (low), Single (moderate), Dual+ (sensitive)
Prefer group‑based eligibility over direct individual assignment
Document a simple business justification for audit trail

High‑risk roles

For critical production changes, require two different approvers, keep windows short, and monitor job/audit events in near‑real time.

Starter templates

Copy and adapt these minimal templates when creating roles. They capture the essentials: purpose, scope, time, approvals, and provisioning.

# AD: Group Management (Scoped)
name: AD Group Manager (VPN Users)
description: Temporarily manage membership of VPN-Users in OU=Corp
maxDuration: 60m
approvalPolicy: SingleApprover
provisioning:
  - type: activedirectory.groupMembership
    domain: corp.example.com
    group: VPN-Users
    ouScope: OU=Corp,DC=example,DC=com

# Entra ID: User Administrator (AU-scoped)
name: Entra User Admin (HR AU)
description: Create/update users and reset passwords in HR administrative unit
maxDuration: 90m
approvalPolicy: SingleApprover
provisioning:
  - type: entraid.roleAssignment
    role: User Administrator
    scope: AdministrativeUnit:HR

# Application: Exchange Admin (Exchange Online)
name: Exchange Admin (EXO)
description: Manage mailboxes and DLs in Exchange Online
maxDuration: 180m
approvalPolicy: DualApprover
provisioning:
  - type: entraid.roleAssignment
    role: Exchange Administrator

# Scenario: Patch Management (Maintenance Window)
name: Patch Manager (Prod)
description: Apply approved updates in maintenance window
maxDuration: 240m
approvalPolicy: DualApprover
provisioning:
  - type: activedirectory.groupMembership
    group: SCCM-Change-Managers
  - type: entraid.groupMembership
    group: Intune-Change-Window

# Mixed: Exchange Hybrid Admin
name: Exchange Hybrid Admin
description: Hybrid Exchange changes across EXO and on-prem AD groups
maxDuration: 240m
approvalPolicy: DualApprover
provisioning:
  - type: entraid.roleAssignment
    role: Exchange Administrator
  - type: activedirectory.groupMembership
    group: OnPrem-Exchange-Admins

# End-user: VPN Access (Time-boxed)
name: VPN Access (24h)
description: Temporary VPN access for travel/support
maxDuration: 24h
approvalPolicy: AutoApprove or SingleApprover
provisioning:
  - type: activedirectory.groupMembership
    group: VPN-Users

# Entra ID: Group-based App Access
name: Power BI Workspace Reader
description: Read-only access to a workspace via Entra group membership
maxDuration: 120m
approvalPolicy: SingleApprover
provisioning:
  - type: entraid.groupMembership
    group: PBI-Workspace-Readers

Automate with the CLI

Find role IDs, request activations, and manage the catalog from scripts. See also: CLI Reference, Roles CLI, Activations CLI, Admin CLI.

Users: request an activation

Request activation (60 minutes)

grantflow activations request <ROLE_ID> --duration 60 --reason "<justification>"

Users: list your eligible roles

List eligible roles

grantflow roles list --output table

Admins: list and create roles

List all roles (admin)

grantflow admin roles list --output table

Create a new role (skeleton)

grantflow admin roles create --name "VPN Access (24h)" --description "Temporary VPN access via AD group" --type activedirectory --connector <AD_CONNECTOR_ID> --max-duration 1440

Active Directory Administration Roles​

Application Administration Roles​

Scenario‑based Administration Roles​

Entra ID (Azure AD) Administration Roles​

Mixed AD / Entra ID Roles​

User Access Roles (End‑User Scenarios)​

Design tips​

Starter templates​

Automate with the CLI​

Users: request an activation​

Users: list your eligible roles​

Admins: list and create roles​

See also​