Workflow Automation CoE > Securing Workflow Automation Products - Part 1: Application Access
Goal
In this set of Workflow Automation Center of Excellence articles, you’ll learn about various ways to manage access to the Workflow Automation products Flow Designer, Decision Builder, and Process Automation Designer. This topic is quite complex and covers a range of Platform Capabilities, so I’ll break it up into multiple articles for easier consumption.
- Part 1: Introduction and Application Access (you are here)
- Part 2: Designer Access
- Part 3: Execution Access and Key Takeaways
- Platform Academy - Securing Workflow Automation Products
Technology Overview
Flow Designer is our central low-code workflow automation technology. It allows you to automate work on and off the Now Platform with an extensive repository of actions, logic, and integration spokes.
Process Automation Designer runs flows and flow actions to power individual process activities while adding a dedicated UI experience for the process worker with the help of Playbook Experience.
Decision Builder allows you to create Decision Tables to decouple conditions from the logic, making them easier to manage and reuse.
Today, we’ll look at three dimensions of access: Application Scope development permissions, access to the respective design interface and its features, and access to objects and data at execution runtime. All of these dimensions can apply individually or cumulatively.
Application Access
Unless you want to give your workflow developers full ‘admin’ access, using Delegated Development permissions or the plugin “App Collaboration” will be the process of choice to limit development access to specific scoped applications. Application Collaboration was introduced for App Engine Studio in the Utah release, and an App Engine license is required. It extends and replaces the delegated development system.
Delegated Development
Delegated Development allows an admin or application owner to assign specific development and/or deployment permissions to users or groups. These permissions will be limited to the application scope they’re granted in. This option is only available for Scoped Apps, not Global App Bundles. Managing Developers is available from the Application record (sys_app) or the Studio menu.
Tip: Learn more about Delegated Development in this Platform Academy session.
Application Collaboration
After installing the App Collaboration plugin, the “Manage Developers” link and modal are replaced with “Manage Collaborators” in both AES and Studio IDE, as well as in the Application (‘sys_app’) record form.
The plugin comes with two default Collaboration Descriptors: “Editor” and “Owner”. Additional Custom Descriptors can be created as well. For example, we could make one that includes all Workflow Automation Products: Flow Designer, Process Automation Designer, and Decision Tables.
When you request development permission for a user from a given scoped app, a new “Developer Collaboration Task” is created, triggering an approval flow.
This flow will check if that collaboration descriptor is allocated to the user or a group they’re a member of. If so, the request will be approved automatically. If not, an approval is sent to the “App Engine Admins” Group.
After approval, the user can access, create, and edit flows, processes, and decision tables for this specific application scope. The permissions can be customized or removed from the same menu if needed.
Continue here to read Part 2: Designer Access
