Permissions & Access Controledit

Workplace Search is designed to ensure proper visibility results and information based on pre-determined access attributes known as document-level permissions.


Document-level permissions take a few different forms across the Workplace Search platform:

  1. Document access strategies for content sources: A handy guide helping you implement proper access control for Content Sources like Google Drive
  2. Document permissions for custom sources: A handy guide helping you implement proper access control for custom sources
  3. Enabling private content sources: How to enable private content sources like Slack and Gmail for your team mates

Select a guide to start applying permissions, or read keep reading for a conceptual introduction to content sources and permissions.

Alternatively, the following video provides an overview of permissions and access control:



Organizational Sources and Private Sourcesedit

Content sources represent one of the atomic units of Workplace Search. A content source is a repository of information made accessible to a user or collection of users, based on a number of parameters.

To better understand the hierarchy of access, let’s break down the three sharing levels:

  1. Organizational source, all users: also known as shared sources, connected by an administrative user of Workplace Search, usually with an account with access limited to globally available information or documents.
  2. Organizational source, specific groups: also known as shared sources, connected by an administrative user of Workplace Search, usually with an account with access limited to information or documents generally available to members of a group, like an engineering or marketing team.
  3. Private source: connected by a user, with personal credentials to the content source. The source must first be configured by an administrative user, and then it can be connected by an individual user. Afterwards, the content is available to the connecting user exclusively.

Organizational sources are always connected by Workplace Search administrative users. The account credentials used to connect the source can be one of two types:

  1. A standard user of the platform being connected, with restricted access to certain documents — in general mapping exactly with the group structure at the Workplace Search level.
  2. A superadmin user of the platform with access to document-level permission information for the source being synchronized.

When using a standard user, all documents accessible to the user will be synchronized and be made available to the organization’s users, or group’s users. Documents are immediately available for search.

When a superadmin user is used to connect a source that supports document-level access synchronization, all documents found on the platform are indexed, along with access information for each file, record, and document. For documents to be searchable, permission information mapping must be provided via the External Identities API reference. Not all content platforms offer superadmin user privileges.

Refer to Document access strategies for content sources guides to learn more on each connector’s ability to extract and synchronize document-level access information.


Which strategy should I choose?edit

Perhaps the most effective way to understand the various strategies is to look at some practical examples.

Organization-Wide Intranet

If your organization uses a platform like Confluence to power internal knowledge sharing via an Intranet-style portal, you could choose to create a user with access limited to all global spaces and articles, which should represent most of the information available on the platform. Concretely, this means using the Confluence integration provided with Workplace Search, with document permission synchronization turned off, and access granted via a workplace-search-global-confluence@acme.co standard user. All information available will be made searchable as is to all users of the Workplace Search platform.

Team-Wide Legal Document Repository

Perhaps your Legal team uses OneDrive as a way to store and collaborate on all contracts created for your organization. You may deem the content to be a little too sensitive for your Accounting and Engineering teams. You may choose to connect the source as a group-specific source, with a workplace-search-legal-team@acme.co standard user created at the OneDrive level, with document permission synchronization turned off.

High-Traffic Productivity Suite

Some content repositories are both personal and team-driven by nature. For example, Google Drive often encompasses a mix of globally available content via Team Drives, group-level items via shared documents, and personal documents, like Google Docs and Sheets used on a daily basis. For cases like this one, a superadmin account can be used to connect the source, with document permission synchronization enabled. This way, all documents found for every user of the source will be extracted along with the associated access data.