Technical Reference

Further more specific reference information is available for the following modules:

Security

Note

The default security roles cannot be modified. Note that if you replace the default security roles with your own custom security roles in a Sensei IQ deployment, the Sensei IQ landing page will need to be customized in the "Landing Page" configuration setting to include the custom roles on each tile, link or button. The left side menus will still work as intended.

Security Overview

The Security framework for the Sensei IQ Solution is modelled on the permission model employed by Project for the web and leverages the capabilities of Dynamics 365 Roles.

In order to accommodate both everyday use of IQ and complex security requirements that customers may have, Sensei provide security capabilities through a Basic Security Model as well as a Modular Security Model. The Roles provided in each model can be mixed and matched to suit requirements. In addition, custom roles can be created if required.

There are five Roles which are shipped as part of the Basic Security Model - each of which provides a layered approach to user access to the system.

Additional Roles are included with the Modular Security Model. These Roles provide access to specific functionality within IQ.

Sensei IQ leverages the use of Teams in Dynamics 365 to provide group level Ownership to Dataverse entities. Sensei IQ replicates the ownership behaviour of the records in Dataverse that relate to Projects in IQ. For example, if a Project is owned by a Team, that Team will also be attributed Ownership for any Risks, Issues, etc that relate to that project. This provides access to all records relating to the project to the entire project Team. This same behaviour is extended to Portfolios and Programs in IQ.

The following Legend identifies the access level represented by each tick.

Note

Strategy IQ Functionality is only made available when a Strategy IQ license has been activated.

Basic Security Model

In the Basic Security Model each role builds upon the permission set of the underlying role. If using just the Basic Security model, users need only be a member of one Sensei IQ Role.

The Basic Security Model can be depicted as per the following diagram:

Sensei IQ Project User
The Sensei IQ Project User role is the base level role for a user of Sensei IQ for Project. Users in this role have the required permissions to create, update and delete Table records that relate to Projects that they have created or have been provided access to via a Project Group/Team.

Users who are in this role have access to the Sensei IQ app and can navigate the Project IQ and Work IQ areas within the app.

Sensei IQ Project Executive
This role is intended for Users who require access to all projects in Sensei IQ, but who do not require the Portfolio IQ functionality. Users in this role have the required permissions to create, update and delete Table records that relate to any/all Projects in the user's Business Unit.

Users who are in this role have access to the Sensei IQ app and can navigate the Project IQ and Work IQ areas within the app.

Sensei IQ Portfolio User
This role is intended for Users who require access to Portfolio IQ functionality in the Sensei IQ app. This role provides users with access to create and manage Portfolios and Programs and with Read/Write visibility of all Projects and Registers in the user's Business Unit.

Users who are in this role have access to the Sensei IQ app and can navigate the Portfolio IQ, Project IQ and Work IQ areas within the app.

Sensei IQ Strategy User
This role is intended for Users who require access to Strategy IQ functionality in the Sensei IQ app. This role provides users with access to create and manage Strategic Themes, Strategic Goals and Benefits within the Organization, and with visibility of all Portfolios, Programs, Projects and Registers within the user's Business Unit.

Users who are in this role have access to the Sensei IQ app and can navigate the Strategy IQ, Portfolio IQ, Project IQ and Work IQ areas within the app.

Sensei IQ Admin User
This role provides Administrator level access to all custom Tables relating to Sensei IQ including the ability to create, update and delete any Table records relating to the Solution. Admin access is provided across data for the entire Organization (e.g. all Business Units). Admin Users are provided with access to all areas in the Sensei IQ app including Settings.

Modular Security Model

The Modular Security Model provides capability for more fine grained controls of which users have access to what functionality within Sensei IQ. Depending on their requirements, a user may be granted more than one of the modular security roles. (The modular security roles could also be used in conjunction with the basic security roles to fulfil specific requirements).

Many roles within the Modular Security Model allow access to be determined by the owning Business Unit of records - giving flexibility for separation of access to data. If no separation of data is required, an organization could choose to use only the root organization Business Unit in Dynamics.

Note

Modular Security roles are not specifically designed to be functionally complete in isolation - usually they are applied as a combination with existing security roles.

Sensei IQ - Program Manager Users in the Sensei IQ - Program Manager role will be granted:

Read access to all Projects within the user's Business Unit.
Read/Write access to all Programs or Projects where they are the sole owner of that record, or where they are part of the Program or Project Group/Team.
Read access to all Proposals, Challenges and Ideas within the Business Unit.
Note:
A Program Manager will only have visibility of Programs within their own Business Unit if they are either the sole owner of that record or where they are a member of the Program Team/Group.
A Program Manager will not have visibility of Programs or Projects from other Business Units (unless they have specifically been granted access via the associated Program or Project Group/Team).

