Advvy Overview
Microsoft Power Platform & Advvy, Tenancy, Licensing & Hierarchy
What is Advvy?
Bringing together campaign management and media planning capabilities, Advvy is an enterprise workflow solution to help manage media initiatives at scale.
Unified around a campaign record, Advvy provides a single view of the implementation of media campaigns from start to finish.
It seamlessly integrates with your Office 365, Teams, and SharePoint, becoming an extension of the productivity tools you use every day.
Advvy is built on the Microsoft Power Platform and is deployed and hosted inside an organisation’s Office 365 tenant.
Hosting, Hierarchy & Security model
Advvy Workflow’s hosting is unique when compared to any other workflow tool. While Advvy Workflow is delivered and supported like a SaaS application, it is not hosted by Advvy. Rather, the application is deployed into an organisation’s Microsoft Office 365 tenant and is “hosted” within that tenant. This is a major point of difference: security and compliance are handled by Microsoft, and enterprise control of the application, including access to the platform and data, rests solely with the organisation’s IT administration.
Advvy has a three-tiered hierarchy model that can be structured to meet organisational business needs and is used to control security and visibility of data and assets.
Security in Advvy is enforced using Microsoft PowerApps Security. The following is a high-level look at how a security model is implemented in PowerApps.
- Users are authenticated by Azure Active Directory (AAD)
- Licensing is the first control-gate to allowing access to PowerApps components
- Ability to create applications and flows is controlled by security roles in the context of environments
- A user’s ability to see and use PowerApps is controlled by sharing the application with the user. Sharing of PowerApps canvas apps is done directly with the user or AAD group. Sharing of PowerApps model-driven apps is done via CDS security roles
- Environments act as security boundaries allowing different security needs to be implemented in each environment
- Flows and Canvas apps use connectors; the specific connection’s credentials and associated service entitlements determine permissions when apps use the connectors
- Environments with a Common Data Service for Apps (CDS) instance add support for more advanced security models that are specific to controlling access to data and services in that CDS instance.
Advvy leverages the following Microsoft cloud services:
- Power Apps – Advvy core solution and portal
- Power Automate – Advvy connectors and process automation
- Power BI – Advvy advanced analytics and reporting
- Office 365 – SharePoint Online for document storage
- Azure – Identity layer
These cloud services run within the customer’s Microsoft tenant and fall under the customer’s existing Microsoft Service Level Agreements (SLA), Service Descriptions, governance, and compliance rules. The core Advvy Workflow application can be deployed to a Microsoft Azure region, subject to availability at the time. Refer to Microsoft’s documentation: https://docs.microsoft.com/en-us/power-platform/admin/regions-overview
The Advvy Workflow system provides additional security layers through its use of customised Advvy security roles, client teams, team groups and workflow roles – all of which combine to form a rich suite of user security models.
Role-based access to permit local (market) delegated administration
Advvy Workflow uses Microsoft’s Power Apps / Common Data Service security model, which protects data integrity and privacy and supports efficient data access and collaboration. The goals of the model are as follows:
- Provide users with access only to the appropriate levels of information required to do their jobs.
- Categorise users by role and restrict access based on those roles.
- Support data sharing so that users and teams can be granted access to records that they do not own for a specified collaborative effort.
- Prevent a user’s access to records the user does not own or share.
Role-based security focuses on grouping a set of privileges together that describe the responsibilities (or tasks that can be performed) for a user. Common Data Service includes a set of predefined security roles. Each aggregates a set of user rights to make user security management easier. Also, each application deployment can define its own roles to meet the needs of different users. Security roles are based on the business units within Advvy Workflow that users are assigned to.
Data is secured at the lowest level by tying it to a client team through programmatic record-level ownership reassignment. Users can only have access to data through membership of the client team. Teams can be grouped together via the Team Groups functionality, with team membership managed either on a per-team basis or, with lower overhead, at the higher level of groups of teams. These Team Groups can represent either a vertical view of data based on geographic region or a horizontal view of data, for example, of an agency spanning geographic regions.
