Organizational Accounts DESIGN
Cronofy allows the connection of an organization’s Calendar, Conferencing and Directory Services in order to support its scheduling service. This document gives an overview of the roles and permissions required.
Notably, Calendar Services can be connected in one of three modes to match the compliance requirements of your organization.
Calendar Organization Accounts
Calendar Organization Accounts can be configured using one of three different access modes.
- Read Write
- Free/Busy
- No Access
The mode chosen affects the access Cronofy has to the organization’s calendar service. This will in turn affect the approach taken to creating calendar events in response to bookings.
Multiple calendar services can be connected to one Cronofy Organizational Unit. This allows companies that operate different calendar domains, even if they are from different service providers, to be operated under one Cronofy account.
Read Write
This access mode enables a fully native calendaring experience. Events are created directly in users’ calendars on their behalf. The user is the organizer of the event, and any attendee invitations are sent from the organizer’s email account.
This mode also enables native conferencing support. Similarly to event invitations, by acting on behalf of the user, Teams and Meet conferencing links are generated as a native part of the event using the organizing user’s conferencing account.
This mode also allows the inviting of meeting rooms and other resources to calendar events.
Google Workplace Scopes
The following scopes are required as part of the authorization process.
email
profile
https://www.googleapis.com/auth/calendar
Microsoft Graph Scopes
The following scopes are required as part of the authorization process.
openid
email
Calendars.ReadWrite.All
Free/Busy
The Free/Busy access mode allows Cronofy to see whether a user is marked as free or busy in their calendar when determining which slots to offer. This information is updated in real time, meaning that the availability functionality of Cronofy is essentially the same as for the Read Write access mode.
Where this mode differs is in how calendar invites are managed. This mode doesn’t allow Cronofy to create events directly in the organizer’s calendar. Instead, Cronofy will send an email to the organizer and all attendees with an attached calendar invite. This invitation will act like a native calendar invite and thus will automatically be added as pending acceptance into the organizer’s and the attendees’ calendars. Attendee acceptance status will be reported back to Cronofy and the organizer’s calendar.
The email address used to send the invitation can be configured to match a customer’s domain.
This mode also changes how video conferencing links are generated. Without the ability to create events directly into a user’s calendar, we lose the ability to create native conferencing links. Instead a separate conferencing service authorization will be required. See Conferencing Integrations.
This mode also prevents inviting meeting rooms and resources to events. Generally meeting rooms only respond to invitations from internal mailboxes.
Google Workplace Scopes
The following scopes are required as part of the authorization process.
email
profile
https://www.googleapis.com/auth/calendar.calendarlist.readonly
https://www.googleapis.com/auth/calendar.events.freebusy
Microsoft Graph Scopes
Microsoft Graph does not currently offer a Calendar Free/Busy scope. Following the principle of least privilege, we request Calendars.ReadBasic. This gives access to the title of an event and the attendees list but not the body or any attachments.
Cronofy only synchronizes Free/Busy information, i.e. the start and end times along with whether the period is to be considered free or busy.
The following scopes are required as part of the authorization process.
openid
email
Calendars.ReadBasic.All
No Access
The No Access mode is for organizations with compliance requirements that prevent any access to their calendar services. This prevents Cronofy from having access to any information about a user’s availability outside of events that have been created through Cronofy. This means that users will need to manage their Availability solely in their Cronofy preferences.
Cronofy will still consider events created through Cronofy when assessing a user’s availability.
This mode doesn’t allow Cronofy to create events directly in the organizer’s calendar. Instead, Cronofy will send an email to the organizer and all attendees with an attached calendar invite. This invitation will act like a native calendar invite and thus will automatically be added as pending acceptance into the organizer’s and the attendees’ calendars. Attendee acceptance status will be reported back to Cronofy and the organizer’s calendar.
The email address used to send the invitation can be configured to match a customer’s domain.
This mode also changes how video conferencing links are generated. Without the ability to create events directly into a user’s calendar, we lose the ability to create native conferencing links. Instead a separate conferencing service authorization will be required. See Conferencing Integrations.
This mode also prevents inviting meeting rooms and resources to events. Generally meeting rooms only respond to invitations from internal mailboxes.
Identity Verification
Another key area where this mode differs is that Cronofy needs a method to verify the identity of the organizer. With Read Write and Free/Busy modes, this verification is inherent in the authorization to the calendar account. Without access to a calendar account, another method is required.
This is generally provided by a Directory Service (see Directory Organization Accounts), though it can also be achieved through confirmation links sent to email addresses to confirm ownership.
Google Workplace Scopes
None - no access required
Microsoft Graph Scopes
None - no access required
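The three calendar access modes above map to distinct scope sets, so a granted scope list can be audited against the mode an organization intended. The following is an added example, not Cronofy's code: the function names are hypothetical, and it assumes the granted scopes are available as a space-delimited string (the form of the `scope` field in an OAuth 2.0 token response).

```python
# Scopes per provider and calendar access mode, copied from this page.
IDENTITY = {"google": {"email", "profile"}, "microsoft": {"openid", "email"}}
CALENDAR = {
    "google": {
        "read_write": {"https://www.googleapis.com/auth/calendar"},
        "free_busy": {
            "https://www.googleapis.com/auth/calendar.calendarlist.readonly",
            "https://www.googleapis.com/auth/calendar.events.freebusy",
        },
        "no_access": set(),
    },
    "microsoft": {
        "read_write": {"Calendars.ReadWrite.All"},
        "free_busy": {"Calendars.ReadBasic.All"},
        "no_access": set(),
    },
}
RANK = ["no_access", "free_busy", "read_write"]  # least to most access


def expected_scopes(provider, mode):
    """Full scope set the page lists for a provider and mode."""
    calendar = CALENDAR[provider][mode]
    # The page lists no scopes at all for No Access.
    return calendar | IDENTITY[provider] if calendar else set()


def audit_grant(provider, mode, granted):
    """Compare a space-delimited scope string with the intended mode."""
    have = set(granted.split())
    want = expected_scopes(provider, mode)
    # Effective mode: the most permissive mode any granted scope belongs to.
    effective = max(
        (m for m, s in CALENDAR[provider].items() if s & have),
        key=RANK.index,
        default="no_access",
    )
    return {
        "missing": sorted(want - have),
        "excess": sorted(have - want),
        "effective_mode": effective,
        "over_privileged": RANK.index(effective) > RANK.index(mode),
    }


if __name__ == "__main__":
    # Constructed sample: a tenant intended to be Free/Busy, but consent
    # was granted for the Read Write scope instead.
    sample = "openid email Calendars.ReadWrite.All"
    print(audit_grant("microsoft", "free_busy", sample))
```

A non-empty `excess` list or `over_privileged: True` means the consent granted is broader than the compliance mode the organization selected.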
Directory Organization Accounts
In order to automate user onboarding and offboarding it is possible to connect to a Directory Service. This gives Cronofy the ability to ensure that every user returned by the service has a corresponding Cronofy Account.
Microsoft and Google both provide directory services. Integrations like SAP SuccessFactors also provide a directory-like service that can be used to control user access to Cronofy.
Google Workplace Scopes
The following scopes are required as part of the authorization process.
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
Microsoft Graph Scopes
The following scopes are required as part of the authorization process.
User.Read.All
Organization.Read.All
Place.Read.All
Conferencing Integrations
Where the Read Write Calendar Access Mode is used, Microsoft Teams and Google Meet meetings can be added to calendar events using the organizer’s account. Without a Read Write calendar service connection a separate conferencing integration is required.
This is also the case with other conferencing services not linked to calendar services like Zoom or Webex.
Cronofy uses the email address associated with conferencing accounts to link to a corresponding calendar account.
Google Meet Scopes
The following scopes are required as part of the authorization process.
https://www.googleapis.com/auth/meetings.space.created
https://www.googleapis.com/auth/meetings.space.readonly
https://www.googleapis.com/auth/meetings.space.settings
Microsoft Teams Scopes
The following scopes are required as part of the authorization process.
OnlineMeetings.ReadWrite.All
Webex Scopes
The following scopes are required as part of the authorization process.
spark:kms
meeting:admin_schedule_write
spark:people_read
Zoom Scopes
The following scopes are required as part of the authorization process.
meeting:write:admin
user:read:admin