Sensei IQ - Portfolio Manager Users in the Sensei IQ - Portfolio Manager role will be granted:

Read access to all Projects within the user's Business Unit.
Read access to all Programs within the Business Unit.
Read access to all Proposals, Challenges and Ideas within the Business Unit.
Read/Write access to all Portfolios, Programs or Projects where they are the sole owner of that record, or where they are part of the Portfolio, Program or Project Group/Team.

Note:

A Portfolio Manager will only have visibility of Portfolios within their own Business Unit if they are the sole owner of that record or where they are a member of the Portfolio Team/Group.
A Portfolio Manager will not have visibility of Portfolios, Programs or Projects from other Business Units (unless they have specifically been granted access via the associated Portfolio, Program or Project Group/Team).

Sensei IQ - Proposal Manager Users in the Sensei IQ - Proposal Manager role will be granted:

Read/Write access to all Proposals within the user's Business Unit.

Note:

Proposal Users will not be able to see Proposals that have been created in a different Business Unit unless those items have been specifically shared with them.
Proposal Users will not be able to see Projects that have been created from a Proposal unless they have been specifically granted access to that Project through the Project Group/Team.

Sensei IQ - Idea User Users in the Sensei IQ - Idea User role will be granted:

Read access to all Challenges within the user's Business Unit.
Read/Write access to all Ideas within the user's Business Unit.

Note:

Idea Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.

Sensei IQ - Challenge User Users in the Sensei IQ - Challenge User role will be granted:

Read/Write access to all Challenges within the user's Business Unit.
Read/Write access to all Ideas within the user's Business Unit.
Read access to all Strategic Themes in the Organization (in order to associate a Challenge to a Strategic Theme)

Note:

Challenge Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.

Sensei IQ - Strategy Executive Users in the Strategy Executive role will be granted:

Read access to all Projects in the entire Organization.
Read access to all Programs in the entire Organization.
Read access to all Portfolios in the entire Organization.
Read access to all Proposals in the entire Organization.
Read access to all Challenges in the entire Organization.
Read access to all Ideas in the entire Organization.
Read/Write access to all Strategic Themes in the entire Organization.
Read/Write access to all Strategic Goals in the entire Organization.
Read/Write access to all Benefits in the entire Organization.

Note:

Strategy Executive users have visibility of records across the entire Organization, and access to all Areas in the IQ app with the exception of Settings.

Sensei IQ - PMO User Users in the PMO User role will be granted:

Read/Write access to all Projects in the entire Organization.
Read/Write access to all Programs in the entire Organization.
Read/Write access to all Portfolios in the entire Organization.
Read/Write access to all Proposals in the entire Organization.
Read/Write access to all Challenges in the entire Organization.
Read/Write access to all Ideas in the entire Organization.
Read/Write access to all Strategic Themes in the entire Organization.
Read/Write access to all Strategic Goals in the entire Organization.
Read/Write access to all Benefits in the entire Organization.
Read/Write access to all Resources in the entire Organization.
Read/Write access to all Enterprise Calendars in the entire Organization.

Note:

PMO Users have Read/Write access to all IQ related records across the entire Organization, and access to all Areas in the IQ app with the exception of Settings.

Sensei IQ - Resource Manager Users in the Resource Manager role will be granted:

Read/Write access to all Resources in the entire Organization.
Read/Write access to all Enterprise Calendars in the entire Organization.
Read/Write access to Resource Demand.
Read/Write access to Timesheet Approvals.
Read access to all Projects and Proposals in the entire Organization.

Note:

Resource Managers have Read/Write access to all IQ related records in the Resource IQ area of the IQ app.

Sensei IQ - Timesheet Manager Users in the Timesheet Manager role will be granted:

Read/Write access to Timesheet Approvals.

Special Cases

Assigned To
In the instance where a user who has a Table record (e.g. a Risk or Action Item) assigned to them (by them being selected in the Assigned To Column) and where that user is not part of the project Team, that individual record will be shared with that User - providing them visibility of the Table record. Note that because only the individual item is shared with the User, that user will not have access to other artefacts associated with the Project (including the Project itself).

Sensei IQ - Resource Organizational Access In Sensei IQ, the default access level for Security Roles to the Bookable Resource Table is 'Business Unit' level access. This means that for example, a Sensei IQ Project User will have visibility of only those Bookable Resources in their own Business Unit. If the preferred behaviour is that a Sensei IQ Project User should have visibility of all Bookable Resources across the entire Organization, then the 'Sensei IQ - Resource Organizational Access' security role should be given to users in addition to whichever other IQ Roles they require. (Note: if all users are in the root org business unit, then this security role need not be applied as it would provide no change in functionality).

