Account administrators can organize integrations to serve as “workspaces” that segregate flows, connections, and other resources for various teams. An integration is a collection of flows and resources that have been grouped together, similar to a folder.
Celigo does not use a permissions model that targets user roles; however, you can organize your environment so that the equivalent permissions for each user are easily set at the integration level. You can decide which flows, connections, and permissions are assigned to each user.
Summary of topics covered in the video:
- Consult with your team to determine who will be the account owner and account admins. Admins have all the same permissions that the account owner has to modify user roles, but an admin can’t alter the permissions of the account owner or transfer ownership to another user.
- To ensure that your account is secure, set up single sign-on (SSO) or require multifactor authentication (MFA) for all of your users.
- Create an integration for each permission type your users will have. Think of your permission types in terms of teams, and create an integration for each one.
- Create the limited access connections for each of the teams. A user with manage permissions to an integration can create additional connections as long as they have sufficient permissions applied to the credentials in an app.
- Invite users to the account and assign permissions to each user as needed. You can assign permissions for multiple users at a time using a comma between each email address.
- Configure authentication profile permissions within the external app
- Create connections
- Organize flows within integrations
- Register the connection with each integration
- Grant users the appropriate level of access to the integration
- Sample plan checklist
SaaS applications allow you to assign permissions (or scopes) to specific user profiles. Create multiple authentication profiles in the app you are connecting to. You should narrowly tailor the scopes of each set of credentials so that data that is not relevant to the purposes of the flow you are building is protected from unauthorized access. One set of credentials might have the highest level of access to data in the external app, and other credentials should have limited permission scopes to be used for specific tasks that don’t require maximum access.
Flows rely on connections to access applications. Once you have configured permissions for the authentication profiles within the app you are connecting to, create a connection for each profile permission level.
All flows are stored in integrations (see below, How to organize flows). All flows within an integration should use a registered connection to authenticate with the external app. Each connection registered to an integration should have the minimum permissions required to perform the tasks of the flows within the integration.
The Celigo platform Home page displays all integrations in your account in either list or tile view. You can group your flows and resources in whichever way best serves your purposes, and then apply integration-level permissions to each user depending on their role in your organization.
- Organize flows by business process – If a single process requires a collection of flows and the users of your account need to be able to modify all of the flows and resources, consider placing them within a single integration. Limit the scopes for the connections used in these flows to access only the data necessary to achieve your goals.
- Organize flows by application platform – If you have a variety of requirements, but some of your flows connect to a specific application, it might make sense to put all of those flows in a single integration. This strategy might not be effective if you have multiple connections with different scope configurations. Any user with manage access over an integration that has multiple connector profiles will be able to use any connector profile included in that integration.
- Organize flows by role usage – If multiple users with similar roles all need the same permissions for multiple flows, it might make sense to group all flows into a single integration. Limit the scopes for the connections used in these flows to access only the data appropriate for the roles that need manage permission over the integration.
When you create a flow from the integrator.io Home page, it is saved to the Standalone flows integration by default. To organize your flows more efficiently, you should move any flow that needs limited permissions into an integration that facilitates your management strategy.
Use the following steps to move a flow from Standalone flows into an integration:
- Create the integration.
- Open the integration and click the Flows tab.
- Click … More and choose Attach flows.
- Check the box next to any flow you want to add to the integration, and click Attach.
Note: You can’t add a flow to an integration that is already attached to another integration. Detach the flow from the integration to return it to Standalone flows.
Use the following steps to detach a flow from an integration:
- Open the integration and click the Flows tab.
- In the Actions column next to the flow you want to detach, click the Overflow menu (…).
- Click Detach flow.
The flow is now available in Standalone flows.
You can register each connection with the integration, so that only the registered connection serves as the gateway to access the application.
You can grant a user access to any integration using the roles assigned to each user or team of users.
By registering connections and giving permissions to specific users, you can limit each user’s access to the integrations that have been built for their security level.
Regardless of the organizational strategy you use to group your flows into integrations, you should verify that the scopes applied to your connector credentials are appropriate for all users who will have integration-level permissions to all flows in the integration.
Now that you have a grounding in the tools that the Celigo platform offers to control access, it’s time to consider the factors that will influence your company’s security strategy:
- Which are the mission-critical applications? What is the relative urgency of their data security and integrity?
- Do the business requirements logically correspond to an integration group flow organization?
- Should we adhere to best practices, such as developing flows first in the Sandbox environment and taking advantage of Integration Lifecycle Management?
- Can we then segregate integrations by role and registered connection as they move to the Production environment?
- What internal policies currently govern access to applications? How do the RBAC settings in the applications correspond to the API endpoints that we’ll be reading from and writing to (CRUD operations)?
- Before setting up accounts, how do we understand the players in terms of functional roles: application administrators, project managers, IT/developers, business users, and those who will periodically monitor the integrations?
- What are the individual team members’ proficiency levels with respect to API calls, data formats, scripting, proprietary query languages, and low-code solutions?
- What risks are involved with syncing data incorrectly or a lag in addressing runtime errors?
- Who should be notified of changes and errors? Who should be the primary point of contact for customer success and support?
- How will the team document the flow logic and communicate the need for changes at higher levels of access? Do we need redundancy for outages and offboarding?