# Privileges
This page lists all available privileges in Workato. Use this reference when creating or editing custom roles. Each entry describes what the privilege controls, where it applies, and any dependencies to consider.
Privileges fall into two scopes:
- Environment-level privileges: Apply across the entire environment
- Project-level privileges: Apply within a specific project
# Environment privileges
Environment-level privileges control access across entire environments. They cover administrative tools, configuration options, and features shared across multiple projects, such as lifecycle settings, OAuth profiles, or project creation.
Workspaces may include multiple environments, and collaborators can have different environment roles across each one.
# Platform tools
The Platform tools privileges tab controls access to shared tools and features that operate across projects within the environment. This tab includes the following privilege access:
# Project management
These privileges control whether a collaborator can create projects and manage access to all projects in the environment. When a user creates a project, Workato automatically assigns them the Project admin role for that project.
Manage projects
Controls access to create projects and manage collaborator access across all projects in the environment.
Full access
Includes project creation and the ability to manage collaborator access for all projects in the environment.
Create
Grants the ability to create new projects. The creator is automatically assigned the Project admin role for that project.
Access control
Grants permission to manage collaborator roles and access across all projects in the environment.
# Tools
These privileges control access to shared environment-level tools and resources used across recipes.
Common data models
Controls access to create and manage common data models that standardize schema across recipes.
Full access
Grants all permissions to common data models.
View
View common data models in the workspace.
Edit
Edit common data models in the workspace.
Create
Create common data models in the workspace.
Delete
Delete common data models in the workspace.
Custom Oauth profiles
Controls access to manage custom OAuth profiles used for authentication across recipes and connectors in the environment.
Full access
Grants all Custom OAuth profile permissions.
View
View Custom OAuth Profiles and Enterprise Workbots.
Edit
Edit Custom OAuth Profiles and Enterprise Workbots.
Create
Create Custom OAuth Profiles and Enterprise Workbots.
Delete
Delete Custom OAuth Profiles and Enterprise Workbots.
Message templates
Controls access to manage message templates used in recipes.
Full access
Grants all message templates permissions.
View
View message templates in the workspace.
Edit
Edit message templates in the workspace.
Create
Create message templates in the workspace.
Delete
Delete message templates in the workspace.
People task
Controls access to use and manage the People task feature.
- Full access
- Grants full access to the People task tool.
Event streams
Controls access to event streams.
Full access
Grants full access to all event streams permissions.
View
View Event topics in the workspace.
Edit
Edit Event topics in the workspace.
Create
Create Event topics in the workspace.
Delete
Delete Event topics in the workspace.
View history
View the message content in the Event topics messages list.
Recipe lifecycle management
Controls access to the Recipe lifecycle management feature.
- Full access
- Grants full access to the Recipe lifecycle management (RLCM) feature. This includes the ability to create manifests and view and interact with all assets included in manifests.
Workbot
Controls access to manage Workbot configurations.
Full access
Grants full access to all Workbot permissions.
View
View installed Workbots in the workspace.
Edit
Edit installed Workbots in the workspace.
Create
Create Workbots in the workspace.
Delete
Delete installed Workbots in the workspace.
Runtime user connections
Controls access to runtime user connections.
Full access
Grants all runtime connection permissions.
View
View runtime connections in the workspace.
Edit
Edit runtime connections in the workspace.
Delete
Delete runtime connections in the workspace.
Logs
Controls access to system logs that track platform activity at the environment level.
- Full access
- Grants full access to available logs.
File Storage
Controls access to the FileStorage feature.
Full access
Grants full access to FileStorage permissions.
View
View files and directories in the FileStorage interface.
Edit
Edit files and directories in the FileStorage interface.
Create
Create files and directories in the FileStorage interface.
Delete
Delete files and directories in the FileStorage interface.
# On-premise
These privileges control access to on-premise features, including agent management, file-based connections, and command line scripts.
On-prem groups & agents
Controls access to set up, configure, and manage on-premise agents and agent groups.
Full access
Grants full access to permissions for on-prem groups and agents.
View
View on-prem groups and agents.
Edit
Edit on-prem groups and agents.
