Manage Users

User management in Reply CMP integrates with your Azure Active Directory (Microsoft Entra ID) tenant. Users are invited as guest users via the Microsoft Graph API and then assigned roles within Reply CMP.

Navigate: left navigation → Tenant → Users.


The Users list

The Users tab shows a card grid of all current users with:

  • Display name and email

  • Assigned role badge(s) — colour-coded by role category

  • Last activity indicator


Inviting a user

  1. Click “+ Invite User”

  2. Enter the user’s email address

  3. Optionally add a display name (defaults to the username part of the email)

  4. Click Invite

What happens:

  • Reply CMP calls the Microsoft Graph Invitations API to send an invitation email

  • The user receives a welcome email with a link to accept and log in

  • Once accepted, the user appears in the Users list and can be assigned roles

Note

The invitation uses Azure AD guest user functionality. The invitee must have a Microsoft account or Azure AD account to accept. External email-only addresses (non-Microsoft) are not supported.


Assigning roles

  1. Click on a user card → the User Role Drawer opens on the right

  2. Toggle roles on or off

  3. Click Save

Available roles

| Role | Category | What it allows |
|---|---|---|
| Owner | Built-in | Full platform access including RBAC management |
| Contributor | Built-in | Full platform access except RBAC changes |
| Reader | Built-in | Read-only access to all modules |
| Discovery Contributor | Module | Full Discovery access |
| Discovery Reader | Module | Read-only Discovery access |
| FinOps Contributor | Module | Full FinOps access |
| FinOps Reader | Module | Read-only FinOps access |
| Provisioning Contributor | Module | Full Provisioning access |
| Provisioning Reader | Module | Read-only Provisioning access |
| Policy Contributor | Module | Full Automation access |
| Policy Reader | Module | Read-only Automation access |
| Monitoring Contributor | Module | Full Monitoring access |
| Monitoring Reader | Module | Read-only Monitoring access |
| Tenant Reader | Tenant | View tenant configuration |
| User Administrator | Admin | Invite users and assign roles (limited by superset rule) |

For the complete permissions matrix, see Roles and Permissions.


The superset rule

Important

You can only assign roles whose permissions are a subset of your own permissions. This prevents privilege escalation.

Example: a FinOps Reader cannot assign the FinOps Contributor role to someone else.

The role drawer automatically disables roles that exceed your own permission set. If you need to assign a role you don’t hold yourself, ask a Tenant Owner.


Viewing effective permissions

The User Role Drawer shows a collapsible Effective Permissions section:

  • All permissions the user holds given their assigned roles

  • Grouped by feature category (Discovery, FinOps, Provisioning, etc.)

  • Each permission shown as Module.Resource / Action (e.g. FinOps.Cost / Read)

Use this view to audit exactly what a user can do before confirming an invite-to-role workflow.
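The superset rule and the effective-permissions view described above can both be expressed as set operations. The following Python is an added example, not Reply CMP's own code: the role names come from the table on this page, while the permission sets in `ROLE_PERMISSIONS` and all function names are constructed assumptions (the real matrix is in Roles and Permissions).

```python
from collections import defaultdict

# Constructed role -> permission mapping (assumption, for illustration only).
# Each permission is a (Module.Resource, Action) pair, as shown in the drawer.
ROLE_PERMISSIONS = {
    "FinOps Reader": {("FinOps.Cost", "Read"), ("FinOps.Budget", "Read")},
    "FinOps Contributor": {("FinOps.Cost", "Read"), ("FinOps.Cost", "Write"),
                           ("FinOps.Budget", "Read"), ("FinOps.Budget", "Write")},
    "Discovery Reader": {("Discovery.Resource", "Read")},
    "Tenant Reader": {("Tenant.Config", "Read")},
}


def effective_permissions(roles):
    """Union of the permissions granted by every assigned role."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]  # unknown role raises KeyError: fail closed
    return perms


def group_by_module(perms):
    """Group permissions by module, formatted as 'Module.Resource / Action'."""
    grouped = defaultdict(list)
    for resource, action in sorted(perms):
        grouped[resource.split(".", 1)[0]].append(f"{resource} / {action}")
    return dict(grouped)


def assignable_roles(assigner_roles):
    """Roles whose permissions are a subset of the assigner's effective set."""
    held = effective_permissions(assigner_roles)
    return sorted(r for r, p in ROLE_PERMISSIONS.items() if p <= held)


def assign_role(assigner_roles, target_roles, new_role):
    """Return the target's new role set, or raise if the superset rule is violated."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    if not ROLE_PERMISSIONS[new_role] <= effective_permissions(assigner_roles):
        raise PermissionError(f"{new_role} exceeds the assigner's permissions")
    return set(target_roles) | {new_role}
```

In this example the check runs against the union of the assigner's roles, so it is the effective permission set, not any single role, that bounds what can be granted.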


Self-operation restrictions

Certain operations cannot be performed on your own account to prevent accidental lock-out:

  • You cannot remove your own Owner role

  • You cannot delete your own user account

To make these changes to your own account, ask another Tenant Owner.


Removing a user

  1. Click on the user card → Role Drawer opens

  2. Click Remove user from tenant at the bottom of the drawer

  3. Confirm

Removed users lose all access immediately. Their historical activity remains visible in the Audit Log.