Mapped Security Architecture
The mapped security architecture includes the following components:
- Knowledge Discovery Microsoft Teams Connector
- Knowledge Discovery OmniGroupServer
- Knowledge Discovery Content component (which includes the mapped security plug-in)
- Knowledge Discovery Community component
- A front-end application
Messages and attachments in Microsoft Teams have associated permissions that specify the users and groups who are permitted to view them. The connector adds an Access Control List (ACL) containing this security information to each document that it indexes. Each time the connector synchronizes with the repository, it updates the ACLs of any documents whose permissions have changed, so a permission change made in Teams takes effect in search results only after the next synchronization cycle.
The Content component needs the ACL to determine whether a user can view a document that is returned for a query. However, the Content component must also consider the groups that the user belongs to. A user might not be named in a document's ACL, but they could be a member of a group that is. This means that the Content component requires the user and group information from Teams.
The connector can extract this user and group information through its SynchronizeGroups action. You can configure OmniGroupServer to run this action, so it is not necessary to connect to Active Directory or Azure AD to obtain group memberships.
When a user logs on to a front-end application, the application requests the user’s security information and group memberships from Community. Community returns a token containing the information. The front-end application includes this token in all queries the user sends to the Content component.
When a user submits a query, the Content component uses the mapped security plug-in to compare the user's security information and group memberships against the ACL of each matching document. Only the documents the user is permitted to view, either directly or through one of their groups, are returned to the front-end application.
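The following Python model illustrates the decision described above. It is an added example, not Knowledge Discovery code: the ACL layout, the token layout, the group directory and the indexed documents are all constructed for illustration, and the real components use their own formats. It shows the case the text calls out, a user who is not named in a document's ACL but belongs to a group that is, and the case of a user with no group memberships.

```python
"""Illustrative model of the mapped-security check (added example, not product code).

The ACL layout, the token layout and all sample data below are constructed
for illustration; the real connector, Community and Content components use
their own formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """Who may view a document: named users and named groups (constructed layout)."""
    users: frozenset
    groups: frozenset


@dataclass(frozen=True)
class Document:
    reference: str
    acl: Acl


@dataclass(frozen=True)
class SecurityToken:
    """What Community returns at logon: the user and the groups they belong to."""
    user: str
    groups: frozenset


# Constructed stand-in for the user/group data that the connector's
# SynchronizeGroups action extracts from Teams and OmniGroupServer holds.
GROUP_DIRECTORY = {
    "alice": frozenset({"finance-team"}),
    "bob": frozenset({"engineering"}),
    "carol": frozenset(),  # member of no groups
}

# Constructed stand-in for documents indexed by the connector, each with its ACL.
INDEX = [
    Document("teams://finance/budget-2024.xlsx",
             Acl(users=frozenset(), groups=frozenset({"finance-team"}))),
    Document("teams://finance/bob-expense-note",
             Acl(users=frozenset({"bob"}), groups=frozenset({"finance-team"}))),
    Document("teams://eng/design-doc",
             Acl(users=frozenset(), groups=frozenset({"engineering"}))),
    Document("teams://private/orphaned",
             Acl(users=frozenset(), groups=frozenset())),  # nobody is permitted
]


def issue_token(user: str) -> SecurityToken:
    """Model of the logon step: look up the user's group memberships.

    An unknown user gets a token with no groups, so they see nothing that
    is not granted to them by name.
    """
    return SecurityToken(user=user, groups=GROUP_DIRECTORY.get(user, frozenset()))


def can_view(token: SecurityToken, acl: Acl) -> bool:
    """Model of the mapped security plug-in's per-document decision.

    Access is granted directly (the user is named in the ACL) or indirectly
    (the user belongs to at least one group named in the ACL). Nothing else
    grants access, so an empty ACL denies everyone.
    """
    if token.user in acl.users:
        return True
    return not acl.groups.isdisjoint(token.groups)


def filter_results(candidates, token: SecurityToken):
    """Model of the Content component: drop every result the user may not view."""
    return [doc.reference for doc in candidates if can_view(token, doc.acl)]


def search_as(user: str):
    """Front-end flow: obtain a token at logon, then attach it to the query."""
    token = issue_token(user)
    return filter_results(INDEX, token)


if __name__ == "__main__":
    for who in GROUP_DIRECTORY:
        print(who, "->", search_as(who))
```

In this model alice is never named in an ACL yet sees both finance documents through the finance-team group, bob sees his expense note by name and the design document through his group, and carol, who belongs to no group, sees nothing. Identifiers are compared as exact strings here; how the real components normalise user and group names is not covered by this page.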