Security matrix (scopes)

When you connect 3rd party apps, data is shared between those apps and Next Matter. Learn what is being shared to maintain full data security.


🚧

Best practice

Connect integrations with a service account, for example [email protected] and define what data and permissions you share with this account.

Normally, the service account has read and write access to data so it's important to decide what the account should have access to.

How do I connect with a service account
  1. Log in to Next Matter with an admin account.
  2. In Automations Library (left-hand navigation panel), click Connect for the integration you want to connect.
  3. In the 3rd party pop-up, select the account you'll use for the integration (the service account). You'll be asked to log in to the 3rd party tool using this account.

🚧

You can use the same service account to connect all integrations or use separate ones for each. For example, you can use a separate service account for Outlook and Teams.

  4. Go to the tenant configuration and decide what permissions you want to grant to the account.
    Tip: Think of the account as a user - anything the account has access to, the user logging in with this account also has access to.

Integrations with API access

Normally, the API key you create has the same permissions as you do. Whatever you can do as the creator of the key, the key can do on your behalf. Some tools let you define the scopes you give to the key, so check the 3rd party docs to find out whether the app you want to connect to has this option.

Scopes requested by Next Matter

Microsoft

| Graph API access to apps | Scopes |
| --- | --- |
| Default (always requested) | offline_access, openid, profile, email, user.ReadBasic.All |
| OneDrive | files.ReadWrite.All |
| Excel (no-code) | files.ReadWrite.All (the Excel no-code step also requires OneDrive permissions) |
| Sharepoint | sites.ReadWrite.All |
| Teams | channelMessage.Send, chatMessage.Send, chat.ReadWrite |
| Outlook | mail.Send, calendars.ReadWrite |
| Outlook (no-code) | mail.Send |
| Dynamics365 Business Central | financials.ReadWrite.All |

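
The Microsoft scopes listed above can be used as an allow-list when reviewing what the service account has actually consented to. The following is an added example, not Next Matter's code: the function names and the sample grant string are constructed, and it assumes you have the granted scopes as one space-separated string.

```python
# Scope matrix copied from the Microsoft table on this page.
DEFAULT = {"offline_access", "openid", "profile", "email", "user.ReadBasic.All"}
MATRIX = {
    "OneDrive": {"files.ReadWrite.All"},
    "Excel (no-code)": {"files.ReadWrite.All"},
    "Sharepoint": {"sites.ReadWrite.All"},
    "Teams": {"channelMessage.Send", "chatMessage.Send", "chat.ReadWrite"},
    "Outlook": {"mail.Send", "calendars.ReadWrite"},
    "Outlook (no-code)": {"mail.Send"},
    "Dynamics365 Business Central": {"financials.ReadWrite.All"},
}


def expected_scopes(connected):
    """Default scopes plus the scopes of every connected app, lower-cased."""
    unknown = [app for app in connected if app not in MATRIX]
    if unknown:
        raise KeyError(f"not in the matrix: {unknown}")
    scopes = set(DEFAULT)
    for app in connected:
        scopes |= MATRIX[app]
    return {s.lower() for s in scopes}


def audit(granted_scope_string, connected):
    """Return (unexpected, missing, broad) as sorted lists of scope names.

    Names are compared case-insensitively (assumption: the provider may
    capitalise scope names differently from the table).
    """
    granted = {s.lower() for s in granted_scope_string.split()}
    expected = expected_scopes(connected)
    unexpected = sorted(granted - expected)  # consented but not in the matrix
    missing = sorted(expected - granted)     # in the matrix but not consented
    # ".All" scopes reach as far as the service account's own access does.
    broad = sorted(s for s in granted if s.endswith(".all"))
    return unexpected, missing, broad


# Constructed sample: a service account connected to Teams and Outlook only.
SAMPLE_GRANT = ("offline_access openid profile email User.ReadBasic.All "
                "ChannelMessage.Send ChatMessage.Send Chat.ReadWrite "
                "Mail.Send Calendars.ReadWrite Files.ReadWrite.All")

if __name__ == "__main__":
    unexpected, missing, broad = audit(SAMPLE_GRANT, ["Teams", "Outlook"])
    print("unexpected:", unexpected)
    print("missing:", missing)
    print("broad (.All):", broad)
```

In the sample, the file scope is reported as unexpected because neither OneDrive nor Excel was listed as connected.
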
Google

| Google app | Scopes |
| --- | --- |
| Google Docs | documents, drive |
| Gmail (no-code) | gmail.send, gmail.labels, gmail.modify, gmail.readonly |
| Google Drive | drive, drive.appdata, drive.metadata |
| Google Sheets | spreadsheets |
| Google Sheets (low-code) | drive, spreadsheets |
| Google Slides | presentations |

Zendesk

| App | Scopes |
| --- | --- |
| Zendesk (no-code) | read, write |
| Next Matter sidebar in Zendesk | token-based so no scopes apply |

Freshdesk

| App | Scopes |
| --- | --- |
| Freshdesk (no-code) | token-based so no scopes apply (any API activities are allowed based on the permissions of the key holder) |
| Next Matter sidebar in Freshdesk | token-based so no scopes apply |

Front

The Front no-code step uses API tokens so you don't need to define scopes. The same applies to running Next Matter as the sidebar in Front.

OpenAI

The OpenAI no-code step uses API tokens so you don't need to define scopes.

SendGrid

The scopes are defined by SendGrid's eSignature REST API authentication (parameters: signature, openid, cors).