Create
Create on-prem groups and agents.
Delete
Delete on-prem groups and agents.
Connection - on-prem files
Controls access to create and manage connections to local file systems through the on-prem agent. These connections enable recipes to interact with the file system of the machine where the agent is installed.
- Full access
- Grants full access to permissions for on-prem groups and agents. Grants permission to create, edit, and delete on-prem file connections, including secondary connections. Note that global connection settings may override this permission.
Connection - command line scripts
Controls access to create and manage on-premise connections that execute command-line scripts on machines where the on-prem agent is installed. These connections enable recipes to run local shell commands as part of automated workflows.
- Full access
- Grants permission to create, edit, and delete command-line script connections. Note that global connection settings may override this permission.
# Apps portal
These privileges control access to the Workflow Apps portal. These permissions control portal-level settings and identity group access. Creating or editing a Workflow app requires Workflow app privileges. Access to a Workflow app's data depends on data table permissions.
Settings
Controls access to manage settings for the Workflow Apps portal. This includes workspace-level branding, authentication methods, login experience, and other global configurations for end-user apps.
- Full access
- Grants full access to all Workflow Apps portal settings.
ACCESS CONTEXT
Workflow app creation is controlled by Workflow app permissions. Access to a Workflow app's data is controlled by data table privileges.
Users and groups
Controls access to manage groups and user assignments in the Workflow Apps portal.
- Full access
- Grants permission to view, add, remove, and modify users and their group memberships in the Apps portal.
# Data storage
These privileges control access to environment-level data storage features such as lookup tables and environment properties.
Lookup tables
Controls access to the lookup tables interface. These permissions apply only to tables the user can already access. This includes tables scoped to All projects, and project-scoped tables if the user also has access to that project.
Full access
Grants full to lookup tables permissions.
View
View all tables and their records.
Edit records
Add, edit, or delete records for all lookup tables in the lookup tables interface.
Create
Create new tables in the Lookup tables interface.
Delete
Delete tables in the Lookup tables interface.
Modify structure
Edit the schema, such as adding, removing, or editing columns for any table.
CONNECTOR ACCESS
Users can still add, update, or delete records using the Lookup Tables connector in recipes, as long as they have access to the table. This works independently of the “Edit records” UI permission.
Environment properties
Controls access to environment-level configuration values used across recipes.
Full access
Grants full to environment properties permissions.
View
View all Environment properties.
Edit records
Add, edit, or delete environment properties.
Create
Create new environment properties.
Delete
Delete environment properties.
# API platform
These privileges control access to the API platform, including endpoints, policies, and related configurations.
Dashboard & logs
Controls access to API dashboards and logs.
- Full access
- Grants full access to view, configure, and manage API dashboards and logs.
Collections & endpoints
Controls access to API collections and endpoints.
Full access
Grants all permissions for managing API collections and endpoints.
View
View existing API collections and endpoints.
Edit
Edit API collections and endpoints.
Create
Create new API collections and endpoints.
Delete
Delete API collections and endpoints.
Client & access profiles
Controls access to client profiles and access credentials for API usage.
Full access
Grants full access to manage client profiles and access credentials.
View
View client profiles and access credentials.
Edit
Edit client profiles and access credentials.
Create
Create client profiles and access credentials.
Delete
Delete client profiles and access credentials.
Policies
Controls access to manage API policies that govern usage and security.
Full access
Grants all API policy permissions.
View
View API policies.
Edit
Edit API policies.
Create
Create new API policies.
Delete
Delete API policies.
Settings
Controls access to API platform settings.
- Full access
- Grants complete control of API platform settings.
# Connector SDK
These privileges control access to custom SDK connectors and their usage in recipes.
Connector SDK
Controls access to develop and manage SDK-based connectors within the environment.
- Full access
- Grants full access to create, edit, publish, and manage custom SDK connectors. Note that this doesn't include permissions for recipe-level use.
Use in recipes
Controls whether users can use SDK connectors in recipes.
- Full access
- Grants full access to using custom SDK connectors in recipes across any accessible project.
# Insights
These privileges control access to Insights dashboards.
