Access Control

This page details how to 1) configure authentication (SSO) for your organization's users to Worklytics and 2) define a Role-based Access Control (RBAC) policy that authorizes users by granting them one or more of the supported roles (detailed below).

Getting Started: Initial Authentication via OTP for Account Setup

When your organization signs up for Worklytics, a new organization account is provisioned. Worklytics will send a One-Time Password (OTP) link to the designated account admin with the SecurityAdmin role (see below).

The recipient of the OTP link will be able to log in to the Worklytics Web App, set up SSO (below), and define the organization's access control policies (grant user roles).

Configuring Authentication: Single Sign-On

Worklytics supports the following SSO methods:

Any SecurityAdmin can configure these from the Organization Settings > Single Sign-On section. The configuration depends on the method and Identity Provider you choose, so please refer to the specific documentation for each method.

Configuring User Roles and Permissions

Worklytics supports the following user roles:

How to Grant/Revoke Roles to Users

Security Admins can grant roles to, or revoke roles from, users through the "Roles and Access Control" user interface of the Web App. Typically, users are identified by their email addresses when signing in using any of the single sign-on methods your organization has configured.

By default, any member of your organization who is able to log in to the Worklytics Web App using any of those providers is granted the unprivileged User role, unless the email address we receive from the Identity Provider matches one of the email addresses you have identified as the subject of a role grant.

Role Conditions (**) can be added to restrict a role grant to a particular Identity Provider. For example, if Google and Microsoft are both configured as Identity Providers, and a member of your organization's IT team has the email address user@acme.com on both providers, the SecurityAdmin role can be granted on the condition that they sign in using Microsoft; if they sign in with Google instead, the role won't be granted.

(*) SAML integrations also allow assigning roles by group. Check the SAML documentation for details on how this works.

(**) Role Conditions don't apply to One-Time Password (OTP) login links.
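The grant-resolution rules above (default User role, email-matched grants, a Role Condition that pins a grant to one Identity Provider, and conditions not applying to OTP logins) are small enough to model directly. The following is an added illustration written for this page, not Worklytics code: the grant structure, the provider names, the case-insensitive email comparison, and the reading that an OTP login simply does not evaluate a grant's condition are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Role names that appear on the page; any other role is whatever your org defines.
USER_ROLE = "User"
SECURITY_ADMIN_ROLE = "SecurityAdmin"

# Login method used for One-Time Password links (constructed identifier).
OTP_METHOD = "otp"


@dataclass(frozen=True)
class RoleGrant:
    """One row of the RBAC policy: this email gets this role.

    required_provider is the Role Condition: None means the grant applies
    whichever configured Identity Provider the user signs in with.
    """
    email: str
    role: str
    required_provider: Optional[str] = None


@dataclass(frozen=True)
class Login:
    """What the authentication layer hands us: the asserted email and the
    method it came through (an IdP name, or OTP_METHOD for a one-time link)."""
    email: str
    method: str


def _normalize(email: str) -> str:
    # Assumption: email matching is case-insensitive and ignores surrounding whitespace.
    return email.strip().lower()


def resolve_roles(login: Login, grants: list[RoleGrant]) -> set[str]:
    """Return the set of roles in effect for this login.

    Everyone who can log in holds the unprivileged User role; additional
    roles come only from grants whose email matches and whose Role
    Condition (if any) is satisfied by the Identity Provider used.
    """
    roles = {USER_ROLE}
    email = _normalize(login.email)

    for grant in grants:
        if _normalize(grant.email) != email:
            continue
        if login.method == OTP_METHOD:
            # (**) Role Conditions don't apply to OTP login links; interpreted here
            # as "the condition is not evaluated", so the grant applies as written.
            roles.add(grant.role)
        elif grant.required_provider is None or grant.required_provider == login.method:
            roles.add(grant.role)
        # Otherwise the condition fails: the user keeps only the User role
        # from this grant (the page's "if they use Google the role won't be granted").

    return roles


# Constructed sample policy mirroring the page's example: user@acme.com is a
# SecurityAdmin only when signing in through Microsoft.
SAMPLE_GRANTS = [
    RoleGrant(email="user@acme.com", role=SECURITY_ADMIN_ROLE, required_provider="microsoft"),
]

if __name__ == "__main__":
    for login in (
        Login("user@acme.com", "microsoft"),
        Login("user@acme.com", "google"),
        Login("someone.else@acme.com", "google"),
    ):
        print(login.email, "via", login.method, "->", sorted(resolve_roles(login, SAMPLE_GRANTS)))
```

The order of checks is the point worth keeping when you write your own policy: the privileged role is added only after the email match and the provider condition both pass, so a misconfigured or weaker provider can never widen a user's access beyond the unconditional User role.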

Session Management Settings

In the Roles and Access Control user interface, session management settings can also be configured:

  • Maximum Session Duration: the maximum lifetime of a user session, measured from authentication, before the user must re-authenticate with one of the configured Identity Providers (defaults to 14 days)

  • Session Inactivity Duration: the maximum period of inactivity before a user session expires and the user is logged out (defaults to 14 days)
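The two settings interact: activity extends the inactivity window but never the absolute maximum, so a session that is used continuously still ends at the Maximum Session Duration. The following is an added example written for this page, not Worklytics code; the field names, the status strings and the constructed timestamps are assumptions, and only the 14-day defaults come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SessionSettings:
    # Defaults as stated on the page (14 days each).
    max_session_duration: timedelta = timedelta(days=14)
    session_inactivity_duration: timedelta = timedelta(days=14)


@dataclass
class Session:
    authenticated_at: datetime  # when the user last re-authenticated with an IdP
    last_seen_at: datetime      # when the session was last used


ACTIVE = "active"
EXPIRED_MAX_DURATION = "expired:max-duration"
EXPIRED_INACTIVITY = "expired:inactivity"


def session_status(session: Session, settings: SessionSettings, now: datetime) -> str:
    """Classify a session at time `now`.

    The absolute limit is checked first: once it has passed, no amount of
    recent activity keeps the session alive.
    """
    if now - session.authenticated_at > settings.max_session_duration:
        return EXPIRED_MAX_DURATION
    if now - session.last_seen_at > settings.session_inactivity_duration:
        return EXPIRED_INACTIVITY
    return ACTIVE


def touch(session: Session, settings: SessionSettings, now: datetime) -> bool:
    """Record activity on a request. Returns True if the request may proceed.

    Only a still-active session gets its last_seen_at advanced; an expired
    session is never revived by the request that discovers it expired.
    """
    if session_status(session, settings, now) != ACTIVE:
        return False
    session.last_seen_at = now
    return True


def simulate_daily_use(settings: SessionSettings, days: int) -> tuple[int, str]:
    """Constructed scenario: a user who makes one request every day.

    Returns (number of requests that were allowed, final session status)
    after `days` days of such use.
    """
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    session = Session(authenticated_at=t0, last_seen_at=t0)
    allowed = 0
    now = t0
    for day in range(1, days + 1):
        now = t0 + timedelta(days=day)
        if touch(session, settings, now):
            allowed += 1
    return allowed, session_status(session, settings, now)


if __name__ == "__main__":
    # With the page's defaults, daily use keeps the inactivity clock happy but the
    # absolute limit still ends the session after 14 days.
    print(simulate_daily_use(SessionSettings(), days=20))
```

When tuning these values, note that a short inactivity duration only matters if clients are actually idle; the maximum session duration is the setting that bounds how long a stolen or forgotten session can be used at all.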