Permissions Chart

View the Permissions Chart as an Excel document

Business Unit Model

In instances where a customer requires complete separation of data, Business Units can be created in Dynamics

Note

For Dynamics there is always an Org Business Unit which sits at the top of the Business Unit tree. (In an out of the box Dynamics environment, all users are part of that root Org Business Unit).

Each User will need to be assigned to their appropriate Business Unit in Dynamics. As shown in the example below by the colored icons next to each Business Unit.

Note

A User can only directly be associated to a single Business Unit.

Based on each Users assigned role different Read/Write access to Portfolios, Programs and Projects within ones Business Unit will be given. Read/Write access if not part of the base role can either be gained through ownership or membership to a Microsoft 365 (M365) Group associated with a Portfolio, Program or Project.

Note

Membership of an M365 Groups would allow for a User in one Business Unit to have access to say a Program in another Business Unit (because they have been explicitly added to that M365 Group).

Example

The chart above indicates an organization where there are two Business Units both of which have been configured as children of the root org Business Unit. There are Users (depicted with the coloured icons) which are each associated with a Business Unit and assigned the “Sensei IQ - Portfolio Manager”.

The “Sensei IQ - Portfolio Manager” role from Modular Security Model above has:

Read access to all Programs and Projects that are in the User’s Business Unit (Only)
Read/Write access to any Portfolio, Program or Project where they are either the Owner, or where they are a member of the M365 Group that is the Owner of that record.

In the example the Blue, Green and Purple are assigned to the IT Business Unit and Red, Yellow are assigned to the HR Business Unit as indicated by the colored person icon on the associated Business Unit. These Users have Read access to all Portfolios, Programs and Projects within their Business Unit as indicated at top by the vertical box surrounding the Business Unit in its associated color.

Read/Write access is indicated by colored person icon next to a Portfolio, Program or Project and is granted via Ownership within ones Business Unit or by explicit membership to the associated M365 Group.

Note

Once a User has been granted membership in a M365 Group that is an owner of a Portfolio, Program or Project they will have read/write access to that Table record plus the artefacts (e.g. Risks) that are directly associated with that Table record.

In our example the table below the chart indicates the explicit assignment to M365 Groups per User. For each of these Users we will look at their permissions

IT Business Unit

Blue User (Base Case) is assigned to no M365 Groups as shown in the table. As a result this User has Read Only access to Programs and Projects within the IT Business Unit because Blue user is assigned to the IT Business Unit in the chart above.
- Read access to all “IT Business Unit” Programs and Projects as assigned to the IT Business Unit
Green User (Standard Case) is assigned explicitly to two M365 Groups (IT Portfolio 2 and IT Program 3) as a result this User has Read/Write access as indicated in the chart with a Green User against both groups. It has Read Only access to all other Programs and Projects within the IT Business Unit as Green is also assigned to the IT Business Unit.
- Read access to all “IT Business Unit” Programs and Projects as assigned to the IT Business Unit
- Read/Write access to “IT Portfolio 2 and IT Program 3”
Purple User (Special Case) is assigned explicitly to the “HR Portfolio 2” M365 Group in “HR Business Unit”. This is not standard practice within Business Units, however is possible Providing Read/Write access explicitly to “HR Portfolio 2” Only within the “HR Business Unit”. No other Portfolios, Programs or Projects from HR Business Unit are accessible. Purple also has Read/Write access to (IT Portfolio 2, IT Program 1 and IT Program 2) and Read Only access to all other Programs and Projects within the IT Business Unit.
- Read access to all “IT Business Unit” Programs and Projects
- Read/Write access to “IT Portfolios 2, IT Program 1, IT Program 2 and HR Portfolio 2”

HR Business Unit

Yellow User (Standard Case)
- Read access to all “HR Business Unit” Programs and Projects as assigned to the HR Business Unit
- Read/Write access to “HR Portfolio 2, HR Program 2 and HR Project 2”
Red User (Special Case)
- Read access to all “HR Business Unit” Programs and Projects
- Read/Write access to “HR Portfolio 1, HR Program 1, HR Program 3, HR Project 1 and IT Project 2”

Note

Changing the base role from “Sensei IQ - Portfolio Manager” would result in different Read/Write permissions.

Setting up AAD Sync

It is possible to set up AAD sync of users from a M365 Group into a Dynamics Team. That Dynamics Team can then be granted Roles that give access to Sensei IQ (which would therefore facilitate membership of those Roles to be determined by membership in an M365 Group).