Use in recipes
Controls whether users can use SDK connectors in recipes.
Full access
Grants full access to the Insights feature and permissions.
View
View all accessible Insights dashboards and their metrics.
Edit
Edit existing Insights dashboards.
Create
Create new Insights dashboards.
Delete
Delete Insights dashboards.
# Admin privileges
The Admin privileges tab controls access to administrative features at the workspace and environment level. These privileges affect collaborator roles, workspace configuration, API access, and security visibility.
This tab includes the following privilege categories:
# Workspace access
These privileges control access to workspace-wide configuration and collaborator management. Use these privileges to assign roles, manage users, and configure workspace settings.
Collaborators
Controls access to manage collaborators in the workspace.
- Full access
- Grants full control over collaborator management, including viewing, adding, updating, and removing users.
Collaborators roles (non-system)
Controls access to create and manage custom roles within the workspace. This applies to both environment and project-level roles, but does not include system-defined roles like Environment admin or Project admin.
- Full access
- Grants permission to define, edit, and delete custom roles.
Developer API
Controls access to manage the Developer API settings in the workspace.
- Full access
- Grants permission to view and update Developer API settings.
Workspace settings
Controls access to update global workspace-level settings.
- Full access
- Grants permission to view and update all workspace settings.
# Environment settings
These privileges control access to environment-level logs, debug tools, and security configurations.
Debug, Log and Security
Controls access to view team activity and security settings for the environment.
- Full access
- Grants permission to view and edit the workspace's environment-specific settings, including error alerts, network trace, data retention, and AWS IAM information.
# Manage customers privileges
WHO CAN USE THIS FEATURE?
The Manage customers interface only appears for Embedded collaborators with permission to create or modify collaborator roles.
Customers & customer managers
Controls access to the Customers and Customer managers tabs of the Embedded Admin console.
Full access
Grants all customers and customer managers permissions to view, add, update, and delete customers and customer managers.
View
Grants permission to view customers and customer managers.
Manage
Grants permission to add customers and assign customer managers.
Delete
Grants permission to delete customers and customer managers.
Shared connectors
Controls access to Shared connectors tab of the Embedded Admin console.
Full access
Grants all shared connectors permissions to view, manage, and delete shared connectors.
View
Grants permission to view shared connectors.
Manage
Grants permission to manage shared connectors.
Delete
Grants permission to delete shared connectors.
Usage metrics & settings
Controls access to usage metrics and settings in the Embedded Admin console.
Full access
Grants all usage metrics and settings permissions, including viewing and managing usage metrics and settings.
View
Grants permission to view usage metrics and settings.
Manage
Grants permission to manage audit log streaming and branding settings.
# Automation HQ privileges
The Automation HQ privileges tab controls access to Automation HQ.
Automation HQ
Controls access to the Automation HQ interface.
- Full access
- Allows users to access and use all features within Automation HQ.
# Solutions access
The Solutions access tab controls permissions to manage end users, user groups, and authentication for Workato solutions such as Workato ID, Workato GO, Genies, and the Low Code App.
Authentication settings and SSO
Controls access to configure authentication methods and single sign-on (SSO) for Workato solutions.
- Full access
- Grants permission to configure authentication settings, enable or disable SSO, and manage identity providers.
End users and groups
Controls access to manage end users and user groups for Workato solutions.
- Full access
- Grants permission to add, remove, and update end users and groups.
# Project privileges
These privileges control what users can access and manage within a specific project. Assign these permissions when creating custom project roles to define what collaborators can build, deploy, or view.
Project-level privileges are grouped into the following categories:
# Project assets
These privileges control access to build and manage core project components such as recipes, folders, and connections. Each asset type has its own set of granular permissions.
Connections
Controls access to manage connections that recipes use to integrate with external systems.
Full access
Grants all connection permissions.
View
View existing connections in the project.
Edit
Update connection configurations.
Create
Create new connections in the project.
Delete
Remove existing connections from the project.
Recipes
Controls access to create, manage, and operate recipes in the project.
Full access
Grants all recipe-related permissions.
View
View existing recipes.
Edit
Update recipe configurations.
Create
Build new recipes.
