OrgChart Now has a robust security system that gives the customer administrator full control over who sees what within a given organizational chart.
Users can authenticate using a user name/password combination or using a Single Sign On (SSO) frameworks.
A session token is created at successful login. A valid session token is required for all user initiated transactions. Session tokens are also used to ensure data segregation. All database queries use session token to limit query scope to only tenant data.
When a user signs into OrgChart Now, they are assigned a role. Role assignment can be set up to be static or dynamic.
- Static role assignment associates a a fixed role with a named user.
- Dynamic role assignment uses a rule driven engine to determine a user’s role. The rule driven engine uses employee records (from the org chart) to determine a user’s role.
Role assignment can also be driven via a trust SSO framework.
A role determine the following:
- User Type: Read Only, Read/Write and Administrator
- Access Group: Named group that controls access level to application functionality and employee data
The following user types are supported:
- Read only – can view but not modify a set of predefined organizational charts
- Read/Write – read only user capability + can create and edit organizational charts and workforce plans
- Administrator – read only user capability + read/write user capability + can modify system configuration
A user’s access group controls the following:
- Access to application functionality: For example, ability to export data to Excel or PowerPoint
- Access to org charts: For example, if three org charts are loaded into a tenant, a user may only have access to one of the three org charts.
- Branch level access within an org chart: A user may be limited to a subset of branches within their organization (for example, limited to only viewing org charts for their department)
- Row level security: Control over which fields within employee records a user can access (on a record by record basis).
- Org Chart Visualizations: A user can be limited to only access a limited set of organizational chart visualizations (for example, ‘Employee Details View’ but not ‘Employee Performance View’)
- Folder access: A user can be limited accessing a limited set of folders. Folders are used to store documents, photos and data. For example, access to an ‘HR Private’ folder can be limited to only HR staff members.
Row Level Security
Row level security is driven by a set rules that determines which fields a user can access for any given record.
A typical scenario is that an HR person’s record contains a ‘Department Access List’ (a list of departments that an HR person supports). A row level security rule is then setup to allow access to privileged field for employees within the scope of a user’s ‘department access list’ but not for other departments.
Single Sign On
Single sign on integration can be setup to optionally auto-provision users. In this case, the role assigned to the user can be:
- Lowest privilege
- Rule based (see authorization section above)
- Driven by SSO parameters (e.g. Sign Sign On framework determines authorization level)
When a single sign on framework is not used, customer administrator is responsible for managing user accounts within OrgChart Now (e.g. deleting, adding, modifying).
When a single sign on framework is used, the system can be configured to:
- Only provision users via single sign on (auto-provision only)
- Allow only administrator to provision users (auto-provision off)
- Hybrid (auto-provision + manual provisioning)
Tools to automate mass creation of user accounts are also available.