Nova facilitates Role-Based Access Control (RBAC). That means you use it to grant permission for someone to do something, against something. For example, an administrator might grant permission for people to access a certain application. Or, an office manager might grant access for others in the office to use certain resources.

A Nova admin configures authorization policies to specify who can perform certain actions within a tenant, and the conditions associated with those actions.
There are 4 pieces to an authorization policy:

  • Tenant: Authorization policy is applied to a certain tenant. For example, North America.
  • Delegate: The person to whom rights are granted. They can do something with the tenant. For example, VP of Operations.
  • Action: The activity the person can perform. For example, update user.
  • Conditions of the action: Any conditions related to the delegate performing the action. For example, when the VP of Operations updates a user’s information, you can specify whether they can see/update all of the user’s attributes or only some of them.

When an authorization policy grants someone rights to perform a certain action, that person logs in to Nova to perform the action.
For example, let’s say a manager can perform certain actions (like setting out of office messages and granting access to SharePoint resources) for the users on their team. The manager uses single sign-on (via their AAD credentials) to log in to Nova and perform the actions. Actions performed by the manager are pushed to other applications (for example, Exchange Online). It’s important to note that the manager’s Nova instance only shows options that are relevant to the activities they can perform in the application.
Here’s a video overview of authorization policies:

Setting up a new authorization policy

Follow the steps below to create an authorization policy.

  1. In the left menu, select Manage Administration > Authorization policies.
  2. Click Add.
  3. Enter a name for the policy.
  4. Specify settings, if desired:
     • Default user policy: Select this option if the policy applies to all organizational units in a tenant. For example, select this option if you want the helpdesk to be able to update all users in the organization.
     • Self service: Select this option if you want a user to be able to perform a specific action on their own user object when they log in. For example, select this option if you want a user to be able to update their own phone number and address.
     • Is template: Select this option if you want to create a template policy that you’ll use across tenants.
  5. Using the Delegate to tab, assign the policy to users.
  6. Using the Managed objects tab, specify where the delegated rights are assigned.
  7. Using the Actions tab, add tasks you’re delegating.
  8. Using the Properties tab, add any conditions to the policy. For more information, click here.
  9. Click Save to create the authorization policy.
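
To make the effect of these settings concrete, here is an added example (not Nova code and not from the original page) that models the four policy pieces plus the Default user policy and Self service options, and evaluates an "update user" request with deny-by-default. The field names, the sample accounts and the rule that grants from several matching policies are combined are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:                                  # hypothetical model, not Nova's schema
    tenant: str                                # piece 1: tenant
    delegates: frozenset                       # piece 2: "Delegate to" tab
    actions: frozenset                         # piece 3: "Actions" tab
    allowed_attrs: Optional[frozenset] = None  # piece 4: conditions; None = all attributes
    managed_ous: frozenset = frozenset()       # "Managed objects" tab
    default_user_policy: bool = False          # applies to every OU in the tenant
    self_service: bool = False                 # only the delegate's own user object

def in_scope(p, actor, target_user, target_ou):
    if p.self_service:
        return actor == target_user
    return p.default_user_policy or target_ou in p.managed_ous

def permitted_attributes(policies, actor, tenant, action, target_user, target_ou, attrs):
    """Attributes of target_user the actor may change; an empty set means denied."""
    granted = set()
    for p in policies:
        if p.tenant != tenant or actor not in p.delegates or action not in p.actions:
            continue                           # policy does not match this request
        if not in_scope(p, actor, target_user, target_ou):
            continue                           # target lies outside the managed objects
        # Assumption: grants from all matching policies are combined.
        granted |= set(attrs) if p.allowed_attrs is None else set(attrs) & p.allowed_attrs
    return granted

# Constructed sample policies for the tenant used in the examples above.
CONTACT = frozenset({"phone", "address"})
POLICIES = [
    Policy("North America", frozenset({"vp.ops@example.com"}), frozenset({"update user"}),
           managed_ous=frozenset({"Operations"})),
    Policy("North America", frozenset({"helpdesk@example.com"}), frozenset({"update user"}),
           allowed_attrs=CONTACT, default_user_policy=True),
    Policy("North America", frozenset({"alice@example.com"}), frozenset({"update user"}),
           allowed_attrs=CONTACT, self_service=True),
]

if __name__ == "__main__":
    req = ("North America", "update user", "bob@example.com", "Finance", {"title", "phone"})
    for actor in ("vp.ops@example.com", "helpdesk@example.com", "alice@example.com"):
        print(actor, sorted(permitted_attributes(POLICIES, actor, *req)))
```

Running the same request set against a planned policy change is a quick way to spot a grant that is broader than intended, such as a Default user policy with no attribute conditions.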

Editing or deleting an authorization policy

To edit or delete an existing authorization policy:

  1. In the left menu, select Manage Administration > Authorization policies.
  2. Locate the policy you want to edit or delete, and select it.
  3. Either:
     • Click Edit, make desired changes, and click Save to apply all the edits.
     • Click Delete and confirm the delete action.

Delegating action(s) to an authorization policy

Follow these steps to delegate an action to an authorization policy:

  1. In the left menu, go to Manage Administration > Authorization policies.
  2. Select an existing policy, and then click Edit.
  3. In the Assignment frame, select the Actions tab, and then click Add.
  4. Locate the action(s) you want to add, select it/them, and then click the Add button located in the top right corner of the window.
  5. Select the Properties tab and select any conditions. For more information, click here.
  6. Click the blue Save button.

Examples of authorization policies

In this video we see how to delegate the ability to perform password resets:

In this video we see how to delegate the ability to manage out of office (automatic replies) messages:

In this video we see how to delegate the ability to manage multi factor authentication settings for users:

Which policies apply?

After you’ve gone through the work of setting up and assigning policies, here’s how you can see which policies apply to a certain virtual organizational unit:
