Contents
Note that Security Initialization Settings are only available in WorkPoint 365 version 4. Also note that using the feature requires it to be enabled on your WorkPoint License.
1. Introduction
Initialization settings for WorkPoint 365 security builds upon the WorkPoint security settings, and consultants who are to configure initialization settings are expected to have an advanced understanding of WorkPoint's security engine.
When an entity is created in WorkPoint 365, the security engine will as standard be granting the person who created the entity "Contribute" permissions immediately. This ensures that the creator can access the entity without delay. This assignment will only be temporary until all security rules has been applied and been implemented to avoid a time frame where the user didn't have access at all. However, this default setting may not always be sufficient for scenarios where more control and specificity are needed.
To address the need for more controlled access to newly created entities, WorkPoint 365 offers "Initialization settings." Administrators can enable "Security Initialization," which allows you to trigger security rules targeting entities or SharePoint groups to run at the moment of entity creation. This means that, in addition to the entity creator, other relevant personnel can be granted specific permissions immediately.
The primary reason for using Initialization Settings is to provide immediate and granular access control to entities beyond the default "Contribute" permissions after the initial security is set, but before the post-entity-creation security job is run. For instance, if a Project entity requires its project manager to have "Full Control" permissions from the moment of creation, Initialization Settings can be configured to ensure this access. This feature enhances security and efficiency, allowing organizations to meet specific access requirements and maintain a higher level of control over entity security.
Before going deeply into the Security Initialization Settings, it is important to understand how initial security traditionally set when new entities are created.
When a buffer site is created, the static rules configured on the business module are applied to the entity and the underlying lists and libraries. At some point, a new entity is created on the business module. This can be done either through WorkPoint Automate, the WorkPoint API, or other actions. When the entity is created, WorkPoint's entity creation provisioning engine runs a job which performs the entity site provisioning. During this job, an available buffer site is connected to the entity. If no buffer site is available, a new site is created for the entity. As part of this provisioning job, an initial security job is run where the entity author, meaning the person who created the entity, is granted "Contribute" permissions to the site. Once the initial security job is complete the site is ready for use and users can in theory access it. Soon thereafter, another post-creation security job is run which removes the permission granted to the entity author by the initial security job, and applies all dynamic security rules configured on the business module (* if their activation conditions are met)
As previously mentioned, this traditional setup is sufficient in many cases, but in others it may be necessary to be able to finely define who gets initial access to the entity and site.
Using the security initialization settings, you can postpone the the readiness of the site by inserting a job after the initial security. This job can apply specific security rules to the entity and the SharePoint groups on the site. We refer to these security rules as High priority security rules. This approach is exemplified in the following image:
In the image above, we can see that the "High priority security rules" block is executed after the initial security has been set, and before the site is ready for users to enter. As previously mentioned, the person who created the entity is granted Contribute permissions to the site by the initial security job. By applying the high priority security rules before site readiness, it is possible to grant other personnel, e.g., a Project Manager, access to the project immediately upon entity creation instead of them having to wait until the subsequent security job applies all security rules.
As a general recommendation, the high priority security rules should be targeted at the current user, i.e., the user who created the entity or any personnel who needs immediate access to the entity upon creation.
2. Requirements
Security Initialization Settings are only available in WorkPoint 365 version 4. Also note that using the feature requires it to be enabled on your WorkPoint License.
Additionally, this feature is included in the eXtreme premium extension package. You can read more about this package in this presentation (Source: WorkPoint Partner Portal).
3. Configuration
Initialization settings can be configured in the "Initialization Settings" section of the Security Settings page of any business module:
3.1. Activate Run Selected Rules on Entity Adding
With this setting enabled, administrators gain the ability to configure Entity- and SharePoint Group scoped security rules to run at the precise moment of entity creation. When enabled, rules with these scopes gain an additional option called "Run on Entity Adding", as shown in the following image:
Security rules which have this setting enabled will be applied as part of the "High priority security rules" block, and before the site is ready for other users to enter. All other rules will be applied when the automatic security job is run after the site is ready.
3.2. Initialization mode and condition
Enabling the Initialization mode and providing an activation condition makes it possible to postpone the post-creation security job which applies all security rules to the entity and site (and underlying lists and libraries, etc.) until the activation condition is met.
This approach is visualized in the image below:
In this visualization, we have an activation condition using the business module field "initMode" with the value "true". When a new entity is created with the initMode field set to true, the "Apply all security rules" security job is postponed until the activation condition is no longer valid, i.e. when the entity's initMode value is set to false. The time between when the site is ready and the activation condition is changed can be used to run custom jobs. One example could be when the site is ready, to call and endpoint which returns some data and updates the entity in some way.
This allows automated systems to perform actions on the entity, e.g., add team members to the entity's meta data fields, or similar actions before all security rules are then applied to the entity, site, etc. in the time between where the site is ready and the initMode value is set to false.
This part is configured by enabling the "Initialization Mode Enabled" checker and selecting a configured activation condition in the field below:
4. Best practices
To enhance security, use high priority security rules for the current user (the user creating the entity) or personnel needing immediate access. Other users can typically wait for access until the post-creation security job runs or initialization mode ends.
Use high-priority security rules sparingly to prevent delays in the post-creation security job, which can prolong the time it takes for other users to gain access to the entity.
Comments
0 comments
Please sign in to leave a comment.