Authorization & integration modes

10 Sep 2024

Purpose of the article

This article describes the permissions and integration modes between Cooperlink and SharePoint. The following topics are covered:

  • Delegated Authorization vs. Application Authorization

  • System User

  • Segmentation of access rights

Introduction to Integration Modes

From a user's point of view, Cooperlink is an application layered on top of SharePoint: storage is handled by SharePoint, while communication, collaboration and business procedures are managed in Cooperlink. The two are therefore tightly coupled.

When a user uploads, edits or deletes a document in Cooperlink, the same operation must be performed on SharePoint. Conversely, when a document is added, modified or deleted directly in SharePoint, Cooperlink must detect the change.

All automatic operations (e.g. detecting new or changed files) are performed by a "system user". Depending on the integration mode, this system user takes different forms.

When setting up Cooperlink, tell your Customer Success Manager which integration mode you want; they will then explain the steps required on your side.

Delegate Mode 1 - Default

Internal user actions

In this integration mode, internal users authenticate to the SharePoint-Cooperlink connector with their own Office 365 account. Every operation these users perform on SharePoint through Cooperlink is subject to the permissions configured in the Microsoft admin center, which is why the mode is called delegated: Cooperlink acts on the user's behalf. If a user is not allowed to see a folder in SharePoint, they will not see it through Cooperlink either.

Authentication itself is also delegated to Microsoft. This is why the user is redirected to a Microsoft-branded sign-in page, or is signed in automatically when a session already exists on their computer. Cooperlink therefore never stores passwords; it only holds an access token issued by Microsoft, with a limited validity period.

Automatic actions + external user actions

All automatic actions, i.e. actions that cannot be attributed to an internal user of the organization, are entrusted to a system user. Examples include saving a document sent by an architect, or detecting new versions of a document on SharePoint.

These automatic actions are handled by Cooperlink's Sync Manager component, with which the system user is associated. Apart from the super administrator, no user has access to this system user.

Note that Cooperlink allows a separate system user to be associated with each partner organization. Although technically feasible, this is rarely done in practice because it creates additional administrative workload.

Characteristics

This integration mode preserves the security chain end to end: the IT department manages user rights in SharePoint, and those rights are automatically reflected in Cooperlink.

What to expect

For this integration mode, you must provide a system user with a Microsoft license that includes SharePoint (Business Basic is sufficient). Cooperlink supports, and recommends, enabling MFA on the system user.

Delegate Mode 2

This second mode is similar to the first, except that all internal user operations on SharePoint are carried out through the system user rather than through each user's own account. SharePoint therefore only sees the system user's permissions.

Features

This integration mode is typically used in environments where not every user has an individual Microsoft account.

Application mode

In application mode, Cooperlink authenticates to SharePoint as an application (daemon-style, with no signed-in user), using the application permissions granted to its app registration in Azure (Microsoft Entra ID). Access rights are then managed exclusively within Cooperlink. This mode is similar to delegate mode 2, except that it does not require a licensed system user.

Characteristics

This integration mode offers the simplest connection to SharePoint. Users get direct access regardless of whether they have an individual account. However, because the application's permissions are granted tenant-wide, users with configuration rights in Cooperlink can reach the entire SharePoint environment.
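The practical difference between delegate mode and application mode is visible in the access token Cooperlink holds. As an added illustration (not code from Cooperlink or Microsoft), the PowerShell below decodes a token's claims and classifies it: a delegate-mode token carries an `scp` claim listing the scopes exercised on behalf of the signed-in user (plus that user's `upn`/`oid`), while an application-mode token carries `roles` and no user identity. The two sample tokens, and the tenant, app and user IDs in them, are constructed placeholders; the signature is not verified, so treat this as a diagnostic aid, never as an authorization check.

```powershell
# Added example, not part of Cooperlink or Microsoft tooling.
# Inspects Entra ID access tokens offline: delegated vs application, and expiry.
# The sample tokens below are CONSTRUCTED and unsigned; no signature is checked.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    # Decodes only the middle (payload) segment of a compact JWT.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT (expected 3 segments, got $($parts.Count))" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Get-TokenKind {
    # Delegated tokens carry 'scp' (scopes granted on behalf of a user);
    # application (daemon) tokens carry 'roles' and have no 'scp'.
    param([Parameter(Mandatory)]$Claims)
    $names = $Claims.PSObject.Properties.Name
    if ($names -contains 'scp')   { return 'delegated' }
    if ($names -contains 'roles') { return 'application' }
    return 'unknown'
}

function Test-TokenExpired {
    param([Parameter(Mandatory)]$Claims, [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Claims.exp)
    return $exp -le $Now
}

# --- constructed samples; tenant, app and user IDs are hypothetical placeholders ---
$header  = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$fakeSig = 'placeholder-signature'   # not a real signature; never verified here

$delegatedClaims = '{"aud":"https://graph.microsoft.com","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000001/","exp":4102444800,"scp":"Sites.ReadWrite.All User.Read","upn":"alice@contoso.example","oid":"11111111-1111-1111-1111-111111111111","appid":"22222222-2222-2222-2222-222222222222"}'
$appOnlyClaims   = '{"aud":"https://graph.microsoft.com","iss":"https://sts.windows.net/00000000-0000-0000-0000-000000000001/","exp":1700000000,"roles":["Sites.Selected"],"idtyp":"app","oid":"33333333-3333-3333-3333-333333333333","appid":"22222222-2222-2222-2222-222222222222"}'

$tokens = [ordered]@{
    'delegate-mode token (user signed in)' = @($header, (ConvertTo-Base64Url $delegatedClaims), $fakeSig) -join '.'
    'application-mode token (daemon)'      = @($header, (ConvertTo-Base64Url $appOnlyClaims), $fakeSig) -join '.'
}

foreach ($name in $tokens.Keys) {
    $claims = ConvertFrom-JwtPayload $tokens[$name]
    $kind   = Get-TokenKind $claims
    $exp    = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    $actor  = if ($kind -eq 'delegated') { $claims.upn } else { "app $($claims.appid)" }
    '{0}: kind={1}; acting as={2}; expires={3:o}; expired={4}' -f $name, $kind, $actor, $exp, (Test-TokenExpired $claims)
}
```

When reviewing a deployment, the point to check is which of the two shapes reaches SharePoint: in delegate mode 1 the `upn` in the token is the individual user, so SharePoint's own permissions apply; in delegate mode 2 it is the system user; in application mode there is no user at all, and the `roles` claim (for instance `Sites.Selected`) is the only thing limiting what the application can reach.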

Sites.Selected

To mitigate the access issue described above, Microsoft introduced the Sites.Selected permission, which restricts the application to specific sites only. Granting the application access to a site under Sites.Selected cannot be done from the admin portals; it is done via PowerShell (or the Microsoft Graph API). In addition, the grant applies to the whole site: it is not possible to restrict access to individual document libraries, so all libraries in an allowed site remain accessible.
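The following PowerShell is an added example (not a script from Cooperlink or Microsoft) of scoping an application-mode registration to named sites with Sites.Selected, using the PnP.PowerShell module. It assumes that the Cooperlink app registration has already been granted the Microsoft Graph application permission Sites.Selected with admin consent, that PnP.PowerShell is installed, and that the account running it may manage site permissions (e.g. a SharePoint Administrator). The tenant name, app ID and site URLs are hypothetical placeholders.

```powershell
# Added example, not Cooperlink's or Microsoft's own script.
# Scope an app registration holding Sites.Selected to an explicit list of sites.
# Assumes PnP.PowerShell is installed and the app already has Sites.Selected
# (application permission) consented in Entra ID. All IDs/URLs are placeholders.

Import-Module PnP.PowerShell

$tenant  = 'contoso'
$appId   = '22222222-2222-2222-2222-222222222222'   # Cooperlink app registration (placeholder)
$appName = 'Cooperlink'
$allowedSites = @(
    "https://$tenant.sharepoint.com/sites/ProjectA",
    "https://$tenant.sharepoint.com/sites/ProjectB"
)

# One interactive sign-in against the tenant admin site. Recent PnP.PowerShell
# releases require your own PnP app registration: add -ClientId <guid>.
Connect-PnPOnline -Url "https://$tenant-admin.sharepoint.com" -Interactive

foreach ($site in $allowedSites) {
    # Idempotent: skip sites where the app already holds a grant.
    $existing = Get-PnPAzureADAppSitePermission -Site $site -AppIdentity $appId
    if ($existing) {
        Write-Host "Already granted on $site"
        continue
    }
    # Available levels: Read, Write, Manage, FullControl. Use the lowest that works.
    # The grant covers the entire site; every library inside it becomes reachable,
    # there is no per-library scoping at this level.
    Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName $appName -Permissions Write -Site $site
    Write-Host "Granted Write on $site to $appName"
}

# Review what the app can reach: list its grants on each allowed site.
foreach ($site in $allowedSites) {
    Write-Host "--- $site"
    Get-PnPAzureADAppSitePermission -Site $site -AppIdentity $appId | Format-List
}

# When a project or partner ends, revoke by the permission Id shown in the listing:
# Revoke-PnPAzureADAppSitePermission -Site $site -PermissionId '<permission-id>'
```

Any site not in `$allowedSites` stays invisible to the application, which is the protection the paragraph above describes. The caveat also holds: within ProjectA, every document library is exposed to Cooperlink once the site is granted, so library-level segregation still has to be done by splitting data across sites.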
