Skip to main content
Workspaces multi-tenant architecture
Scope: New access management and permission mechanism applies only to FlowX Designer access. Runtime permissions through Keycloak roles (at process level) remain unchanged.

​
Key benefits

Faster Onboarding

Onboard new business verticals in days instead of weeks with shared platform capabilities

Data Isolation

Provide secure separation between different business contexts while allowing controlled resource sharing

Enhanced Access Control

Implement granular permissions with role-based access control (RBAC) and access control lists (ACLs)

​
Key concepts

​
Workspace

A workspace is a logical grouping of entities and assets defined in FlowX that are only available to a subset of users who are given explicit access. Each workspace operates independently, ensuring data and configuration separation between different business contexts.

​
Multi-workspace user access

Users can be granted access to multiple workspaces and can switch between them as needed. When a user has access to multiple workspaces, they can select which workspace to enter after authentication.

​
Data isolation

Workspaces provide logical data isolation, meaning that resources (projects, libraries, themes, etc.) are scoped to specific workspaces and cannot be accessed from other workspaces without explicit sharing configurations.

​
Additional terminology

  • Group: A collection of users who share common characteristics, responsibilities, or access needs within a system. Groups are used to simplify access control by managing permissions collectively rather than assigning them individually to each user.
  • Permissions: Define what actions can be performed on resources. They are fine-grained access controls that specify privileges for a resource type, such as: read process, edit process, delete process.
  • Roles: Collections of permissions grouped together based on job functions or responsibilities. They simplify permission management by assigning a set of permissions to users instead of managing them individually.
Role assignment rule: Roles are never assigned directly to users or groups. A user or group is assigned a role ONLY when given access to a workspace OR a project/library. Exception: org_admin role is the only one assigned to users directly at the organization level.
When a user has multiple roles assigned in the context of a workspace or project, their access level is the union of all permissions from all roles associated with the user.

​
Workspace use cases

Isolation Level: HighDifferent use cases, projects, permissions, and users between business verticals (e.g., retail vs. corporate vs. investment banking).Shared Resources:
  • Shared users across business lines
  • Shared library builds
  • Shared themes (configurable)
Example: A multinational bank with separate workspaces for Retail Banking, Corporate Banking, and Investment Banking, each with its own processes but sharing common user authentication and compliance libraries.
Isolation Level: MediumSame business line across different regions, subject to local regulations.Shared Resources:
  • Libraries and common processes
  • Some shared users with multi-region access
Example: An insurance company with workspaces for US, EU, and APAC operations, sharing global insurance processes but maintaining region-specific compliance and regulatory processes.
Isolation Level: HighestComplete separation for different customers or organizations.Shared Resources: NoneExample: A consulting firm providing FlowX services to multiple clients, with completely isolated workspaces for each client organization.

​
How workspaces work

​
Authentication and access flow

1

User Authentication

User logs in using OAuth 2.0 through the configured identity provider (Keycloak or client’s existing provider). Authenticated users are saved with subject ID in FlowX database.
2

Permission Retrieval

System fetches the user’s workspace permissions and available workspaces
3

Workspace Selection

If user has access to multiple workspaces, they select which workspace to enter
4

Context Loading

FlowX Designer loads with workspace-specific content, projects, and permissions

​
Workspace selection experience

The workspace selection experience varies based on user access:
  • Single Workspace Access
  • Multiple Workspace Access
Direct Navigation: Users with access to only one workspace are automatically redirected to the projects page within their workspace.UI Behavior: The workspace dropdown selector is disabled since no selection is needed.Session Flow: Streamlined experience with no additional selection steps required.

​
Session management

Session Persistence: Workspace selection is saved for the user session. On subsequent visits within the same session, users are automatically redirected to their previously selected workspace.

