Simplifying Authentication & Access Management in ReportWORQ

⚡ With version 5.0.0.84, ReportWORQ’s authentication system has been upgraded to support accounts, groups, entitlements, and workspaces, providing more precise and scalable user access control. We’ve introduced tighter integration with OIDC providers like Microsoft Entra, allowing you to manage ReportWORQ security directly within your identity provider using dynamic group claims. Previously limited to Unlimited license tiers and admins, dynamic group access is now available across all license tiers and entitlement types, supporting advanced features like the Reporting Excel Add-In, PowerPoint End User Add-In, and Contribution End User Access.

🔐 Authentication Mechanisms

  • Native and OIDC authentication are now nearly identical in behavior.
  • This unification reduces complexity and decreases the potential for configuration errors.

👥 Accounts, Groups, Entitlements & Workspaces

  • Accounts: Represent individual users.
  • Groups: Used to assign permissions and manage access collectively.
  • Entitlements: Represent licensed features (e.g., PowerPoint export, Reporting, Contribution).
  • Workspaces: Grant access to specific areas of the database.
    • Workspace access is cumulative when users belong to multiple groups.
    • A user must be assigned to a workspace to gain access to ReportWORQ.

🚧 Role: System Administrator

  • System Administrators can access all workspaces. Explicit workspace assignment for System Administrators is not necessary.
  • System Administrators also consume a ReportWORQ Administrator license. However, they still need specific entitlements to access licensed functionality such as the Reporting Add-in, Contribution End User, and PowerPoint End User Add-in.

🛠️ Managing Access with Groups

Using groups simplifies permission management:

  • Create a group such as “Board Book Team”.
  • Assign users (e.g., Bill, Bart, Chris, Clarence).
  • Grant entitlements (e.g., PowerPoint, Reporting Add-in).
  • Assign workspace access (e.g., Accounting Workspace, role: Member).

🔀 OIDC & Dynamic Group Management

In OIDC security mode:

  • Use identity provider claims to dynamically assign users to groups.
  • For example, assign users with the "group": "sys_admin" claim to the System Administrators group.
  • Use claims to dynamically manage membership within groups, which in turn provide access to license entitlements and workspaces.

🚨 License Management & Overages

  • Overages occur when more users are assigned entitlements than licenses allow.
  • This can disable access to features.
  • To avoid issues:
    • Audit user/license assignments regularly.
    • Prefer group-level entitlement assignments.
      • When using dynamic groups with claims, make sure that the OIDC provider’s group doesn’t contain more users than the licensed amount for a given feature.
    • Pre-provision user accounts.
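
The audit recommended above can be scripted against an export from the identity provider. The following is an added example, not ReportWORQ code: the claim values, group mappings, seat counts, and the rule that a user consumes one seat per entitlement no matter how many groups grant it are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; names and seat counts are illustrative assumptions.
# IdP "group" claim value -> ReportWORQ group the claim maps to.
CLAIM_TO_GROUP = {
    "sys_admin": "System Administrators",
    "board_book": "Board Book Team",
    "fin_contrib": "Contributors",
}
# Group-level entitlement grants. Admins hold no feature entitlements by default.
GROUP_ENTITLEMENTS = {
    "System Administrators": set(),
    "Board Book Team": {"PowerPoint", "Reporting Add-in"},
    "Contributors": {"Contribution"},
}
LICENSED_SEATS = {"PowerPoint": 3, "Reporting Add-in": 5, "Contribution": 2}

# Constructed export of IdP users and the group claim values they carry.
IDP_USERS = {
    "bill": ["board_book"],
    "bart": ["board_book", "fin_contrib"],
    "chris": ["board_book"],
    "clarence": ["board_book", "sys_admin"],
    "dana": ["fin_contrib", "unmapped_group"],
}

def entitlement_holders(idp_users):
    """Return {entitlement: set(users)} after resolving claims to groups."""
    holders = defaultdict(set)
    for user, claims in idp_users.items():
        for claim in claims:
            group = CLAIM_TO_GROUP.get(claim)  # unmapped claims grant nothing
            for ent in GROUP_ENTITLEMENTS.get(group, ()):
                holders[ent].add(user)  # assumption: one seat per user per entitlement
    return holders

def find_overages(idp_users, seats=LICENSED_SEATS):
    """Return {entitlement: (assigned, licensed)} where assigned > licensed."""
    holders = entitlement_holders(idp_users)
    return {
        ent: (len(users), seats.get(ent, 0))
        for ent, users in holders.items()
        if len(users) > seats.get(ent, 0)
    }

if __name__ == "__main__":
    for ent, (used, licensed) in sorted(find_overages(IDP_USERS).items()):
        print(f"OVERAGE {ent}: {used} assigned, {licensed} licensed")
```

Running this before adding members to an IdP group shows whether the change would push a feature past its seat count.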

🔧 Best Practices

  • Always use groups + entitlements for scalable access control.
  • Enable OIDC for a more cohesive authentication experience and configure claims to automate group membership.
  • Regularly monitor license consumption and adjust entitlements as needed.

🔄 Upgrading & Downgrading Authentication

  • When upgrading to the new authentication model, existing accounts and permissions will be automatically converted to the new format.
  • While the upgrade modifies your authentication database to support new features (like dynamic groups and structured entitlements), downgrading is supported.
  • ⚠️ Important: Any changes made after upgrading (e.g., new groups, assignments, or entitlements) may not be reflected if you revert to the old model.
  • If you need to downgrade or troubleshoot access after an upgrade, contact support@reportworq.com for assistance.