Permission/Access and Scopes
Permissions and Scoping in Unique
This document provides an overview of how Unique handles access permissions and scoping, allowing you to manage user access to content effectively within the platform.
Overview of the Existing Implementation
The Unique platform manages access permissions by organizing ingested content into Scopes/Folders. These Scopes are containers or "buckets of data" to which content is linked. Access to data in Scopes is controlled through ScopeAccess, allowing individual users or User Groups to access specific data.
When users interact with the chat, the system checks their ScopeAccess to retrieve the list of Scopes the user has permission to access. The system limits the search to these Scopes, ensuring that unauthorized content is never considered.
User Groups and Permissions
User Groups
User Groups in Unique control access to:
Space Access: User Groups can be added to the “Members” section within Space configurations, giving all group members access to that Space.
Scope Access: Access to specific Scopes can be granted to User Groups, making the contents of those Scopes available to all members of the group during a knowledge search.
User Groups can be synced from Entra ID or created manually in Unique. If syncing via SSO, group memberships are updated upon each user login.
For more information:
Configuring Space Access for User Groups
User Provisioning (Group Sync via SSO)
Manual user group management via API
Scopes (Folders)
Scope Creation
Scopes can be created via the UI or API. Content is ingested into specific Scopes, making it accessible only to users with ScopeAccess. SharePoint integration can automatically create Scopes based on the folder structure in the connected SharePoint site.
ScopeAccess (Folder Access)
Access to Scopes (folders) can be given to individual users or User Groups in Unique via the UI or API. Access to a folder in Unique is flat and does not automatically give access to subfolders. These access permissions are always respected during a knowledge search in any of the Spaces users chat in: the system only searches for relevant content in the Scopes the user has access to.
Access permissions can only be managed for individual Scopes (folders); file-level permissions are not possible with the current implementation.
While User Groups can be synced, Scope permissions must be manually configured within Unique.
For more information:
Access Management for Scopes / Folders (UI)
Spaces and Content Filtering
Spaces are the environments where users interact with the chat. AI Modules within Spaces can filter content based on Scopes, ensuring that only relevant content is processed. These filters work alongside user permissions and can restrict access further but cannot grant additional permissions.
Example:
User 1 belongs to Group Alpha, which grants access to Scope X and Scope Y.
A Directives Chat Space is configured to filter for Scope X and Scope Z.
User 1 will only be able to search in Scope X, as they lack access to Scope Z, despite the Space's configuration.
For more information:
Document Search AI Module configuration - scopeIds filter option
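The filtering rule in this section, as an added example that is not Unique's code or API: a small in-memory model in which a Space filter is intersected with the user's flat ScopeAccess. All class, method and identifier names are assumptions, and the sample data is constructed to mirror the example above.

```python
from dataclasses import dataclass, field

@dataclass
class AccessModel:
    """Hypothetical in-memory model of the rules on this page (not Unique's schema)."""
    group_members: dict = field(default_factory=dict)  # group id -> set of user ids
    scope_access: dict = field(default_factory=dict)   # scope id -> set of principals

    def principals(self, user):
        # A user acts as themselves plus every User Group they belong to.
        groups = {g for g, members in self.group_members.items() if user in members}
        return {user} | groups

    def accessible_scopes(self, user):
        # ScopeAccess is flat: only an exact grant on the Scope counts,
        # a grant on a parent folder does not cover its subfolders.
        who = self.principals(user)
        return {s for s, granted in self.scope_access.items() if granted & who}

    def searchable_scopes(self, user, space_filter=None):
        # A Space filter can only narrow the user's Scopes (set intersection);
        # Scopes named in the filter but not granted to the user are dropped.
        allowed = self.accessible_scopes(user)
        return allowed if space_filter is None else allowed & set(space_filter)

    def scopes_without_access(self):
        # Scopes with no grants at all; assumed here to be the state of a
        # Scope until its permissions are configured manually.
        return {s for s, granted in self.scope_access.items() if not granted}

# Constructed sample data mirroring the example above.
MODEL = AccessModel(
    group_members={"group:alpha": {"user:1"}, "group:beta": {"user:2"}},
    scope_access={
        "scope:X": {"group:alpha"},
        "scope:Y": {"group:alpha"},
        "scope:Z": {"group:beta"},
        "scope:X/reports": set(),  # subfolder Scope with no grants of its own
    },
)

if __name__ == "__main__":
    print(sorted(MODEL.searchable_scopes("user:1", {"scope:X", "scope:Z"})))
    print(sorted(MODEL.scopes_without_access()))
```

Listing Scopes with no grants is a useful review step after a sync creates new Scopes, since access has to be configured manually for each one.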
Integrations and Future Outlook
SharePoint Integration
The SharePoint integration syncs content from selected SharePoint sites into the Unique knowledge base. There are two options for syncing that content, which can be set individually per SharePoint site:
Static Scope - All synced content from a SharePoint site is ingested into the specified Scope in Unique.
Path-based Scopes - The integration will create a separate Scope in Unique for each folder in the SharePoint site. Files in the folders on SharePoint will be ingested into the corresponding Scope in Unique.
Access permissions from SharePoint are not automatically mirrored in Unique. Permissions for Scopes must be configured manually within Unique.
Confluence Integration
The Confluence integration currently ingests all synced content into a single, specified Scope within Unique. As a result, any user with access to that configured Scope will have access to all ingested content from Confluence.
Unique is working on enhancing the Confluence integration to support multi-scope ingestion. This update will work similarly to the Path-based Scopes feature in the SharePoint integration. With this feature, the system will automatically create a separate Scope for every Space in Confluence. This will allow for more granular control of permissions, enabling you to assign access at the Space level.
Planned Delivery: October
It is important to note that the Confluence integration does not automatically mirror any access permissions from Confluence itself. You will need to manually configure the access permissions in Unique for the newly created Scopes that correspond to Confluence Spaces.
For more information:
Confluence OnPrem Connector documentation
SCIM Support (Coming Soon)
To offer additional options and improve the provisioning and management of users and user groups, Unique is working on supporting the SCIM protocol. This will allow for easier management of users and their groups via a set of standardized APIs through which external systems can provision and manage users and groups in the Unique system.
This will be an additional option to the existing user group sync via ID token on SSO login. The benefit of using SCIM compared to the group sync via SSO is that you are no longer reliant on users performing a login to update their information; you can push updates to the Unique solution independently.
For more information:
Future Features
Author: @Sandro Camastral, @Enerel Khuyag
© 2024 Unique AG. All rights reserved.