​
Resource management

  • Project Isolation
  • Library Sharing
  • Theme Management
  • Media Files & Fonts
Complete Separation: Projects cannot be exported from one workspace to another on the same environmentWorkspace Scoping: Each project is tagged with its workspace ID and only accessible within that workspaceIndependent Lifecycle: Projects in different workspaces can have the same names and follow independent versioningCritical Constraint: Having the same project or library configuration in multiple workspaces on the same FlowX instance is NOT permittedImport Behavior: Projects created from version or build import are created with access only for the currently logged in user with β€˜Project Owner’ role. Workspace admins are also able to view projects. Access can be extended to required users subsequently.Runtime Permissions: Permissions for Runtime section are received by users with workspace role. Users inherit runtime permissions from workspace role for ALL projects/libraries they have access to.

​
Additional workspace features

​
Command Center (AI Agents)

AI Agents permission is a project level permission starting in FlowX 5.0 release. Consequence: Command center will be available only on projects or libraries pages.

​
Audit Logs

Audit log entry in main menu for every workspace will be available only for users with Workspace Admin role. The reason for this is that global audit log includes all logs for all projects/libraries in workspace.

​
Access control

​
Role-based access control (RBAC)

For detailed role permissions and setup instructions, see Workspaces Access Rights.

Predefined Roles

  • Project editor - Can modify project content, processes, and configurations. Includes all Project Viewer permissions.
  • Project viewer - Read-only access to project content and processes. Cannot make modifications.
  • Workspace user - View only access to workspace entities. Can create projects, but only sees projects they have explicit access to.
  • Owner - Automatically assigned to project creators. Full control over project settings, access management, and can delete the project.
  • Theme editor - Extends workspace user role to include permissions to manage themes and associated resources (global media files).
  • Workspace admin - Manages all workspace level resources including users, roles, themes. Can configure access and content, but cannot manage organization-wide settings.
  • Runtime editor - Enables users to test runtime functionality and manage runtime policies without full configurator permissions. Commonly used by QA teams and testers who need to manage β€œchange active policy” operations and test processes during runtime without broader editing capabilities.

Workspace-Specific

Roles are specific to each workspace - a user can have different roles in different workspaces
In FlowX 5.0 release, only pre-defined roles will be available to use for workspace and project/library access.

​
Detailed role permissions

To add a user to a workspace, and to assign a role to the user, you need to go to Organization settings page and select your desired workspace, then add the user to the workspace and assign the role to the user.
  • Workspace admin: Manages all workspace level resources including users, roles, themes. Can configure access and content, but cannot manage organization-wide settings.
Workspace admins will be able to view and edit ALL projects and libraries in workspace, regardless of project/library access settings.
  • Workspace user: View only access to workspace entities. Can create projects, but only sees projects they have explicit access to.
  • Theme editor: Extends workspace user role to include permissions to manage themes and associated resources (global media files).
  • Runtime editor: Enables users to test runtime functionality and manage runtime policies without full configurator permissions. Commonly used by QA teams and testers who need to manage β€œchange active policy” operations and test processes during runtime without broader editing capabilities.

​
User groups

User groups simplify permission management by allowing you to assign permissions to groups rather than individual users.
  • Default Groups: Each workspace includes an β€œEveryone in workspace” default group
  • Custom Groups: Create groups based on teams, departments, or project requirements
  • Inherited Permissions: Users automatically inherit permissions from their group memberships

​
Access control lists (ACLs)

Grant fine-grained control over individual resources within a workspace, allowing exceptions to general role permissions.Example: A user with project_viewer role can be granted edit access to a specific project without becoming a full configurator.
Provide specific users or groups access to individual resources without requiring full platform permissions.Use Case: External consultants can be given access to specific projects they’re working on without broader workspace access.
Resource creators can manage access to their specific resources without requiring full admin intervention.Benefit: Project owners can add team members to their projects without needing admin approval for each addition.

​
Project-level access control

Projects and libraries support fine-grained access control through dedicated project roles that work alongside workspace-level permissions.

Project Owner

Automatically assigned to project creators. Full control over project settings, access management, and can delete the project.

