Authorization governs how workspace members can access platform features and user-defined objects in the workspace.
NOTE: Authorization manages access to object types. It does not cover access to individual objects of a specified type. For example, access to a specific flow is governed by ownership of the flow (owner) and sharing of the flow by the owner (to a collaborator). If a flow is shared with a user who is not permitted to access flows, then the user cannot access the flow.
In a workspace, a member can have one of the following roles:
The Member role enables the user to access all product functionality that is enabled within the workspace for the product edition.
The Admin role enables all capabilities of the Member role, plus:
NOTE: The workspace Admin role is a super-user. It should be granted on a limited basis.
NOTE: A platform administrator is automatically granted the workspace Admin role.
Access to workspace objects is governed by roles in the user account.
A user may have one or more roles in it.
NOTE: Roles are additive. If a user has multiple roles, the user has access at the highest level of privileges from each role.
All new users are automatically assigned the
default role. By default, the
default role enables full access to all workspace objects.
defaultrole represents no change in behavior. All existing users can access workspace objects as normal.
Since roles in a user account are additive, you may choose to reduce the privileges on the
default role and then add privileges selectively by creating other roles and assigning them to users. See the example below.
NOTE: You can modify the
NOTE: In future releases of the software, additional workspace objects may be made available. A level of access may be defined in the
The Workspace admin role is a super-user.
NOTE: This role enables for the user owner-level access to all objects in the workspace and access to all admin-level settings and configuration pages in the admin console. This role should not be assigned to many users. At least one user should always have the
For a complete list of privileges for each type of object, see Privileges and Roles Reference.
In the following model, three separate roles have been created. Each role enables the highest level of access to a specific type of workspace object.
default object has been modified:
defaultrole, the scope of its permissions has been reduced here to view-only.
viewerprivilege for Plans (
NOTE: Depending on your product edition, some of these privileges may not be applicable.
|Privilege/Role||default||Role A||Role B||Role C||Notes|
|Connections||viewer||none||author||none||Paid product editions only|
|Plans||none||none||none||author||Premium product editions only|
User can create, schedule, modify, execute (run jobs), and delete plans (full privileges).