Access Control
© Worklytics Co.
This page details how to 1) configure authentication (SSO) for your organization's users to Worklytics and 2) define a Role-based Access Control (RBAC) policy that authorizes users by granting them one or more of the supported roles (detailed below).
When your organization signs up for Worklytics, a new organization account is provisioned. Worklytics will send a One-Time Password (OTP) link to the designated account admin, who holds the SecurityAdmin role (see below).
The recipient of the OTP link will be able to log in to the Worklytics Web App, set up SSO (below), and define the organization's access control policies (grant user roles).
Worklytics supports the following SSO methods:
Any SecurityAdmin can configure these from the Organization Settings > Single Sign-On section. The configuration depends on the method and Identity Provider you choose, so please refer to the specific documentation for each method.
Worklytics supports the user roles listed in the table at the end of this page (Analytics Viewer, Data Connection Admin, Data Export Admin, Security Admin, and the implicit User role).
Security Admins can grant roles to users, or revoke them, through the "Roles and Access Control" user interface of the Web App. Typically, users are identified by their email addresses when signing in using any of the single sign-on methods your organization has configured.
By default, any member of your organization who is able to log in to the Worklytics Web App using any of those providers will be granted the unprivileged User role, unless the email address we receive from the Identity Provider matches one of the email addresses you have identified as the subject of a role grant.
Role Conditions (**) can be added to restrict a role grant to a particular Identity Provider. For example, if Google and Microsoft are both configured as Identity Providers, and a member of your organization's IT team has the email address user@acme.com on both providers, the SecurityAdmin role can be granted on the condition that they sign in using Microsoft; if they sign in using Google, the role won't be granted.
(*) SAML integrations also allow assigning roles by group. Check the SAML documentation for details on how this works.
(**) Role Conditions don't apply to One-Time Password (OTP) login links.
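The role resolution described above, as an added example that models the policy in code (this is an illustration written for this page, not Worklytics' implementation; the grant list and provider labels are constructed, and it assumes that "conditions don't apply" to OTP logins means the condition is simply not enforced for them). It also covers the session limits from the next section:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model of the page's RBAC policy; not Worklytics code.
DEFAULT_ROLE = "User"   # implicit role for anyone who can sign in
OTP = "otp"             # constructed label for One-Time Password link logins


@dataclass(frozen=True)
class RoleGrant:
    email: str
    role: str
    idp_condition: Optional[str] = None  # e.g. "microsoft"; None = any provider


def resolve_roles(email: str, idp: str, grants) -> set:
    """Roles for one sign-in: the implicit User role plus every grant whose
    email matches the address reported by the Identity Provider and whose
    Role Condition (if any) names the provider used. Assumption: conditions
    are not enforced for OTP link logins."""
    roles = {DEFAULT_ROLE}
    for g in grants:
        if g.email.casefold() != email.casefold():
            continue
        if idp == OTP or g.idp_condition is None or g.idp_condition == idp:
            roles.add(g.role)
    return roles


def session_active(started: datetime, last_seen: datetime, now: datetime,
                   max_duration=timedelta(days=14),
                   inactivity=timedelta(days=14)) -> bool:
    """A session is valid only while it is inside both the Maximum Session
    Duration and the Session Inactivity Duration (both default to 14 days)."""
    return now - started <= max_duration and now - last_seen <= inactivity


# Constructed sample policy: SecurityAdmin only when signing in via Microsoft.
GRANTS = [
    RoleGrant("user@acme.com", "SecurityAdmin", idp_condition="microsoft"),
    RoleGrant("analyst@acme.com", "AnalyticsViewer"),
]

if __name__ == "__main__":
    for idp in ("microsoft", "google", OTP):
        print(idp, sorted(resolve_roles("user@acme.com", idp, GRANTS)))
```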
In the Roles and Access Control user interface, session management settings can also be configured:
Maximum Session Duration: the maximum duration of a user session before they must re-authenticate with any of the configured Identity Providers (defaults to 14 days)
Session Inactivity Duration: maximum time of inactivity before user sessions expire and they get logged out (defaults to 14 days)
Role | Permissions |
---|---|
Analytics Viewer (AnalyticsViewer) | Permissions to access the analytics dashboards and reports (e.g. members of your organization's people analytics team). |
Data Connection Admin (DataConnectionAdmin) | Permissions to create, remove, and manage integrations (data source connections). Usually, these are members of your IT team. |
Data Export Admin (DataExportAdmin) | Permissions to export data from Worklytics, such as audit logs, data processing records (GDPR), and datasets. |
Security Admin (SecurityAdmin) | Permissions to make changes to the organization's settings: manage Single Sign-On (SSO) settings, grant roles to other users, and change "Data Protection" and "Analytics" settings. Users with this role also have read-only access to integrations. |
User | The implicit role that anyone who is able to sign in to the Worklytics Web App gets. |