Project Editor

Can modify project content, processes, and configurations. Includes all Project Viewer permissions.

Project Viewer

Read-only access to project content and processes. Cannot make modifications.

​
Creating a project

1

Create Project

Create a new project by clicking the + icon in the top-right corner of the Projects page.
2

Owner Assignment

The currently logged-in user is automatically assigned as Project Owner with full access rights.
3

Extend Access

Project owners can subsequently add users or groups with Project Editor or Project Viewer roles as needed.

​
Access management inheritance

  • Project Editor role automatically includes Project Viewer permissions
  • Multiple roles: Users can have both workspace-level and project-level roles simultaneously
  • Permission union: When users have multiple roles, their access is the combination of all permissions from all assigned roles

​
Organization administration

​
Organization admin role

The org_admin role is the only role assigned directly to users at the organization level, not workspace level.
Organization admins will be able to see all workspaces and have the same permissions as Workspace Admins inside each workspace. Multiple users can have this role assigned. Role can be assigned/revoked by other org admins.

​
User management

Users are created in FlowX only after their first login in FlowX Designer.
Organization users page lists only users created in FlowX (after first login or manually created by organization admins). User details page shows Workspace access summary.

​
User creation scenarios

  • LDAP/Active Directory Users
  • Direct FlowX Creation
Sync Behavior: Users from customer’s LDAP/Active Directory are not automatically created in FlowX.Onboarding Steps:
  1. User logs into FlowX Designer for the first time
  2. They are redirected to a β€œYou’re not assigned to a workspace yet” message page
  3. User account is now created in FlowX and appears in the Users list in Organization Settings
  4. Organization admin assigns workspace access with appropriate role (Workspace User, Workspace Admin, Theme Editor, or Runtime Editor)
  5. On next login, user will have access to assigned workspaces
Users synced from LDAP will only appear in FlowX after their first login attempt.

​
Additional organization settings

​
Runtime roles and groups

Legacy Roles and Groups pages (for managing roles and groups only in Keycloak) are accessible in Organization Settings section and renamed Runtime Roles and Runtime Groups. Will be used going forward to manage any roles needed for process permission configuration.
All workspaces will share the same list of runtime roles and groups.
If Keycloak is not used as authentication provider, Runtime Roles and Runtime Groups pages will return errors in FlowX 5.0.

​
Set environment info

Configuring client and environment information is available only in Organization settings section under Platform status page.

​
Workspace management

​
Creating and managing workspaces

1

Admin Access Required

Only users with organization administrator permissions can create new workspaces
2

Workspace Configuration

Set workspace name, description, and basic settings during creation
3

User Assignment

Add initial users and assign appropriate roles to get started
Deleting a workspace is not available in FlowX 5.0.

​
User management within workspaces

  • Adding Users
  • Role Assignment
  • Access Matrix
  • Direct Assignment: Add users directly to workspace with specific roles
  • Group Membership: Add users to groups that inherit workspace permissions
  • Multi-Workspace Access: Users can be members of multiple workspaces

