What permissions are needed?
Admin permissions are needed to install the add-in. No specific permissions are needed to use the add-in. The scopes that the admin needs to give us access to is included in https://success.rewardgateway.com/hc/en-us/articles/360015834078-Installing-the-MS-Teams-Integration (Authorize your Microsoft Access section)
Can I send awards with the integration?
No, the Connect+ add-in can only send ecards at this time.
How do we get notified of changes/updates with the integration?
All changes to our software are communicated through our Spotlight newsletters or our release log here: https://success.rewardgateway.com/hc/en-us/sections/360004845113-Product-development-updates
What information is stored?
The only information stored on Reward Gateway is the end-users Microsoft Teams Account ID (Unique system identifier for MS Teams). This is stored to allow us to identify which user is using the add-in.
What information can be read from the user.Reall Api call?
https://docs.microsoft.com/en-us/graph/permissions-reference
What tests do Microsoft conduct on the teams integration?
You would need to enquire from Microsoft about this for more specifics. Reward Gateway followed the MS Teams verification process before it was published to their store where it was tested for functionality, security and compliance. https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/appsource/publish
Is all traffic between Reward Gateway and MS Teams encrypted in transit?
All traffic is over https.
What secure coding training and practices are in place for the development of the Connect+ Bot and the application?
The same training and practices that apply to all Reward Gateway software development applies here. It is a proprietary software developed by an in-house Reward Gateway team of software engineers. You may find more information around secure coding practices and more information on security in general by visiting rg.co/security
What secure code testing is done on the application and the Connect+ Bot?
The same quality assurance practices are applied to all Reward Gateway software development. Quality assurance is baked into multiple layers of the software development life cycle.
Here is a list of things we quality gates we carry out as a part of any change management process:
- Automated Unit Testing
- Automated Integration / Functional Testing
- Peer-Reviews on each change set
- Automated Vulnerability checks using third party tools such as Snyk / RIPS
- Automated quality gate / coding standard checks (Sonarcloud)
- Bi-Annual / Ad-hoc Penetration testing
- Thread Modelling and Risk assessments in the agile development process
What processes and procedures are in place to update the application and the Connect+ Bot if/when there are security vulnerabilities identified?
Security Vulnerabilities are automatically monitored through third-party vendor software such as Snyk, RIPS and Sonarcloud and triaged and resolved based on relevant CVSS scores. If a security vulnerability is to be reported by a partner (MS Teams), it would be assessed initially by our in-house information security team and triaged based on severity for resolution.
Since it appears you are wanting access to our personnel data offline; Where are you storing it? What security measures are in place? Are you encrypting it?
All of this information can be found in our security pack (rg.co/security)
What does Reward Gateway do with the ability to read all apps in our catalog and why is this needed?
This is needed so we can make the installation process as seamless as possible for you. When you access our administration portal and authorize your MS Teams account, we are able to install the Connect+ Bot into your catalog automatically. To do this, Microsoft requires all partners to request read.all.app scope permissions.
What does Reward Gateway do with the ability to read all channels in our MS Teams instance and why is this needed?
The read all channels scopes allow Reward Gateway to display a list of all channels during the setup process. We require the admin to preselect a channel of their choice where they would like all publicly shared recognition to be visible. More information on the setup: https://success.rewardgateway.com/hc/en-us/articles/360015834078-Installing-the-MS-Teams-Integration
Why does Reward Gateway need access to data offline?
The Connect+ bot is a bot developed to provide a seamless experience for all end-users when they want to send a recognition. To do this we require offline access where we can keep a long lived refresh token that linked their MS Teams account and Reward Gateway account.
If this is not to be granted, all end-users would have to re-authenticate against the bot everytime their access token expires. Additionally, end users can manage their access tokens at any time through the security section of their Reward Gateway portal.
Why does Reward Gateway need the ability to read the names and descriptions of all Teams?
The read all team names scopes allow Reward Gateway to display a list of all teams during the setup process. We require the admin to preselect a Team of their choice where they would like all publicly shared recognition to be visible. More information on the setup: https://success.rewardgateway.com/hc/en-us/articles/360015834078-Installing-the-MS-Teams-Integration
Why does Reward Gateway need to Manage all user's Teams apps?
This is needed so we can install the app for a user on 1:1 scope so they can converse with the Connect+ bot.
Why does Reward Gateway need to be able to Manage all installed Teams apps in teams?
This is needed so we can make the installation process as seamless as possible for you. When you access our administration portal and authorise your MS Teams account, we are able to install the Connect+ Bot into your catalog automatically. To do this, Microsoft requires all partners to request read.all.app scope permissions.
Why does Reward Gateway need to be able to Read all users' full profiles? If the above is absolutely required what security is in place to protect sensitive and NPPI data obtained?
Reward Gateway only requires the MS Teams Account ID from the MS Teams profiles. However, due to how permissions and scopes within Microsoft work, we require full profile permissions to be able to read any information about any user. This is absolutely required for the bot to work as we need to be able to establish a connection between an end users MS Teams account and their Reward Gateway account.
To find more information around our data policies, right to withdraw and account de-provisioning processes, please visit rg.co/security
What is the list of channels when allowing the permission Channel.readbasic.all?
The Connect+ app will access all channels from the specified Team. This is required so the app can publicly share recognition moments.
What basic profile information is read when allowing the permission OpenID?
By using this permission, an app can receive a unique identifier for the user in the form of a sub claim. The permission also gives the app access to the UserInfo endpoint. The OpenID scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. More info on https://learn.microsoft.com/en-gb/graph/permissions-reference
Are you referring to all channels & groups across the organisation when allowing this permission Team.readbasic.all?
This gets the teams in Microsoft Teams that the user is a direct member of. More info on https://learn.microsoft.com/en-us/graph/api/user-list-joinedteams?view=graph-rest-1.0&tabs=http
What is the user information being read/collected from the teams instance when allowing User.read.all?
It is End-users Microsoft Teams Account ID (Unique system identifier for MS Teams)