# Collaborator Roles And Privileges

Collaborator roles control team access to Workato features, functions, and folders as part of Role-based access control.


## System Roles

Workato pre-defines system roles so you can easily assign them to team collaborators, based on the access each user requires.

Workato has four system roles: Team owner, Admin, Analyst, and Operator.

You cannot edit these roles directly. However, you can clone each role, and then modify it.

To view the privileges of a system role, a Team Admin can select a role in the Roles tab. This opens a read-only version of the role.

### Team owner

The Team Owner role is the most permissive system role. It owns the root login (username/password) for the account and includes full access to all settings for the account.

  • All Admin role privileges: All privileges included in the Admin role.
  • Full Account Settings access: Access to all account settings.

### Admin

Typically granted to users managing the Workato team account, Admins have nearly equivalent privileges to the Team Owner. Aside from the Team Owner, this is the most permissive system role.

  • Full project access: All project permissions: View, edit, create, and delete.
  • Full folder access: All folder permissions: View, edit, create, and delete.
  • Full connection access: All connection permissions: View, edit, create, and delete.
  • Full recipe access: All recipe permissions: View, edit, create, delete, run, and view job history.
  • Full access network trace: View network traces in job histories. Includes recipe input, output, and the network trace of HTTP calls. HTTP call information includes HTTP headers, requests, and communication (responses) between Workato and the end application.
  • All projects: Access to all projects in a workspace.
  • Full access: Access to the API Platform, including dashboard & logs, collections & endpoints, clients & access profiles, policies, and settings.
  • Full Common data model access: All Common data model permissions: View, edit, create, and delete.
  • Full Custom OAuth Profile access: All Custom OAuth Profile permissions: View, edit, create, and delete.
  • Full Lookup table access: Access to the Lookup tables feature.
  • Full Message template access: All Message template permissions: View, edit, create, and delete.
  • Full On-prem groups access: Access all on-prem groups and agents in the workspace.
  • Full People task access: Access to the People task tool.
  • Full Properties access: Access to all Environment Properties in the workspace.
  • Full Pub/Sub access: All Pub/Sub permissions: View, edit, create, and delete topics.
  • Full Recipe lifecycle management access: Access to the Recipe lifecycle management feature.
  • Full Workbot access: All Workbot permissions: View, edit, create, and delete.
  • Full Runtime user connection access: All Runtime user connection permissions: View and edit.
  • Full Logs access: Access to the Workato Log Service feature.
  • Full Connector SDK access: All Connector SDK permissions: View, edit, create, and delete.
  • Full Team access: Manage the team in the workspace, including adding, editing, and removing collaborators.
  • Full Custom team roles access: View, edit, create, and delete custom team roles in the workspace.
  • Full SAML SSO access: View and edit SAML SSO settings for the workspace.
  • Full activity audit: Access to view team activity in the Dashboard's Activity audit log. This permission grants the user the ability to view all activity logs, regardless of other access settings.
  • Full key management: Access to the account's Key Management System (KMS). Users with this privilege can update key policies and encryption keys.

### Analyst

Analysts are typically users who build and test recipes or custom connectors.

  • Full project access: All project permissions: View, edit, create, and delete.
  • Full folder access: All folder permissions: View, edit, create, and delete.
  • Full connection access: All connection permissions: View, edit, create, and delete.
  • Full recipe access: All recipe permissions: View, edit, create, delete, run, and view job history.
  • All projects: Access to all projects in a workspace.
  • Full access: Access to the API Platform, including dashboard & logs, collections & endpoints, clients & access profiles, policies, and settings.
  • Full Common data model access: All Common data model permissions: View, edit, create, and delete.
  • Full Custom OAuth Profile access: All Custom OAuth Profile permissions: View, edit, create, and delete.
  • Full Lookup table access: Access to the Lookup tables feature.
  • Full Message template access: All Message template permissions: View, edit, create, and delete.
  • Full On-prem groups access: Access all on-prem groups and agents in the workspace.
  • Full People task access: Access to the People task tool.
  • Full Pub/Sub access: All Pub/Sub permissions: View, edit, create, and delete topics.
  • Full Workbot access: All Workbot permissions: View, edit, create, and delete.
  • Full Runtime user connection access: All Runtime user connection permissions: View and edit.
  • Full Connector SDK access: All Connector SDK permissions: View, edit, create, and delete.

### Operator

Operators are users who focus on maintaining and validating existing recipes. This is the least permissive system role.

This role includes read-only access to All folders and All projects.

  • View projects: View specific projects in a workspace.
  • View folders: View folders and sub-folders in a workspace.
  • View recipes: View recipes in a workspace.
  • Test (start/stop) recipes: Run recipes and start and stop recipe tests in a workspace.
  • View recipe job history: View a recipe's job history in the Jobs tab.
  • All projects: Access to all projects in a workspace.

## Custom Roles

CUSTOM ROLES IS AN ADD-ON

Custom roles is available as an add-on. Contact your Customer Success Manager for more information.

Workato also supports custom roles, enabling you to assign granular privileges to team collaborators.

For example: Development, QA, and Production teams are working in the same account. As part of the Recipe development lifecycle, you can create and assign roles with specific privileges to each team.

Refer to the Role-based access guide to learn how to create a custom role.
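
One way to review a custom role before assigning it, shown as an added example that is not Workato's code or API: it expands each "Full ..." grant into the granular privileges this page lists under it, then reports what a cloned role adds to its system-role baseline and which of those grants reach credentials, keys, identity, or audit data. The data layout, the `QA_ROLE` sample, and the choice of which privileges count as sensitive are assumptions.

```python
# Added example. Privilege names are copied from this page; the set/dict layout
# is a hypothetical local model, not a Workato export format or API.

def crud(noun):
    return {f"{verb} {noun}" for verb in ("View", "Edit", "Create", "Delete")}

# "Full ..." privileges and the granular privileges the page lists under them.
FULL = {
    "Full project access": crud("projects"),
    "Full folder access": crud("folders"),
    "Full connection access": crud("connections"),
    "Full recipe access": crud("recipes") | {"Test (start/stop) recipes",
                                             "View recipe job history"},
}

# Privileges whose descriptions on this page reach credentials, keys, identity
# or audit data. Treating exactly these as review triggers is an assumption.
SENSITIVE = {
    "Full access network trace": "shows HTTP headers, requests and responses",
    "Full key management": "can update key policies and encryption keys",
    "Full activity audit": "sees all activity logs regardless of other access",
    "Full SAML SSO access": "can edit SAML SSO settings",
    "Full Team access": "can add, edit and remove collaborators",
    "Full Custom team roles access": "can edit custom role definitions",
}

# Operator system role as listed on this page.
OPERATOR = {"View projects", "View folders", "View recipes",
            "Test (start/stop) recipes", "View recipe job history", "All projects"}

def effective(privileges):
    """Expand each 'Full ...' grant into the granular privileges it implies."""
    out = set()
    for p in privileges:
        out |= FULL.get(p, {p})
    return out

def review(role, baseline):
    """Report what a custom role adds to the system role it was cloned from."""
    return {
        "added": sorted(effective(role) - effective(baseline)),
        "sensitive": {p: SENSITIVE[p] for p in sorted(role) if p in SENSITIVE},
    }

# Constructed sample: a QA role cloned from Operator with two extra grants.
QA_ROLE = OPERATOR | {"Full connection access", "Full access network trace"}

if __name__ == "__main__":
    print(review(QA_ROLE, OPERATOR))
```
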


## Privileges

This section contains information about each of the privileges in Workato.

When you create or modify a role, you'll see the following tabs:

### Recipe Development Privileges

The Recipe development tab controls access and privileges related to projects, recipes, folders, and connections:

#### Recipe Creation

Projects
  • Full project access: All project permissions: View, edit, create, and delete.
  • View projects: View specific projects in a workspace.
  • Edit projects: Edit specific projects in a workspace.
  • Create projects: Create projects in a workspace.
  • Delete projects: Delete projects in a workspace.
Folders
  • Full folder access: All folder permissions: View, edit, create, and delete.
  • View folders: View folders and sub-folders in a workspace.
  • Edit folders: Edit folders and sub-folders in a workspace.
  • Create folders: Create folders and sub-folders in a workspace.
  • Delete folders: Delete folders and sub-folders in a workspace.
Connections
  • Full connection access: All connection permissions: View, edit, create, and delete.
  • View connections: View connections in a workspace.
  • Edit connections: Edit connections in a workspace.
  • Create connections: Create connections in a workspace.
  • Delete connections: Delete connections in a workspace.
Recipes
  • Full recipe access: All recipe permissions: View, edit, create, delete, run, and view job history.
  • View recipes: View recipes in a workspace.
  • Edit recipes: Edit recipes in a workspace.
  • Create recipes: Create recipes in a workspace.
  • Delete recipes: Delete recipes in a workspace.
  • Test (start/stop) recipes: Run recipes and start and stop recipe tests in a workspace.
  • View recipe job history: View a recipe's job history in the Jobs tab.


#### Debug Jobs

Network trace
  • Full access network trace: View network traces in job histories. Includes recipe input, output, and the network trace of HTTP calls. HTTP call information includes HTTP headers, requests, and communication (responses) between Workato and the end application.


#### Project Access

Project access
  • All projects: Access to all projects in a workspace.
  • Selected projects: Access to specific projects in a workspace. If this option is selected, the user can access the projects specified here.


### Platform Tools Privileges

#### Tools

Common data models
  • Full Common data model access: All Common data model permissions: View, edit, create, and delete.
  • View Common data models: View Common data models in the workspace.
  • Edit Common data models: Edit Common data models in the workspace.
  • Create Common data models: Create Common data models in the workspace.
  • Delete Common data models: Delete Common data models in the workspace.
Custom OAuth profiles
  • Full Custom OAuth Profile access: All Custom OAuth Profile permissions: View, edit, create, and delete.
  • View Custom OAuth Profiles: View Custom OAuth Profiles and Enterprise Workbots.
  • Edit Custom OAuth Profiles: Edit Custom OAuth Profiles and Enterprise Workbots.
  • Create Custom OAuth Profiles: Create Custom OAuth Profiles and Enterprise Workbots.
  • Delete Custom OAuth Profiles: Delete Custom OAuth Profiles and Enterprise Workbots.
Lookup tables
  • Full access: Enables all other permissions on Lookup tables.
  • View: Allows users to view all tables and their records.
  • Edit records: Allows users to add, edit, or delete records for all Lookup tables in the Lookup tables interface.
  • Create: Allows users to create new tables in the Lookup tables interface.
  • Delete: Allows users to delete tables.
  • Modify structure: Allows users to edit the schema (to add, remove, or edit columns) for any table.
Message templates
  • Full Message template access: All Message template permissions: View, edit, create, and delete.
  • View Message templates: View Message templates in the workspace.
  • Edit Message templates: Edit Message templates in the workspace.
  • Create Message templates: Create Message templates in the workspace.
  • Delete Message templates: Delete Message templates in the workspace.
On-prem groups
  • Full On-prem groups access: Access all on-prem groups and agents in the workspace.
People tasks
  • Full People task access: Access to the People task tool.
Properties
  • Full Properties access: Access to all Environment Properties in the workspace.
PubSub
  • Full PubSub access: All PubSub permissions: View, edit, create, and delete topics.
  • View PubSub topics: View PubSub topics in the workspace.
  • Edit PubSub topics: Edit PubSub topics in the workspace.
  • Create PubSub topics: Create PubSub topics in the workspace.
  • Delete PubSub topics: Delete PubSub topics in the workspace.
Recipe lifecycle management
  • Full Recipe lifecycle management access: Access to the Recipe lifecycle management feature.
Workbot
  • Full Workbot access: All Workbot permissions: View, edit, create, and delete.
  • View Workbots: View installed Workbots in the workspace.
  • Edit Workbots: Edit installed Workbots in the workspace.
  • Create Workbots: Create Workbots in the workspace.
  • Delete Workbots: Delete installed Workbots in the workspace.
Runtime user connections
  • Full Runtime user connection access: All Runtime user connection permissions: View and edit.
  • View Runtime user connections: View the Runtime user connections setting.
  • Edit Runtime user connections: Edit the Runtime user connections setting.
Workato log service
  • Full Logs access: Access to the Workato Log Service feature.


#### API Platform

Dashboard & logs
  • Full access: Full access to the API dashboard and API logs.
Collection & endpoints
  • Full access: Full access to the API collections and API endpoints.
  • View: Allows users to view all collections and endpoints.
  • Edit: Allows users to edit collections and endpoints.
  • Create: Allows users to create new collections and endpoints.
  • Delete: Allows users to delete collections and endpoints.
Client & access profiles
  • Full access: Full access to the API clients and API access profiles.
  • View: Allows users to view all clients and access profiles.
  • Edit: Allows users to edit clients and access profiles.
  • Create: Allows users to create new clients and access profiles.
  • Delete: Allows users to delete clients and access profiles.
Policies
  • Full access: Full access to the API access policies.
  • View: Allows users to view all access policies.
  • Edit: Allows users to edit access policies.
  • Create: Allows users to create new access policies.
  • Delete: Allows users to delete access policies.
Settings
  • Full access: Full access to the API custom domain and API prefix.


#### Connector SDK

Connector SDK
  • Full Connector SDK access: All Connector SDK permissions: View, edit, create, and delete.
  • View SDK connectors: View SDK connectors.
  • Edit SDK connectors: Edit SDK connectors.
  • Create SDK connectors: Create SDK connectors.
  • Delete SDK connectors: Delete SDK connectors.


### Admin Privileges

Privilege types and their privilege levels:

Team
  • Full Team access: Manage the team in the workspace, including adding, editing, and removing collaborators.
Custom team roles
  • Full Custom team roles access: View, edit, create, and delete custom team roles in the workspace.
SAML SSO
  • Full SAML SSO access: View and edit SAML SSO settings for the workspace.
Activity audit
  • Full activity audit: Access to view team activity in the Dashboard's Activity audit log. Note: This permission grants the user the ability to view all activity logs, regardless of other access settings.
Key management
  • Full key management: Access to the account's Key Management System (KMS). Users with this privilege can update key policies and encryption keys.
