How to make collaboration at scale simple and secure in Workato
Automation is a team sport, where simple and secure collaboration is the key to success. The latest updates to Teams and Roles give you more control over how collaborators work together and increase visibility into their activity. Watch the demo above to learn more.
What does Collaboration mean?
It is no secret that collaboration makes us more productive and successful. By combining ideas, skills and efforts of our teams we can pull off complex projects. We can also be more efficient, create better quality work and innovate faster.
But it takes more than gathering the right people with the right skills to drive collaboration at scale. Like any team sport, it requires:
- a clear definition of roles and responsibilities
- standardization of operating practices
- empowering them with the right tools
- a coach to keep things in order.
Best Practices For Effective Collaboration
Here is a set of best practices that your team can adopt early on, and habits that you can develop as the size of your team and projects grows.
Start with separation of working spaces
A team is a group of individuals working towards a common goal, each with a set of unique skills and a role to play. Start by giving each team a dedicated space to create, collaborate and manage their work.
Folders, in Workato, provide an easy way to create separate working spaces for a group of collaborators.
A common way to organize folders is to assign top level folders to each business function or functional area e.g. sales, marketing, HR etc.
Next, create sub-folders for each project in the functional area.
Additionally, your team can use folders to organize their resources, i.e. recipes, callable recipes and app connections relevant to their projects. Include app connections and callable recipes that are expected to be shared across projects or functional areas in the top level folders.
For other resources that are only relevant for a project or contain sensitive data, we recommend putting them in separate folders.
Next, control separation of users and access
User, role, and access management are three different types of permissions available in Workato to define what resources each user can access, view, and change.
As the number of collaborators working in your Workspace increases, flexible and customizable permissions allow you to create the right balance of collaboration and control to keep your business data secure.
For example, if you’re working on a project for automation of the employee onboarding process that deals with highly sensitive data such as SSN, you can use a combination of permissions to limit access to data for only a select set of users in the Workspace.
Examples of user and role management
User management allows you to add and remove collaborators from a Workspace. You can also set policies for how each user will authenticate to join the Workspace.
For example, you can add john.doe@workato.com as a collaborator in your Workspace who authenticates with SAML based SSO.
Role management allows you to create custom roles with precise permissions. We recommend that you follow the principle of least privilege when configuring permissions for these custom roles.
For example, you can create a custom role “Workato Chef” for collaborators that will create, test, and run recipes. Roles also provide the convenience of adding and revoking permissions at the role level; the updates then apply to all users who inherit the role.
Access management allows you to fully control what folders each user can access. Since folders contain recipes, connections, callable recipes and other resources, it is important to protect them from unauthorized access.
For example, you can create a custom role “Finance_Reviewer” that has the same permissions as a reviewer but only has access to the Finance folder.
Also read: How to use Role-Based Access Control for collaboration governance in Workato
Create frictionless experiences for collaborators
Now you have set up separate working spaces and policies for user access. However, that is only half the job done. The lack of a streamlined process for new team members to get up and running fast with the right privileges can quickly add friction and frustration.
Your IT admins can use SAML based SSO and Just-in-Time provisioning to create Workato accounts for new collaborators the same way they do for other apps. This eliminates the manual effort of managing usernames and passwords and of selecting, one by one, the permissions to be granted to each collaborator.
- First, the IT team sets up a profile/group in the third-party identity provider (e.g. Okta, OneLogin) that is configured to use the custom role value, e.g. mktg_ops, for workato_role as one of the SAML attributes.
- When a user logs into Workato using SAML based SSO for the first time, the identity provider (e.g. Okta, OneLogin) passes the custom role value, e.g. mktg_ops, in the workato_role SAML attribute.
- The user’s Workato account is then automatically provisioned with the custom role, i.e. mktg_ops.
The combination of Just-in-Time provisioning and SSO reduces administrative costs by eliminating manual work. You can improve security by ensuring all access is managed using SSO. This also improves the employee experience by giving faster access to Workato accounts.
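A pre-rollout check an IdP admin could run on a decoded test assertion, to confirm the group profile really emits one approved `workato_role` value. This is an added example, not Workato or identity-provider code; the approved role list and the sample assertion are constructed, and only the `workato_role` attribute name comes from this page.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: custom roles that already exist in the Workspace (names from this page).
APPROVED_ROLES = {"mktg_ops", "Finance_Reviewer", "Workato Chef"}

# Constructed sample: a decoded test assertion captured by the admin.
# Only parse assertions you produced yourself; this check does not verify signatures.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="workato_role">
      <saml:AttributeValue>mktg_ops</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_role_attribute(assertion_xml, approved=APPROVED_ROLES):
    """Return (ok, message) for the workato_role attribute in a test assertion."""
    root = ET.fromstring(assertion_xml)
    values = [
        (value.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute", SAML_NS)
        if attr.get("Name") == "workato_role"
        for value in attr.iterfind("saml:AttributeValue", SAML_NS)
    ]
    if not values:
        return False, "workato_role attribute missing"
    if len(values) > 1:
        # A user mapped to several IdP groups can end up with several values.
        return False, f"expected one role, got {values}"
    if values[0] not in approved:
        return False, f"role {values[0]!r} is not an approved custom role"
    return True, f"role {values[0]!r} ok"


if __name__ == "__main__":
    print(check_role_attribute(SAMPLE_ASSERTION))
```
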
Standardize and centralize access provisioning
As teams and projects grow in size and complexity, access control becomes a special concern. You can use a combination of the tools, APIs and automations available in Workato to efficiently manage access rights as collaborators join, move within or leave the organization.
Here are a few ways to stay in control and support growing teams:
- Centralize access provisioning: Multiple people creating roles, inviting collaborators and creating folders can quickly lead to inconsistency and chaos, and create security risks for your company.
It is good practice to set up centralized access provisioning with appropriate reviews and approvals of non-standard requests.
You can create an automation where provisioning requests for a new project with folders and collaborators are created in Slack. Admins can monitor a Slack channel for such requests, review, and provision directly from Slack.
You can use the Workato platform APIs and Workbot recipes to create this provisioning experience in Slack.
- Standardize roles with access policies: Managing user access rights on a granular level is highly inefficient. It can often result in giving too much, too little, or incorrect privileges to users. Instead, focus on creating well-defined roles with access policies for collaborators, based on what they contribute to a project and what resources they need access to in order to get their job done.
For example a project administrator role will need permissions to create folders and add/revoke permissions. There may be a need to also coordinate release cycles regardless of what project teams they are a part of.
First you must create a set of standard roles like “Project Admin”, “Workato Chef”, “Ops Lead”. Then you can easily clone these roles and apply folder level restrictions to limit their access to certain working spaces.
For example, “Finance Project Admin” has the same permissions as the generic “Project Admin” role. However, the Finance Project Admin role only has access to folders for the finance team’s projects.
Also read: Automate provisioning and policy management with Google Workspace connector
Stay compliant with regular audits
Good governance is about making sure the right people have the right access to the right applications, resources, and data. This allows them to do their jobs successfully. It also means detecting violations to prevent unauthorized activity, and monitoring and auditing access to ensure policies are enforced consistently.
Best Practices:
Actively monitor user access changes: It is common for employees, contractors and partners working on projects to move from one project to another or leave your organization.
Make it a habit to regularly check the list of collaborators in your Workspace. We advise using the tools available to check that they have been assigned the correct roles and have access to the right set of folders. Make sure that they also authenticate according to your latest security policies, e.g. SSO, 2FA.
If you need to dive deeper into the activity of a particular collaborator, the activity audit tab provides full visibility into all events for the user. You can also run daily, weekly or monthly reports to review access privileges and ensure revocations occur in a timely manner.
Set automatic alerts for violations: Additionally, you can consider setting up alerts for new members joining your Workspace and for unauthorized changes to connections and other resources, using automations with audit log streaming and the RecipeOps connector.
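A periodic access review of the kind described above can be scripted against a collaborator export. This is an added example, not Workato code: the CSV layout, the role-to-folder policy and the sample rows are constructed for illustration, using role and folder names from this page.

```python
import csv
import io

# Assumption: the standard roles and the folders each one is restricted to.
ROLE_FOLDERS = {
    "Finance Project Admin": {"Finance"},
    "Finance_Reviewer": {"Finance"},
    "Workato Chef": {"Sales", "Marketing"},
}

# Constructed sample export (hypothetical format): one row per collaborator,
# folders separated by ';', auth is the login method on record.
EXPORT = """email,role,folders,auth
ana@example.com,Finance_Reviewer,Finance,sso
bo@example.com,Finance_Reviewer,Finance;HR,sso
cy@example.com,Owner Clone,Sales,sso
di@example.com,Workato Chef,Sales,password
"""


def review_access(export_text, policy=ROLE_FOLDERS):
    """Return (email, finding) pairs for collaborators that violate the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text.strip())):
        email, role = row["email"], row["role"]
        folders = {f for f in row["folders"].split(";") if f}
        if role not in policy:
            # Role created outside the standard set: needs review and approval.
            findings.append((email, f"non-standard role: {role}"))
        else:
            extra = sorted(folders - policy[role])
            if extra:
                findings.append(
                    (email, "folders outside role policy: " + ", ".join(extra))
                )
        if row["auth"].lower() != "sso":
            findings.append((email, f"not authenticating via SSO: {row['auth']}"))
    return findings


if __name__ == "__main__":
    for email, finding in review_access(EXPORT):
        print(f"{email}: {finding}")
```
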
The do’s and the don’ts of effective governance
These are some of the considerations and best practices that you can apply to take control of governance. Below is a quick checklist for what we discussed above.
For more best practices, check out this page here.
If you have any suggestions and learnings to share on how best to scale collaboration in a simple and secure way, please drop us a note at product@workato.com.