Security & Access Overview
Correct configuration of the security settings will make sure people see what they’re meant to see. There are further articles in this knowledge base that provide additional information on some of the topics here.
Please note that some of the screenshots show the product's previous name, ‘DiscoverMe’, which was rebranded as TeamFolio. The processes and concepts illustrated remain the same for TeamFolio. These screenshots will be updated soon!
Logging In (Authentication)
Any person accessing TeamFolio needs to have an account – their user identity – that TeamFolio recognises. This account provides the user with authenticated access in TeamFolio. When TeamFolio and other connected systems like Microsoft’s SharePoint or Office 365 platforms are accessed by an authenticated user, these systems can then control what this user account (person) can see and do. When the person enters their account credentials and clicks Sign in, the system checks the authenticity of these credentials:
Screenshot: enter or select your login account, then enter your password.
You will be presented with the same login screen on first access to any page in TeamFolio, or in the SharePoint system associated with TeamFolio. You can bookmark any TeamFolio page, like your profile page, the search page or the landing page.
Single Sign On (SSO)
TeamFolio uses an organisation’s existing sign-in mechanism, like Azure Active Directory (AAD). AAD authenticates Microsoft Office 365 users and is also used as the trusted source for logging in to TeamFolio. This means people with a valid account in AAD can also be authenticated by TeamFolio and switch between multiple AAD-authenticated systems without being prompted to log in again. This approach is often referred to as ‘single sign-on’ (SSO):
- A logged-in user can switch from TeamFolio to SharePoint ....
- ... or from SharePoint to TeamFolio without logging in again.
People can also go directly to TeamFolio. If they are not already authenticated, they will be prompted to log in using the organisation’s existing sign-in mechanism (e.g. Azure AAD) and then they’ll be taken directly to the TeamFolio landing page. SSO is still effective and the user will be able to go to other systems (e.g. SharePoint) requiring the same authentication without having to log in again.
Authorisation Groups
Once authenticated, controlling what a user can see and do is usually facilitated by privileges, also referred to as permissions, that are granted to the user's account.
Privileges could be assigned for each individual user account but this would quickly become unmanageable, so in TeamFolio privileges are assigned to groups of users, called Authorisation Groups. See the Manage Authorisation Groups article for more information on this.
Administrators
Users with administrator privileges in TeamFolio have access to all features and all content. There are two ways an account can be granted administrator privileges in TeamFolio:
- When TeamFolio is first deployed, one or more administrator accounts are associated with the installation;
- One of the above accounts can be used to add other accounts to the Administrators Authorisation Group from within TeamFolio.
See the Default Admin Group article for more information on this.
TeamFolio as a SharePoint Add-In
TeamFolio is currently available for deployment as a provider hosted add-in (sometimes referred to as an App) for Microsoft’s SharePoint collaboration platform. We support deployment to any SharePoint Online or SharePoint on-premises farm deployment using SharePoint Server 2013 or later. See the TeamFolio Installation Overview article for more information on this.
Because high-trust deployments run with elevated privileges in the operating environment, with the resulting risks to performance and security, they are discouraged. They are becoming far less common and are being deprecated by FidraSoft as a supported deployment model going forward.
As long as the target operating environment is configured according to Microsoft’s documentation for SharePoint configuration on premises or online, TeamFolio will deploy as a standard SharePoint provider hosted add-in.
TeamFolio is actually deployed as a Microsoft Azure application but we use the SharePoint Term Store as a convenient repository and management tool for the taxonomies that underpin many of TeamFolio's unique capabilities.
Licensing
TeamFolio licensing is based on the number of people’s profiles stored in DiscoverMe and the number of people using TeamFolio to search for expertise and existing knowledge.
Most people will be users with a profile as well as the ability to search across the entire organisation for other people's skills. This consumes only a single licence, but there are situations where people may need to view profile information without wishing to have a TeamFolio profile themselves. Such a person would also require a user licence.
It is also possible to provide a person external to the organisation with access to your 'internal' TeamFolio employee skills inventory. This person would also require a TeamFolio user licence.
For more information on TeamFolio licensing, please refer to the Managing Licences article.
Taxonomy Administration
For taxonomy management, TeamFolio supports connections to Microsoft's SharePoint Term Store service and TopQuadrant’s TopBraid Enterprise Data Governance™ (EDG) platform.
Microsoft SharePoint Term Store (Managed Metadata) Service
If you are using Microsoft's SharePoint Term Store for your taxonomy management, there are various permissions required for term management. TeamFolio will already have appropriate permissions for any taxonomy import processes undertaken via TeamFolio.
The majority of term store management is likely to be done directly in Microsoft's administration tools. For more information on this, please refer to the relevant Microsoft Term Store documentation.
TopBraid Enterprise Data Governance™ (EDG)
TopQuadrant’s TopBraid Enterprise Data Governance™ (EDG) is a flexible, web-based solution that addresses data governance needs in enterprise environments with heterogeneous data stores, data processing, and applications.
EDG provides a far more comprehensive data management solution than the taxonomy management provided by Microsoft's term store service alone. TeamFolio customers using EDG can utilise EDG Vocabulary Management capabilities knowing that these can be used by TeamFolio instead of, or as well as, the Microsoft term store.
For more information on this, please refer to the relevant TopQuadrant documentation providing an Introduction to TopBraid EDG. If you need to gain a better understanding of TopBraid's security configuration, start by looking at Authentication for TopBraid EDG.
View Filters
View Filters in TeamFolio are not actually a security boundary that prevents user access. That said, this filtering capability can be used in conjunction with TeamFolio's security features to provide better targeting of relevant content to different groups of users.
See the View Filters Overview article for more information on this.
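As an added illustration of two points on this page (privileges granted to Authorisation Groups, with the Administrators group seeing all content, and View Filters narrowing a listing without being a security boundary), the following Python model is not TeamFolio code; the group names, privilege names and profile records are assumptions constructed for the example.

```python
ADMIN_GROUP = "Administrators"  # assumed name of the default admin group

# Privileges are granted to authorisation groups, never to individual accounts.
GROUP_PRIVILEGES = {
    "Engineering Viewers": {"view:engineering"},
    "HR Viewers": {"view:hr"},
    ADMIN_GROUP: set(),  # admins are recognised by membership, not by a privilege
}
MEMBERSHIPS = {  # account -> groups (constructed sample data)
    "alice": {"Engineering Viewers"},
    "bob": {"Engineering Viewers", "HR Viewers"},
    "root": {ADMIN_GROUP},
}
# Each profile records the privilege needed to view it (constructed sample data).
PROFILES = [
    {"owner": "carol", "department": "Engineering", "requires": "view:engineering"},
    {"owner": "dave", "department": "HR", "requires": "view:hr"},
]

def privileges_of(account):
    """Effective privileges are the union over the account's groups."""
    privs = set()
    for group in MEMBERSHIPS.get(account, ()):
        privs |= GROUP_PRIVILEGES.get(group, set())
    return privs

def can_view(account, profile):
    """The security boundary: evaluated on every access to a profile."""
    if ADMIN_GROUP in MEMBERSHIPS.get(account, ()):
        return True  # administrators have access to all content
    return profile["requires"] in privileges_of(account)

def search(account, department=None):
    """A view filter narrows an already-authorised result set. It is applied
    after can_view, never instead of it, so it changes what is shown in a
    listing but never what the account is permitted to access."""
    allowed = [p for p in PROFILES if can_view(account, p)]
    if department is not None:
        allowed = [p for p in allowed if p["department"] == department]
    return [p["owner"] for p in allowed]

def direct_open(account, owner):
    """Opening a profile directly (e.g. from a bookmark) re-checks the boundary;
    a view filter alone would not stop this, which is why it is not security."""
    profile = next((p for p in PROFILES if p["owner"] == owner), None)
    return profile is not None and can_view(account, profile)
```

Note that `search("bob", "Engineering")` hides dave's profile from bob's listing while `direct_open("bob", "dave")` still succeeds: the filter shaped the view, and only `can_view` decided access.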