Advvy Security roles control the data and features available to a user. Within Advvy Workflow the following security roles have been defined:
| Security Role | Description |
| --- | --- |
| Advvy Standard User | Basic access to Advvy Workflow. Can: Read all the reference data, can see operational data relating to their User Profile. Campaigns, Master Clients, Clients. Cannot: Create reference data, update existing reference data or delete reference data. |
| Advvy Standard Extension | Add this to the Standard User to extend capabilities such as: ability to create, read, and write all the additional reference data in a campaign, e.g. media type, media plan, media segments, media groups, workflows. They can also delete the records they create. Cannot: Delete reference data, cannot manage User Profiles. |
| Advvy User Admin | Add this to Standard User + Standard Extension to further extend capabilities such as: system-wide abilities, can see all the business users, clients, can create, read, write, delete records and master data, update, create, read, write business units. Data imports. Security role changes. Create, edit teams. Can perform a lot of customisation with ability to delete. NB: this is NOT a platform admin, this is a data admin. |
All New Users, once they are provisioned with a Microsoft License, will automatically appear in Advvy Workflow in the Users section in Agency Settings.
The user record controls both security permissions and agency assignments for the user. This directly influences what the user can see in the system (security) and how Advvy Workflow manages their record when executing certain functionalities (such as workflow allocation). Setting up both security and role assignments is required when first setting up a user.
Licensing Requirements
Within an existing Microsoft Office 365 tenancy, full enterprise capabilities and functionality are provided with a Microsoft Power Automate license and an Advvy License.
Additional Microsoft licensing may be required for Auditing and Reporting Dashboards depending on customer requirements.
Document Management
Advvy Workflow uses the underlying platform’s native connection to Microsoft SharePoint Online to store documents relating to campaigns and tasks. SharePoint Online integration uses the out-of-the-box functionality from Microsoft and follows the customer’s governance and compliance rules.
It is now also possible to link a Microsoft Teams Client Team’s document storage location with the Client Team record document location in Advvy Workflow. While this is still SharePoint based, it is an extension to the native capabilities.
The Advvy Workflow platform can also leverage application database storage to attach files directly to specific tasks.
Using Microsoft Power Automate, it is possible to create rules-based integration with other document storage options, like Dropbox, Google Drive etc.
Performance and stability
Microsoft operates multiple data centres world-wide that support the Microsoft Power platform applications. When your organisation establishes a tenant, it establishes the default geographical (geo) location. In addition, when creating environments to support applications and contain CDS for Apps data, the environments can be targeted for a specific geo.
Microsoft’s Power Platform is currently available in the following regions:
- Asia
- Australia
- Canada
- Europe
- France
- India
- Japan
- South America
- United Kingdom
- United States
To support continuity of operations, Microsoft may replicate data to other regions within a geo, but the data will not move outside the geo to support data resiliency. This supports the ability to fail over or recover more rapidly in the event of a severe outage. There are some reasonable exceptions to keeping data in the specific geo that are listed on the above site, primarily focused on legal and support. It is also important to note that you or your users can take actions that expose data outside of the geo. Other services can also be configured to access the data and expose it outside of the geo. By default, authorised users can access the platform and your applications and data from anywhere in the world where there is connectivity.
Recoverability and Disaster recovery
Data stored within the Advvy Workflow application is retained according to the underlying Microsoft cloud service. The associated Microsoft Service Description for Power Apps will detail the return to operation (RTO) and geo-availability of the service. Microsoft also provides the ability to recover data via Service Request.
Maintenance and upgrades
- Platform upgrades from Microsoft, e.g. flows and Power Automate updates, that we can utilise and bring into Advvy Workflow
- Advvy releases enhancements and updates approximately every 8 weeks
OK, so now you know the nuts and bolts behind Advvy, the next step is to set up your hierarchy!