Permissions

Overview

The Permissions menu allows you to control access to the RADIUSaaS Admin Portal and the RADIUSaaS REST API.

Roles

Administrators

Microsoft Entra ID (Azure AD) UPNs entered here can access the RADIUSaaS Admin Portal and full read and write permissions on the service. These permissions include:

• View dashboards and Logs

• View, add, change, delete Users

• View, add, change, delete RADIUS server certificates and trusted certificates for client authentication and RadSec

• View, add, delete Proxies

• View and change others settings including permissions

• Manage RADIUSaaS REST API Access Token

• Access to all API endpoints and CRUD operations

Viewers

Microsoft Entra ID (Azure AD) UPNs entered here can access the RADIUSaaS Admin Portal and full read permissions on the service. These permissions include:

• View dashboards and Logs

• View Users

• View, add, change, delete RADIUS server certificates and trusted certificates for client authentication and RadSec

• View Proxies

• View others settings (permission cannot be viewed)

• Access to all API endpoints - limited to read operations

Users

Microsoft Entra ID (Azure AD) UPNs entered here can access the RADIUSaaS Admin Portal but can only access the Users portal, where they are able to create Users for BYOD or guest access.

Invalidate user tokens

During authentication to the RADIUSaaS Admin Portal, each permitted Microsoft Entra ID (Azure AD) account obtains an access (bearer) token that is cached in the browser's cookie store. The lifetime of the token is 30 days. Furthermore, RADIUSaaS has permission to refresh these access tokens.

In a security event, RADIUSaaS Administrators can invalidate all previously issued access tokens by setting the minimum issuance date to now.

Access Tokens

Access tokens are required to authenticate calls to the RADIUSaaS REST API.

Add

Follow these steps to create a new access token:

1. Click on Add

2. Provide a meaningful Name for the access token

3. Set the permission level by selecting a Role

4. Select the lifetime of the access token

7. Click on Close

Delete

To delete an access token, locate it in the table and click on the bin icon:

Permissions consent

Microsoft Entra ID (Azure AD) accounts that log on to the RADIUSaaS Admin Portal for the first time must grant RADIUSaaS a limited set of permissions in their Azure tenant.

There are two alternative ways to provide consent:

• User Consent Each user accepts the consent upon first login to the portal.

• Admin Consent An administrator can consent on behalf of the organization for all users.

User consent

If no consent has been given on behalf of the organization before by an admin, a user will see a permission request dialogue:

Users can review or revoke this consent in Microsoft My Apps.

Administrators can review & revoke user consents in the Azure Portal (Microsoft Entra ID > Enterprise Applications > RADIUS as a Service):

Admin consent

Rather than requiring consent from each user, administrators can grant consent for all users on behalf of the organization, when logging in the RADIUSaaS web portal for the first time:

Alternatively, administrators can grant the consent on behalf of the organization in the Azure portal (Microsoft Entra ID > Enterprise Applications > RADIUS as a Service). In Azure Portal, administrators can also review or revoke the consent: