Authentication and authorization in Simployer
Authentication
Authentication is the process of verifying the identity of a user or a service.
Simployer can verify the identity of an user in several ways. The standard way is with Simployer specific username and password. Customers have the option to extend username/password authentication with multi factor authentication, which is recommended. For multi factor authentication to work, all users must have mobile phone numbers registered on their Simployer profile. Simployer multi factor athentication uses SMS and we support mobile number to a specific list of countries only. If you require multi factor to work with mobile numbers outside of the list, please post a ticket to our support center.
Under "the hood", Simployer use Auth0 as our Identity Provider (IDP). Auth0 is a global industry leading supplier of secure authentication services.
Azure AD authentication
Simployer offers, as a standard, authentication towards Microsoft Azure Active Directory for customers that have this implemented.
Custom Identity Provider
Simployer can offer customized authentication towards a range of 3rd party IDP's on a consultancy basis.
Authorization
Authorization is the process of verifying the access rights of a user or a service. Simployer evaluates implicit roles, explicit roles, group membership, department membership and general configuration settings on all request to provide users with the information they are entitled to - and nothing else.
Simployer provides self service for the administrator(s) of the customer to create and maintain the access rights for their users. Simployer personnel is by design not involved in this process.
Access rights for users is done by a combination of:
- Giving an user application access. By giving an user application access, the user will have a standard set of access rights to the users personal information. This is an implicit role (i.e. a role given by design in Simployer when application access is set).
- Giving an user module access. By giving an user module access, the user will have a standard set of access rights to that module. This is an implicit module role (i.e. a role given by design in that module in Simployer).
- Setting an user as a department manager. Department managers will have access to the personal data of the people assigned to that department. A department manager will be the nearest leader of the people in that department if the role is not overridden. "Nearest leader" is an implicit role.
- Setting an user as a dedicated manager. An user can be set as a dedicated manager for people across departments. "Dedicated manager" is an explicit role (i.e. not something that is implicitly inherited in Simployer)
- Giving an user a module specific role. Different modules have different explicit roles and roles can be set for individual departments in the department hierarchy, with support for downwards inheritance. An example of an explicit module role is "Document administrator" for "Tech department" including all sub units.