Current implementation
Every user will get their own @mydre.org username.
Security - every user is subject to the same policies
- No guest-accounts
- Minimally every 24h Multi-Factor Authentication (MFA) is required
- Trusted devices cannot be created
Access - to myDRE and to a Workspace is segregated
- A @mydre.org username allows access to myDRE
- A @mydre.org username allows being invited into a Workspace, without explicit invitation Workspaces are not accessible
Authentication - federated per Workspace
- An Accountable can invite people with their @mydre username in the role Privileged Member/Owner or Member
- Privileged Members/Owners can invite and manage, on behalf of the Accountable, other people
- In effect, the Accountable and Privileged Members/Owners are empowered to Identify and Authorize for their Workspaces
- In effect, the authentication is federated per Workspace
Scope - only myDRE
- The @mydre.org username is a username, not an (email) account and cannot be used beyond myDRE.org
Explaining why federated access currently is not supported
anDREa uses its own AAD and security settings to ensure:
- A smooth and predictable user experience
In a previous version we used Microsoft's B2B solution, however, this resulted in the following issues: - Some organizations mask the UPN and effectively the B2B solution cannot work with the deeper Microsoft Azure functionalities leaving users no choice but to use a private email address (hotmail, gmail, etc)
- Unburding HR and IT
- To collaborate in a Workspace it is not necessary to have a Tenant account
- No lifecylce management needed on 'guest' accounts with respect to collaborating in a Workspace
- Each Workspace is protected with the same level of security with respect to user access
- We have found that the security requirements on account access greatly differs, some organizations:
- Do not require MFA
- Allow the creation of trusted devices
The ability to collaborate is key in what anDREa offers. Having an account on anDREa is a requirement to collaborate. However, it is the Owner(s) of a Workspace that determine who has access to their Workspace in what role and for how long.
Future
anDREa is looking into federated solutions like SRAM. When considering solutions like these, anDREa evaluate the ideas/solutions on being: - Sustainable (including dev team commitment)
- Affordable
- Scalable (organizational implementation/configuration does not impact working of anDREa services)
- Minimally compliant with Security Policy of anDREa