Securing Workflow Automation Products - Part 2: Designer Access - Workflow Automation CoE

Lisa Holenstein
ServiceNow Employee
ServiceNow Employee

‎11-09-2023 12:28 AM - edited ‎02-14-2025 05:42 AM

Workflow Automation CoEPart 2: Designer Access

 

Goal

In this set of Workflow Automation Center of Excellence articles, you’ll learn about various ways to manage access to the Workflow Automation products Flow Designer, Decision Builder, and Process Automation Designer. This topic is quite complex and covers a range of Platform Capabilities, so I’ll break it up into multiple articles for easier consumption.

 

Designer Access

The next level of access we’re looking at in this article will be at the designer level. All three designers offer various roles to specify access levels, like read-only roles or granting limited edit access.

Additionally, Flow Designer has two more features: Content Filtering and Feature Access. These can determine which flows, subflows, actions, and triggers can be used by which user roles (e.g., only HR developers may use the HR spokes) or limit access to Flow Designer features like “Save”, “Test”, “Activate”, “Create Code Snippet”, etc.

 

Roles

Flow Designer

User role access to Flow Designer can be roughly divided into three categories: reading, writing, and reporting.

To give users read-only access to flows, flow actions, and execution details, they can be granted the ‘fd_read’ role. This role includes read-only roles for the individual parts (‘fd_read_flows’, ‘fd_read_actions’, and ‘fd_read_operations’).

For developers to be able to create and modify flows and flow actions, ‘flow_designer’ and ‘action_designer’ are required, respectively. By default, ‘flow_designer’ does not grant access to Action Designer.

Lastly, for access to flow reporting or more detailed access to flow execution details, dashboards, and logs, you can grant ‘flow_report_viewer’ or ‘flow_operator’, depending on the required level of access.

 

Process Automation Designer

Roles for PAD are tailored to the requirements for authoring processes and the experience configuration.

Granting ‘pd_trigger_author’ allows users to create, update, and delete trigger definitions. The role ‘pd_content_author’ adds permissions to do the same for activity definitions. A full process admin (‘pd_admin’) can do all of the above plus everything included in the ‘pd_author’ role: create, activate, edit, and delete process definitions.

Reporting access to process and activity executions and execution logs is granted through ‘pd_operator’.

Additional roles (‘pd_shared.user’, ‘pd_shared.admin’) allow to view or edit Experience activity types and properties for Playbook Experiences.

 

Note: Granting access to PAD with these roles does not automatically grant access to Flow Designer. Since process activities run on flows and flow actions, it may also be helpful to assign Flow Designer roles.

 

Decision Builder

User role access for Decision Builder is built to determine the ability to read, create, edit, or delete specific parts of a decision table.

Read-only access to inputs and decision table rows is granted with ‘decision_table_reader’. Users with this role can also export the decision table to Excel.

The first extension adds edit permissions to the result values for existing decision rows with the ‘decision_result_editor’ role.

The next level of permissions grants access to the entire decision table with the role ‘decision_rule_author’, allowing adding, deleting, and rearranging decision table rows and editing conditions and result values in all rows and columns.

Finally, when you’re either a global admin or granted the ‘decision_table_admin’ role, you can access all parts of Decision Builder and Decision Tables, including inputs, properties, and creating new decision tables.

 

Flow Designer: Feature Access

Feature Access is a product capability that allows you to restrict access to certain functionality within Flow Designer. For example, you may want to limit access to activating flows, using the try logic, or accessing the error handling section to specific roles.

Feature access is maintained from “Process Automation > Flow Administration > Feature Access List”. This page lists all features that can be restricted from here. There’s also a checkbox that will enable/disable Feature Access Filtering globally.

Required role: ‘admin’

 

LisaHolenstein_0-1699356670583.png

 

Considerations

Before enabling feature access filtering, take stock of any permissions granted to Flow Designer and Action Designer through roles like ‘flow_designer’, ‘action_designer’, or ‘delegated_developer’. If you don’t add these roles to the features in the list, users with these roles will lose access they currently have once you enable the filtering.

Feature Access Tips

  1. Anyone with the ‘admin’ role will always have access to all Flow Designer and Action Designer features.
  2. Add the ‘flow_designer’ role to all features in the flow and subflow authoring categories.
  3. Add the ‘action_designer’ role to all features in the action authoring category.
  4. Add the ‘app_template_author’ role to the flow template authoring category if you have activated App Engine Studio and the Flow Template Builder plugins.
  5. Create or reuse custom roles (and groups) to define feature access classification, e.g.,
    1. For copying flows, subflows, or flow actions
    2. For activating flows or publishing subflows and flow actions
    3. For access to creating code snippets

 

Flow Designer: Content Filtering

Content Filtering is a product capability that allows you to grant access to certain content within Flow Designer. For example, you may want to limit access to HR-related flow actions or spokes to only be available for HR admins and developers.

 

Content filtering uses:

Flow Designer includes several default definitions and filtering rules. You can set up content filtering by modifying pre-existing rules or creating your own.

 

LisaHolenstein_1-1699356715858.png

 

Required roles: ‘flow_designer’, ‘action_designer’, or ‘admin’


Note: You will find that the records defined in the Feature Access List (see previous section) will also show up in the filtering rules list.

 

Considerations

Content filtering rules are additive – different from what you’re used to in ACLs – which means that when you add your own filtering rules to grant access to flow actions in a specific Application scope only for a particular role, you also have to exclude that scope from the default filter rules.


Example

In my example, I created a content definition for all flow actions in the Microsoft Teams Graph Spoke and a rule to apply for the example role ‘filter_2’. Then, I excluded the same app scope from the default filter rule.

 

Custom Content Definition

LisaHolenstein_0-1699356878938.png

 

Custom Filter Rule

LisaHolenstein_1-1699356886202.png

 

Default Filter Rule

LisaHolenstein_2-1699356901478.png

 

This results in the Spoke Actions no longer showing up for my test user.

Before:

LisaHolenstein_3-1699356909518.png

 

After:

LisaHolenstein_4-1699356920025.png

 

Continue here to read Part 3: Execution Access and Conclusion

 

Center of Excellence Navigation

  1. Workflow Automation - Center of Excellence
  2. Workflow Automation Migration Considerations
  3. What's new for Workflow Automation?
  4. Resource Hubs
    1. Flow Designer
    2. Decision Builder
    3. Process Automation Designer
  5. FAQ
  6. Checklist
  7. Training
  8. Platform Academy
0 Helpfuls
  • 1,844 Views
Version history
Last update:
‎02-14-2025 05:42 AM
Updated by:
ServiceNow Employee
Contributors