RBAC Configuration
AlignSure enforces role-based access control (RBAC) tied to Microsoft Entra ID identities. This guide covers how administrators configure roles and permissions.
Assignment Methods
Individual Assignment
Assign roles to specific users through the AlignSure admin interface:
Settings → User Management → Select User → Assign Role
Group-Based Assignment
Map Entra ID security groups to AlignSure roles:
Settings → User Management → Group Mapping
When a user is added to or removed from a mapped Entra ID group, their AlignSure role is updated at their next sign-in. Because the change is applied at sign-in, a session that is already open keeps the role it was granted until the user signs in again; if a removal must take effect immediately, end the user's active session as well.
Permission Matrix
| Capability | Administrator | Owner | Reviewer | Contributor |
|---|---|---|---|---|
| View assigned documents | ✓ | ✓ | ✓ | ✓ |
| Submit documents | ✓ | ✓ | ✓ | ✓ |
| Review and annotate | ✓ | ✓ | ✓ | — |
| Approve/reject evidence | ✓ | ✓ | — | — |
| Assign reviewers | ✓ | ✓ | — | — |
| Configure frameworks | ✓ | — | — | — |
| Manage users and roles | ✓ | — | — | — |
| Access audit logs | ✓ | Domain-scoped | Own actions | Own actions |
| Export evidence packages | ✓ | ✓ | — | — |
Minimum Necessary Principle
AlignSure enforces minimum necessary access:
- Contributors see only their own submissions
- Reviewers see only documents assigned to them or within their domain
- Owners see all activity within their compliance domain
- Administrators see system-wide activity
PHI access is further restricted — only users whose role requires PHI access (as validated by the Job Role Validation Engine) can view PHI-containing documents.
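To make the matrix and the scoping rules above concrete, the following is an added Python model written for this page; it is an illustration, not AlignSure's own code or API. It encodes the permission matrix as a deny-by-default allow-list, applies the minimum-necessary visibility rules (Contributor: own submissions; Reviewer: assigned documents or own domain; Owner: own domain; Administrator: everything), gates PHI-containing documents on a cleared flag standing in for the Job Role Validation Engine's result, and scopes audit-log visibility the way the matrix describes. The class names, action identifiers, the boolean `phi_cleared` flag, and the sample users, documents and audit events are all assumptions constructed for the example.

```python
"""Added reference model of AlignSure's permission matrix and minimum-necessary
scoping. Illustration only: names, action identifiers and sample data are
assumptions, not AlignSure's real code or API."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class Role(str, Enum):
    ADMINISTRATOR = "Administrator"
    OWNER = "Owner"
    REVIEWER = "Reviewer"
    CONTRIBUTOR = "Contributor"


ALL = frozenset(Role)
REVIEW_UP = frozenset({Role.ADMINISTRATOR, Role.OWNER, Role.REVIEWER})
OWNER_UP = frozenset({Role.ADMINISTRATOR, Role.OWNER})
ADMIN_ONLY = frozenset({Role.ADMINISTRATOR})

# The page's permission matrix as an allow-list. Any action not listed, and any
# role not listed for an action, is denied (deny by default).
MATRIX: Dict[str, FrozenSet[Role]] = {
    "view_assigned_documents": ALL,
    "submit_documents": ALL,
    "review_and_annotate": REVIEW_UP,
    "approve_reject_evidence": OWNER_UP,
    "assign_reviewers": OWNER_UP,
    "configure_frameworks": ADMIN_ONLY,
    "manage_users_and_roles": ADMIN_ONLY,
    "access_audit_logs": ALL,  # every role, but scoped; see visible_audit_events()
    "export_evidence_packages": OWNER_UP,
}


@dataclass(frozen=True)
class User:
    id: str
    role: Role
    domain: str  # compliance domain the user belongs to
    phi_cleared: bool = False  # assumed boolean result of the Job Role Validation Engine


@dataclass(frozen=True)
class Document:
    id: str
    domain: str
    submitter: str
    assigned_reviewers: FrozenSet[str] = frozenset()
    contains_phi: bool = False


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    domain: str
    action: str


def in_scope(user: User, doc: Document) -> bool:
    """Minimum-necessary visibility rules from the page."""
    if user.role is Role.ADMINISTRATOR:
        return True  # system-wide
    if user.role is Role.OWNER:
        return doc.domain == user.domain  # own compliance domain
    if user.role is Role.REVIEWER:
        return user.id in doc.assigned_reviewers or doc.domain == user.domain
    return doc.submitter == user.id  # Contributor: own submissions only


def authorize(user: User, action: str, doc: Optional[Document] = None) -> bool:
    """Deny unless the matrix allows the role, the document is in scope, and,
    for PHI-containing documents, the user is PHI-cleared."""
    if user.role not in MATRIX.get(action, frozenset()):
        return False
    if doc is not None:
        if not in_scope(user, doc):
            return False
        if doc.contains_phi and not user.phi_cleared:
            return False
    return True


def visible_audit_events(user: User, events: Iterable[AuditEvent]) -> List[AuditEvent]:
    """Audit-log row of the matrix: all / domain-scoped / own actions."""
    if user.role is Role.ADMINISTRATOR:
        return list(events)
    if user.role is Role.OWNER:
        return [e for e in events if e.domain == user.domain]
    return [e for e in events if e.actor == user.id]


# Constructed sample data (not from any real deployment).
ALICE = User("alice", Role.ADMINISTRATOR, "hipaa", phi_cleared=True)
BOB = User("bob", Role.OWNER, "hipaa")  # Owner, but not PHI-cleared
CAROL = User("carol", Role.REVIEWER, "soc2")
DAVE = User("dave", Role.CONTRIBUTOR, "hipaa")

DOC_PHI = Document("doc-1", "hipaa", submitter="dave", contains_phi=True)
DOC_SOC2 = Document("doc-2", "soc2", submitter="erin", assigned_reviewers=frozenset({"carol"}))
DOC_HIPAA_ASSIGNED = Document("doc-3", "hipaa", submitter="erin", assigned_reviewers=frozenset({"carol"}))

EVENTS = [
    AuditEvent("alice", "hipaa", "role_change"),
    AuditEvent("bob", "hipaa", "approve"),
    AuditEvent("carol", "soc2", "annotate"),
]


def demo() -> Dict[str, bool]:
    """Decisions worth noting: PHI gating beats both ownership and submission."""
    return {
        "dave_views_own_phi_doc_uncleared": authorize(DAVE, "view_assigned_documents", DOC_PHI),
        "bob_approves_phi_doc_uncleared": authorize(BOB, "approve_reject_evidence", DOC_PHI),
        "alice_approves_phi_doc": authorize(ALICE, "approve_reject_evidence", DOC_PHI),
        "carol_reviews_assigned_cross_domain": authorize(CAROL, "review_and_annotate", DOC_HIPAA_ASSIGNED),
        "carol_approves_in_domain": authorize(CAROL, "approve_reject_evidence", DOC_SOC2),
        "bob_configures_frameworks": authorize(BOB, "configure_frameworks"),
        "unknown_action_denied": authorize(ALICE, "delete_everything"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point to take from the model is the ordering of checks: role first, then scope, then the PHI gate, with every miss falling through to deny. An Owner in the right domain is still denied a PHI document unless the Job Role Validation Engine has cleared them, and a Reviewer can reach an assigned document outside their own domain but never approve it.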
Audit Logging
All role changes are logged:
- Who made the change (administrator identity)
- What changed (previous role → new role)
- When (UTC timestamp)
- Why (optional note field for the administrator)