The steps to set this up are as follows:

Create a M365 Group or identify an existing M365 Group that you wish to use for synchonization.
Identify the Object Id of this Group (this is visible from within Azure Active Directory).
From the Dynamics Advanced settings portal, select Settings > Security
Select Teams
Select All AAD Office Group Teams
Select + NEW
Enter the Team Name (as you would like it to appear in Dynamics), select an Administrator, select AAD Office Group as the 'Team Type', and enter the Azure AD Object Id that you identified earlier, then press Save and Close.
Select your newly created Team
Select MANAGE ROLES
Select the Role(s) that you would like to automatically grant to members of the identified Microsoft 365 Group, then press OK.

Note that members of the M365 Group will not appear in the list of Team members in the Dynamics Team until the user next logs in to Dynamics/PowerApps. At that time their Role access will be automatically granted.

If an existing User is later removed from the M365 Group their Role access will also be removed.

Dynamics User Sync Process

When Dynamics Teams are created and linked to AAD Security groups or M365 teams, the membership of the Dynamics Team is not immediately updated. The membership of the Dynamics Team is updated when the user logs in, or at a later time via a synchronisation process.

This can sometimes be seen when creating a new Project to Group association. The following warning is issued when the Dynamics Team is not yet in sync with the linked M365 group:

To resolve this problem, ask the users to log in to the PowerApp, or wait until the Microsoft sync process runs.

Settings

Details regarding what each of the Configuraton Settings is found within their Description field.

Status Updates

The information panels in the middle section of the KPI Status screen capture the state of the project at the time of the Status Update creation. They are a snapshot in time and cannot be updated via the UI once they are saved.

Except for the finance values, all the information panels are driven by the system configuration settings. The numbers and the default state for each KPI can be customised via the Status Update - Information Panel Calculations configuration setting.

These settings are shipped blank so that defaults can be adjusted over time. However, each number can be overwritten via the settings, and once overwritted the default configuration will no longer apply.

If you require the default configuration as a basis for customisation, please contact support.

Status Update - Duplicate Config Setting

The statusUpdateConfig configuration setting allows adminstrators the ability to setup which fields are to be copied and/or cleared by the Duplicate Status Update and Clear Status Update ribbon buttons.

Out of the box, the following fields will be duplicated.

[
  "sensei_deliverablesstatus",
  "sensei_schedulestatus",
  "sensei_workstatus",
  "sensei_financialsstatus",
  "sensei_issuesstatus",
  "sensei_changerequestsstatus",
  "sensei_risksstatus"
]

Ths statusUpdateConfig configuration will allow for all fields barring Lookup fields from being copied from the previous status update (previous status is determined by the most recent update sorted by Status Date).

The setting is an array of fields, which is populated by the helper widget to avoid user errors when entering fields.

Status Update - Information Panel Calculations Setting

The statusUpdateInformationPanels_IQA configuration setting allows the administrator to setup new or override existing information panel calculations in the status report.

If you make changes to the Status Updates please make sure you reference this statusUpdateInformationPanels_IQA setting and not the default statusUpdateInformationPanels_IQ setting.

The statusUpdateInformationPanels_IQA screen contains the following fields:

Parent Fields: The status information panels need to know which parent field and target object for their calculations. By default the sensei_projectlink and sensei_program fields are configured as parents.
Field Configurations: For the panel to calculate the bound field needs to have an entry here. Each value maps to a field on the sensei_statusupdate table. Defaults shipped with the product will be covered by default, and can be overridden here. To add a new value you will need to create a field or to change a given value you will need to determine which field name is used for a given value.
Overall KPI Configuation: Specifies the overall KPI field so we can roll up the other default calculations to it.

The Control

In the classic form designer for Status Update, you can see which fields the control are bound to. As you can see from the image below each control supports 4 properties as well as linking to one KPI property which determines which KPI to set the default to.

Field Configurations

Once you have the field name you can set up the configuration for its calculation. In the active Deliverables example, you can see the field internal name is configured in the Logical Name field and this maps the configuration for its calculation.

Note: The finance field configurations are hard coded as their complexity is too high to make this configurable.

At this level the fields are:

Value Suffix: This allows you to append a suffix to the value at run time such as hrs or days. This is not saved to the field.

Label Override: By default, the label below the value will come from the table field, however if you wish to customise it for this form, you can do so here.
Tooltip Description Override: Like the label you can customise the tooltip used here for the value.
Type Override: By default, we will try and coerce the value to the target field type, however here you can select a type for us to try and convert the value to. Supported types are Date Only, Date and Time, Currency, Decimal as well as Integer.
Default Colour: To customise the colour of the number when in a normal state you can do so here. You can use any valid CSS colour.
KPI Default: One field on each control can be responsible for setting the KPI default. This is where you determine what the default is. This value needs to one of the valid option set values set for the KPI. The options we ship with are 955000000 = On Track, 955000001 = On Watch, 955000002 = Troubled

Configurations

Depending on which parent entity (e.g. Program or Project) the status update is attached to, the calculation for the value may be different. This section allows you to configure how this is calculated, if at all. At run time the control will determine which relationship is active and then use the appropriate configuration to calculate the value.

