Group access restrictions
- Space Sync for Confluence
Group access restrictions allows an admin to configure TeamForm so only explicit users can access particular functionality (Planner, Forecast & Team Builder) on specified groups (teams).
All users can still see all teams and people in the organisation, but only explicitly defined users can access the Planner, Forecast & Team Builder tabs in TeamForm.
This group access restriction, combined with other TeamForm optionality such as restricting tags are shown in the TeamForm app, allow TeamForm to be setup in a way to allow confidential organisation changes to be planned with only limited visibility to explicit users.
Users are prevented from downloading to CSV and Team data that they aren't explicitly entitled to access.
Use-case
The key use-case is a organisational change project. This can allow each ‘manager' can make edits in a confidential way without them being revealed to managers of other groups.
Considerations
As TeamForm operates with a dual hierarchal group structures - demand and supply - a key consideration is the setup of this matrix structure to be compatible with the desired group access restrictions.
To restrict a user to one particular demand team, the user also needs access to all of the supply teams where people are sources from.
TeamForm can explain and advise on your hierarchal setup so that it is compatible with the group restrictions you desire.
Setup
To enable group access restrictions on a workspace, go to Configure Workspace → Group access:
Once enabled only admin users will be able to access Planner, Forecast and Team Builder.
Granting access
All users have zero access to groups by default. Only admin users receive unrestricted group access.
Access is permitted via a allowlist of user and group combinations. That is for each user a list of groups that are permitted to access is established.
To grant users access to groups, an import needs to be performed that specifies the group IDs that they can access. The user will have visibility of these groups and any of the child groups.
The IDs need to be under a column or mapped to a column named AccessGroupIds and should be enclosed in " . Multiple group ids can be provided, separated by a ; delimiter.
Example CSV import permitting user 123456 to access three groups:
PersonID | Attributes:id:email:Email | AccessGroupIds |
123456 | “XXXX1234;YYYY1234;ZZZZ1234” |
This CSV file then needs to be imported using a File Upload → Data integration.
To check what access levels a user has and Admin or Support user will see an Access to Panel on an individuals home page.
If a user has been granted access to a Group, then they will also have access to all the children of that group