Updating AAD Docs and UserAssignment Roel Description. (#1581)

* Updating doc and role description. * Update src/deployment/deploy.py Co-authored-by: Cheick Keita <kcheick@gmail.com> * Update docs/AADEntitites.md Co-authored-by: Cheick Keita <kcheick@gmail.com> Co-authored-by: nharper285 <nharper285@gmail.com> Co-authored-by: Cheick Keita <kcheick@gmail.com>
2025-06-15 19:38:11 +00:00 · 2022-01-14 10:02:14 -08:00
parent 7c3beb4d6f
commit f02f3f0ae2
2 changed files with 15 additions and 2 deletions
--- a/docs/AADEntitites.md
+++ b/docs/AADEntitites.md
@ -9,14 +9,19 @@ This is the registration of the OneFuzz instance.
        * value: ManagedNode
        * Allowed Member types: Applications
    * _CliClient_
-        * value: ManagedNode
+        * value: CliClient
        * Allowed Member types: Applications
+    * _UserAssignment_
+        * value: UserAssignment
+        * Allowed Member types: Users/Groups 
 * API Permissions
    * _User.Read_ ([Microsoft Graph](https://docs.microsoft.com/en-us/graph/permissions-reference#user-permissions))
 * scope
    * `user_impersonation`
 * Authorized application:
    * OneFuzz CLI registration
+* Properties: 
+    * Assignment required?: Yes

 ### OneFuzz Application Service Principal
 Service principal linked to the OneFuzz application registration.
@ -42,3 +47,11 @@ This entity is available after the first deployment. This is the service princip
 * Service Principal
    * Permission
        * _ManagedNode_ (from OneFuzz Application registration)
+
+### Deployment Service Principal
+This entity is the 'user' service principal that invokes a OneFuzz deployment. This service principal is assigned access to the instance's primary App Registration. 
+
+* name: `<user_name_sp>`
+* Service Principal
+    * Permission
+        * _UserAssignment_ (from OneFuzz Application registration)
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -324,7 +324,7 @@ class Client:
            },
            {
                "allowedMemberTypes": ["User"],
-                "description": "Allows user access from the CLI.",
+                "description": "Allows user to access the OneFuzz instance.",
                "displayName": OnefuzzAppRole.UserAssignment.value,
                "id": str(uuid.uuid4()),
                "isEnabled": True,