Managing Role Assignment for GDAP Relationship Requests
About Permissions and Roles
In Microsoft’s GDAP (Granular Delegated Admin Privileges) model, the most basic unit assignable to a user is a permission. Since users often require multiple permissions to perform their duties, Microsoft allows assigning multiple permissions to a single user.
However, with the vast number of available permissions, it can be difficult for administrators to determine which ones are necessary for specific roles or to apply them consistently across users. To address this, Microsoft introduced roles—collections of related permissions grouped by function (e.g., Customer Care, Billing, Invoicing, Operations, Security).
Assigning roles instead of individual permissions simplifies administration and reduces the risk of human error. Since users may need to perform tasks across different functional areas, Microsoft also supports assigning multiple roles to a single user.
Provider-to-Customer GDAP Relationship
When a Microsoft direct partner (1T or 2T) initiates a GDAP relationship with a customer, the request must specify the roles being requested. Once the customer accepts the request, the partner is granted access to the defined roles.
Reseller-to-Customer GDAP Relationship
Indirect resellers (2T) must independently request and manage their GDAP relationships with customers. Importantly, resellers do not inherit permissions from a provider’s GDAP relationship. Each relationship is distinct and must be configured separately.
CloudBlue Context
User Journey
When a provider initiates a GDAP relationship, they must select and encode the appropriate roles into the request.
In automated marketplaces, provider associates typically do not manually configure each transaction. Instead, providers define default roles once, which are stored in Connect. These defaults are then automatically applied to each GDAP request processed by Connect.
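Because a stored default is copied into every request, it is worth vetting the default role list once, before reuse. The following is an added example, not CloudBlue or Microsoft code: it checks a default role list and builds a request body in the shape of the Microsoft Graph `delegatedAdminRelationship` resource. The deny list, function names, default duration, and sample values are assumptions for illustration; how Connect actually stores defaults is not covered on this page.

```python
import uuid

# Microsoft Entra built-in role template IDs (published by Microsoft).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
HELPDESK_ADMINISTRATOR = "729827e3-9c14-49f7-bb1b-9608f156bbb8"

# Hypothetical policy: roles that must never be applied as a marketplace default.
DENIED_DEFAULTS = {GLOBAL_ADMINISTRATOR}
MAX_DURATION_DAYS = 730  # GDAP relationships last at most two years


def validate_default_roles(role_ids):
    """Normalize, de-duplicate and vet the stored default role list."""
    cleaned = []
    for raw in role_ids:
        # uuid.UUID raises ValueError on a malformed GUID and lowercases the result.
        role = str(uuid.UUID(raw.strip()))
        if role in DENIED_DEFAULTS:
            raise ValueError(f"role {role} is not allowed as a default")
        if role not in cleaned:
            cleaned.append(role)
    if not cleaned:
        raise ValueError("at least one default role is required")
    return cleaned


def build_gdap_request(customer_tenant_id, default_roles, name, duration_days=180):
    """Return the JSON body for one relationship request using the defaults."""
    if not 1 <= duration_days <= MAX_DURATION_DAYS:
        raise ValueError("duration must be between 1 and 730 days")
    roles = validate_default_roles(default_roles)
    return {
        "displayName": name,
        "duration": f"P{duration_days}D",  # ISO 8601 duration
        "customer": {"tenantId": str(uuid.UUID(customer_tenant_id))},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": r} for r in roles]
        },
    }


if __name__ == "__main__":
    # Constructed sample input: tenant ID and relationship name are placeholders.
    defaults = [DIRECTORY_READERS, HELPDESK_ADMINISTRATOR]
    print(build_gdap_request("11111111-2222-3333-4444-555555555555",
                             defaults, "constructed-relationship"))
```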