This article explains the options available to the Administrators within the OneConnect group.
General Group Settings
This section provides an overview of the generic settings available for the OneConnect group.
- Admin Consent: Within the Admin Consent section, Microsoft tenant administrators can grant delegated Enterprise App Permissions to OneConnect. This feature is available only when Office 365 authentication is set on the OneConnect group. Note: If the tenant group was created by a non-Microsoft user, the Grant Admin Consent button will not work as the tenant IDs will not match.
  The permissions being granted are:
  - Microsoft Graph - User.Read
  - Microsoft Graph - User.Read.All
- Tenant Information: Displays the name and ID of the associated OneConnect group's tenant. These values cannot be changed.
- Group Settings: The settings listed here pertain to the specific OneConnect group logged into.
  - Name: Identifies the OneConnect group within the dropdown menu.
  - ID: Represents the unique identifier for the OneConnect group.
  - Authentication Type: Determines the method by which additional users are added to the OneConnect group, influencing the availability of buttons on the Users page and the Admin Consent section above. Note: The Authentication Type setting is overridden when the users are added via the OnePlan Configuration ID option.
    - Office 365 Strict: Limits user additions to those associated with the Microsoft tenant organization, requiring Admin Consent for functionality.
    - Multi-Authentication: Enables the addition of users outside the client's Microsoft tenant organization.
  - Allowed Authentication: Provides options for adding users to the OneConnect group, available only when the Authentication Type is set to multi-authentication:
    - Office365: Limits user addition to those associated with the Microsoft tenant organization, requiring Admin Consent for functionality.
    - Forms: Facilitates the query and addition of users associated with the connected OnePlan group. Note: Forms users who are not associated to a connected OnePlan group cannot be added to a OneConnect group.
  - OnePlan Configuration ID: Allows administrators to link a single OnePlan group with a OneConnect group, streamlining user access management. Users who are not added to the OnePlan group will have their access revoked from the connected OneConnect group the next time they log in to OneConnect. For more information on how the OnePlan Configuration ID affects users, please scroll down to the User Management section.
  - Time Zone: Determines the display format of date and time values for users, without affecting processing within integrations.
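A tenant administrator can confirm that the delegated grants recorded for OneConnect match the two permissions listed under Admin Consent. The sketch below is an added example, not OnePlan or Microsoft code: it assumes a saved listing in the shape of Microsoft Graph's oauth2PermissionGrant resource (`clientId`, `consentType`, `scope`), and every object ID in the sample is a constructed placeholder.

```python
import json

# Delegated scopes this page says are granted through Admin Consent.
DOCUMENTED_SCOPES = {"User.Read", "User.Read.All"}

# Constructed sample shaped like a Graph oauth2PermissionGrant listing.
# All ids are placeholders, not real object ids.
SAMPLE_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "SP-ONECONNECT-PLACEHOLDER",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "SP-MSGRAPH-PLACEHOLDER", "scope": "User.Read User.Read.All"},
  {"id": "grant-2", "clientId": "SP-ONECONNECT-PLACEHOLDER",
   "consentType": "Principal", "principalId": "USER-PLACEHOLDER",
   "resourceId": "SP-MSGRAPH-PLACEHOLDER", "scope": " User.Read  Mail.Read "},
  {"id": "grant-3", "clientId": "SP-OTHER-APP-PLACEHOLDER",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "SP-MSGRAPH-PLACEHOLDER", "scope": "Directory.Read.All"}
]}
""")


def audit_grants(listing, client_id, expected=DOCUMENTED_SCOPES):
    """Return findings for one enterprise app's delegated grants.

    Each finding is (grant_id, kind, scopes). "unexpected" marks scopes
    beyond the documented set; "missing_admin_consent" marks documented
    scopes that no tenant-wide (AllPrincipals) grant covers.
    """
    findings = []
    tenant_wide = set()
    for grant in listing.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise app
        # Scopes arrive as one space-separated string; split() also
        # tolerates leading or doubled spaces.
        scopes = set((grant.get("scope") or "").split())
        extra = scopes - expected
        if extra:
            findings.append((grant["id"], "unexpected", sorted(extra)))
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes
    missing = expected - tenant_wide
    if missing:
        findings.append((None, "missing_admin_consent", sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, "SP-ONECONNECT-PLACEHOLDER"):
        print(finding)
```
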
A user can be added to OneConnect in several ways. If the user already has access to the tenant organization (by logging in with their Microsoft credentials), the user can create their own OneConnect group, request access to an existing OneConnect group in that tenant, or be added to an existing OneConnect group via the Users page.
The ability to add users to a OneConnect group is directly affected by how the OneConnect tenant was created (either by a Microsoft or a Forms user), the Authentication Type and allowed method, and whether the group is connected to a OnePlan group.
Access Requests
Access requests can only be initiated by users within their home tenant. Upon submission, all administrators within the tenant receive an email notification. They can review pending requests via the Users page and can approve or deny access to that OneConnect group.
Add Entra User
Adding an Entra user can only be completed if the Grant Admin Consent button within the general group Settings page has been approved by the Microsoft tenant administrator. Only users within the Microsoft tenant can be queried and added using this button.
Add OnePlan User
Adding a OnePlan user can only be done if the OnePlan group is connected to the OneConnect group. At this time, users outside of the OnePlan group or the Microsoft tenant organization cannot be added to the OneConnect group.
User Roles
User roles in OneConnect include Administrator, Editor, and Reader. These roles are managed differently depending on the connection status with a OnePlan group. When connected, permissions are synchronized with OnePlan; otherwise, the Administrator can adjust roles individually.
How OnePlan Controls User Roles and Access
If a user is associated with an enterprise security group that has the global permissions of Administrator (most commonly seen in Owners of OnePlan), the user will then be automatically granted Administrator access to the OneConnect group if the user is in the connected OnePlan group when logging into OneConnect.
If the user does not have Owner permissions, the user will be given Reader permissions when logged into OneConnect. An Administrator in OneConnect can change that user's permissions to Editor should that be more appropriate.
If a user is not given any permissions in OnePlan, is inactive in OnePlan, or is not associated with the OnePlan group when connected to the OneConnect group, the user will not be given access to the OneConnect group regardless of that user's permissions prior to connecting to OnePlan.
Deleting a User
Removing a user from a OneConnect group revokes their access upon their next login.
The only exception to this is if the OneConnect group is connected to a OnePlan group, and the user is an Owner in the OnePlan group.
Clients can configure automated email alerts for specific strategy statuses, which include Success, Success with Exceptions, and Failure. Toggling the desired status activates the alert, with email recipients listed in the designated field.
Relays
Relays facilitate secure exposure of internal services to the OneConnect platform. For more information, please visit the What is a Relay and Relay Installation pages to decide if a relay is necessary for your on-premises integration needs.