Access, Authentication and Authorisation Essentials

TeamForm architecture and terminology

• TeamForm is typically setup to have one Tenant per customer, then depending on the needs of the customer there will be one or more Workspaces.

• A tenant is how TeamForm is provisioned at the infrastructure level, it determines the hosting region.

• A workspace is a single instance or environment of TeamForm. The most common use case is team directory, this can also be configured to support team based workforce management (e.g. managing membership relative to demand and planning over a number of periods.)

First some definitions and an analogy to create a common understanding

Access

• TeamForm is a Cloud native SaaS platform that is accessible over the internet. Your tenant is configured to your needs e.g. mycompany.teamform.co (often referred to as a vanity domain).

• Functionality: this is a default behaviour.

• Implementation: during initial implementation it is possible to provide access manually to a subset of your users until the SSO solution is working. From a risk perspective, it is recommended that this list be kept low so that it doesn’t further expose you to people having incorrect access.

Further reading:

• Access Groups and User-Based Access Controls

Authentication

• TeamForm integrations with customer SSO solutions through a solution known as Auth0, this is compatible with the most common SSO solutions used in the industry and itself is becoming an industry standard for SaaS platforms.

• It is common for customers to use: MS Entra ID (formerly MS Azure AD), Google Auth, LogMeIn etc. These solutions are controlled on the customer side, this enables supporting processes such as joiners / movers / leavers with confidence that access is controlled and compliant to customer policy.

• Functionality: driven from customer SSO solution and then mapped into TeamForm’s Identity Provider (IdP).

Further reading:

• Single Sign-On Configuration Guide

Authorisation

• Authorisation is a key concept that takes authentication a step further. Once users are authorised.

• Analogy: Authorisation is what floors or facilities a user can use

• Functionality: the below 4 access groups are established in the customers Identity and Access Control Provider (IACP). Membership is controlled by the customer. TeamForm has no control over authorisation when using an SSO solution.

• Consideration: When setting up these access groups, in your IACP, consider who the appropriate approvers would be as they will be responsible for approving authorisation requests. This could be one or multiple approvers in a workflow, e.g. a data steward, line manager, specialised approver etc.

• TeamForm uses the following 4 access groups: directory, power, admin, report

• These access groups can be combined to enable users to have multiple access groups e.g. someone can have authorisation to both the power and report access groups.

Further reading:

• How to grant workspace access to users

• How to remove workspace access from specific users

Group / Team Access restriction

• If you have a need to further restrict access groups to specific teams only, this can be achieved with a more granular approach that requires additional integration.

• Further access restrictions can be applied to Teams / Groups: Group access restrictions

Workspace restricted access

• Depending on your use case, it is also possible to restrict / limit access to a workspace to a subset of TeamForm users either long term or for the duration of an activity.

• Functionality: this is driven through the admin section Workspace access

• Further access restrictions at the Workspace level: Workspace access restrictions