Scopes and permissions
When you connect 3rd party apps, data is shared between those apps and Next Matter. Learn what is being shared to maintain full data security.
Best practice: Connect integrations with a service account, for example, services@mycompany.org, and define what data and permissions you share with this account.
Normally, the service account has read and write access to data so it’s important to decide what the account should have access to.
How do I connect with a service account
How do I connect with a service account
- Log in to Next Matter with an admin account.
- In Automations Library [left-hand navigation panel], click Connect for the integration you want to connect.
- In the 3rd party pop-up, select the account you’ll use for the integration (the service account). You’ll be asked to log in to the 3rd party tool using this account.
You can use the same service account to connect all integrations or use separate ones for each. For example, you can use a separate service account for Outlook and Teams.
- Go to the tenant configuration and decide what permissions you want to grant to the account. Tip: Think of the account as a user - anything the account has access to, the user logging in with this account also has access to.
Integrations with API access
Normally the API key you create shares the same permissions as yourself. That means that whatever you can do as the creator of the key, the key will be able to do at your behest. Some tools let you define the scopes you give to the key, so look up 3rd party docs to find out if the app you want to connect to has this option.
Scopes requested by Next Matter
Individual scopes can be revoked by admins after connection has been established.
Microsoft
| Graph API access to apps | Scopes |
|---|---|
| Default (always requested) | offline_access, openid, profile, email, user.ReadBasic.All |
| OneDrive | files.ReadWrite.All |
| Excel (no-code) | files.ReadWrite.All (the Excel no-code step also requires OneDrive permissions) |
| Sharepoint | sites.ReadWrite.All |
| Teams | channelMessage.Send, chatMessage.Send, chat.ReadWrite |
| Outlook | mail.Send, calendars.ReadWrite |
| Outlook (no-code) | mail.Send |
| Dynamics365 Business Central | financials.ReadWrite.All |
| Google app | Scopes |
|---|---|
| Google Docs | documents, drive |
| Gmail (no-code) | gmail.send gmail.labels gmail.modify gmail.readonly |
| Google Drive | drive, drive.appdata, drive.metadata |
| Google Sheets | spreadsheets |
| Google Sheets (low-code) | drive, spreadsheets |
| Google Slides | presentations |
Zendesk
| App | Scopes |
|---|---|
| Zendesk (no-code) | read, write |
| Next Matter sidebar in Zendesk | token-based so no scopes apply |
Freshdesk
| App | Scopes |
|---|---|
| Freshdesk (no-code) | token-based so no scopes apply (any API activities are allowed based on the permissions of the key holder) |
| Next Matter sidebar in Freshdesk | token-based so no scopes apply |
Front
The Front no-code step uses API tokens so you don’t need to define scopes. The same applies to running Next Matter as the sidebar in Front.
OpenAI
The OpenAI no-code step uses API tokens so you don’t need to define scopes.
SendGrid
The scopes are defined by SendGrid’s eSignature REST API authentication (parameters: signature, openid, cors).