Access Control

This document describes how Worklytics' Role-Based Access Control (RBAC) works.

It details the roles a user can be granted when accessing the Worklytics Web App and the permissions each role confers. It also describes the session management settings and how they affect logged-in users.

Account setup

When the organization account is provisioned, Worklytics sends a One-Time Password (OTP) login link to the designated account admin, who holds the SecurityAdmin role (see below). Once logged in, that admin should configure the access control policies that suit the organization's needs, following the instructions below.

User Roles and Permissions

How to Grant/Revoke Roles to Users

Security Admins can grant roles to users, or revoke them, through the "Roles and Access Control" user interface of the Web App. Users are identified by the email address they present when signing in with any of the Identity Providers your organization has configured. Once a user has been identified, they are granted the roles assigned to that email address. Worklytics currently supports the following Identity Providers:

  • Google Identity

  • Microsoft

  • Okta

  • SAML integrations (*)

By default, any member of your organization who is able to log in to the Worklytics Web App through one of those providers is granted only the unprivileged User role, unless the email address received from the Identity Provider matches one of the email addresses you have designated as the subject of a role grant.

Role Conditions (**) can be added to restrict a role grant to a particular Identity Provider. For example, if both Google and Microsoft are configured as Identity Providers and a member of your organization's IT team has the email address user@acme.com on both, the SecurityAdmin role can be granted on the condition that they sign in using Microsoft; if they sign in with Google, the role is not granted.

(*) SAML integrations also allow assigning roles by group. Check the SAML documentation for details on how this works.

(**) Role Conditions don't apply to One-Time Password (OTP) login links.
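The grant rules above (default User role, match on the provider-supplied email address, Role Conditions tied to an Identity Provider, and the OTP exemption) can be modelled in a few lines. The following is an added example written for this page; it is not Worklytics code and does not reflect how the Web App evaluates policy internally. The `RoleGrant`/`Login` types, the provider method names, the case-insensitive email match, and the constructed sample policy are all assumptions. In particular, "Role Conditions don't apply to OTP login links" is modelled as: an OTP login skips the provider check, so a conditioned grant is still honoured; the `grants_not_enforced_for_otp` helper lists the grants affected by that reading so an admin can review them.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT_ROLE = "User"          # every successful login gets at least this role


@dataclass(frozen=True)
class RoleGrant:
    email: str                 # subject of the grant, matched against the IdP-supplied address
    role: str                  # e.g. "SecurityAdmin"
    idp: Optional[str] = None  # Role Condition: honour the grant only via this provider; None = any


@dataclass(frozen=True)
class Login:
    email: str                 # address reported by the provider
    method: str                # assumed labels: "google", "microsoft", "okta", "saml" or "otp"


def resolve_roles(login: Login, grants: List[RoleGrant]) -> Set[str]:
    """Return the roles a session receives.

    Assumption: the page only says Role Conditions do not apply to OTP links,
    so an OTP login is modelled as skipping the provider condition entirely.
    The case-insensitive email comparison is also an assumption.
    """
    roles = {DEFAULT_ROLE}
    for grant in grants:
        if grant.email.lower() != login.email.lower():
            continue  # grant is for a different address
        condition_satisfied = grant.idp is None or grant.idp == login.method
        if login.method == "otp" or condition_satisfied:
            roles.add(grant.role)
    return roles


def grants_not_enforced_for_otp(grants: List[RoleGrant]) -> List[RoleGrant]:
    """Conditioned grants: under the reading above, an OTP link for this address
    receives the role without the provider restriction being checked."""
    return [g for g in grants if g.idp is not None]


# Constructed sample policy (not taken from the page): one SecurityAdmin pinned
# to Microsoft, one SecurityAdmin with no condition.
SAMPLE_GRANTS = [
    RoleGrant("user@acme.com", "SecurityAdmin", idp="microsoft"),
    RoleGrant("it-admin@acme.com", "SecurityAdmin"),
]

if __name__ == "__main__":
    for login in [
        Login("user@acme.com", "microsoft"),   # condition met: User + SecurityAdmin
        Login("user@acme.com", "google"),      # condition not met: User only
        Login("user@acme.com", "otp"),         # OTP link: condition skipped (assumed)
        Login("someone@acme.com", "okta"),     # no grant: User only
    ]:
        print(login, "->", sorted(resolve_roles(login, SAMPLE_GRANTS)))
    print("grants whose condition an OTP link bypasses:",
          grants_not_enforced_for_otp(SAMPLE_GRANTS))
```

The practical point of the last helper: if you rely on a Role Condition to keep SecurityAdmin away from a weaker provider, check who can obtain an OTP link for that address, since the condition is not evaluated on that path.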

Session Management Settings

The Roles and Access Control user interface also exposes the session management settings:

  • Maximum Session Duration: the maximum lifetime of a user session, after which the user must re-authenticate with one of the configured Identity Providers (defaults to 14 days)

  • Session Inactivity Duration: the maximum period of inactivity before a user session expires and the user is logged out (defaults to 14 days)
