Best Practices

How to make collaboration at scale simple and secure

It is no secret that collaboration makes us more productive and successful. By combining ideas, skills and efforts of our teams we can pull off a complex project, be more efficient, create better quality work and innovate faster. 

But it takes more than gathering the right people with the right skills to drive collaboration at scale. Like any team sport, it requires a clear definition of roles and responsibilities, standardized operating practices, the right tools for the team, and a coach to keep things in order.

Here is a set of best practices that your team can adopt early on, and habits that you can develop as the size of your team and projects grows.

Start with separation of working spaces  

A team is a group of individuals working towards a common goal, each with a set of unique skills and a role to play. We must start by giving each team a dedicated space to create, collaborate and manage their work.

Separation of working spaces using folders


Folders in Workato provide an easy way to create separate working spaces for a group of collaborators. A common way to organize folders is to assign a top-level folder to each business function or functional area (e.g. sales, marketing, HR) and create sub-folders for each project in that functional area.

Including project specific connections


Additionally, your team can use folders to organize the resources relevant to their projects, i.e. recipes, callable recipes and app connections. Put app connections and callable recipes that are expected to be shared across projects or functional areas in the top-level folders. For other resources that are only relevant to one project or contain sensitive data, it is recommended to put them in separate folders.

Next control separation of users and access

 

Managing user access with roles


User, role, and access management are three different types of permissions available in Workato to define what resources each user can access, view, and change.

As the number of collaborators working in your Workspace increases, flexible and customizable permissions allow you to create the right balance of collaboration and control to keep your business data secure. 

For example, if you’re working on a project for automation of the employee onboarding process that deals with highly sensitive data such as SSN, you can use a combination of permissions to limit access to data for only a select set of users in the Workspace.

Manage user access when adding collaborators


  • User management allows you to add and remove collaborators from a Workspace. You can also set policies for how each user will authenticate to join the Workspace. For example, you can add john.doe@workato.com as a collaborator in your Workspace who authenticates with SAML based SSO.

Fine grained role based access control

  • Role management allows you to create custom roles with precise permissions. We recommend that you follow the principle of least privilege when configuring permissions for these custom roles. For example, you can create a custom role “Workato Chef” for collaborators who will create, test and run recipes. Roles also provide the convenience of adding and revoking permissions at the role level, and applying the updates to all users who inherit the role.

View all user access in a single glance

  • Access management allows you to fully control what folders each user can access. Since folders contain recipes, connections, callable recipes and other resources, it is important to protect them from unauthorized access. For example, you can create a custom role “Finance_Reviewer” that has the same permissions as a reviewer but only has access to the Finance folder.

Create frictionless experiences for collaborators

Frictionless provisioning


Now you have set up separate working spaces and policies for user access. That is only half the job done. Without a streamlined process for new team members to get up and running fast with the right privileges, friction and frustration build up quickly.

Your IT admins can use SAML based SSO and Just-in-Time provisioning to create Workato accounts for new collaborators the same way they do for other apps. This eliminates the manual effort of managing usernames and passwords and of selecting, one by one, the permissions to grant each collaborator.

  • First, the IT team sets up a profile/group in the third-party identity provider (e.g. Okta, OneLogin) that is configured to use the custom role value, e.g. mktg_ops, for workato_role as one of the SAML attributes.
  • When a user logs into Workato using SAML based SSO for the first time, the identity provider (i.e. Okta, OneLogin) passes the custom role value, e.g. mktg_ops, for the workato_role SAML attribute.
  • The user’s Workato account is then automatically provisioned with the custom role, i.e. mktg_ops.
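
The sketch below is an added example, not Workato's implementation: it shows what the workato_role attribute looks like inside a SAML assertion and the allow-list check a receiving side could apply before provisioning. The assertion is constructed sample data, and the function name and allow-list are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed policy: only custom roles an admin has defined may be provisioned.
ALLOWED_ROLES = {"mktg_ops", "Finance_Reviewer", "Workato Chef"}

# Constructed sample of the attribute statement an IdP group profile would send.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>john.doe@workato.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="workato_role">
      <saml:AttributeValue>mktg_ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def role_from_assertion(assertion_xml, allowed=ALLOWED_ROLES):
    """Return (user, role) or raise ValueError.

    Assumes the assertion's signature and conditions were already verified
    by a SAML library; this only validates the role attribute.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    values = [
        (v.text or "").strip()
        for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == "workato_role"
        for v in a.iterfind("saml:AttributeValue", NS)
    ]
    # Zero or several values is ambiguous: refuse rather than pick one.
    if len(values) != 1:
        raise ValueError(f"expected exactly one workato_role, got {len(values)}")
    if values[0] not in allowed:
        raise ValueError(f"role {values[0]!r} is not a defined custom role")
    return name_id.text.strip(), values[0]


if __name__ == "__main__":
    print(role_from_assertion(SAMPLE_ASSERTION))
```

Rejecting a missing, repeated or unknown role value keeps a misconfigured IdP group from silently provisioning an account with broader access than intended.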

Combining Just-in-Time provisioning with SSO reduces administrative costs by eliminating manual work, improves security by ensuring all access is managed using SSO, and improves the employee experience with faster access to Workato accounts.

Standardize and centralize access provisioning

As teams and projects grow in size and complexity, access control is a special concern. You can use a combination of tools, APIs and automations available in Workato to efficiently manage access rights as collaborators join, move or leave the organization.

Here are a few ways to stay in control and support growing teams:

  • Centralize access provisioning: Multiple people creating roles, inviting collaborators and creating folders can quickly lead to inconsistency and chaos, and create security risks for your company.

Centralized provisioning using automations

It is good practice to set up centralized access provisioning with appropriate reviews and approvals of non-standard requests. For example, you can create an automation where provisioning requests for a new project with folders and collaborators are created in Slack. Admins can monitor a Slack channel for such requests, review and provision directly from Slack. You can use the Workato platform APIs and Workbot recipes to create this provisioning experience in Slack.

  • Standardize roles with access policies: Managing user access rights on a granular level is highly inefficient. It can often result in giving too much, too little, or incorrect privileges to users. Instead, focus on creating well defined roles with access policies for collaborators, based on what they contribute to a project and what resources they need access to in order to get their job done.

For example, a project administrator role will need permissions to create folders, add/revoke permissions and coordinate release cycles, regardless of what project teams they are a part of.

Easily clone existing roles


First you must create a set of standard roles like “Project Admin”, “Workato Chef”, “Ops Lead”. Then you can easily clone these roles and apply folder level restrictions to limit their access to certain working spaces. For example, “Finance Project Admin” has the same permissions as the generic “Project Admin” role but only has access to folders for the finance team’s projects.

Stay compliant with regular audits

Good governance is about making sure the right people have the right access to the right applications, resources, and data to do their jobs successfully. It also means detecting violations to prevent unauthorized activity, and monitoring and auditing access to ensure policies are enforced consistently.

  • Actively monitor user access changes: It is common for employees, contractors and partners working on projects to move from one project to another or leave your organization.

Monitor access and activity

Make it a habit to regularly check on the list of collaborators in your Workspace. Use the tools available to check they have been assigned the correct roles, have access to the right set of folders, and are authenticated based on your latest security policies e.g. SSO, 2FA.

Full visibility into user activity


In case you need to dive deeper into the activity of a particular collaborator, the activity audit tab provides full visibility into all events for the user. You can also run daily, weekly or monthly reports to review access privileges and ensure revocations occur in a timely manner.
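
As an added example (not a Workato tool or export format), the periodic review described above can be scripted against a collaborator list: it checks each user's role, folder access and authentication method against a written policy. The column names, the saml_sso label and the role-to-folder policy are assumptions, and the rows are constructed.

```python
import csv
import io

# Assumed policy: role -> folders that role may reach (role names from the article).
ROLE_FOLDERS = {
    "Finance Project Admin": {"Finance"},
    "Finance_Reviewer": {"Finance"},
    "Workato Chef": {"Sales", "Marketing"},
}
REQUIRED_AUTH = {"saml_sso"}  # assumed label for SAML based SSO

# Constructed export; the columns are hypothetical.
SAMPLE_EXPORT = """\
email,role,auth_method,two_factor,folders
ana@example.com,Finance_Reviewer,saml_sso,yes,Finance
bo@example.com,Finance Project Admin,password,no,Finance
cy@example.com,Workato Chef,saml_sso,yes,Sales;Finance
di@example.com,Temp Contractor,saml_sso,yes,HR
"""


def review_access(export_text):
    """Return {email: [findings]} for collaborators that violate the policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        allowed = ROLE_FOLDERS.get(row["role"])
        folders = {f for f in row["folders"].split(";") if f}
        if allowed is None:
            # A role nobody standardized cannot be checked against a policy.
            issues.append(f"non-standard role: {row['role']}")
        elif folders - allowed:
            extra = ", ".join(sorted(folders - allowed))
            issues.append(f"folders outside role: {extra}")
        if row["auth_method"] not in REQUIRED_AUTH:
            issues.append(f"not on SSO: {row['auth_method']}")
        if row["two_factor"].lower() != "yes":
            issues.append("2FA disabled")
        if issues:
            findings[row["email"]] = issues
    return findings


if __name__ == "__main__":
    for email, issues in review_access(SAMPLE_EXPORT).items():
        print(email, "->", "; ".join(issues))
```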

  • Set automatic alerts for violations

Send alerts for unauthorized changes to app connection

Additionally, you can consider setting up alerts for new members joining your Workspace and for unauthorized changes to connections and other resources, using automations with audit log streaming and the RecipeOps connector.

The do’s and the don’ts

These are some of the considerations and best practices that you can apply to take control of governance. Below is a quick checklist for what we discussed above.

Summary of recommendations


If you have any suggestions and learnings to share on how best to scale collaboration in a simple and secure way, please drop us a note at product@workato.com.