Managing Role Assignment for GDAP Relationship Requests

About Permissions and Roles

In the Microsoft GDAP scheme, the atomic unit assignable to a user is a permission. Because an individual user may require multiple permissions, Microsoft allows an individual user to be assigned multiple permissions.

As there are a large number of permissions, it may be difficult for an administrator to know which ones are required for certain users, and it may be challenging to apply those permissions in a consistent way to multiple users (without human error).

To respond to these challenges, Microsoft introduced roles to support best practices. A role aggregates two or more permissions that are thematically related (e.g. Customer Care, Billing, Invoicing, Operations, Security, etc.). An administrator may more easily assign a role to users, knowing it contains the full set of permissions those users require to be effective in their job.

Because an individual user may be authorized to perform functions across multiple roles, Microsoft allows an individual user to be assigned multiple roles at once.

Provider to Customer GDAP Relationship

Whenever a Microsoft direct provider partner acting as provider (1T or 2T) requests a new GDAP relationship with a customer, the GDAP request must encapsulate the desired roles. When a customer accepts a GDAP relationship, these encoded roles are approved by the customer for the partner's use.

Reseller to Customer GDAP Relationship

An indirect 2T reseller desiring a GDAP relationship with a customer must request and manage a relationship that is independent of any provider relationship. To clarify, a reseller does not inherit any permissions from a provider's independent relationship.

CloudBlue Context

User Journey

When the Connect processor is invoked by a provider to form a provider-to-customer GDAP relationship request, the provider must select and encode the desired roles into the relationship.

Because provider associates in an automated Cloud Marketplace do not key in each transaction, they will not have to select and configure the desired roles on a transactional basis.

Instead, the provider is invited to select default permissions as a one-time event that will be configured and stored in Connect. Then, as Connect handles each transaction event, Connect will automatically access these default roles and encode them into the GDAP relationship request.
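As an added illustration (not CloudBlue's or Microsoft's code), the sketch below validates a stored default role set and encodes it into a request body shaped like the Microsoft Graph delegatedAdminRelationship resource. The blocked-role policy, the function names and the sample tenant ID are assumptions; how Connect itself stores and encodes roles is not described on this page.

```python
import json
import uuid

# Microsoft Entra built-in role template IDs (public, well-known values).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
HELPDESK_ADMINISTRATOR = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
DIRECTORY_READERS = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"

# Hypothetical policy: roles that must never be part of an automated default set.
BLOCKED_DEFAULT_ROLES = {GLOBAL_ADMINISTRATOR}


def validate_default_roles(role_ids):
    """Return a de-duplicated, normalized role list, or raise ValueError."""
    if not role_ids:
        raise ValueError("default role set is empty")
    normalized = []
    for raw in role_ids:
        rid = str(uuid.UUID(raw))  # raises ValueError on malformed IDs
        if rid in BLOCKED_DEFAULT_ROLES:
            raise ValueError(f"role {rid} is not allowed as a default")
        if rid not in normalized:
            normalized.append(rid)
    return normalized


def build_gdap_request(display_name, customer_tenant_id, default_roles,
                       duration="P730D"):
    """Encode the stored default roles into one relationship request body."""
    roles = validate_default_roles(default_roles)
    return {
        "displayName": display_name,
        "duration": duration,  # ISO 8601 duration
        "customer": {"tenantId": str(uuid.UUID(customer_tenant_id))},
        "accessDetails": {
            "unifiedRoles": [{"roleDefinitionId": r} for r in roles]
        },
    }


# Constructed sample data: defaults stored once, reused for every transaction.
STORED_DEFAULTS = [DIRECTORY_READERS, HELPDESK_ADMINISTRATOR,
                   DIRECTORY_READERS.upper()]  # duplicate in different case
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder

if __name__ == "__main__":
    body = build_gdap_request("Provider-Cust-001", SAMPLE_TENANT, STORED_DEFAULTS)
    print(json.dumps(body, indent=2))
```

Validating the default set once, before it is stored, keeps an over-privileged or malformed role from being replicated into every relationship request that is generated automatically.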

Roadmap

As Microsoft uses a Multi-Partner model, customers may have multiple independent relationships with competing providers and with competing resellers. Each relationship requires its own set of approved permissions.

Request Provider-to-Customer Relationships via Connect Processor

Earlier releases of this functionality will require providers to nominate their default permissions/roles via their Technical Account Manager (or another contact); these will then be manually configured in Connect.

In later releases of this functionality, CloudBlue will offer a self-serve journey for providers to manage the default permissions/roles on their own, without manual assistance from any CloudBlue associate.
