InfraSOS Alerting Privileges for User Delegation
This documentation outlines the privilege structure for Active Directory (AD) and Office 365 / Azure AD alert features. Use this guide to ensure users have the correct access levels for their operational needs.
The "View-Plus" Requirement
Access to alerting features follows a View-Plus logic.
- View-Only Access: Assigning a "View" privilege allows a user to open the corresponding alerting pages in read-only mode.
- Management Access: To create, edit, or delete data, a user must have both the specific "Management" privilege and the "View" privilege assigned to their role.
- Security Behavior: If a user possesses a Management privilege but lacks the "View" privilege, they will encounter an "Access Denied" page when attempting to access the feature.
Privilege Definitions
The privileges are divided into two completely independent silos: Active Directory and Office 365 / Azure AD. Granting access in one does not grant access in the other.
Active Directory Alerts
| Privilege | Capability |
| --- | --- |
| View AD Alerts | Grants read-only access to all AD alert-related pages. |
| AD Active Alerts Management | Allows deletion of AD Active Alerts. |
| AD Alert Business Hours Management | Allows configuration of timeframes for AD alert notifications. |
| AD Alert Labels Management | Allows creation, deletion and modification of labels for alerts. Note: Labels are shared globally between AD and Azure AD. |
| AD Alert Profiles Management | Allows creation, deletion and modification of AD Alert Profiles. It also allows enabling and disabling Alert Profiles, which turns collection of new Active Alerts on and off. |
Azure AD Alerts
| Privilege | Capability |
| --- | --- |
| View Azure AD Alerts | Grants read-only access to all Azure AD alert-related pages. |
| Azure AD Active Alerts Management | Allows deletion of Azure AD Active Alerts. |
| Azure AD Alert Business Hours Management | Allows configuration of timeframes for Azure AD alert notifications. |
| Azure AD Alert Labels Management | Allows creation, deletion and modification of labels for alerts. Note: Labels are shared globally between AD and Azure AD. |
| Azure AD Alert Profiles Management | Allows creation, deletion and modification of Azure AD Alert Profiles. It also allows enabling and disabling Alert Profiles, which turns collection of new Active Alerts on and off. |
UI Behavior and Hierarchy
- Dynamic Interface: The portal UI adapts to the user's role. If a user lacks a specific "Management" privilege, the corresponding Create, Edit, or Delete buttons will be hidden from their view to prevent confusion.
- Total Independence: Privileges for local Active Directory and cloud-based Azure AD are siloed. Users requiring access to both environments must be granted permissions in both sections explicitly.
- Global Label Synchronization: While the AD and Azure AD environments are independent regarding most data, Alert Labels are common to both. Modifying or deleting a label from the Azure AD Labels management page will immediately affect the labels displayed in the Active Directory Labels management page.
- Recipient Management & "View Company Users": To manage alert recipients within Alert Profiles, the View Company Users privilege (Administration → User Management / Delegation → View Company Users) is required. Without this privilege:
  - Users cannot assign company users to Alert Profiles.
  - Users cannot see which company users are currently assigned to existing Alert Profiles.
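The rules above (View-Plus, silo independence, shared labels, and the View Company Users dependency) can be checked across a set of delegated roles before they are assigned. The following is an added example, not InfraSOS code: the privilege names are the ones listed on this page, while the role names and the dict-of-sets input format are assumptions made for illustration.

```python
# Added example: audit a role-to-privilege mapping against the rules on this page.
# The dict-of-sets input format is an assumption; privilege names are the page's.
SILOS = ("AD", "Azure AD")
MGMT = ("Active Alerts", "Alert Business Hours", "Alert Labels", "Alert Profiles")
COMPANY_USERS = "View Company Users"

def audit_role(privs):
    """Return a sorted list of findings for one role's set of privilege names."""
    findings = []
    for silo in SILOS:
        view = f"View {silo} Alerts"
        held = [f"{silo} {m} Management" for m in MGMT
                if f"{silo} {m} Management" in privs]
        # View-Plus: Management without View ends in "Access Denied".
        if held and view not in privs:
            findings.append(f"{silo}: Management without '{view}' (Access Denied)")
        if f"{silo} Alert Labels Management" in privs:
            # Labels are shared globally, so this grant reaches both silos.
            findings.append(f"{silo}: label changes also affect the other silo")
        if f"{silo} Alert Profiles Management" in privs:
            # Disabling a profile stops collection of new Active Alerts.
            findings.append(f"{silo}: can disable alert collection")
            if COMPANY_USERS not in privs:
                findings.append(
                    f"{silo}: cannot manage recipients without '{COMPANY_USERS}'")
    return sorted(findings)

def audit(roles):
    """Map each role name to its findings, omitting roles with none."""
    return {name: f for name, privs in roles.items() if (f := audit_role(privs))}

# Constructed sample roles (hypothetical names, not from a real tenant).
SAMPLE_ROLES = {
    "helpdesk-readonly": {"View AD Alerts", "View Azure AD Alerts"},
    "ad-alert-admin": {"AD Alert Profiles Management", "AD Alert Labels Management"},
    "cloud-soc": {"View Azure AD Alerts", "Azure AD Alert Profiles Management",
                  "View Company Users"},
}

if __name__ == "__main__":
    for role, findings in audit(SAMPLE_ROLES).items():
        for finding in findings:
            print(f"{role}: {finding}")
```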
Quick Troubleshooting
- User sees "Access Denied": Check if the user has the View AD Alerts or View Azure AD Alerts privilege assigned.
- User can see the page but no buttons: The user has "View" access but lacks the specific Management privilege for that action.