# Collaborator roles

Collaborator roles control access to Workato features, functions, and folders of Role-based access control.

This guide covers the following topics:

Workato's built-in system roles
Add collaborator roles

To learn about the privileges collaborators can have, see Collaborator privileges.

ENVIRONMENTS AND WORKSPACE ROLES

Find out how Environments works with workspace roles.

# System roles

Workato pre-defines system roles so you can assign them to workspace collaborators, based on the access each user requires.

Workato has three system roles: Admin, Analyst, and Operator.

You cannot edit these roles directly. However, you can clone each role, and then modify it.

To view the privileges of a system role, an Admin can select a role in the Roles tab. This opens a read-only version of the role.

WORKSPACE OWNER

The workspace owner has direct (root) access to the workspace, which is different from a designated role. Workato advises against using the root login for tasks requiring administrative privileges and recommends limiting its use to emergencies. For example, you can use the root login to recover access to your admin workspace if you've lost access due to misconfiguring SAML.

The following privileges are associated with the root login of a workspace:

All Admin role privileges
All privileges included in the Admin role.
Full Account Settings access
Access to all account settings.

# Admin

The Admin role is typically granted to users managing the Workato workspace and is the most permissive system role. This role grants privileges to manage workspace settings and offers unique permissions for managing advanced settings such as key management, debugging, notifications, and secrets management. These permissions are exclusive to the Admin role and are not available to any other system or custom roles.

CLONING AN ADMIN ROLE

Workato supports the cloning of all system and custom roles within your workspace. However, when you clone the Admin role, the unique permissions for managing advanced workspace settings do not transfer to the newly-created role. To grant collaborators the ability to manage workspace settings, they must be assigned to the Admin system role.

Full project access: All project permissions: View, edit, create, and delete.
Full folder access: All folder permissions: View, edit, create, and delete.
Full connection access: All connection permissions: View, edit, create, and delete.
Full recipe access: All recipe permissions: View, edit, create, delete, run, and view job history.
Full access network trace: View network traces in job histories. Includes recipe input, output, and the network trace of HTTP calls. HTTP call information includes HTTP headers, requests, and communication (responses) between Workato and the end application.
All projects: Access to all projects in a workspace.
Full access
Full access: Access to the API Platform, including dashboard and logs, collections and endpoints, clients and access profiles, policies, and settings.
Full Common data model access: All Common data model permissions: View, edit, create, and delete.
Full Custom OAuth Profile access: All Custom OAuth Profile permissions: View, edit, create, and delete.
Full FileStorage UI access: All FileStorage UI permissions: View and create.
Full Lookup table access: Access to the Lookup tables feature.
Full Message template access: All Message template permissions: View, edit, create, and delete.
Full On-prem groups access: Access all on-prem groups and agents in the workspace.
Full People task access: Access to the People task tool.
Full Properties access: Access to all Environment Properties in the workspace.
Full Event streams access: All Event streams permissions: View, edit, create, and delete topics.
Full Recipe lifecycle management access: Access to the Recipe lifecycle management feature.
Full Workbot access: All Workbot permissions: View, edit, create, and delete.
Full Runtime user connection access: All Runtime user connection permissions: View and edit.
Full Logs access: Access to the Workato Log Service feature.
Full Connector SDK access: All Connector SDK permissions: View, edit, create, and delete.
Full Collaborator access: Manage the team collaborators in the workspace, including adding, editing, and removing collaborators.
Full Custom collaborator roles access: View, edit, create, and delete custom team roles in the workspace.
Full Collaborator SAML SSO access: View and edit SAML SSO settings for the workspace.
Full API client access: View and edit API Clients for the workspace.
Full activity audit: Access to view team activity in the Dashboard's Activity audit log. This permission grants the user the ability to view all activity logs, regardless of other access settings.
Full key management: Access to the account's Key Management System (KMS). Users with this privilege can update key policies and encryption keys.
Full Test Automation: All Test Automation permissions: view and manage test case details.
Full Workflow apps access: All Workflow apps permissions: create, edit, and delete Workflow apps, and manage settings for Workflow apps.
Full Workflow apps portal access: All Workflow apps portal permissions: configure Workflow apps portal settings and manage users and groups.
Full Insights access: All Insights permissions: View, create, edit, and delete Insights dashboards.

# Analyst

Analysts are typically users who build and test recipes or custom connectors.

Full project access: All project permissions: View, edit, create, and delete.
Full folder access: All folder permissions: View, edit, create, and delete.
Full connection access: All connection permissions: View, edit, create, and delete.
Full recipe access: All recipe permissions: View, edit, create, delete, run, and view job history.
All projects: Access to all projects in a workspace.
Full access: Access to the API Platform, including dashboard and logs, collections and endpoints, clients and access profiles, policies, and settings.
Full Common data model access: All Common data model permissions: View, edit, create, and delete.
Full Custom OAuth Profile access: All Custom OAuth Profile permissions: View, edit, create, and delete.
Full FileStorage UI access: All FileStorage UI permissions: View and create.
Full Lookup table access: Access to the Lookup tables feature.
Full Message template access: All Message template permissions: View, edit, create, and delete.
Full On-prem groups access: Access all on-prem groups and agents in the workspace.
Full People task access: Access to the People task tool.
Full Event streams access: All Event streams permissions: View, edit, create, and delete topics.
Full Workbot access: All Workbot permissions: View, edit, create, and delete.
Full Runtime user connection access: All Runtime user connection permissions: View and edit.
Full Connector SDK access: All Connector SDK permissions: View, edit, create, and delete.
Full Test Automation: All Test Automation permissions: view and manage test case details.
Full Workflow apps access: All Workflow apps permissions: create, edit, and delete Workflow apps, and manage settings for Workflow apps.
Full Workflow apps portal access: All Workflow apps portal permissions: configure Workflow apps portal settings and manage users and groups.
Full Insights access: All Insights permissions: View, create, edit, and delete Insights dashboards.

# Operator

Operators are users who focus on maintaining and validating existing recipes. This is the least permissive system role.

This role includes read-only access to All folders and All projects.

View projects: View specific projects in a workspace.
View folders: View folders and sub-folders in a workspace.
View recipes: View recipes in a workspace.
Test (start/stop) recipes: Run recipes and start and stop recipe tests in a workspace.
View recipe job history: View a recipe's job history in the Jobs tab.
All projects: Access to all projects in a workspace.

Additionally, this role includes read-only access to the Test Automation feature.

View Test Automation: View test cases, including mock data and checks in the Test Automation feature.

# Add collaborator roles

FEATURE AVAILABILITY

The custom collaborator role feature is included in specific pricing plans for direct customers and is available by default for Embedded partners and their end customers. Refer to your pricing plan and contract to learn more.

In addition to system roles, you can create additional custom collaborator roles to assign more granular privileges to workspace collaborators. System roles have preset permissions, but the roles you add can be customized, allowing you to control access levels for projects, recipes, tools, and more.

For example, you can assign distinct collaborator roles to development, QA, and production teams within the same workspace, each with specific privileges that align with the recipe development lifecycle.

Inheritable roles are custom roles that AHQ admins create in the HQ workspace. These roles automatically appear in all managed workspaces as non-editable roles.

Refer to the Role-based access guide to learn how to add a collaborator role.

Last updated: 4/25/2025, 6:30:48 PM