The DatabeatOMNI Digital Signage Publishing Platform allows users to login with their Office 365 or Google G suit account. We STRONGLY recommend using that option. Here is why, and how it works.
This article is in Progress, and our development team is implementing the described features. The final implementation may be different.
Planned release in mid-March 2020
- Why Use external authentication
- How Does It Work
- Further Technical Info
- Group Management
- How to Get Access To Resources
- Group Settings
Why use external authentication
Third-party vendor authentication is better for several practical, efficiency and security reasons:
- Users will not have to remember and manage another account and password.
- Already logged-in users (to Office 365 or Google), will not have to provide login credentials again (Single-Sign-On).
- DatabeatOMNI stores only userID and Name (E-mail address, First Name and Last Name). userID because it needs a link to the authentication partners system, First and Last name is used in the application, ie to inform and communicate with users.
- DatabeatOMNI does NOT store Password or user information such as Title, Phone, Picture, and Department). This is stored and maintained by the authentication provider.
- Security policies, Ie, two-factor authentication, and password conventions can be defined by the users' own organisation.
- When a user leaves the organisation, administrators will remove/block the account with their authentication partner. The user will automatically also lose access to their DatabeatOMNI account.
- DatabeatOMNI may be used to access and visualize information from tier Office provider, like Calendars and PowerBI. This way these resources can be accessed quick, easy and automatically when creating the content, and the OMNIplay (ie A Samsung or Philips SoC monitor) can access the information securely.
Here is a screenshot from DatabeatOMNI user management. Fields with orange text are not stored in DatabeatOMNI.
How does it work
When a user request access to DatabeatOMNI with a third party authentication, DatabeatOMNI directs to the authentication-process to the authentication vendor. Here, it will be handled according to defined policies (access/no-access, valid password, two-factor authentication etc). If access is approved (by a successful login or because the user is already logged in) a security- token is passed to DatabeatOMNI.
Further technical Info
Technical resources and administrators should note the difference between Delegated permission and Application permission. (See here).
- For access to Microsoft Office resources, we are using MS Graph API
- The method of Authentication is OAuth 2.0, an industry-standard protocol for authorization.
Group (role) management in DatabeatOMNI and how it is managed.
There are different kinds of users in DatabeatOMNI, Superadmins, admins, editors, etc. They have access to various features. Their access is based on user roles, that it, which Group the user belongs to. A user can belong to one or several groups.
With Office integration, Groups and Group membership can be stored and managed by DatabeatOMNI or it can be stored and managed by Office.
By default, it is managed by DatabeatOMNI, but it can be changed, but ONLY by the customer's Office Administrators (ONLY) as this requires access to Office user and role management. See Section "Groups", where you will find a switch, and an edit icon to manage.
Access to Office Resources, like Calendars and PowerBI.
On the player side, Databeat OMNIplay app is installed on either System-On-Chip (SmartTV) monitors (Samsung, LG or Philips), Android or Windows PCs. OMNIplay is linked to the publishing platform; DatabeatOMNI and display content as published and configured.
When OMNIplay is to display Office info, ie Calendar or Power BI, there is no person to provide username & password every time the player/screen start. As not all Microsoft's Office products behave the same way, OMNIplay must use different methods to do display Office data, without the need for a physical log-in.
Calendar resources (Application permission).
OMNIplay (the player app) uses Application permission to access the relevant Office calendar resources to display information from Office resources on screens. When enabled, Doorsign and various resource overview screens can be displayed on screens.
NB ! Only Global Admin (GA) has the rights to grant application permission.
This is a restriction from Microsoft and Google.
When set, the Calendar pane appears and the GA can set which rights to provide. Only Read access is required to show info, but ReadWrite is required for onscreen booking (typically a "book now" on a touchscreen). (More technical info).
Power BI (On user's behalf)
Unfortunately, Microsoft has not yet enabled Power BI to use the same application permissions as calendar does. Instead, Power BI can give the application rights to access resources, on a user's behalf. Therefore, setting Power BI permission is done in two steps;
- Enabled on a general level. First, a Databeat administrator must enable DatabeatOMNI to request Power BI access on the individual user's behalf.
- User permission. When enabled on General level (#1), individual users have access to the Power BI widget, but only get access to Power BI objects that the user is permitted to read (as determined in Office, either because it is their own ie dashboard or it has been shared to him).
When this user publishes an object (ie a Dashboard) in DatabeatOMNI, he/she will be asked (by a Microsoft Office Popup) to give consent to OMNIplay to display the object on his/her behalf, unless it has been granted before. Thereafter, Databeat OMNIplay will display the object on screens, on behalf of the user that has published it.
Other users in DatabeatOMNI
It is worth to stress the overall principle, that Databeat uses Office permissions to display content and that it is each customers Policy that dictates such access.
The publishing platform, DatabeatOMNI, access and display content based on delegated user permissions. This means, that users will not see content in DatabeatOMNI that they do not have the right to see. ie, a user may not see a Power BI Dashboard, Calendar content of a Doorsign or a Calendar overview, unless he/she has the necessary read right to (from Office administrator).
This may be impractical, and we recommend that those working with Office content are given read access to the resources, but it is up to the Office administrator(s), not Databeat to provide such access.
Global Admin (GA( may choose to
wants Office to manage Groups and edit icon (pencil) appears behind the switch. This will open up a PopUp UI for selections. The DatabeatOMNI Groups and Group (system) name is displayed to the left. Here GA can choose to use own Groups, or to Create Groups with the same name. GA may open up access to own roles, click and select to link roles.
Click on the Green Create buttons to Create Groups with the same system-name as used in DatabeatOMNI.
DatabeatOMNI (on logged in GAs behalf) will create the Groups using the same name as DatabeatOMNI.
GA may also want to combine with own groups, ie 4x using existing internal groups (and press Green button to create the remaining) :