Cascade Native Integration: Microsoft Excel Security & Technical Overview

Overview

This document provides a technical overview of Cascade's native integration with Microsoft Excel, focusing on data access, permissioning, and security protocols. This integration enables automated data synchronization from specified Excel files into your own Cascade Metrics.

Data Access & Permission Model

Data transfer from Excel to Cascade is facilitated via the Microsoft Graph API. The integration's permission model is based on OAuth 2.0, where an end-user grants consent for the application's access.

Initial Authorization & Permission Scope

During initial setup, a Microsoft Admin will be required to make the first connection to the Excel integration. During this process, the integration requests specific permission scopes from the user's Microsoft 365 Tenant to enable file access. The scopes include:

  • User.Read
  • Files.Read.All 

Principle of Least Privilege at Runtime: Cascade's Connection-Level Controls

Although the integration requests broad consent scopes from the Microsoft Graph API during initial setup, Cascade enforces a secondary, connection-level permission system that applies the Principle of Least Privilege at runtime.

  • Connection Creation: Each specific point of connectivity is defined as a 'connection' within Cascade, created via OAuth when a user authenticates with their Microsoft 365 credentials. This connection is unique to the creating user.

  • Granular Access Scoping: Within Cascade, for each connection, users define the precise scope of access that the integration will operate within:

    • Specific File: Limits integration access to a single Excel file. (Recommended for highest security: focus on a single sheet within this file for data pull).

    • Specific Folder: Limits integration access to any Excel file within a designated folder in OneDrive/SharePoint.

    • Entire OneDrive: Grants integration access to any Excel file across the user's OneDrive. (Least restrictive at connection level).

  • Runtime Enforcement: Data access is exclusively confined to the Excel files or folders explicitly specified in this per-connection configuration. Cascade will not access, process, or transfer data from any other files within the user's Microsoft 365 account, even if Files.Read.All was initially consented.

    • For example, if you link a file named "Q1_Sales_Report.xlsx" from a specific SharePoint folder, the integration will only read data from that exact file. It will not read "Q2_Sales_Report.xlsx" from the same folder, nor will it access any other files or folders within that SharePoint site or your OneDrive, unless explicitly linked by you.

  • Connection Visibility (Public vs. Private): Users can further define a connection's visibility within Cascade:

    • Private: Only the user who created the connection can utilize it.

    • Public: Any user within your Cascade workspace can utilize this connection. This enables scenarios where a single connection to a centralized SharePoint folder can be used by multiple Cascade users.

  • Data accessed via the integration is logically segregated and associated only with the user's connected Cascade workspace.

Granular permission configuration for Excel integration connections. Users define the data source scope by choosing to link to a specific Excel file, a designated folder, or their entire OneDrive account.
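A deny-by-default check of the kind the runtime-enforcement bullets describe, written as an added example and not Cascade's own code. The `Connection` and `Item` types, the extension list, and counting subfolders as part of a folder scope are assumptions; the sample items are constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

EXCEL_SUFFIXES = {".xlsx", ".xlsm", ".xls"}  # assumption: what counts as an Excel file

@dataclass(frozen=True)
class Item:
    """Constructed stand-in for a stored file: drive, stable item id, full path."""
    drive_id: str
    item_id: str
    path: str

@dataclass(frozen=True)
class Connection:
    """Hypothetical per-connection scope: 'file', 'folder' or 'drive'."""
    scope: str
    drive_id: str
    file_id: str = ""   # used when scope == "file"
    folder: str = ""    # used when scope == "folder"

def _segments(path):
    """Split an absolute path into components; reject empty, '.' and '..' parts."""
    if not path.startswith("/"):
        return None
    segs = path.split("/")[1:]
    return None if any(s in ("", ".", "..") for s in segs) else segs

def is_allowed(conn, item):
    """Allow only what the connection's scope names; everything else is denied."""
    if item.drive_id != conn.drive_id:
        return False
    segs = _segments(item.path)
    if not segs or PurePosixPath(segs[-1]).suffix.lower() not in EXCEL_SUFFIXES:
        return False
    if conn.scope == "file":
        return item.item_id == conn.file_id  # match on identity, not file name
    if conn.scope == "folder":
        root = _segments(conn.folder)
        # Compare whole components so "/Finance/Reports" never matches
        # "/Finance/Reports_Archive" the way a string prefix test would.
        return bool(root) and len(segs) > len(root) and segs[:len(root)] == root
    return conn.scope == "drive"

# Constructed sample data mirroring the Q1/Q2 example above.
Q1 = Item("drive-A", "id-q1", "/Finance/Reports/Q1_Sales_Report.xlsx")
Q2 = Item("drive-A", "id-q2", "/Finance/Reports/Q2_Sales_Report.xlsx")
ARCHIVE = Item("drive-A", "id-old", "/Finance/Reports_Archive/Old.xlsx")
TRAVERSAL = Item("drive-A", "id-x", "/Finance/Reports/../HR/Salaries.xlsx")
FILE_CONN = Connection("file", "drive-A", file_id="id-q1")
FOLDER_CONN = Connection("folder", "drive-A", folder="/Finance/Reports")
DRIVE_CONN = Connection("drive", "drive-A")
```

The check runs on every read, so a token that carries Files.Read.All still cannot reach an item outside the connection's configured scope.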

Limiting Excel Integration Usage to Admins (Optional)

For heightened security and controlled data flow, organizations can restrict use of the Cascade Metric Library to Admins within their Cascade account. Because the Excel integration is managed and used exclusively within the Metric Library, this also confines use of the Excel connection to designated administrators.

Data Security & Ongoing Connectivity

  • In Transit: All data transfer between Microsoft 365 services and Cascade is secured using industry-standard HTTPS/TLS (1.2/1.3) encryption protocols.

  • At Rest: Excel files remain encrypted at rest within the user's Microsoft 365 cloud storage environment (per Microsoft's security standards). Data ingested into Cascade is similarly encrypted at rest within the Cascade platform using AES-256 encryption.

  • Ongoing Connectivity: Once set up, each integrated metric will sync once daily to its source spreadsheet, bringing in the full dataset values each time. This implies an ongoing connection to the specific Excel files linked by users. No other connectivity is maintained to your Microsoft 365 account whatsoever beyond these actively managed integrations.