
TeamForm has defined user access groups, which provide access to parts of the application. It also has additional user-based access controls, which further define the information and functionality available based on the user.

User groups are typically defined via SSO Groups.

TeamForm Access Groups

Access group: Directory (typically given to all team members)

Access: Directory Only

Functionality: Directory view (for default workspace only):

  • View tags if set visible in Directory via tag config

  • Edit tags in directory if enabled via tag config

  • Edit team name, description, background in directory within own team (if enabled).

Access group: Power (typically given to leaders of teams, to enable team and work planning)

Access: Directory and TeamForm App

Functionality: Directory plus TeamForm app (for default workspace only):

  • View team summary page

Access group: Admin (typically given to TeamForm Admins)

Access: As above plus admin controls

Functionality:

  • View other workspaces via workspace switcher in directory and TeamForm app

  • View & edit global settings

  • Workspace management

  • Workspace Config

  • Edit details for all teams

Access group: Reporting (typically analyst / reporting, some leadership roles, admin roles)

Access: TeamForm reporting

Functionality:

  • View queries and data for enabled workspaces, aka data sources (set at group / user level via reporting settings).

Access group: TeamForm Support

Access: All of above plus dev tools

Functionality:

  • Devtools (bulk moves, bulk allocations, batch operations for groups / people / tags, workspace cloning, workspace feature flags)

Additional Access Controls

User Home

A user can be shown a personalised landing page in both App & TD.

TeamForm needs to be able to link a user’s auth0 account to person data stored in the teamform-api backend. The mechanism for this is email address matching.

A user’s email address needs to come in as an attribute with a type of id to be used for this purpose. The easiest way to achieve this is to run an import with this column header, where each row contains the email address of the person: Attributes:id:email:Email

When a user makes a request we attempt to match the email on their auth0 profile to the email addresses that we have imported. We first try an exact match, and then a lowercase match.

Troubleshooting

  1. Ensure the person data returned from the backend has the id attribute. The easiest way is to use devtools on Chrome or Firefox and inspect the person → attributes payload on the network tab.

  2. Ensure the user’s email on their auth0 user matches what we’ve stored in the backend. Use the auth0 webapp to see the user’s email address.

  3. Ensure the flagsmith feature flag user-routed-to-personal-dashboard is not set to false.

The feature can be tested in dev by performing an import that has your own email address as an attribute, and then visiting TD or App.

Example: personalised landing page when email is matched on login

Example: a view of a user's details page that all other users see

Group Access Restrictions

A user can be restricted from accessing groups (i.e. teams) within planner, forecast and teambuilder.

To enable group access restrictions on a workspace, go to Configure Workspace → Group access.

Once this is toggled on, only admins will be able to see all groups via planner etc.

To grant users access to groups, an import needs to be performed that specifies the group ids that they can access. They will have visibility of these groups and any of their children.

The ids need to be under a column or mapped to a column named AccessGroupIds. Multiple group ids can be provided, separated by a ; delimiter.

Example CSV import:

PersonID,Attributes:id:email:Email,AccessGroupIds
48066180,philip.dempster@companyname.com,XXXX1234;YYYY1234;ZZZZ1234

This CSV file then needs to be imported using a File Upload → Data integration.

To check what access levels a user has, an Admin or Support user will see an Access to panel on an individual's home page.

If a user has been granted access to a Group, then they will also have access to all the children of that group.
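The email-matching and group-access rules described above, sketched as an added example for auditing an import file before upload; this is not TeamForm's own code. The child-to-parent map, the sample rows, lowercasing both sides for the second match, and denying on no match are assumptions, and the admin bypass is not modelled.

```python
import csv
import io

# Constructed sample import; the column names are the ones this page specifies.
IMPORT_CSV = """PersonID,Attributes:id:email:Email,AccessGroupIds
10000001,Alex.Example@example.com,XXXX1234;YYYY1234
10000002,jo.sample@example.com,
"""

# Assumed group hierarchy (child -> parent); ids are constructed placeholders.
PARENT = {"XXXX1234": None, "XXXX-A": "XXXX1234", "XXXX-A1": "XXXX-A",
          "YYYY1234": None, "ZZZZ1234": None, "ZZZZ-A": "ZZZZ1234"}

EMAIL_COL = "Attributes:id:email:Email"


def load_grants(text):
    """Map each imported email to the set of group ids granted in its row."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        ids = {g.strip() for g in (row.get("AccessGroupIds") or "").split(";")}
        grants[row[EMAIL_COL].strip()] = ids - {""}
    return grants


def match_email(login_email, grants):
    """Exact match first, then a lowercase match (assumed: both sides lowered)."""
    if login_email in grants:
        return login_email
    lowered = login_email.lower()
    hits = [e for e in grants if e.lower() == lowered]
    # Refuse to guess if two imported emails differ only by case.
    return hits[0] if len(hits) == 1 else None


def can_access(login_email, group_id, grants, parent=PARENT):
    """True if the group itself or any ancestor of it was granted to the user."""
    email = match_email(login_email, grants)
    if email is None or group_id not in parent:
        return False  # unmatched user or unknown group: deny (assumption)
    seen = set()  # guards against a cyclic hierarchy
    while group_id is not None and group_id not in seen:
        if group_id in grants[email]:
            return True
        seen.add(group_id)
        group_id = parent.get(group_id)
    return False


GRANTS = load_grants(IMPORT_CSV)
```

Running `can_access` for each person against the groups they should not see is a quick way to catch a grant placed too high in the hierarchy, since every descendant inherits it.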

Workspace Access Restrictions

When there is more than one workspace, a user can be restricted from accessing one or more workspaces.

To enable workspace restrictions on a workspace, go to Configure Workspace → Workspace access.

Once this has been enabled, users can be granted access to the workspace with an import that specifies their email address, which needs to match their user login.

Example CSV import

For reporting access controls, see Workspace Reporting
