File Search - Respecting File Permissions

Respecting Source File Permissions

Our File Search feature is designed to mirror the Access-Control List (ACL) permissions of your source systems out of the box. When a user runs a search query in the Moveworks bot, the results returned are strictly limited to what that user is permitted to see in the source system. No additional configuration is needed: the integration continuously aligns with your source of truth, so your data remains secure and your employees only see information they are already allowed to view.

Scopes needed to Enforce ACL Permissions

In order to enforce your source file permissions, there are three categories of scopes that need to be granted to Moveworks.

Scope 1: Ability to Read Files and Resources (Sites/Drives/Folders)

Ingesting the files themselves is the cornerstone of our Search capability. This scope allows our system to ingest and index your organization's data, and to read the metadata on each file that records which users or groups are permitted to read it. For some systems, such as Box, the Write permission is necessary in order to download the files and ingest them into our system.

System          Scopes
SharePoint      SharePoint Online: Per-Site Read Access
                MS Graph: Sites.Read.All (or Sites.Selected), Files.Read.All
Google Drive    https://www.googleapis.com/auth/drive.metadata.readonly
                https://www.googleapis.com/auth/drive.readonly
Box             "Read and Write all files and folders stored in Box"

Scope 2: Ability to Read Users

To maintain the integrity of ACL permissions, our system needs to map the user making a search request via your Moveworks bot to that user's profile in your source system. This mapping is crucial for enforcing permission-based search results: users can only see via the Moveworks bot what they are already authorized to access in your source system.

System          Scopes
SharePoint      MS Graph: User.Read.All
Google Drive    https://www.googleapis.com/auth/admin.directory.user.readonly
Box             Manage Users

Scope 3: Ability to Read Groups

Groups in your source system play a vital role in managing access permissions. By ingesting groups, we can enforce that a file shared with a group is only surfaced through search to the users who belong to that group, by mapping the group-level grant down to the users within the group.

System          Scopes
SharePoint      MS Graph: Group.Read.All
Google Drive    https://www.googleapis.com/auth/admin.directory.group.readonly
Box             Manage Groups