Security Isolation by Application: One Application, One Service Principal

Created by Alexandru Sirbu, Modified on Thu, 5 Mar at 11:21 AM by Alexandru Sirbu

Problem Overview

When environments or domains share the same setup, access control tends to become too broad: identities are often granted permissions across more resources than necessary, and least privilege becomes difficult to enforce consistently across all Connections in WOODY.IO. At the same time, managing separate credentials per Connection leads to credential sprawl: many secrets to create, store, rotate, and troubleshoot across multiple places.


Solution

Use an Application as the unit of isolation, and configure one Application Service Principal for that Application. Connections can then select Authentication Type = Application Service Principal to consistently use that centralized identity.


Configuration

  • Create or select an Application (only instance admins can create new Applications).

  • In the Application Management screen, in the right-side Details pane under Service Principal, click 'Add'.

  • Enter Name, Tenant Id, Client Id, Client Secret, then Save.

  • In each Connection that should reuse it, set Authentication Type to Application Service Principal.

If you have any further questions, please feel free to Contact Us.

You can also refer to the WOODY.IO End User Documentation.
