dv-security
Skill: Security — Role Assignment and Self-Elevation
This skill uses PAC CLI exclusively. Do NOT write Python scripts for role operations.
Preview Before Running
Role grants and self-elevate are destructive (they change security posture and are logged to Purview). Before running, preview the action in plain prose — target user, role, environment(s) — using placeholders (<ENV_URL>, <USER_EMAIL>) for anything unknown, and ask for confirmation and missing values in the same turn. Skip the raw pac admin block; the user shouldn't have to read CLI syntax to approve a security change.
Key principle: the user should be able to evaluate what's about to happen from your first response. A bare "which environment?" fails that test; a one-line prose preview passes it.
Examples
Assign role (user given, env missing):
- ❌ "Which environment should I target?"
- ✅ "I'll assign System Administrator to user@contoso.com on <ENV_URL>. Confirm to proceed and provide the target environment URL (or 'all' to list and batch)."
Admin access across all environments:
- ❌ "Please provide your email address."
- ✅ "I'll list your environments, then assign System Administrator in parallel on each one for <YOUR_UPN>. If assign-user fails on any environment, I'll fall back to self-elevate (logged to Purview) for that one. Confirm to proceed and provide your UPN."