Security
Note
The default security roles cannot be modified. Note that if you replace the default security roles with your own custom security roles in a Sensei IQ deployment, the Sensei IQ landing page will need to be customized in the "Landing Page" configuration setting to include the custom roles on each tile, link or button. The left side menus will still work as intended.
Security Overview
The Security framework for the Sensei IQ Solution is modelled on the permission model employed by Project for the web and leverages the capabilities of Dynamics 365 Roles.
In order to accommodate both everyday use of IQ and complex security requirements that customers may have, Sensei provide security capabilities through a Basic Security Model as well as a Modular Security Model. The Roles provided in each model can be mixed and matched to suit requirements. In addition, custom roles can be created if required.
There are five Roles which are shipped as part of the Basic Security Model - each of which provides a layered approach to user access to the system.
Additional Roles are included with the Modular Security Model. These Roles provide access to specific functionality within IQ.
Sensei IQ leverages the use of Teams in Dynamics 365 to provide group level Ownership to Dataverse entities. Sensei IQ replicates the ownership behaviour of the records in Dataverse that relate to Projects in IQ. For example, if a Project is owned by a Team, that Team will also be attributed Ownership for any Risks, Issues, etc. that relate to that project. This provides access to all records relating to the project to the entire project Team. This same behaviour is extended to Portfolios and Programs in IQ.
The following Legend identifies the access level represented by each tick.
Note
Strategy IQ Functionality is only made available when a Strategy IQ license has been activated.
Basic Security Model
In the Basic Security Model each role builds upon the permission set of the underlying role. If using just the Basic Security model, users need only be a member of one Sensei IQ Role.
The Basic Security Model can be depicted as per the following diagram:
Sensei IQ Project User
The Sensei IQ Project User role is the base level role for a user of Sensei IQ for Project. Users in this role have the required permissions to create, update and delete Table records that relate to Projects that they have created or have been provided access to via a Project Group/Team.
Users who are in this role have access to the Sensei IQ app and can navigate the Project IQ and Work IQ areas within the app.
Sensei IQ Project Executive
This role is intended for Users who require access to all projects in Sensei IQ, but who do not require the Portfolio IQ functionality. Users in this role have the required permissions to create, update and delete Table records that relate to any/all Projects in the user's Business Unit.
Users who are in this role have access to the Sensei IQ app and can navigate the Project IQ and Work IQ areas within the app.
Sensei IQ Portfolio User
This role is intended for Users who require access to Portfolio IQ functionality in the Sensei IQ app. This role provides users with access to create and manage Portfolios and Programs and with Read/Write visibility of all Projects and Registers in the user's Business Unit.
Users who are in this role have access to the Sensei IQ app and can navigate the Portfolio IQ, Project IQ and Work IQ areas within the app.
Sensei IQ Strategy User
This role is intended for Users who require access to Strategy IQ functionality in the Sensei IQ app. This role provides users with access to create and manage Strategic Themes, Strategic Goals and Benefits within the Organization, and with visibility of all Portfolios, Programs, Projects and Registers within the user's Business Unit.
Users who are in this role have access to the Sensei IQ app and can navigate the Strategy IQ, Portfolio IQ, Project IQ and Work IQ areas within the app.
Sensei IQ Admin User
This role provides Administrator level access to all custom Tables relating to Sensei IQ including the ability to create, update and delete any Table records relating to the Solution. Admin access is provided across data for the entire Organization (e.g. all Business Units). Admin Users are provided with access to all areas in the Sensei IQ app including Settings.
Modular Security Model
The Modular Security Model provides capability for more fine grained controls of which users have access to what functionality within Sensei IQ. Depending on their requirements, a user may be granted more than one of the modular security roles. (The modular security roles could also be used in conjunction with the basic security roles to fulfil specific requirements).
Many roles within the Modular Security Model allow access to be determined by the owning Business Unit of records - giving flexibility for separation of access to data. If no separation of data is required, an organization could choose to use only the root organization Business Unit in Dynamics.
Note
Modular Security roles are not specifically designed to be functionally complete in isolation - usually they are applied as a combination with existing security roles.
Sensei IQ - Program Manager
Users in the Sensei IQ - Program Manager role will be granted:
- Read access to all Projects within the user's Business Unit.
- Read/Write access to all Programs or Projects where they are the sole owner of that record, or where they are part of the Program or Project Group/Team.
- Read access to all Proposals, Challenges and Ideas within the Business Unit.
Note:
- A Program Manager will only have visibility of Programs within their own Business Unit if they are either the sole owner of that record or where they are a member of the Program Team/Group.
- A Program Manager will not have visibility of Programs or Projects from other Business Units (unless they have specifically been granted access via the associated Program or Project Group/Team).
Sensei IQ - Portfolio Manager
Users in the Sensei IQ - Portfolio Manager role will be granted:
- Read access to all Projects within the user's Business Unit.
- Read access to all Programs within the Business Unit.
- Read access to all Proposals, Challenges and Ideas within the Business Unit.
- Read/Write access to all Portfolios, Programs or Projects where they are the sole owner of that record, or where they are part of the Portfolio, Program or Project Group/Team.
Note:
- A Portfolio Manager will only have visibility of Portfolios within their own Business Unit if they are the sole owner of that record or where they are a member of the Portfolio Team/Group.
- A Portfolio Manager will not have visibility of Portfolios, Programs or Projects from other Business Units (unless they have specifically been granted access via the associated Portfolio, Program or Project Group/Team).
Sensei IQ - Proposal Manager
Users in the Sensei IQ - Proposal Manager role will be granted:
- Read/Write access to all Proposals within the user's Business Unit.
Note:
- Proposal Users will not be able to see Proposals that have been created in a different Business Unit unless those items have been specifically shared with them.
- Proposal Users will not be able to see Projects that have been created from a Proposal unless they have been specifically granted access to that Project through the Project Group/Team.
Sensei IQ - Idea User
Users in the Sensei IQ - Idea User role will be granted:
- Read access to all Challenges within the user's Business Unit.
- Read/Write access to all Ideas within the user's Business Unit.
Note:
- Idea Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.
Sensei IQ - Challenge User
Users in the Sensei IQ - Challenge User role will be granted:
- Read/Write access to all Challenges within the user's Business Unit.
- Read/Write access to all Ideas within the user's Business Unit.
- Read access to all Strategic Themes in the Organization (in order to associate a Challenge to a Strategic Theme)
Note:
- Challenge Users will not have visibility of any Ideas or Challenges in different Business Units unless those items have been specifically shared with them.
Sensei IQ - Strategy Executive
Users in the Strategy Executive role will be granted:
- Read access to all Projects in the entire Organization.
- Read access to all Programs in the entire Organization.
- Read access to all Portfolios in the entire Organization.
- Read access to all Proposals in the entire Organization.
- Read access to all Challenges in the entire Organization.
- Read access to all Ideas in the entire Organization.
- Read/Write access to all Strategic Themes in the entire Organization.
- Read/Write access to all Strategic Goals in the entire Organization.
- Read/Write access to all Benefits in the entire Organization.
Note:
- Strategy Executive users have visibility of records across the entire Organization, and access to all Areas in the IQ app with the exception of Settings.
Sensei IQ - PMO User
Users in the PMO User role will be granted:
- Read/Write access to all Projects in the entire Organization.
- Read/Write access to all Programs in the entire Organization.
- Read/Write access to all Portfolios in the entire Organization.
- Read/Write access to all Proposals in the entire Organization.
- Read/Write access to all Challenges in the entire Organization.
- Read/Write access to all Ideas in the entire Organization.
- Read/Write access to all Strategic Themes in the entire Organization.
- Read/Write access to all Strategic Goals in the entire Organization.
- Read/Write access to all Benefits in the entire Organization.
- Read/Write access to all Resources in the entire Organization.
- Read/Write access to all Enterprise Calendars in the entire Organization.
Note:
- PMO Users have Read/Write access to all IQ related records across the entire Organization, and access to all Areas in the IQ app with the exception of Settings.
Sensei IQ - Resource Manager
Users in the Resource Manager role will be granted:
- Read/Write access to all Resources in the entire Organization.
- Read/Write access to all Enterprise Calendars in the entire Organization.
- Read/Write access to Resource Demand.
- Read/Write access to Timesheet Approvals.
- Read access to all Projects and Proposals in the entire Organization.
Note:
- Resource Managers have Read/Write access to all IQ related records in the Resource IQ area of the IQ app.
Sensei IQ - Timesheet Manager
Users in the Timesheet Manager role will be granted:
- Read/Write access to Timesheet Approvals.
Special Cases
Assigned To
In the instance where a user who has a Table record (e.g. a Risk or Action Item) assigned to them (by them being selected in the Assigned To Column) and where that user is not part of the project Team, that individual record will be shared with that User - providing them visibility of the Table record. Note that because only the individual item is shared with the User, that user will not have access to other artefacts associated with the Project (including the Project itself).
Sensei IQ - Resource Organizational Access
In Sensei IQ, the default access level for Security Roles to the Bookable Resource Table is 'Business Unit' level access. This means that, for example, a Sensei IQ Project User will have visibility of only those Bookable Resources in their own Business Unit. If the preferred behaviour is that a Sensei IQ Project User should have visibility of all Bookable Resources across the entire Organization, then the 'Sensei IQ - Resource Organizational Access' security role should be given to users in addition to whichever other IQ Roles they require. (Note: if all users are in the root org business unit, then this security role need not be applied as it would provide no change in functionality).
Permissions Chart
View the Permissions Chart as an Excel document
Business Unit Model
In instances where a customer requires complete separation of data, Business Units can be created in Dynamics.
Note
For Dynamics there is always an Org Business Unit which sits at the top of the Business Unit tree. (In an out of the box Dynamics environment, all users are part of that root Org Business Unit).
Each User will need to be assigned to their appropriate Business Unit in Dynamics, as shown in the example below by the colored icons next to each Business Unit.
Note
A User can only directly be associated to a single Business Unit.
Based on each User's assigned role, different Read/Write access to Portfolios, Programs and Projects within one's Business Unit will be given. Read/Write access, if not part of the base role, can be gained either through ownership or through membership of a Microsoft 365 (M365) Group associated with a Portfolio, Program or Project.
Note
Membership of an M365 Group would allow a User in one Business Unit to have access to, say, a Program in another Business Unit (because they have been explicitly added to that M365 Group).
Example
The chart above indicates an organization where there are two Business Units, both of which have been configured as children of the root org Business Unit. There are Users (depicted with the coloured icons) which are each associated with a Business Unit and assigned the “Sensei IQ - Portfolio Manager” role.
The “Sensei IQ - Portfolio Manager” role from Modular Security Model above has:
- Read access to all Programs and Projects that are in the User’s Business Unit (Only)
- Read/Write access to any Portfolio, Program or Project where they are either the Owner, or where they are a member of the M365 Group that is the Owner of that record.
In the example, the Blue, Green and Purple Users are assigned to the IT Business Unit and the Red and Yellow Users are assigned to the HR Business Unit, as indicated by the colored person icon on the associated Business Unit. These Users have Read access to all Portfolios, Programs and Projects within their Business Unit, as indicated at the top by the vertical box surrounding the Business Unit in its associated color.
Read/Write access is indicated by a colored person icon next to a Portfolio, Program or Project and is granted via Ownership within one's Business Unit or by explicit membership of the associated M365 Group.
Note
Once a User has been granted membership in a M365 Group that is an owner of a Portfolio, Program or Project they will have read/write access to that Table record plus the artefacts (e.g. Risks) that are directly associated with that Table record.
In our example, the table below the chart indicates the explicit assignment to M365 Groups per User. For each of these Users we will look at their permissions.
IT Business Unit
Blue User (Base Case) is assigned to no M365 Groups, as shown in the table. As a result, this User has Read Only access to Programs and Projects within the IT Business Unit, because the Blue User is assigned to the IT Business Unit in the chart above.
- Read access to all “IT Business Unit” Programs and Projects as assigned to the IT Business Unit
Green User (Standard Case) is explicitly assigned to two M365 Groups (IT Portfolio 2 and IT Program 3). As a result, this User has Read/Write access to both, as indicated in the chart by a Green User icon against both groups, and Read Only access to all other Programs and Projects within the IT Business Unit, as Green is also assigned to the IT Business Unit.
- Read access to all “IT Business Unit” Programs and Projects as assigned to the IT Business Unit
- Read/Write access to “IT Portfolio 2 and IT Program 3”
Purple User (Special Case) is explicitly assigned to the “HR Portfolio 2” M365 Group in the “HR Business Unit”. This is not standard practice across Business Units, but it is possible, and it provides Read/Write access explicitly to “HR Portfolio 2” only within the “HR Business Unit”; no other Portfolios, Programs or Projects from the HR Business Unit are accessible. Purple also has Read/Write access to IT Portfolio 2, IT Program 1 and IT Program 2, and Read Only access to all other Programs and Projects within the IT Business Unit.
- Read access to all “IT Business Unit” Programs and Projects
- Read/Write access to “IT Portfolio 2, IT Program 1, IT Program 2 and HR Portfolio 2”
HR Business Unit
Yellow User (Standard Case)
- Read access to all “HR Business Unit” Programs and Projects as assigned to the HR Business Unit
- Read/Write access to “HR Portfolio 2, HR Program 2 and HR Project 2”
Red User (Special Case)
- Read access to all “HR Business Unit” Programs and Projects
- Read/Write access to “HR Portfolio 1, HR Program 1, HR Program 3, HR Project 1 and IT Project 2”
Note
Changing the base role from “Sensei IQ - Portfolio Manager” would result in different Read/Write permissions.
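The access resolution the example walks through, as an added illustration (not Sensei IQ code): it encodes the “Sensei IQ - Portfolio Manager” and “Sensei IQ - Program Manager” rules from the Modular Security Model section, reconstructs the five Users' M365 Group memberships from the narrative above (the page's own table is not reproduced here), and resolves each User's effective access. The record inventory (two Portfolios, three Programs and two Projects per Business Unit, each owned by the M365 Group of the same name) is an assumption made for the example.

```python
"""Effective access for the Business Unit example above (added illustration,
not Sensei IQ code): the Read / Read/Write rules of the Portfolio Manager and
Program Manager roles plus the Users' M365 Group memberships as reconstructed
from the narrative."""
from dataclasses import dataclass

PORTFOLIO_MANAGER = "Sensei IQ - Portfolio Manager"
PROGRAM_MANAGER = "Sensei IQ - Program Manager"
# Per role: record kinds readable BU-wide, and kinds writable through ownership.
ROLE_BU_READ = {PORTFOLIO_MANAGER: {"Program", "Project"}, PROGRAM_MANAGER: {"Project"}}
ROLE_OWNER_RW = {PORTFOLIO_MANAGER: {"Portfolio", "Program", "Project"},
                 PROGRAM_MANAGER: {"Program", "Project"}}

@dataclass(frozen=True)
class Record:
    name: str           # e.g. "IT Program 3"
    kind: str           # "Portfolio", "Program" or "Project"
    business_unit: str  # owning Business Unit of the record
    owner: str          # a user name, or the M365 Group / Team that owns the record

# Constructed sample data: a User is directly associated with exactly one BU.
USER_BU = {"Blue": "IT", "Green": "IT", "Purple": "IT", "Yellow": "HR", "Red": "HR"}
# Explicit M365 Group membership per User (the page's table, reconstructed).
GROUP_MEMBERS = {
    "IT Portfolio 2": {"Green", "Purple"}, "IT Program 1": {"Purple"},
    "IT Program 2": {"Purple"}, "IT Program 3": {"Green"}, "IT Project 2": {"Red"},
    "HR Portfolio 1": {"Red"}, "HR Portfolio 2": {"Purple", "Yellow"},
    "HR Program 1": {"Red"}, "HR Program 2": {"Yellow"}, "HR Program 3": {"Red"},
    "HR Project 1": {"Red"}, "HR Project 2": {"Yellow"},
}
# Assumed inventory: each BU holds 2 Portfolios, 3 Programs and 2 Projects,
# each owned by the M365 Group of the same name.
RECORDS = [
    Record(f"{bu} {kind} {n}", kind, bu, owner=f"{bu} {kind} {n}")
    for bu in ("IT", "HR")
    for kind, count in (("Portfolio", 2), ("Program", 3), ("Project", 2))
    for n in range(1, count + 1)
]

def access_level(user, record, role=PORTFOLIO_MANAGER):
    """Return 'Read/Write', 'Read' or None for one User on one record."""
    is_owner = record.owner == user or user in GROUP_MEMBERS.get(record.owner, set())
    if is_owner and record.kind in ROLE_OWNER_RW[role]:
        return "Read/Write"  # ownership or group membership crosses BU boundaries
    if record.business_unit == USER_BU[user] and record.kind in ROLE_BU_READ[role]:
        return "Read"        # BU-wide Read never crosses BU boundaries
    return None

def effective_access(user, role=PORTFOLIO_MANAGER):
    """Map every record visible to the User to its access level."""
    return {r.name: lvl for r in RECORDS if (lvl := access_level(user, r, role))}

def read_write_records(user, role=PORTFOLIO_MANAGER):
    return {n for n, lvl in effective_access(user, role).items() if lvl == "Read/Write"}
```

Passing PROGRAM_MANAGER as the role reproduces the Note above: the same Users end up with a different access set because Programs are no longer readable BU-wide and Portfolio ownership grants nothing.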
Setting up AAD Sync
It is possible to set up AAD sync of users from a M365 Group into a Dynamics Team. That Dynamics Team can then be granted Roles that give access to Sensei IQ (which would therefore facilitate membership of those Roles to be determined by membership in an M365 Group).
The steps to set this up are as follows:
- Create an M365 Group or identify an existing M365 Group that you wish to use for synchronization.
- Identify the Object Id of this Group (this is visible from within Azure Active Directory).
- From the Dynamics Advanced settings portal, select Settings > Security
- Select Teams
- Select All AAD Office Group Teams
- Select + NEW
- Enter the Team Name (as you would like it to appear in Dynamics), select an Administrator, select AAD Office Group as the 'Team Type', and enter the Azure AD Object Id that you identified earlier, then press Save and Close.
- Select your newly created Team
- Select MANAGE ROLES
- Select the Role(s) that you would like to automatically grant to members of the identified Microsoft 365 Group, then press OK.
Note that members of the M365 Group will not appear in the list of Team members in the Dynamics Team until the user next logs in to Dynamics/PowerApps. At that time their Role access will be automatically granted.
If an existing User is later removed from the M365 Group their Role access will also be removed.
Dynamics User Sync Process
When Dynamics Teams are created and linked to AAD Security groups or M365 teams, the membership of the Dynamics Team is not immediately updated. The membership of the Dynamics Team is updated when the user logs in, or at a later time via a synchronisation process.
This can sometimes be seen when creating a new Project to Group association. The following warning is issued when the Dynamics Team is not yet in sync with the linked M365 group:
To resolve this problem, ask the users to log in to the PowerApp, or wait until the Microsoft sync process runs.