​
Migration and compatibility

​
Initial setup requirements

Critical Setup Step: Before starting any FlowX 5.0 environment, the initial organization admin must be configured.
Complete setup instructions are available in the Workspaces Setup Guide.
  1. To create the first user in FlowX Designer with organization admin role, an environment variable SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERNAME needs to be configured with the username of the user from Identity Store (Keycloak/ other Identity Store from where the users are used to login in FlowX.AI).
  2. If request to Keycloak fails, the fallback is to use SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERSUBJECTID to create the organization admin user. Value that must be set is the subject identifier. (sub in JWT token OR user’s id in Keycloak).
This step is important for creating any environment, no matter if there’s a pre-existing env or a newly created one.
IMPORTANT: Instruct DeevOps team to set this user id BEFORE system startup. Otherwise the authorization-service startup will fail. Ensure the correct value is set. The correct value is the subject id of the user, value that will be populated by the authorization service in the access token used for FlowX login.
When upgrading to FlowX 5.0, a default workspace is automatically created containing all your existing resources.
What Happens During Migration:
  • All existing projects, libraries, and themes are moved to a default workspace
  • All existing functionality continues to work without changes
Default workspace details:
  • Name: β€œDefault workspace” (can be changed following the migration)
  • UUID: β€œ00000000-0000-0000-0000-000000000001”
What gets migrated:
  • All active process instances will be migrated under default workspace
  • Failed process start instances migration
  • Workflow instances migration
  • Scheduled processes migration
  • Audit logs migration
Out of office and Fonts will not be migrated under default workspace, as they are managed at organization level.
For clients who need inactive process instances migrated, we’ll provide migration script which will be run post migration.
Post-migration manual steps:
Important: Existing users will not be migrated; they will need to log into FlowX so that their user is created.
  • Organization admin will need to provide individual access to workspace for each user
  • Access to projects and libraries should be additionally configured as per workspace requirements
  • Existing admin roles and groups used for FlowX Designer access are deprecated and should be removed post-migration from Keycloak
Step is optional, but encouraged so that the role list for runtime permissions is manageable. List of deprecated roles (which can be removed) will be provided in documentation.
Initial Setup Process:
  1. Configure the first workspace administrator user
  2. Create the initial workspace
  3. Set up users and role assignments
  4. Begin creating projects and processes

​
Best practices

​
Workspace design

Clear Boundaries

Define workspaces based on clear business, regulatory, or organizational boundaries

Naming Conventions

Use consistent naming conventions for workspaces, roles, and resources

Documentation

Document workspace purposes, user access patterns, and governance policies

Scalability Planning

Plan workspace structure to accommodate future growth and organizational changes

​
Permission management

  • Principle of Least Privilege: Grant minimum necessary permissions
  • Group-Based Management: Use groups for permission management rather than individual assignments
  • Regular Audits: Periodically review and audit workspace permissions
  • Clear Ownership: Establish clear ownership models for workspace resources

​
Resource sharing

  • Controlled Sharing: Implement clear policies for resource sharing between workspaces
  • Dependency Management: Track and manage dependencies between shared resources
  • Version Control: Maintain version control for shared libraries and themes

​
Common use cases

Scenario: Large bank with retail, corporate, and investment banking divisionsWorkspace Structure:
  • Retail Banking Workspace
  • Corporate Banking Workspace
  • Investment Banking Workspace
  • Shared Compliance Workspace (for common libraries)
Benefits: Division autonomy while sharing compliance processes and user management
Scenario: Insurance company operating in multiple countriesWorkspace Structure:
  • US Operations Workspace
  • EU Operations Workspace
  • APAC Operations Workspace
Benefits: Region-specific regulatory compliance while sharing global insurance processes

​
Limitations and considerations

​
Current limitations

Cross-Workspace Project Export: Projects cannot be exported from one workspace to another on the same environment.
  • Resource Isolation: Direct access to resources from other workspaces is not possible
  • Single Environment Sharing: Library sharing only works within the same FlowX environment
  • Permission Inheritance: Workspace permissions don’t automatically inherit across workspace boundaries

​
FlowX 5.0 specific limitations

Additional limitations in FlowX 5.0 release:
  • Move projects or libraries to another workspace feature is not available. Initially (when upgrading to FlowX 5.0), all existing projects and libraries are migrated to Default Workspace.
  • Workspace import/export is out of scope; each FlowX environment will have a default workspace configured initially and workspaces are managed independently on each instance.
  • Transfer project/library ownership feature will be delivered in 5.1 release.

​
Planning considerations

  • Change Management: Organizational alignment needed for governance models
  • User Training: Users need to understand workspace selection and navigation
  • Governance Policies: Clear policies needed for resource sharing and access management
  • Migration Planning: Existing customers should plan workspace structure before creating additional workspaces