Delete
Remove existing recipes from the project.
Test/Start/Stop
Start, stop, and test recipes.
Job history
View a recipe's job history in the Jobs tab.
Genies
Controls access to create and manage Genies.
Full access
Grants all Genie-related permissions.
View
View existing Genies.
Edit
Update Genie configurations.
Create
Build new Genies.
Delete
Remove existing Genies.
Knowledge Bases
Controls access to manage Knowledge Bases used for storing and retrieving structured content.
Full access
Grants all Knowledge Base permissions.
View
View Knowledge Bases in the project.
Edit
Update Knowledge Base configurations.
Create
Add new Knowledge Bases.
Delete
Remove existing Knowledge Bases.
Data Pipelines
Controls access to create, manage, and test Data Pipelines.
Full access
Grants all Data Pipeline permissions.
View
View Data Pipelines.
Edit
Update existing Data Pipeline configurations.
Create
Build new Data Pipelines.
Delete
Remove existing Data Pipelines.
Test/Start/Stop
Start, stop, and test Data Pipelines.
Data tables
Controls access to create and manage data tables.
Full access
Grants all Data Table permissions.
View
View Data Tables.
Edit records
Update existing records within a data table.
Create
Add new data tables.
Delete
Remove existing data tables.
Modify structure
Change the schema of a data table, including adding, updating, or removing columns.
Folders
Controls access to project folders used to organize recipes and assets.
Full access
Grants all folder permissions.
View
View folders and sub-folders in the project.
Edit
Update folder properties.
Create
Add new folders and sub-folders.
Delete
Remove existing folders and sub-folders.
# Project settings
These privileges control access to manage project-level configurations, deployments, and collaborator permissions. These settings define who can administer the project, modify properties, and approve or review deployments.
ENABLE DEPLOYMENT
You must enable deployment in both the source and target environments.
Project administration
Controls access to core administrative actions within a project.
Full access
Grants all project administrative permissions.
Edit
Update the project's name and description.
Delete
Delete the entire project.
Access control
Manage collaborator access and assign roles within the project.
Project properties
Controls access to manage project-level metadata and related configurations.
Full access
Grants all permissions to configure project properties.
View
View project properties such as the name, description, and metadata.
Edit records
Update existing project property records.
Create
Add new project property records.
Delete
Remove existing project property records.
Approve deployment
Controls the ability to approve deployments when deployment approval workflows are enabled.
- Full access
- Grants permission to approve deployment requests.
Review deployment
Controls the ability to review deployment details before approving or rejecting.
- Full access
- Grants permission to view and review deployment configurations.
# Low-code apps
These privileges control access to Workflow apps, such as the ability to create apps and manage settings for Workflow apps on an individual basis. These permissions only apply to the web interface and don't affect access to the Workflow apps connector. Access to the Workflow apps portal is determined by Workflow apps portal permissions. Access to a Workflow app's corresponding data table is determined by data tables permissions.
App development
Controls access to build and edit the workflow app's structure and logic.
- Full access
- Grants full Workflow app development permissions.
App access and role management
Controls access to manage who can use and manage the workflow app.
Full access
Grants full access to Workflow apps and role management permissions.
Manage access and role
Manage the users of your Workflow app.
Go live / Take offline
Allows users to publish a Workflow app in the Workflow apps portal or take an app offline.
# Test automation
These privileges control access to Test Automation.
Test automation
Grants access to all test automation privileges.
Full access
Grants all test automation permissions.
View
View test case details, including mock data and checks.
Manage (Create, Edit, Delete, Run)
Manage (create, edit, run, delete) test cases for recipes.
# Debug jobs
These privileges control access to the network trace within job history.
Network trace
Manage access to network tracing information in job histories.
- Full access
- View network traces in job histories.
# Secrets management
These privileges control access to manage security-related settings, including viewing, editing, and configuring secrets.
Secrets management
Controls access to create, view, and update secrets in the workspace.
Full access
Grants all permissions to manage secrets, including viewing and editing.
View
View existing secrets and their configurations.
Edit
Update or modify existing secrets.
Last updated: 10/7/2025, 3:50:03 PM