# Role-based access control

The ability to assign granular, comprehensive roles to team collaborators is essential to collaborating in a team. Role-based access control (RBAC) is a key feature of Workato Teams that allows team admins to fully define the permissions of every collaborator in the team through the creation of custom roles.

At a high level, custom roles allow the admin to:

  • Assign collaborators to specific folders/projects

  • Give specific privileges (View, Edit, Create, Delete) to different assets in the team

    • Recipes
    • Connections
    • Tools (Lookup tables, Recipe lifecycle management, Connector SDK etc.)

# System roles

The system roles, which are available in all teams, are:

  • Admin
  • Analyst
  • Operator

To view the privileges of system roles, team admins can select each of the roles in the Roles tab to view a read-only mode of the role configuration.

# Team Owner

In addition to the three system roles that can be assigned to collaborators, there is the Team Owner, who has the highest privileges over the Workato account. The team owner owns the root login (username and password) to the account. Once they're logged in, they have complete access to the team's Account Settings, which include audit log streaming settings, API key, email/password etc.

# Admin role

Admins have almost the same permissions as the team owner. They are able to add, edit, and delete recipes, connections, SDK, API keys and on-prem agents. In addition, admins have administrative rights over the team and are able to invite collaborators or edit collaborators' roles.

The admin role is typically given to users managing the Workato team account.

# Analyst role

Analysts have no access to team administration or API keys. They are able to add and edit recipes, connections, and SDK, as well as start and stop the on-prem agents.

The analyst role is typically given to users building and testing integration recipes or custom connectors on Workato.

# Operator role

Operators only have access to view recipes and jobs, as well as start and stop recipes and rerun jobs. The operator role is typically given to users maintaining the recipe and ensuring the recipes are running well.

Note: The Operator role gives access to All folders, but the Operator cannot edit/create/delete new folders or sub-folders.

# Custom roles

In addition to the default team roles, you can also define custom roles. These allow you to assign fine-grained permission sets to collaborators. You can create new roles on the Roles tab in the team page.

Figure: Manage your roles and create new roles in the Roles tab

Team admins can define very granular access to all Workato assets and features. They may also define the folders, and correspondingly the recipes and connections contained in that folder, that the role will have access to. This is useful when there are multiple teams working on the same Workato account, such as development, QA, and production teams in the recipe development lifecycle, or when different departments in the company wish to manage their recipes separately.

# Viewing existing roles

To view the privileges of each role, including System roles, you need to be an Owner, Admin, or have a role granted permissions to both 'Teams' and 'Custom team roles'.

Simply select each role to view the privileges it has.

# Cloning roles

Both system and custom roles can be cloned by clicking on the 'Clone role' button just below the role name. This will create a copy of the role.

Roles can also be cloned programmatically via the Workato API.

# Deleting roles

When a role is deleted, all collaborators assigned to that role will be denied access to the team. The admin must reassign other roles to these collaborators. It is thus not advisable to delete a role until all collaborators are first migrated to a different role.

# Role privilege matrix

The following sections provide a breakdown of each privilege you can confer to a custom role. They are categorized into privileges for:

# Default settings for custom roles

When creating a new role, the View privilege for recipe development (Recipes, Connections and Folders) is automatically pre-selected. This gives users the ability to view the core Workato assets. These pre-selected privileges can be removed if not required for the role.

Thereafter, admins can select the specific Create, Edit, and Delete rights for all other assets, tools, and features in Workato.

Figure: Adding a new custom role

# Interdependent privileges

Several privileges in the role matrix have interdependencies with other privileges. For example, since all recipes and connections are contained within Folders, the Folder View permission is required to allow viewing recipes and connections. Another example is that the Create privilege for features will also require the Edit permission. The role matrix helps users by selecting and deselecting these dependencies on behalf of the user.

The privileges that will be selected or deselected will be indicated when hovering over a privilege checkbox.

Figure: Autoselecting interdependent privileges
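The select/deselect behaviour described above can be modelled as a dependency graph walked in both directions. This is an added example, not Workato's code: it encodes only the two rules stated in this section, and the asset list, the `(asset, action)` pairs and all function names are assumptions of the example.

```python
from collections import defaultdict

# Constructed model: privileges are (asset, action) pairs. Only the two rules
# this section states are encoded; the asset list is this example's assumption.
ASSETS = ("Folders", "Recipes", "Connections")
REQUIRES = {}
for _asset in ("Recipes", "Connections"):
    # Recipes and connections live in folders, so viewing them needs Folder View.
    REQUIRES[(_asset, "View")] = {("Folders", "View")}
for _asset in ASSETS:
    # Create on an asset also needs Edit on the same asset.
    REQUIRES[(_asset, "Create")] = {(_asset, "Edit")}

def _invert(edges):
    """Turn 'X requires Y' edges into 'Y is required by X' edges."""
    out = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            out[dst].add(src)
    return dict(out)

DEPENDENTS = _invert(REQUIRES)

def _reach(start, edges):
    """All nodes reachable from start, so chained rules are followed too."""
    seen, stack = set(), [start]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def select(granted, priv):
    """Grant priv together with every privilege it requires."""
    return set(granted) | {priv} | _reach(priv, REQUIRES)

def deselect(granted, priv):
    """Revoke priv together with every privilege that requires it."""
    return set(granted) - {priv} - _reach(priv, DEPENDENTS)

def missing_prerequisites(granted):
    """Review check: privileges held without a prerequisite they depend on."""
    granted = set(granted)
    gaps = {p: REQUIRES.get(p, set()) - granted for p in granted}
    return {p: need for p, need in gaps.items() if need}
```

`missing_prerequisites` is useful when reviewing role definitions that were assembled outside the role matrix, where nothing ticks the dependent checkboxes for you.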

# Recipe development

In this section, admins can define access and privileges to core recipe-building assets (recipes, jobs, connections, and folders).

# Recipe creation

These privileges are core assets for recipe development:

| Privilege | Description |
| --- | --- |
| Projects | Give access to create, edit, view, or delete specific projects. Alternatively, you can give the user Full access to all projects. |
| Recipes | Give specific access to view, edit, create, delete, run recipes and access to the job history in the jobs tab. |
| Connections | Give access to view, create, edit, or delete connections. |
| Folders | Give access to edit, create, or delete folders and sub-folders. This privilege works in conjunction with the selected privileges in the Top-level folder access section to define the role's folder privileges. |

# Debug jobs

Give roles the ability to access the network trace of a job. This allows viewing not only the input and output but also the network trace of the HTTP calls made for the action. This gives access to information in HTTP headers, request, and response flowing between the recipe action and the end application.

| Privilege | Description |
| --- | --- |
| Network trace | Give access to view the network trace in job history. |

# Folder access

This folder access privilege scopes a role's access to the folders, and correspondingly the recipes and connections contained in the specified folder. It also works in conjunction with the Folder View, Edit, Create, and Delete permissions defined above. For example, if the permissions for Edit folder are specified in the Recipe creation section above, collaborators with this role can edit sub-folders within the top-level folder access given here.

| Privilege | Description |
| --- | --- |
| Give access to all folders? | Select 'Yes' or 'No'. If 'No', proceed to give the role specific folders access. |
| Folders access | Select from the list of top-level folders in the team. Collaborators will be given access to assets in the folders selected. |
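Folder scope and asset privileges combine as an intersection: a request succeeds only if the folder is in scope and the privilege is granted. The following default-deny check is an added example, not Workato's code; the `Role` structure, the slash-separated paths and both sample roles are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """This example's own structure, not a Workato object."""
    privileges: set                             # {(asset, action)}
    all_folders: bool = False                   # "Give access to all folders?"
    folders: set = field(default_factory=set)   # selected top-level folders

def top_level(path):
    """Top-level folder of a slash-separated path, or None if unusable."""
    parts = [p for p in path.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None                             # refuse empty or traversal-style paths
    return parts[0]

def is_allowed(role, asset, action, path):
    """Default deny: the folder must be in scope AND the privilege granted."""
    root = top_level(path)
    if root is None or not (role.all_folders or root in role.folders):
        return False
    if asset in ("Recipes", "Connections") and ("Folders", "View") not in role.privileges:
        return False                            # assets in a folder need Folder View
    return (asset, action) in role.privileges

# Constructed roles: one scoped to all folders with no folder-editing rights,
# one scoped to a single top-level folder with Edit folder granted.
OPERATOR_LIKE = Role({("Folders", "View"), ("Recipes", "View"), ("Recipes", "Run")},
                     all_folders=True)
QA_BUILDER = Role({("Folders", "View"), ("Folders", "Edit"),
                   ("Recipes", "View"), ("Recipes", "Edit")},
                  folders={"QA"})
```

With these roles, `QA_BUILDER` can edit the sub-folder `QA/regression` but nothing under `Production`, while `OPERATOR_LIKE` can view recipes anywhere and edit no folder at all.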

# Platform tools

In this section, admins can manage privileges for tools available in the 'Tools' menu, such as Lookup tables, API platform etc.

# Tools

| Privilege | Description |
| --- | --- |
| API platform | Give access to the API platform, collections, clients, policies and logs. |
| Common data models | Give access to view, create, edit, or delete common data models. |
| Custom OAuth profiles | Give access to view, create, edit, or delete custom OAuth profiles and Enterprise Workbots. |
| Lookup Tables | Give access to all lookup tables. |
| Message templates | Give access to view, create, edit, or delete message templates. |
| On-prem groups | Give access to all on-prem groups and agents. |
| People task | Give access to human approval workflows with the People task tool. |
| Properties | Give access to all account Properties. |
| Pub/Sub | Give access to create or edit PubSub topics. |
| Recipe lifecycle management | Give access to import/export recipe packages with recipe lifecycle management. |
| Workbot | Give access to create or edit installed Workbots. |
| Verified user access at runtime | Give access to view or edit the recipe setting for Workbot personal connections. Note that this privilege requires the Recipe 'Edit' privilege to access. |

# Connector SDK

| Privilege | Description |
| --- | --- |
| Connector SDK | Give access to view, create, edit, or delete SDK connectors. |

# Admin privileges

Admin privileges should be given to collaborators that need to perform administrative functions on the Workato workspace such as managing the team and viewing the audit log.

# Team management

Give granular access to the Teams page tabs (Collaborators, Roles, and Settings).

| Privilege | Description |
| --- | --- |
| Teams | Give access to manage and edit your team collaborators. |
| Custom team roles | Give access to manage custom team roles. |
| SAML SSO | Give access to view SAML SSO settings of the team. |

# Activity audit

Give access to view all team activity in the Dashboard's activity audit log. This is an admin privilege that allows the user to view all activity audit logs, regardless of platform tools and top-level folder access.

| Privilege | Description |
| --- | --- |
| Activity audit | Give access to view team activity in the Activity audit log. |