Interested in the CIPP app but with some questions?

[DineshBhagwandin1]

Hi all,

we want to use CIPP but our Legal had the following questions for us. Can someone please help us and answer these? I already provided the info that i could find on the website but maybe you guys can tell me more.

1. So I understand the risk correctly; CIPP will have read and write capabilities to multiple customers O365 (including their GDPR data), so do we have appropriate access controls / role based access in place?

2. Is CIPP externally accessible, or exposed to the internet? How do we protect CIPP from being compromised?

3. If this system was compromised, I presume it could compromise all customers we use it to manage?

My own questions is: is it possible to give access to users for different tenants. For example a group of 4 only see 5 tenants and the more advanced group sees 10 tenants?

Thank you in advance.

Kind Regards Dinesh

[BNWEIN]

Hey Dinesh. Ill try and help answer what i can!

CIPP its self uses an "app registration" within your own tenant that in turn has access to your customers based on the permissions you give it. (More on those permissions can be found here - https://cipp.app/docs/user/gettingstarted/permissions/).

There is limited access controles/role based access within CIPP, however there is some. There are three roles in total.

Read Only
Editor
Admin

More on these roles can be found here (https://cipp.app/docs/user/gettingstarted/roles/)

Depending on where you host CIPP (if you go sponsored and ask Kelvin and his team to access it, or if you want to take the next level from a security perspective and host it in your own azure) you can apply conditional access policies to access it, just like you would apply a conditional access policy to access any other Office 365/Azure Resource. For example, at my company, you must be on a company owned computer, and have used MFA to access any Office 365/Azure Resource. If you do not fit this criteria, then you will not be able to login to Office 365, or CIPP. CIPP Would use your Office 365 Credentials to sign into it.

You can also enable Private Networking to require a VPN To access your CIPP instance.

If the system was compromised, then yes, its possible the person could carry out any actions in CIPP that the role they compromised allowed them to. However, this is no different to what they could do in your Office 365 Partner Administration page if they compromised the same account.

You cannot give some users access to some tenant, and others access to another group of tenants. At least this is not something you can do right now.

Kelvin and several other developers are constantly working on the platform to add new features and i would guess (and this is just a guess!) that in the future more role based access control maybe implemented.

Hope this helps!

[DineshBhagwandin1]

Thank you for your quick reply. I think this answers my questions as for the first part i already gave legal as an answer.

If we manage to change some codes and/or update some features where can we upload these to let the community in on it? and asess.

Thanks in advance again..

[BNWEIN]

The platform runs off your own github repositories. You can edit any of the files and create a PR With Kelvin's dev branch, if he approves the changes, then when he pushes his dev to the main branch the community would get access to the additional features you have built.

Hope this helps.

[DineshBhagwandin1]

Thanks!!