At the general level you specify what parent the configuration is for and then if required a drill through URL which is navigated to when the user clicks on the value.

Then there are several ways the value is calculated.

Fixed value from parent

This is the most straight forward in that it will save a field value from the parent entity. In the above example for the sensei_startdate field it will save the sensei_projectstart date field from the sensei_project relationship.

Date diff based on values from parent object in days

Coming soon!

OData aggregate

This will allow you to execute a query against DataVerse to retrieve and aggregate the data you want. Query data using the Web API (Microsoft Dataverse) - Power Apps | Microsoft Docs

In the above example for Active Deliverables it is querying for all deliverables for a given project and in a given state. As there is no field specified we will simply do a count of the rows returned.

Be careful to use a $select to load only the minimum fields you need to ensure optimal performance.

Note: that the tokens {parentId} and {utcNow} will be replaced at execution time, and be sure to correctly URL encode any query parameters provided.

In the above example for Rejected Change Requests it is adding up all the sensei_costestimate fields that are returned by the query of rejected change requests in the project.

/api/data/v9.0/sensei_changerequests?$select=sensei_costestimate&$filter=_sensei_project_value%20eq%20%27{parentId}%27%20and%20statuscode%20eq%20955000002

Note: In this case you can use an aggregate in the next mode, however here we are using it to show you in case you are struggling with the aggregation.

OData query

This option allows you to simply use an odata query and save a given value from the response.

In the above example for Remaining Work for programs, it is using aggregations to do the calculation of summing up all the effort remaining for a Program on the server side and then use the total provided.

/api/data/v9.0/sensei_programs({parentId})/sensei_project_sensei_program?$apply=groupby((sensei_program/sensei_programid),aggregate(sensei_effortremaining%20with%20sum%20as%20total))

Note: that the tokens {parentId} and {utcNow} will be replaced at execution time.

Variance

The variance option allows you to store a variance between 2 fields on the form. It has 2 modes, a basic numerical variance, as well as a date diff.

The above example for Schedule Variance will calculate the difference in days between the calculated scheduled finish and the calculated value provided by the baseline finish field.

In the above example for Work Variance, it will store the numerical difference between the total work field calculation and the baseline total work calculation.

Warnings

Warning calculations allow you to highlight the value at runtime based on its value. They will execute from top to bottom and stop when a warning has been triggered.

The comparison operator determines how we will compare the value and hence if the warning has been breached. Most are straight forward (greater than, equal, less than, etc.) “Variance (plus or minus)” is the only one that is a little out of the ordinary in that if the value is within the threshold it will be fine, only if it is greater than this will it be triggered.

In the above example for Work Variance, it is saying if the variance is greater than or less than 20% of the baseline total work, then trigger the warning.

What happens when it is triggered is determined by the Colour Override and KPI Default values as mentioned in their descriptions.

Note: The KPI Default value only needs to be set if the field is the one determining the KPI default.

Comparison Configuration

This is how you determine what the value will be compared to.

Compare to static value

The simple warning configuration will which compare the field value to a static value.

In this example for Risks Due Date Missing, the warning will be triggered if the value is greater than 0.

Compare to another information panel on this form

In the above example it is comparing to another field on the form.

Duration comparison

This allows you to compare the value to a calculation of a duration between 2 other fields on the form.

In the above example for Scheduled Finish, we will calculate the duration between the start date and the scheduled finish and the duration between the start date and the baseline finish, then compare the 2.

Here is the scheduled finish duration is greater than 10% over, the warning will be triggered.

Status Update - KPI defaults

The default behavior of the Status Update KPIs are as follows:

KPI	Red - Trouble	Amber - On Watch	Green - On Track
Overall	Any other KPIs are Red	Any other KPIs are Amber	All other KPIs are Green
Deliverables	NA	Any active deliverables are overdue	No active deliverables are overdue
Schedule	NA	The duration between the scheduled finish and start date is more than 10% (+/-), compared to the duration between the baseline scheduled finish and start date	The duration between the scheduled finish and start date is less than 10% (+/-), compared to the duration between the baseline scheduled finish and start date
Work	The work variance to the baseline total work is more than 20% (+/-)	The work variance to the baseline total work is (+/-) 0	There is no variance to the baseline total work
Financials	NA	The financial variance is greater than 10% +/- of the budget	The financial variance is less than 10% +/-of the budget
Issues	NA	Any active issues are overdue	No active issues are overdue
Risks	NA	Any active risks are overdue	No active risks are overdue
Change Requests	NA	Any change requests are in status Submitted	No change requests are in status Submitted

Teams App - Channel Tab Configuration Setting

The teamsAppChannelTabs configuration setting allows the administrator to specify the channel tabs that will be created by the Teams app for each project. The array contains a list of the Microsoft Graph objects to create a channel tab.

