Article published on the 21st of October, 2021.
This feature is only available from WorkPoint 365 Version 4.0.
1. Introduction
To control permissions in WorkPoint, admins typically configure security rules.
These rules can relate to various elements in SharePoint (e.g. lists, sites, entities, etc.). The rules ensure that specific users (identities) get permissions to the elements they need.
Currently, the identities are either static Azure Active Directory users/groups or dynamic identities based on entity roles, such as Project Manager or Team. The entity roles are user fields (properties) of the entities.
If an entity (e.g. a project) requires the involvement of many users, storing them in properties can be a problem. First, there is a limit on the number of user fields per list, and second, a property holding many users is hard to manage.
The Security Rules for Entity Role Lists feature can be used to organize all identities of people who need access to an entity in a list on the entity itself, and control who in the list can access which information.
This provides better opportunities for overview and easy management of users of entities, especially when working with a lot of users.
As a user, you will be able to create a new user in a list on an entity site, assign a role to the user using properties and let the system manage access automatically. You will also be able to create an external user using an e-mail address as identifier in a list on an entity site and let the system create the user and assign relevant permissions.
As an admin, you will be able to create security rules which work with an entity site list as source for identities (the users who will get permissions).
You can read much more about the WorkPoint Security system in this article.
2. Requirements
Security Rules for Entity Role Lists is part of the Advanced Security license which is required for the feature to work. If you do not have this license, contact WorkPoint sales at sales@workpoint.dk for more information.
3. Configuration
Configuration of security rules is done per business module. In order to create a security rule based on members of a list on an entity, we need to access the WorkPoint Administration.
In this instance, we will create a security rule for Projects which looks at a list on each entity called "Members". These lists contain people (or "identities") who are related to the projects. The rule is going to grant people designated as "Project Manager" the "Full Control" permission level to the site of the project entity:
- In the WorkPoint Administration, we click the header of the business module for which we want to create a new security rule. In this case, we will create a new rule for the Projects module.
- In the drop down menu, click "Security Settings".
- In the "Edit security settings" page, click the "Add security rule" button.
- To enable the new security rule, check the "Active" checkbox.
- Optionally, you can select an activation condition for the security rule. This condition must be fulfilled for the security rule to activate.
- To use people from a list on an entity as the identity source for a security rule, we must select the "Dynamic" type.
- In this instance, we want the rule to control the permission level to the site of the project entities. We therefore select "Site" as scope.
- Since we selected the "Dynamic" type for the security rule, we can now select "Entity site list" in the Identity source selector. This will enable us to select a list on projects to target the security rule for.
- In the "Identity list" selector, we can select from all lists present on project master site. In this instance, we have a list called "Members" which contains identities relevant to the projects. It is from this list we will target identities for the security rule.
- In the "Field name" selector, we choose which column of the list chosen in the "Identity list" selector to read the identities from. In this instance, our "Members" list contains a Person/Group column called "User" which holds the actual users related to the projects, so we select that column. The column can either be a Person/Group field, as in this case, or a text field. If a text field is selected, the system ignores values which are not valid e-mail addresses.
- Next, select the column on the Identity list that contains the names of the identities. In this instance, the Members list has a column called "Name", which we will use. The data in this column is used for the greeting message when inviting guest users to the Azure Active Directory.
- Select a column on the Identity list that limits the identities covered by the rule. In this case, we want the rule to target the identities in the Members list who have the Project Manager role, so we select the "Role" column on the Members list.
- In the "Identity limitation value" input field, type the value that limits the identities targeted by the rule. We want the rule to target identities designated "Project Manager" in the "Role" column of the Members list, so we type "Project Manager" in this field.
- Next, select the permission level to grant the identities targeted by this rule. From the previous steps, we have targeted user identities from the Members list on each project who are designated "Project Manager" in the "Role" column; effectively, we are targeting the Project Managers of the projects. In this instance, we grant Project Managers the "Full Control" permission level.
- To save the new security rule, we click the "Save" button.
The security rule should now appear in the list of rules in the Security Settings page:
Note that if a security rule targets a user in the Identity list which is not currently registered in the Azure Active Directory of the tenant, WorkPoint will automatically invite the user as a guest user. In this case, an e-mail with an invitation link will be sent to the user.
Settings for this process can be found in the Security Settings page for the business module:
- If the "Enabled" checkbox is turned on, external guest users can be used. If a security rule targets a user in an Identity list who is not currently registered in the Azure Active Directory of the tenant, WorkPoint will automatically invite the user as a guest user.
- If you want external guest users to receive an e-mail when invited, enable the "Send invitation email" checkbox.
- Select a type of the URL that the invited user will be sent to after the invitation is redeemed. Available options are:
- Relative: A URL relative to the site (e.g. "/SitePages/ExternalHome.aspx")
- Absolute: An absolute URL to some location (e.g. "https://CalperIT.sharepoint.com/sites/projectmanagement")
- Type in the URL, matching the URL type selected in the previous step.
- Type in a message which will be sent along in the invitation e-mail.
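Before saving a rule, it helps to predict exactly who will receive the permission level and which of them will trigger a guest invitation. The following is an added example, not WorkPoint code: a dry-run model of the selection steps above (Field name, identity name column, Identity limitation field and value, permission level) followed by the guest-user split. The row shapes, the e-mail check and the exact-match comparison on the limitation column are assumptions of this model, not documented WorkPoint behaviour; the list data and tenant directory are constructed.

```python
"""Dry-run model of an "Entity site list" security rule (added example, not WorkPoint code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Simple address check; WorkPoint's actual validation of text fields is not documented here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Rule:
    identity_field: str               # "Field name": a Person/Group or text column
    name_field: str                   # column holding the display name used in invitations
    limitation_field: Optional[str]   # e.g. "Role"; None means no limitation
    limitation_value: Optional[str]   # e.g. "Project Manager"
    permission_level: str             # e.g. "Full Control"


def _email_of(value):
    """Extract an e-mail address from a list cell, or None if the cell yields no identity.

    A Person/Group cell is modelled as a dict with an "Email" key (the shape PnP PowerShell
    returns for FieldUserValue); a text cell is a plain string that must parse as an address,
    otherwise it is ignored, as the page describes for text fields. Both shapes are assumptions.
    """
    if isinstance(value, dict):
        email = str(value.get("Email", "")).strip()
    elif isinstance(value, str):
        email = value.strip()
    else:
        return None
    return email.lower() if EMAIL_RE.match(email) else None


def resolve_grants(rows, rule):
    """Return {email: (display_name, permission_level)} that the rule would grant."""
    grants = {}
    for row in rows:
        if rule.limitation_field is not None:
            # Assumption: exact, case-sensitive match on the limitation column.
            if str(row.get(rule.limitation_field, "")).strip() != rule.limitation_value:
                continue
        email = _email_of(row.get(rule.identity_field))
        if email is None:
            continue  # blank, malformed text, or non-identity cell: skipped
        grants[email] = (str(row.get(rule.name_field, "")), rule.permission_level)
    return grants


def split_by_tenant(grants, tenant_users):
    """Partition granted identities into tenant members and external users needing a guest invite."""
    known = {u.lower() for u in tenant_users}
    internal = {e: g for e, g in grants.items() if e in known}
    to_invite = {e: g for e, g in grants.items() if e not in known}
    return internal, to_invite


# Constructed sample "Members" list on a project site (not real data).
MEMBERS = [
    {"Name": "Alice Andersen", "User": {"Email": "alice@contoso.com", "LookupValue": "Alice Andersen"}, "Role": "Project Manager"},
    {"Name": "Bob Berg", "User": {"Email": "bob@contoso.com"}, "Role": "Team"},
    {"Name": "Carla Cruz", "User": "carla@partner.example", "Role": "Project Manager"},
    {"Name": "Typo Row", "User": "not-an-address", "Role": "Project Manager"},
]
# Constructed stand-in for the tenant's Azure AD user directory.
TENANT_USERS = ["alice@contoso.com", "bob@contoso.com"]

# The rule configured in the walkthrough above.
RULE = Rule("User", "Name", "Role", "Project Manager", "Full Control")

if __name__ == "__main__":
    grants = resolve_grants(MEMBERS, RULE)
    internal, guests = split_by_tenant(grants, TENANT_USERS)
    for email, (name, level) in internal.items():
        print(f"{level:<12} {email:<26} {name}")
    for email, (name, level) in guests.items():
        print(f"{level:<12} {email:<26} {name}  <- guest invitation would be sent")
```

Running it against the constructed list grants Full Control to Alice (a tenant user) and to Carla (an external address that would be invited as a guest); Bob is excluded by the Role limitation and the malformed text value is ignored. Running a check like this against an export of the real Identity list is a cheap way to catch a typo in the limitation value or an unexpected external address before the rule goes live.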
4. Notes
Note that Security Rules for Entity Role Lists is part of the elaborate WorkPoint Security system, which you can read more about in this article.
Note that if a security rule targets a user in the Identity list who is not currently registered in the Azure Active Directory of the tenant, WorkPoint can automatically invite the user as a guest user. In this case, an e-mail with an invitation link is sent to the user. You can find settings for these aspects in the Security Settings page for each business module.
Note also that the Identity list lives on the entity site and drives permissions: anyone who can edit that list, in particular its identity and limitation columns, can in effect grant access to the entity. Restrict write access to the Identity list accordingly.