Security and Governance
The permission model in our CSP setup is designed to support both Playground Tech's service delivery and TD Synnex's distributor requirements while maintaining security and compliance. This model uses Microsoft's Granular Delegated Admin Privileges (GDAP) framework combined with Azure RBAC for comprehensive access management.
GDAP Roles, Azure RBAC, and Relationships
Both Playground Tech and TD Synnex require GDAP and Azure RBAC as part of our delivery model, but each party needs them for a different purpose. The sections below outline those differences.
Playground Tech
Below is the access we need to operate efficiently as a Tier 2 Partner with Microsoft and TD Synnex. This access is subject to change.
AdminAgent
This access is essential for managed services scenarios. In the case of CMP, it is required when you request our hands-on support and expect us to onboard CMP without assistance. This role provides significant permissions within the environment. Only a limited number of individuals have access to it, and we maintain access logs that can be used to investigate any actions taken.
GDAP Roles
Cloud Application Administrator: Service Principal & OAuth Management
Global Reader: Azure AD Object Access
Service Support Administrator: Azure Support Management
Groups Administrator: Identity Management
Privileged Role Administrator: Automation & Identity Management
Azure RBAC
Owner (scope: “PGT Root” Management Group): Full Azure resource access across the tenant.
HelpdeskAgent
This access is essential for Playground Tech to operate as a Tier 2 Microsoft Partner under TD Synnex. It is read-only and lets additional team members, such as product managers, operations managers, and sales personnel, gain insight into the customer environment. This role is our default when working in customer environments.
GDAP Roles
Global Reader: Basic Troubleshooting & Azure Portal Read Only
Service Support Administrator: Support
Azure RBAC
Support Request Contributor: Support
TD Synnex
For TD Synnex to function effectively as a distributor for Microsoft and us, they must obtain specific permissions. We keep these permissions as restrictive as possible for two reasons. First, you shouldn’t be concerned about our partnership with a distributor. Second, you, the end customer, should engage with Playground Tech as much as possible without being aware of TD Synnex's involvement. With that said, if you want to do many things in a self-service way, we need to give TD Synnex higher permissions.
GDAP Roles
Global Reader: Basic Troubleshooting & Azure Portal Read Only
Service Support Administrator: Support
Access & Permissions Audit
As part of ISO 27001, we conduct a quarterly audit of our access permissions. This ensures we address changes in our needs or access patterns and adequately account for new hires, transfers, or departures.