The following tokens will be replaced with the project specific value. {projectId}, {orgUrl}, {appId}

See: https://docs.microsoft.com/en-us/graph/api/resources/teamstab?view=graph-rest-1.0#json-representation For information on configuration of the different supported app tabs see https://docs.microsoft.com/en-us/graph/teams-configuring-builtin-tabs#power-bi-tabs

For information on using filters in an embed url see here https://powerbi.microsoft.com/en-us/blog/easily-embed-secure-power-bi-reports-in-your-internal-portals-or-websites/

The teamsAppChannelTabs screen contains the following fields:

Value: Click + New Channel Tab to create the New Channel Tab.

Microsoft Teams

Utilizing Microsoft Teams with Sensei IQ provides visibility into Sensei IQ Projects, Programs and Portfolios as well as integration avenues to display various pieces of data in Teams and Channels within the Native Teams Experience.
Sensei IQ offers a number of Teams integrated features that improve productivity and collaboration when working on the PPM Platform.
This includes:

Leveraging notifications in Teams when approvals for proposals are posted
Leveraging Teams and Channels for management/interaction with collaboration artifacts (Documents, Risks, Issues, Decisions, etc..)
Views of the Portfolios, Programs, Projects and Proposals with quick links to the various portals where related content is stored (link to IQ, link to SharePoint, link to Teams Team, link to Execution tool)

Out of the box, organizations can choose from two management methods with their Microsoft 365 Groups and Teams. For the purpose of exploring these scenarios we define the term “Headline Table” as “Projects, Programs or Portfolios”, and we define “Child Artifacts” as all of the content you would manage related to a headline Table like “Risks, Issues, Change Requests, Decisions, etc…”

Teams Usage Method 1 - Unique Groups

The first scenario offers an organization the ability to ensure that the security around their headline Tables are uniquely managed. In this scenario, when creating a headline Table, the manager would create a new group for each of these initiatives. This ensures that the security around the child artifacts of these headline Tables is limited to those in the specific group created for that initiative.

In Teams, this would create a separate Team for each of these groups created, in which the collaborating team can manage their conversations, artifacts, documents, and more.

Having separate Groups/Teams for each Table may also be useful as certain Teams features are only available at the Team level rather than the channel level. Inviting guest users from other Azure AD's for B2B collaboration is best maintained per Team and so in this scenario having a separate group per Table would be advantageous.

Summary
Maximum flexibility as personnel relevant to a Project/Table change	✅
Good separation between initiatives (maybe needed for guest users)	✅
End-users will likely need Group/Team creation rights	❌
Proliferation of many Groups/Teams may become cumbersome over time	❌

Note

There is a Microsoft limitation that users may only own up to 250 groups. Please keep this in mind when planning Group provisioning.

Teams Usage Method 2 - Reusable Groups (RECOMMENDED)

An alternative scenario would be to consider the recommendation that groups should be representative of functional teams or groups of people.

The Projects, Programs and Portfolios are the initiatives that these teams collaborate on. For that reason, and to keep these items secure within the purview of the team working on them, groups can be created to represent the team, and then these groups can be reused across projects, programs and portfolios, if the individuals responsible for those headline Tables remain the same.

This scenario results in fewer groups created, and the individuals in the groups that are created have less administrative overhead in terms of the groups/teams that they belong to.

This method is also better aligned for larger organizations that have governance policies around the creation of Microsoft 365 Groups and Teams. If there is an approval process or 3rd party mechanism used to administer the creation of Groups/Teams this process can be employed and then once the Group/Team is created that is representative of the people working on the initiatives, this group can be reused in Sensei IQ to allocate to all the desired Tables related to that group of people.

This provides what we consider to be better organization and more efficient management of the groups/teams. An additional consideration with this choice is that when reusing a group/team for multiple headline Tables, in Microsoft Teams, the various initiatives will be added by Sensei IQ as channels.

Summary
Lower total number of Groups	✅
People on the Team see what is important to them as channels	✅
Groups can optionally be created by Administrators / 3rd party approval systems	✅
Not as flexible when the personnel relevant to a Project/Table change	❌
Not as much separation between initiatives (which maybe important to Team-based features like guest users)	❌

Reusable Teams (RECOMMENDED)

These two strategies can co-exist simultaneously for different parts of the organization as necessary and can be utilized immediately with Sensei IQ. Other than disabling tenant functionality (turning off user-driven group creation – NOT RECOMMENDED), there is no method to disable or choose one or the other exclusively. We suggest you decide on the strategy best for your organization, and educate your users as to how they should best utilize groups/teams with Sensei IQ.

