Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This article is high level explanation of how TeamForm provides access, authentication and authorisation. This topic can be quite deep so having a common understanding is useful to create alignment and help explain some of the deeper topics.

TeamForm architecture and terminology

  • TeamForm is typically setup to have one Tenant per customer, then depending on the needs of the customer there will be one or more Workspaces.

  • A tenant is how TeamForm is provisioned at the infrastructure level, it determines the hosting region.

  • A workspace is a single instance or environment of TeamForm. The most common scenario is as a team directory, this can also be configured to support team based workforce management (e.g. managing membership relative to demand and planning over a number of periods.)

First some definitions and an analogy to create a common understanding

Term

Definition

Analogy

Access

Your ability to connect

Entering the foyer in a building

Authentication

Your ability to login

Getting past security

Authorisation (Coarse grain)

Your ability to access specific functionality

Getting to one or more floors

Authorisation (Fine grain)

Restricting functionality to a set of data

Access restricted to certain rooms on a floor

Access

  • TeamForm is a Cloud native SaaS platform that is accessible over the internet. Your tenant is configured to your needs e.g. mycompany.teamform.co (often referred to as a vanity domain).

  • Functionality: this is a default behaviour.

  • Implementation: during initial implementation it is possible to provide access manually to a subset of your users until the SSO solution is working. From a risk perspective, it is recommended that this list be kept low so that it doesn’t further expose you to people having incorrect access.

Further reading:

Authentication

  • TeamForm integrations with customer SSO solutions through a solution known as Auth0, this is compatible with the most common SSO solutions used in the industry and itself is becoming an industry standard for SaaS platforms.

  • It is common for customers to use: MS Entra ID (formerly MS Azure AD), Google Auth, LogMeIn etc. These solutions are controlled on the customer side, this enables supporting processes such as joiners / movers / leavers with confidence that access is controlled and compliant to customer policy.

  • Functionality: driven from customer SSO solution and then mapped into TeamForm’s Identity Provider (IdP).

Further reading:

Authorisation

  • Authorisation is a key concept that takes authentication a step further. Once users are authorised.

  • Analogy: Authorisation is what floors or facilities a user can use

  • Functionality: the below 4 access groups are established in the customers Identity and Access Control Provider (IACP). Membership is controlled by the customer. TeamForm has no control over authorisation when using an SSO solution.

  • Consideration: When setting up these access groups, in your IACP, consider who the appropriate approvers would be as they will be responsible for approving authorisation requests. This could be one or multiple approvers in a workflow, e.g. a data steward, line manager, specialised approver etc.

  • TeamForm uses the following 4 access groups: directory, power, admin, report

  • These access groups can be combined to enable users to have multiple access groups e.g. someone can have authorisation to both the power and report access groups.

Further reading:

Group / Team Access restriction

  • If you have a need to further restrict access groups to specific teams only, this can be achieved with a more granular approach that requires additional integration.

  • Further access restrictions can be applied to Teams / Groups: Group access restrictions

Workspace restricted access

  • Depending on your use case, it is also possible to restrict / limit access to a workspace to a subset of TeamForm users either long term or for the duration of an activity.

  • Functionality: this is driven through the admin section Workspace access

  • Further access restrictions at the Workspace level: Workspace access restrictions

For org design specific use cases or new workspace setup, please contact support. https://www.teamform.co/help

  • No labels