Mapped Security Architecture

The mapped security architecture includes the following components:

  • IDOL Microsoft Teams Connector
  • IDOL OmniGroupServer
  • IDOL Content component (which includes the mapped security plug-in)
  • IDOL Community component
  • A front-end application

Messages and attachments in Microsoft Teams have associated permissions that specify the users and groups who are permitted to view them. The connector adds an Access Control List (ACL) to each IDOL document, containing the security information. Each time the connector synchronizes with the repository, it updates the ACLs for any documents where the associated permissions have changed.

The IDOL Content component needs the ACL to determine whether a user can view a document that is returned as a result to a query. However, IDOL must also consider the groups that the user belongs to. A user might not be permitted to view a document, but they could be a member of a group that has permission. This means that IDOL requires the user and group information from Teams.

The connector can extract user and group information. This functionality is available through the SynchronizeGroups action. You can configure OmniGroupServer to run this action. It is not necessary to connect to Active Directory or Azure AD.

When a user logs on to a front-end application, the application requests the user's security information and group memberships from Community. Community returns a token containing the information. The front-end application includes this token in all queries the user sends to the Content component.

When a user submits a query, IDOL Content compares the user's security information and group memberships to each document ACL. The mapped security plug-in determines which documents the user is permitted to view and returns the results. The IDOL Content component then sends only those documents to the front-end application.
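The following Python example, added here for illustration and not part of IDOL or the Teams connector, models the comparison described above: a document ACL lists the users and groups permitted to view it, and the check succeeds when the requesting user matches either directly or through one of the groups returned for them. The `Principal`/`Acl` classes, the field names, the deny-wins rule and the sample documents are all constructed assumptions; they do not reproduce IDOL's actual ACL format or the exact semantics of the mapped security plug-in.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Constructed model of what the token from Community carries for one user:
# the user's own identity plus the groups resolved for them (e.g. by
# OmniGroupServer running the connector's SynchronizeGroups action).
@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str]

# Constructed model of the ACL the connector attaches to an IDOL document.
# Field names are hypothetical; IDOL's real ACL encoding differs.
@dataclass
class Acl:
    allowed_users: Set[str] = field(default_factory=set)
    allowed_groups: Set[str] = field(default_factory=set)
    denied_users: Set[str] = field(default_factory=set)
    denied_groups: Set[str] = field(default_factory=set)

def can_view(principal: Principal, acl: Acl) -> bool:
    """Return True if the user may see a document with this ACL.

    Assumed policy: an explicit deny (on the user or any of their groups)
    wins over any allow; otherwise access is granted when the user is
    listed directly or belongs to at least one allowed group. A user with
    no matching entry is not granted access (default deny).
    """
    if principal.name in acl.denied_users:
        return False
    if principal.groups & acl.denied_groups:
        return False
    if principal.name in acl.allowed_users:
        return True
    return bool(principal.groups & acl.allowed_groups)

def filter_results(principal: Principal,
                   results: List[Tuple[str, Acl]]) -> List[str]:
    """Keep only the document references the user is permitted to view.

    Mirrors the step where the mapped security plug-in drops documents the
    requester cannot see before the result set reaches the front end.
    """
    return [doc_ref for doc_ref, acl in results if can_view(principal, acl)]

# Constructed sample data: one user who is not named on any ACL directly,
# but belongs to two Teams groups.
ALICE = Principal(name="alice", groups=frozenset({"finance-team", "all-staff"}))

SAMPLE_RESULTS: List[Tuple[str, Acl]] = [
    # Visible through group membership only.
    ("msg-001", Acl(allowed_groups={"finance-team"})),
    # Visible because the user is listed directly.
    ("msg-002", Acl(allowed_users={"alice"})),
    # Allowed via all-staff, but a deny on finance-team wins.
    ("msg-003", Acl(allowed_groups={"all-staff"}, denied_groups={"finance-team"})),
    # No matching entry at all: default deny.
    ("msg-004", Acl(allowed_groups={"legal-team"})),
]

if __name__ == "__main__":
    print(filter_results(ALICE, SAMPLE_RESULTS))  # ['msg-001', 'msg-002']
```

The model makes two points explicit that the prose leaves implicit: a user who is absent from every ACL entry sees nothing (the plug-in is a filter, not a fallback), and the group list is only as current as the last SynchronizeGroups run, so a user removed from a Teams group keeps that group's access until the next synchronization.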