Telemetry

Diagnostic telemetry data is used to keep Sensei IQ secure and up-to-date, detect, diagnose and remediate problems, and also make product improvements. This data does not include a user’s name or email address, the content of the user’s files, or the contents of projects, programs or portfolios managed by the product.

Our system uses a unique ID associated with user’s diagnostic data. For example, if we receive diagnostic data showing that one of our apps crashed 100 times, this unique ID lets us determine if it was a single user who crashed 100 times or if it was 100 different users who each crashed once. We don’t use this unique ID to identify a specific user.

Sensei uses Microsoft Application Insights for Telemetry collection management and storage. Sensei collects the following telemetry data items in addition to the default items collected by Microsoft Application Insights:

Tenant ID
Tenant Name
Application ID
Application Name
Organization Unique Name
Organizational Currency ID
User ID (guid)
User TimeZone offset
User Security Roles
Browser Language
Table Type Displayed
Event Type Action
Dataverse Storage Metrics

In addition to telemetry collected by Sensei, platform vendors may also collect telemetry:

Note

Sensei will never share organizational specific telemetry with a 3rd party unless required to do so by law, or via express written permission.

A Sensei IQ customer can opt-out of telemetry via adding a setting to the IQ configurations settings area.

Setting	Value	Effect
InstrumentationKey	False	Disables Sensei Telemetry collection
FeedbackOptOut	True	Disables Sensei User feedback collection

As of version 2022.05.31.3, Users will periodically be prompted for feedback ratings in IQ. Customers may optionally modify the cadence of feedback rating prompts to users. (Note, if FeedbackOptOut is set to True then no prompts will occur regardless).

Setting	Value	Effect
userFeedbackCadence	(Number)	Sets the number of days between feedback rating prompts. (Default is 30). Setting this value to 0 will never prompt users for feedback.

Updates

Sensei IQ is a Cloud Application that processes customer data within the confines of the customer's own Microsoft 365 environment. As a Cloud Application, Sensei applies updates and fixes to IQ over time to add additional features and keep the product synchronised with the features and capabilities of the underlying Cloud platform - which is also changing.

Updates are delivered in the following ways

The Sensei Dynamics Managed Solutions are updated via the Sensei Deployment Service Principal consented to in Technical Readiness. This Service Principal is granted administrative access to the target Sensei IQ Power Platform environment in order to stage and update the Dynamics Solutions layers that are used by the Power Platform to provide the application.
Power BI Reports. Updates to the Power BI reports could be applied manually via the deployment account (while it remains activated) or by appointment at a later time. Power BI Reports are likely to be customised as part of the initial engagement, so updating them at a later time is deemed an unlikely event.
The Teams IQ App is delivered as a series of static assets from our CDN at https://teams-iq.senseiiq.cloud. Updates will be provided as necessary by securely updating content at the CDN endpoint.

Note

All services are delivered over HTTPS / TLS 1.2 (Where supported by client browsers).

Decommissioning or Updating the Deployment Account Credentials

Warning

To prevent system downtime, please work with your Sensei Engagement Lead before either disabling the Deployment Account or changing the password for the Deployment Account.

Sensei IQ is designed to function without Sensei needing to maintain interactive access to the environment. This is an important point for those clients who have regulatory requirements with regard to 3rd party data access.

During deployment the Sensei consultant will utilize the Deployment Account to setup and customize the system. This may lead to the Deployment Account becoming the owner of certain key pieces of the infrastructure:

Microsoft Power BI Report Dataset Scheduled Refresh
Microsoft Power Automate Cloud Flow Data Connections
Microsoft Power Apps Dataflows (Optional Project/Task Synchronization from External Execution Tools)

While Sensei recommends keeping this account active to allow our consultants to use these credentials to provide ongoing assistance with enhancements and customizations to the client system or provide troubleshooting support, some clients will prefer to either:

Decommission this account post deployment.
Change the password to this account, while still keeping it active so as to keep running the services above under these credentials.

In both cases, to provide the best possible service and ongoing support to our clients, we advise our clients to provide their Sensei Engagement Lead with their own set of credentials to the Power Apps environment to which Sensei IQ has been deployed (and potentially other services depending on the requirements).

Before completing either of the above options, please review the above items to ensure that the ownership is transitioned to another identity (ideally an accountable user, who can view and respond to any failures in the Microsoft services).

