Article published on the 1st of August, 2024.
1. Introduction
When you work in your solution, WorkPoint uses site collections to store your data. Every project, case, company, etc. typically has its own site collection in which related documents, emails, tasks, etc. are stored and managed. WorkPoint offers a seamless and efficient user experience by managing the provisioning of these site collections itself. For this to work, WorkPoint prompts you during installation to grant various permissions. These permissions are important for the software to function automatically and effectively.
To create site collections in your Microsoft 365 tenant, WorkPoint must be granted the Sites.FullControl permission scope. Consenting to this allows WorkPoint to create new site collections in your tenant. However, it also grants WorkPoint access to all other site collections in your tenant, even though WorkPoint does not access or change any data outside the WorkPoint solution.
We understand that some customers may have concerns about the extent of these permissions, which might not align with their organization's data privacy and security policies.
To address these concerns and give you greater control over your data, we offer an alternative option. With this option, the customer creates the site collections for WorkPoint and grants permissions only to those specific site collections that are relevant to WorkPoint. This option uses the Sites.Selected permission scope.
2. What is Custom Site Collection Provisioning?
To understand Custom Site Collection Provisioning, you first need to understand how WorkPoint manages site provisioning with the standard settings. This is illustrated in the following figure.
Many site collections can exist within your tenant. Some might be used by WorkPoint, while others might not. To provide a good user experience, WorkPoint needs site collections to be created in advance, so the user doesn't have to wait for provisioning when requesting e.g. a new project. This functionality is called buffer sites. Buffer sites are managed by the WorkPoint Backend, which runs outside your tenant. When the number of buffer sites falls below a certain threshold, the Site Provisioning Engine in the backend starts creating new site collections and adds them to the buffer. As mentioned, this requires the Sites.FullControl permission scope.
With Custom Site Collection Provisioning, you can manage this within your own tenant, ensuring that you keep full control and that WorkPoint doesn't need the Sites.FullControl permission scope. Consider the following figure.
In this scenario, an automation hosted in the customer's tenant manages the site provisioning. This automation can be implemented using many different technologies in Azure (e.g. PowerBook, Flow, Logic Apps, Function Apps, etc.). The automation is responsible for creating the sites and afterwards registering them in WorkPoint. It also adds the required consent (Sites.Selected) on each site, so WorkPoint has access only to the required site collections. The outcome is that WorkPoint accesses only the sites that belong to a WorkPoint solution, while the rest (the red sites in the figure) are inaccessible to the WorkPoint backend. The automation can be notified when the number of sites in the buffer is low, or you can check the status of the buffer regularly.
3. Why use Custom Site Collection Provisioning?
In most cases we recommend that you choose the standard site provisioning engine in WorkPoint, but in some scenarios it makes sense to use the setup described in this article.
Enhanced Data Privacy
By restricting permissions to specific site collections, you maintain greater control over which data the software can access. This approach ensures that sensitive information in other site collections remains inaccessible to the software, thereby aligning with your data privacy policies.
Increased Security
Limiting permissions to designated site collections reduces the risk of unauthorized access to your organization's broader SharePoint environment. This containment helps in mitigating potential security vulnerabilities and ensures that only necessary data is accessible.
Meet advanced compliance requirements
For organizations subject to strict regulatory requirements, this method offers a way to comply with data protection laws and standards by minimizing the scope of permissions granted.
In the following sections, we will guide you through the step-by-step process of manually creating site collections and configuring the necessary permissions for WorkPoint. This approach ensures that you can enjoy the full benefits of our software while maintaining stringent control over your SharePoint environment. We will demonstrate the approach using a Microsoft CDX tenant to simulate a brand new tenant.
4. How to add site collections to WorkPoint
The process of creating and registering site collections for WorkPoint involves the following steps:
- Install WorkPoint 365 on your tenant. Be sure to select "No" when the installer asks whether WorkPoint should create sites for you automatically. This step also includes granting the necessary consents.
- In the SharePoint administration, create the site collections you need for WorkPoint's one-site architecture or as bucket site collections (you can create more as you go).
- In the WorkPoint administration, enable "Site collection buffer".
- For each site collection, grant the WorkPoint app permissions on that specific site collection.
- For each site collection, register the site collection in WorkPoint and apply WorkPoint to the site.
- Create a business module using either the "Multiple entities per site collection" or "One entity per site collection" architecture.
- You can now start creating entities in the business module.
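As an added example (not part of this article and not WorkPoint's own tooling), the following PowerShell script shows the per-site grant step used by the automation described in section 2 and in the permissions step of the list above, applied to one site collection with PnP PowerShell. It assumes PnP.PowerShell is installed, the caller is a SharePoint administrator, and the placeholder app id is replaced with the WorkPoint app's client id; the permission level WorkPoint requires on a site is not stated in the article, so it is a parameter that defaults to Write.

```powershell
<#
  Added example, not WorkPoint's script. Grants the WorkPoint app access to ONE
  site collection under the Sites.Selected model, then lists every app grant on
  that site so you can verify nothing else has access.
  Assumptions (not from the article): PnP.PowerShell is installed, the caller is a
  SharePoint administrator, and the app id below is replaced with the real one.
#>
param(
    [Parameter(Mandatory)] [string] $SiteUrl,                        # e.g. https://contoso.sharepoint.com/sites/wp-buffer-0001
    [string] $WorkPointAppId = "<WORKPOINT-APP-ID-PLACEHOLDER>",     # app (client) id of the WorkPoint app registration
    [ValidateSet("Read", "Write")] [string] $Permission = "Write"    # level WorkPoint needs on the site (assumed; check WorkPoint docs)
)

# Connect to the site collection itself; the grant is scoped to this site only,
# which is the whole point of Sites.Selected versus Sites.FullControl.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Idempotency check: do not create a duplicate grant if the app already has one.
$existing = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $WorkPointAppId

if ($existing) {
    Write-Host "WorkPoint already holds '$($existing.Roles -join ',')' on $SiteUrl (permission id $($existing.Id))."
} else {
    $grant = Grant-PnPAzureADAppSitePermission -AppId $WorkPointAppId `
                 -DisplayName "WorkPoint 365" -Permissions $Permission -Site $SiteUrl
    Write-Host "Granted '$Permission' to WorkPoint on $SiteUrl (permission id $($grant.Id))."
}

# Verification: every app that now has a Sites.Selected grant on this site.
# Any app other than WorkPoint in this list deserves a second look.
Get-PnPAzureADAppSitePermission -Site $SiteUrl | Format-Table Id, Roles, Apps -AutoSize

Disconnect-PnPOnline
```

Run the script once per site collection you create for WorkPoint; sites you never pass to it stay inaccessible to the WorkPoint backend.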