To update the credentials used for Microsoft Power BI scheduled refresh

Log into Power BI using the account that you would like to use to "take over" the scheduled refresh service. Note - this account must be a workspace administrator.
For each of the Sensei IQ Report Datasets, access the "Scheduled Refresh" page, and click "Take Over" near the top of the page.
Confirm that you are taking over the dataset settings by clicking "Take Over" again on the dialog that appears.
Under the setting for "Data source credentials" click "Edit credentials" to update the credentials used for the dataset. Note - the new credentials must have READ access to the Dataverse tables for the Sensei IQ environment.
Lastly on the "Configure DatasetName" dialog, set the Authentication Method to "OAuth" and Privacy level to "Organizational" and then click "Sign in" and sign in using the standard Microsoft Authentication dialog.

To update the credentials used for Microsoft Power Automate Cloud Flow Data Connections

Sign into the Power Apps Maker Portal using the account that you would like to "take over" the data connections.
On the quick launch menu, click "Solutions".
Click the display name for the solution "Atsumeru".
Using the Content filter in the upper right of the page, select "Cloud flow".
Click the display for the Cloud Flow "Proposal Approval Atsumeru".
Once the Cloud flow opens in Power Automate, in the "Connection References" box, click "Edit".
Remove each of the Connection References by clicking the "x" next to each. Go back to the Cloud flow details page.
Click "Edit" to edit the Cloud Flow.
On the "Connections page" that is presented, click the "+" symbol next to each connection to update the credentials used for each. Click "Save". Note - the new credentials used will require a license for each of the services associated to the connection reference (example - Microsoft 365 Outlook requires an Exchange license, included with E1, E3, E5 licenses).
Test the Flow.

To update the credentials used for Microsoft Power Apps Dataflows

Note - updating credentials here may only be necessary if the password or credentials are updated for the account that has been used to connect to (query for) the external data being pulled into the Sensei IQ Dataverse.

Sign into the Power Apps Maker Portal using the account that you would like to "take over" the dataflows.
On the quick launch menu, under "Data" click "Dataflows".
Select "All Dataflows" and search for the owner of the dataflows to be replaced (in our example, we are taking over the dataflows owned by Tina Hamilton).
Click "Change Owner" for each dataflow that requires editing of the data connection credentials.
Enter the new user in the "New owner" input box, then click "Change Owner" at the bottom of the pane.
Once the owner has been changed for the dataflows required, assuming you are logged in as the new owner user, click "My Dataflows".
For each dataflow that has had it's owner changed that requires the credentials to be updated, click the ellipsis, then click "Edit".
Once the Power Query editor dialog opens, it will be likely that the connection will need to be configured. Click "Configure connection".
On the "Enter credentials" dialog, first ensure that "Privacy Level" is set to "Organizational", then set the "Authentication Kind" to "Organizational Account" and click "Sign In" then sign in using the standard Microsoft Authentication dialog. Note - you will not be able to use a browser that is in "InPrivate" or "Incognito" mode for this step. Once Authenticated, click "Connect".
On the "Edit queries" step in the Power Query editor, if no modifications to the query are desired, click "Next" at the bottom right of the dialog.
On the "Map tables" step in the Power Query editor, confirm mappings and click "Next".
On the "Refresh settings" step in the Power Query editor, update refresh settings if desired (Sensei recommends automatic refresh every 1 days) and finalize by clicking "Create".
Test the changes by ensuring that the dataflow refreshes without error (manual refreshes can be initiated at any time by clicking the ellipsis and clicking "Refresh").

Ending the subscription

What happens when an IQ subscription ends?

Sensei IQ is a Cloud Application where the customer maintains a subscription to continue to benefit from the application. Your Sensei sales representative will be in touch to arrange renewal of the subscription.

If the subscription is not renewed, the application data remains in place in the Microsoft Dataverse environment, but access to the Sensei IQ application is removed and a messge is displayed:

The end-user will then be redirected to the Sensei Website.

Software Boundaries and Limits

Task Management

Detail	Supported Limit
Number of Projects	>5000. We have tested up to 5000 projects per IQ installation. More may be possible but is not a supported scenario.

Resourcing

Detail	Limit
Dataverse quota consumed per resource year.	170kb / Resource / Capacity Year
Default Capacity Horizon	4 years / resource, 1 in arrears and 3 ahead.
Maximum Capacity Horizon	11 years / resource, typically 1 in arrears and 10 ahead.
Maximum Supported Resources with calendars	2000 Resources with 4 years of capacity planning (1 behind 3 ahead)
Resources in per Resource Plan	at least 90 resources
Save operations	45 resource years (90 resources for 6 months, 15 resource for 3 years etc.)

Scheduled Processes

Detail	Limit
Maximum results to be returned from FetchXML query in a Scheduled Process	500
Maximum runtime for a Workflow Extension called from a Dynamics Workflow	120 seconds (this is a platform limit)
Maximum number of days Process Logs will be kept	30 days