FlowX 5.0 introduces a comprehensive role-based access control system with predefined roles at organization, workspace, and project levels.

Overview of workspaces access rights

FlowX 5.0 provides a structured role hierarchy designed to support multi-tenant workspace architecture while maintaining security and governance. The system includes predefined roles that cannot be modified, ensuring consistent access patterns across all FlowX deployments.

Authentication and authorization architecture

FlowX 5.0 separates authentication and authorization into distinct systems:
  • Authentication (Keycloak)
  • Authorization (CAS/auth-system)
Authentication (Keycloak) handles user identity and login:
  • User login and identity verification
  • Token generation for authenticated users
  • User creation and management in identity provider
  • Service account identification with SA_FLOWX role
Designer vs Runtime Permissions
  • Designer Permissions (New in 5.0): Control access to FlowX Designer interface, managed through workspaces and the new role system
  • Runtime Permissions: Control process execution and data access, continue to be managed through Keycloak roles and remain unchanged from FlowX 4.x
All roles and permissions described in this document apply only to FlowX Designer access.

Role architecture

Organization Level

Cross-workspace administrative access for managing the entire FlowX organization

Workspace Level

Workspace-specific roles for managing resources, users, and configurations within a workspace

Project Level

Project-specific roles for controlling access to individual projects and their resources

Organization level roles

Organization admin (org_admin)

Organization Admin

Full administrative access across the entire FlowX organization
Key Characteristics:
  • Cannot be edited, duplicated, or deleted
  • Can only be assigned in the Organization admin interface
  • Hidden from workspace role lists
  • Highest level of access in the FlowX hierarchy
Use Cases:
  • Platform administrators
  • IT managers responsible for FlowX deployment
  • System architects managing multi-workspace environments

Organization admin default permissions

The following table shows the specific permissions assigned to the organization admin role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Admin | Comments |
|---|---|---|---|---|---|---|
| Organization Administration | | | | | | |
| Organization | ⬜ | ✅ | ⬜ | ⬜ | ⬜ | Organization settings management |
| Workspaces | ✅ | ✅ | ✅ | ✅ | ✅ | Complete workspace lifecycle control |
| Users | ✅ | ✅ | ✅ | ✅ | ⬜ | Organization user management |
| Groups | ✅ | ✅ | ✅ | ✅ | ⬜ | User group management |
| System Management | | | | | | |
| Out of office | ✅ | ✅ | ✅ | ✅ | ⬜ | Out of office policy management |
| Fonts | ✅ | ✅ | ✅ | ✅ | ⬜ | Global font resource management |
| Monitoring & Audit | | | | | | |
| Audit logs | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to system audit |
| Platform status | ✅ | ❌ | ❌ | ❌ | ⬜ | System health monitoring |
| Org Env Info | ✅ | ✅ | ❌ | ❌ | ⬜ | Environment information management |
| Org Audit log | ✅ | ❌ | ❌ | ❌ | ⬜ | Organization-specific audit access |

The Organization Admin role should be assigned sparingly and only to users who need full cross-workspace administrative access. The organization admin has access to all the projects in all workspaces.

Workspace level roles

Workspace admin (workspace_admin)

Workspace Admin

Complete control over workspace-level resources and users
Key Characteristics:
  • Cannot be edited or deleted
  • Can be assigned to users and groups within the workspace
  • Listed in workspace role management interfaces
  • Cannot manage organization-wide settings
Use Cases:
  • Business unit managers
  • Workspace administrators
  • Team leads with full workspace responsibility

Workspace admin default permissions

The following table shows the specific permissions assigned to the workspace admin role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Admin | Comments |
|---|---|---|---|---|---|---|
| Workspace Management | | | | | | |
| Workspace settings | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Configure workspace parameters and policies |
| User & Group Management | | | | | | |
| Users | ✅ | ✅ | ✅ | ✅ | ⬜ | Add, remove, and manage workspace users |
| Groups | ✅ | ✅ | ✅ | ✅ | ⬜ | Create and manage user groups |
| Projects & Libraries | | | | | | |
| Projects | ✅ | ✅ | ✅ | ✅ | ⬜ | Full project lifecycle management |
| Libraries | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete library management control |
| Dependencies | ✅ | ✅ | ✅ | ✅ | ⬜ | Manage project and library dependencies |
| Content & Branding | | | | | | |
| Themes | ✅ | ✅ | ✅ | ✅ | ⬜ | Theme creation and customization |
| Fonts | ✅ | ✅ | ✅ | ✅ | ⬜ | Font resource management |
| Media assets | ✅ | ✅ | ✅ | ✅ | ⬜ | Upload and organize media files |
| Runtime & Configuration | | | | | | |
| Runtime configurations | ✅ | ✅ | ✅ | ✅ | ⬜ | Manage runtime settings and parameters |
| Environment configs | ✅ | ✅ | ✅ | ✅ | ⬜ | Configure deployment environments |
| Integrations | ✅ | ✅ | ✅ | ✅ | ⬜ | Set up external system connections |
| Monitoring & Audit | | | | | | |
| Workspace audit logs | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to workspace audit |
| Usage analytics | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace usage statistics |
| Performance metrics | ✅ | ❌ | ❌ | ❌ | ⬜ | Monitor workspace performance |

Workspace user (workspace_user)

Workspace User

Standard workspace access with project creation capabilities
Key Characteristics:
  • Cannot be edited or deleted
  • Default role for most workspace members
  • Limited administrative capabilities
Use Cases:
  • Business analysts and configurators
  • Process designers and developers
  • Team members who build projects within defined boundaries
  • Users who need to create and manage their own work

Workspace user default permissions

The following table shows the specific permissions assigned to the workspace user role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Admin | Comments |
|---|---|---|---|---|---|---|
| Workspace entities | | | | | | |
| Projects & libraries | ❌ | ⬜ | ✅ | ⬜ | ❌ | Can create new projects and libraries but cannot read all existing ones |
| Fonts | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to workspace fonts |
| Global media library | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace media assets |
| Themes (includes fonts) | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to workspace themes |
| Global audit logs | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Limited audit log visibility |
| Workspace access management | | | | | | |
| Workspace management | ✅ | ❌ | ⬜ | ⬜ | ⬜ | WORKSPACE_READ permission required for basic workspace visibility |
| Users | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace users but cannot manage |
| Groups | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace groups but cannot manage |
| [out of scope for 5.0] Out of office | ✅ | ❌ | ❌ | ❌ | ⬜ | Out of office management not available in 5.0 |
| Platform status | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | System status monitoring access |
| Environment information | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Environment configuration visibility |
| Runtime permissions | | | | | | |
| Builds | ✅ | ⬜ | ❌ | ⬜ | ⬜ | View build information for accessible projects |
| Active policy | ✅ | ❌ | ⬜ | ⬜ | ⬜ | Read-only access to active policies |
| Scheduled processes | ✅ | ❌ | ⬜ | ❌ | ⬜ | View scheduled process information |
| Configuration parameters overrides | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to configuration parameters |
| Process instances | ✅ | ❌ | ⬜ | ⬜ | ⬜ | View process instances for accessible projects |
| Task manager | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Task management visibility |

Theme editor (theme_editor)

Theme Editor

Specialized role for visual design and branding management
Key Characteristics:
  • Same base permissions as workspace_user
  • Additional permissions for visual asset management
  • Focused on design and branding elements
Use Cases:
  • UI/UX designers
  • Brand managers
  • Visual design specialists
  • Marketing team members managing brand assets

Theme editor default permissions

The following table shows the specific permissions assigned to the theme editor role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Comments |
|---|---|---|---|---|---|
| Workspace entities | | | | | |
| Projects & libraries | ❌ | ⬜ | ❌ | ❌ | Cannot create or manage projects/libraries - view only own work |
| Fonts | ✅ | ✅ | ✅ | ✅ | Full font management capabilities |
| Global media library | ✅ | ✅ | ✅ | ✅ | Complete media asset management |
| Themes | ✅ | ✅ | ✅ | ✅ | Full theme creation and customization |
| Global audit logs | ✅ | ❌ | ⬜ | ⬜ | Read-only audit log access |
| Workspace Access management | | | | | |
| Workspace management | ✅ | ❌ | ⬜ | ⬜ | WORKSPACE_READ permission required for basic workspace access |
| Users | ✅ | ❌ | ❌ | ❌ | View workspace users but cannot manage |
| Groups | ✅ | ❌ | ❌ | ❌ | View workspace groups but cannot manage |
| Platform status | ✅ | ⬜ | ⬜ | ⬜ | System status monitoring access |
| Environment information | ✅ | ⬜ | ⬜ | ⬜ | Environment configuration visibility |
| Runtime permissions | | | | | |
| Builds | ✅ | ⬜ | ❌ | ⬜ | View build information for accessible projects |
| Active policy | ✅ | ❌ | ⬜ | ⬜ | Read-only access to active policies |
| Scheduled processes | ✅ | ❌ | ⬜ | ❌ | View scheduled process information |
| Configuration parameters overrides | ✅ | ❌ | ❌ | ❌ | Read-only access to configuration parameters |
| Process instances | ✅ | ❌ | ⬜ | ⬜ | View process instances for accessible projects |
| Task manager | ✅ | ⬜ | ⬜ | ⬜ | Task management visibility |

Workspace runtime editor (workspace_runtime_editor)

Workspace Runtime Editor

Extended workspace user role with runtime configuration capabilities
Key Characteristics:
  • Same base permissions as workspace_user
  • Additional permissions for runtime environment management
  • Focused on runtime settings and configurations
Use Cases:
  • DevOps engineers
  • Runtime environment administrators
  • Technical team members managing deployment configurations
  • System administrators with runtime responsibilities

Workspace runtime editor default permissions

The following table shows the specific permissions assigned to the workspace runtime editor role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Admin | Comments |
|---|---|---|---|---|---|---|
| Workspace entities | | | | | | |
| Projects & libraries | ❌ | ⬜ | ✅ | ⬜ | ❌ | Can create new projects and libraries, but can read only those to which they have been granted access |
| Fonts | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to workspace fonts |
| Global media library | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace media assets |
| Themes (includes fonts) | ✅ | ❌ | ❌ | ❌ | ⬜ | Read-only access to workspace themes |
| Global audit logs | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Limited audit log visibility |
| Workspace access management | | | | | | |
| Workspace management | ✅ | ❌ | ⬜ | ⬜ | ⬜ | WORKSPACE_READ permission required for basic workspace visibility |
| Users | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace users but cannot manage |
| Groups | ✅ | ❌ | ❌ | ❌ | ⬜ | View workspace groups but cannot manage |
| Platform status | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | System status monitoring access |
| Environment information | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Environment configuration visibility |
| Runtime permissions | | | | | | |
| Builds | ✅ | ⬜ | ✅ | ⬜ | ⬜ | Can create builds and view build information |
| Active policy | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Can edit active policies and runtime configurations |
| Scheduled processes | ✅ | ✅ | ⬜ | ✅ | ⬜ | Full management of scheduled processes |
| Configuration parameters overrides | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete control over configuration parameter overrides |
| Process instances | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Can view and edit process instances |
| Task manager | ✅ | ⬜ | ⬜ | ⬜ | ⬜ | Task management visibility |

Project level roles

Project owner (project_owner)

Project Owner

Complete ownership and governance of project resources
Key Characteristics:
  • Automatically assigned to project creator
  • Cannot be edited, duplicated, deleted, or manually assigned
  • Hidden from role selection interfaces
  • System-managed role with highest project-level access
Assignment:
  • Automatically granted when creating a project
  • Cannot be transferred or reassigned through UI
  • Permanent assignment for project lifecycle

Project owner default permissions

The following table shows the specific permissions assigned to the project owner role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Admin/Owner | Comments |
|---|---|---|---|---|---|---|
| Projects & Libraries | ✅ | ✅ | ⬜ | ✅ | ✅ | Complete project ownership and governance control |
| Config permissions | | | | | | |
| Processes | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete process definition and workflow management |
| Enumerations | ✅ | ✅ | ✅ | ✅ | ⬜ | Full enumeration management (also covers substitution tags functionality) |
| Media library & Document Intelligence | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete media asset and document intelligence management |
| Notification templates | ✅ | ✅ | ✅ | ✅ | ⬜ | Full notification template configuration |
| Document templates | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete document template management |
| Views | ✅ | ✅ | ✅ | ✅ | ⬜ | UI view configuration and management |
| Stages | ✅ | ✅ | ✅ | ✅ | ⬜ | Process stage definition and configuration |
| Allocation rules | ✅ | ✅ | ✅ | ✅ | ⬜ | Task and resource allocation rule management |
| Systems | ✅ | ✅ | ✅ | ✅ | ⬜ | External system integration configuration |
| Workflow | ✅ | ✅ | ✅ | ✅ | ⬜ | Workflow definition and management |
| Reusable UI | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete UI component management with permission inheritance from project role |
| Reusable Functions | ✅ | ✅ | ✅ | ✅ | ⬜ | Full function component management with permission inheritance from project role |
| Dependencies | ✅ | ✅ | ✅ | ✅ | ⬜ | Project and library dependency management |
| Configuration parameters | ✅ | ✅ | ✅ | ✅ | ⬜ | Project configuration parameter management |
| AI agents | ⬜ | ✅ | ⬜ | ⬜ | ⬜ | AI agent configuration (read not available, edit only) |
| Runtime permissions | | | | | | |
| Builds | ✅ | ⬜ | ✅ | ⬜ | ⬜ | Can create and view builds |
| Active policy | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Runtime policy management |
| Scheduled processes | ✅ | ✅ | ⬜ | ✅ | ⬜ | Scheduled process management |
| Configuration parameters overrides | ✅ | ✅ | ✅ | ✅ | ⬜ | Runtime configuration parameter override management |
| Process instances | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Process instance monitoring and management |
| Task manager | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete task management capabilities |

Project editor (project_editor)

Project Editor

Full project configuration and management capabilities
Key Characteristics:
  • Assignable to users and groups
  • Comprehensive project access without ownership rights
  • Standard role for project team members
Use Cases:
  • Senior developers and configurators
  • Technical leads on project teams
  • Business analysts with advanced permissions
  • Team members with full project configuration needs

Project editor default permissions

The following table shows the specific permissions assigned to the project editor role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Submit Version | Comments |
|---|---|---|---|---|---|---|
| Projects & Libraries | ✅ | ✅ | ⬜ | ✅ | ⬜ | Full project management except creation (handled at workspace level) |
| Config permissions | | | | | | |
| Processes | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete process definition and workflow management |
| Enumerations | ✅ | ✅ | ✅ | ✅ | ⬜ | Full enumeration management (also covers substitution tags functionality) |
| Media library & Document Intelligence | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete media asset and document intelligence management |
| Notification templates | ✅ | ✅ | ✅ | ✅ | ⬜ | Full notification template configuration |
| Document templates | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete document template management |
| Views | ✅ | ✅ | ✅ | ✅ | ⬜ | UI view configuration and management |
| Stages | ✅ | ✅ | ✅ | ✅ | ⬜ | Process stage definition and configuration |
| Allocation rules | ✅ | ✅ | ✅ | ✅ | ⬜ | Task and resource allocation rule management |
| Systems | ✅ | ✅ | ✅ | ✅ | ⬜ | External system integration configuration |
| Workflow | ✅ | ✅ | ✅ | ✅ | ⬜ | Workflow definition and management |
| Reusable UI | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete UI component management with permission inheritance from project role |
| Reusable Functions | ✅ | ✅ | ✅ | ✅ | ⬜ | Full function component management with permission inheritance from project role |
| Dependencies | ✅ | ✅ | ✅ | ✅ | ⬜ | Project and library dependency management |
| Configuration parameters | ✅ | ✅ | ✅ | ✅ | ⬜ | Project configuration parameter management |
| AI agents | ⬜ | ✅ | ⬜ | ⬜ | ⬜ | AI agent configuration (read not available, edit only) |
| Runtime permissions | | | | | | |
| Builds | ✅ | ⬜ | ✅ | ⬜ | ⬜ | Can create and view builds |
| Active policy | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Runtime policy management |
| Scheduled processes | ✅ | ✅ | ⬜ | ✅ | ⬜ | Scheduled process management |
| Configuration parameters overrides | ✅ | ✅ | ✅ | ✅ | ⬜ | Runtime configuration parameter override management |
| Process instances | ✅ | ✅ | ⬜ | ⬜ | ⬜ | Process instance monitoring and management |
| Task manager | ✅ | ✅ | ✅ | ✅ | ⬜ | Complete task management capabilities |

Project viewer (project_viewer)

Project Viewer

Read-only access to project configuration and settings
Key Characteristics:
  • Can be assigned when granting project access
  • Safe role for stakeholders needing visibility
  • No modification capabilities
  • Suitable for audit and review purposes
Use Cases:
  • Business stakeholders and executives
  • Quality assurance team members
  • External consultants needing project visibility
  • Audit and compliance personnel
  • New team members during onboarding

Project viewer default permissions

The following table shows the specific permissions assigned to the project viewer role:
Legend: ✅ Permission assigned | ❌ Permission not set | ⬜ Permission not available to configure

| Resource | Read | Edit | Create | Delete | Comments |
|---|---|---|---|---|---|
| Projects & Libraries | ✅ | ⬜ | ⬜ | ❌ | Read-only access to project and library information |
| Config permissions | | | | | |
| Processes | ✅ | ❌ | ❌ | ❌ | View process definitions and workflows |
| Project data model | ✅ | ❌ | ❌ | ❌ | Read-only access to project data structure |
| Enumerations | ✅ | ❌ | ❌ | ❌ | View enumeration values and data structures |
| Media library & Document Intelligence | ✅ | ❌ | ❌ | ❌ | View media assets and document intelligence configurations |
| Notification templates | ✅ | ❌ | ❌ | ❌ | View notification template configurations |
| Document templates | ✅ | ❌ | ❌ | ❌ | View document template configurations |
| Views | ✅ | ❌ | ❌ | ❌ | View UI configuration definitions |
| Stages | ✅ | ❌ | ❌ | ❌ | View process stage definitions |
| Allocation rules | ✅ | ❌ | ❌ | ❌ | View task and resource allocation rules |
| Systems | ✅ | ❌ | ❌ | ❌ | View system integrations and endpoints |
| Workflow | ✅ | ❌ | ❌ | ❌ | View workflow definitions and configurations |
| Reusable UI | ✅ | ❌ | ❌ | ❌ | Read-only UI component access with permission inheritance |
| Reusable Functions | ✅ | ❌ | ❌ | ❌ | Read-only function component access with permission inheritance |
| Dependencies | ✅ | ❌ | ❌ | ❌ | View project and library dependencies |
| Configuration parameters | ✅ | ❌ | ❌ | ❌ | View project configuration parameters |
| AI agents | ⬜ | ❌ | ⬜ | ⬜ | Limited AI agent visibility (read not available) |
| Runtime permissions | | | | | |
| Builds | ✅ | ⬜ | ❌ | ⬜ | View build information and status |
| Active policy | ✅ | ❌ | ⬜ | ⬜ | View active runtime policies |
| Scheduled processes | ✅ | ❌ | ⬜ | ❌ | View scheduled process information |
| Configuration parameters overrides | ✅ | ❌ | ❌ | ❌ | View runtime configuration parameter overrides |
| Process instances | ✅ | ❌ | ⬜ | ⬜ | View process instance information and status |
| Task manager | ✅ | ❌ | ❌ | ❌ | View task management information |

Special project features

FlowX 5.0 Changes:
  • AI Agents permission is now a project-level permission
  • Command Center is only available on project or library pages
  • No longer available as a global workspace feature
  • Access controlled through project role assignments

Role management rules

Predefined role restrictions

All predefined roles are protected from deletion to ensure system consistency and security. This prevents accidental removal of critical access controls.
Core permission structures of predefined roles cannot be altered. This ensures consistent behavior across all FlowX deployments and prevents security vulnerabilities.
Role assignment follows specific rules:
  • Organization roles: Only assignable in organization admin interface
  • Workspace roles: Assignable within workspace boundaries
  • Project roles: Can be assigned when granting project access
  • Owner roles: System-assigned only, cannot be manually granted

Role visibility rules

  • Organization Interface
  • Workspace Interface
  • Project Access Management
Organization Interface:
  • org_admin: the org_admin role needs to be assigned to at least one user; during environment setup, a user must be configured to have the org_admin role
  • Assignable to multiple organization users (from the Designer Users page)

Special permission features

Read-only view behavior

Read-Only Mode
Users with read-only permissions (project_viewer role) will see a read-only view in the resource page. This ensures they can access information for audit and review purposes without the ability to make changes.
Key characteristics of read-only mode:
  • All configuration elements are visible but not editable
  • Export and audit functionalities remain available
  • Usage overview and resource tracking accessible
  • Copy operations to other projects/libraries permitted
  • Can test processes and workflows
This role allows users to test the project resources through the interface.

Administrative control

This inheritance model ensures:
  • Consistent access patterns across all project resources
  • Simplified permission management with single point of control
  • Predictable behavior for users across different resource types
  • Reduced administrative overhead for access control

Default groups

FlowX groups

Workspace Access Management Requirement
When managing access to projects/libraries, you need to set general access to all workspace users. The solution is to create and manage an all_users_[workspace_name] group at workspace level to grant access efficiently.

Everyone in workspace group

all_users_[workspace_name]

Automatically managed group for simplified access control
System Requirements:
  • Created automatically when provisioning workspace
  • Cannot be edited, deleted, or duplicated by users
  • Automatically managed membership by the system
  • Pre-selected when creating projects/libraries with role assignment options
  • Returned in user/group search results for granting access to libraries/projects
Automatic Membership Behavior:
  • When a user is associated with a workspace (directly or through a group), the user is automatically added to this group
  • When a user is removed from the workspace (directly or through a group), the user is automatically removed from this group
  • Membership cannot be manually modified by administrators
Integration with Project/Library Access:
  • Pre-selected on access management screens when creating projects/libraries
  • Available for role assignment to grant access to all workspace members
  • Appears in search results when looking for users and groups to grant access
Use Cases:
  • Granting project access to all workspace members at once
  • Applying workspace-wide policies and permissions
  • Simplifying bulk access management operations
  • Default group for shared workspace resources

Group naming convention

| Group | UI Display Name | Technical Requirements |
|---|---|---|
| all_users_[workspace_name] | Everyone from <workspace name> | System-managed group representing all workspace members |

Additional group features

Automatic membership rules:
  • Users are added to all_users_[workspace_name] when granted any workspace access
  • Users are removed when all workspace access is revoked
  • Membership is maintained automatically by the system
  • Cannot be manually modified by administrators
Using default groups effectively:
  • Pre-selected when granting project access to simplify bulk operations
  • Appears in user/group search results for easy selection
  • Ideal for applying workspace-wide policies or shared resource access
  • Reduces administrative overhead for common access patterns
Creating custom groups:
  • Create groups for specific teams, departments, or functions
  • Assign roles to groups for efficient permission management
  • Use descriptive naming conventions (e.g., sales_team, finance_analysts)
  • Document group purposes and intended usage

Legacy role migration

FlowX 4.x to 5.0 role mapping

FlowX 4.x roles stored in Keycloak are not automatically migrated. Manual role assignment is required.

| FlowX 4.x Role | FlowX 5.0 Equivalent | Notes |
|---|---|---|
| FLOWX_ADMIN | workspace_admin | Now workspace-scoped instead of global |
| FLOWX_CONFIGURATOR | workspace_user or project_editor | Depends on required access level |
| FLOWX_UI_DESIGNER | theme_editor | Enhanced with theme management capabilities |
| FLOWX_VIEWER | project_viewer | Now project-specific instead of global |
| Custom Keycloak roles | Manual review required | Assess against new role structure |

Migration considerations

Role Scope Changes

Roles are now workspace-scoped rather than global, requiring reassignment within workspace context

Granular Permissions

More fine-grained permission structure allows for better access control but requires role review

Database Storage

Roles are now stored in the FlowX database instead of in tokens, providing better performance and control

Hierarchy Changes

New role hierarchy requires review of user access patterns and organizational structure

Access control for import/export operations

Project and library import behavior

| Import Type | Required Permission | Access Assignment |
|---|---|---|
| Project Version (first import) | project_create in workspace | Importing user becomes project_owner |
| Project Version (existing) | project_create AND project_edit | Version added to existing project |
| Project Build (first import) | project_build_create | Creates project, user becomes project_owner |
| Project Build (existing) | project_build_create | Build added to existing project |
| Library Version | Same as project version | Same ownership rules apply |
| Library Build | project_build_create | Creates build only, no library config |

Cross-Workspace Import Restrictions
If a project or library with the same configuration exists in another workspace on the same FlowX instance, the import will fail with an error message. Each project/library configuration can only exist in one workspace.

Library build sharing

Library builds can be shared across workspaces using the export/import mechanism, but libraries containing only builds will not be viewable to workspace users outside the Dependencies page.
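
The import rules above, written out as a single decision function. This is an added example, not FlowX code: the function, its parameters and the sample requests are hypothetical, the permission names are the ones in the table, and applying the cross-workspace restriction to everything except library builds is an assumption drawn from the two notes above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    becomes_owner: bool = False


def decide_import(artifact, kind, exists_here, exists_elsewhere, perms):
    """Evaluate one import request against the import table on this page.

    artifact:         "project" or "library"
    kind:             "version" or "build"
    exists_here:      the project/library already exists in the target workspace
    exists_elsewhere: the same configuration exists in another workspace
    perms:            permission names held by the importing user
    """
    if artifact not in ("project", "library") or kind not in ("version", "build"):
        raise ValueError(f"unsupported import: {artifact} {kind}")
    library_build = artifact == "library" and kind == "build"

    # Assumption: the cross-workspace restriction is enforced for every import
    # except library builds, which the page says can be shared across workspaces.
    if exists_elsewhere and not library_build:
        return Decision(False, "configuration exists in another workspace")

    if kind == "build":
        required = {"project_build_create"}
    elif exists_here:
        required = {"project_create", "project_edit"}  # both are needed
    else:
        required = {"project_create"}
    missing = required - set(perms)
    if missing:
        return Decision(False, "missing " + ", ".join(sorted(missing)))

    if library_build:
        return Decision(True, "build created, no library configuration")
    if exists_here:
        return Decision(True, f"{kind} added to existing {artifact}")
    # First import of a project (version or build) or of a library version.
    return Decision(True, f"{artifact} created", becomes_owner=True)


# Constructed requests: (label, artifact, kind, exists_here, exists_elsewhere, perms)
SAMPLE_REQUESTS = [
    ("first version, creator", "project", "version", False, False,
     {"project_create"}),
    ("existing version, creator only", "project", "version", True, False,
     {"project_create"}),
    ("existing version, editor", "library", "version", True, False,
     {"project_create", "project_edit"}),
    ("first build", "project", "build", False, False,
     {"project_build_create"}),
    ("library build from other workspace", "library", "build", False, True,
     {"project_build_create"}),
    ("version already in other workspace", "project", "version", False, True,
     {"project_create", "project_edit"}),
]


def run_samples():
    """Return {label: Decision} for the constructed requests above."""
    return {label: decide_import(a, k, here, elsewhere, perms)
            for label, a, k, here, elsewhere, perms in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, d in run_samples().items():
        print(f"{label:36} allowed={d.allowed!s:5} owner={d.becomes_owner!s:5} {d.reason}")
```

The ownership outcome is the part worth reviewing after any bulk import: every first import of a project or library version leaves the importing user as project_owner, a role that cannot be transferred in 5.0.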

Comprehensive permission matrices

The following permission matrices provide detailed access control information for all FlowX 5.0 roles. These matrices serve as the authoritative reference for understanding role capabilities and limitations.

Combined permission matrix (summary view)

The following provides a high-level overview of key permissions across roles:

Organization-level permissions

| Permission | org_admin |
|---|---|
| Workspaces | |
| Create workspace | ✅ |
| Edit workspace settings | ✅ |
| Delete workspace | ✅ |
| View all workspaces | ✅ |
| Organization Users | |
| Add users to organization | ✅ |
| Remove users from organization | ✅ |
| Assign organization roles | ✅ |
| View all user access | ✅ |
| Global Settings | |
| Configure organization settings | ✅ |
| Manage global policies | ✅ |
| Access system configurations | ✅ |

Workspace-level permissions

| Permission | workspace_admin | workspace_user | theme_editor | runtime_editor |
|---|---|---|---|---|
| Projects | | | | |
| Create project | ✅ | ✅ | ✅ | ✅ |
| View projects | ✅ | ✅ | ✅ | ✅ |
| Delete any project | ✅ | ❌ | ❌ | ❌ |
| Libraries | | | | |
| Create library | ✅ | ✅ | ✅ | ✅ |
| View libraries | ✅ | ✅ | ✅ | ✅ |
| Delete any library | ✅ | ❌ | ❌ | ❌ |
| Themes & Branding | | | | |
| Create themes | ✅ | ❌ | ✅ | ❌ |
| Edit themes | ✅ | ❌ | ✅ | ❌ |
| Delete themes | ✅ | ❌ | ✅ | ❌ |
| Manage fonts | ✅ | ❌ | ✅ | ❌ |
| Runtime Management | | | | |
| Runtime configurations | ✅ | ❌ | ❌ | ✅ |
| Runtime deployments | ✅ | ❌ | ❌ | ✅ |
| User Management | | | | |
| Add workspace users | ✅ | ❌ | ❌ | ❌ |
| Remove workspace users | ✅ | ❌ | ❌ | ❌ |
| Assign workspace roles | ✅ | ❌ | ❌ | ❌ |
| Create user groups | ✅ | ❌ | ❌ | ❌ |
| Workspace Settings | | | | |
| Configure workspace | ✅ | ❌ | ❌ | ❌ |
| Manage workspace policies | ✅ | ❌ | ❌ | ❌ |
| View audit logs | ✅ | ❌ | ❌ | ❌ |

Project-level permissions

| Permission | project_owner | project_editor | project_viewer |
|---|---|---|---|
| Process Design | | | |
| Create processes | ✅ | ✅ | ❌ |
| Edit processes | ✅ | ✅ | ❌ |
| Delete processes | ✅ | ✅ | ❌ |
| View processes | ✅ | ✅ | ✅ |
| Configuration | | | |
| Manage enumerations | ✅ | ✅ | ❌ |
| Configure templates | ✅ | ✅ | ❌ |
| Set up integrations | ✅ | ✅ | ❌ |
| Manage parameters | ✅ | ✅ | ❌ |
| Runtime Management | | | |
| Create builds | ✅ | ✅ | ❌ |
| Deploy to runtime | ✅ | ✅ | ❌ |
| Manage active policies | ✅ | ✅ | ❌ |
| View runtime status | ✅ | ✅ | ✅ |
| Access Control | | | |
| Grant project access | ✅ | ❌ | ❌ |
| Modify project permissions | ✅ | ❌ | ❌ |
| Remove project access | ✅ | ❌ | ❌ |
| Project Administration | | | |
| Delete project | ✅ | ❌ | ❌ |
| Archive project | ✅ | ❌ | ❌ |
| Export project | ✅ | ✅ | ❌ |

Predefined FlowX roles

The following table provides comprehensive information about all predefined roles in FlowX 5.0:

| Role | Name | Description | Type | Key Characteristics |
|---|---|---|---|---|
| org_admin | Organization admin | Complete administrative access to manage users, workspaces, groups, roles, and system settings across the organization. | Organization | • Cannot be edited, duplicated, deleted • Only assignable in Organization admin space • Hidden from workspace role lists |
| workspace_admin | Workspace admin | Manages workspace-level resources including users, roles, themes. Cannot manage organization-wide settings. | Workspace | • Cannot be edited, duplicated, deleted • Listed in workspace role lists • Can be assigned to users/groups |
| workspace_user | Workspace user | Standard workspace access with project creation capabilities. Ideal for configurators building projects. | Workspace | • Cannot be edited, deleted • Can be duplicated for customization • Default role for workspace members |
| theme_editor | Theme editor | Extended workspace user with theme, font, and media asset management capabilities. | Workspace | • Same base characteristics as workspace_user • Additional visual asset management permissions |
| workspace_runtime_editor | Runtime editor | Extended workspace user with runtime configuration and deployment management capabilities. | Workspace | • Same base characteristics as workspace_user • Additional runtime management permissions |
| project_owner | Project owner | Complete project ownership with governance rights. Automatically assigned to project creators. | Project | • System-managed role, cannot be edited/deleted • Hidden from role selection interfaces • Permanent assignment, cannot be transferred |
| project_editor | Project editor | Full access to manage project resources, processes, workflows, and runtime settings. | Project | • Can be duplicated for customization • Standard role for project team members • Comprehensive access without ownership rights |
| project_viewer | Project viewer | Read-only access to project configuration and runtime settings for audit and review purposes. | Project | • Safe role for stakeholders needing visibility • No modification capabilities • Suitable for compliance and monitoring |

Role permission summary

Organization Roles

org_admin - Complete administrative access across all workspaces, users, and system settings. See detailed permissions in the organization admin section above.

Workspace Roles

Available roles:
  • workspace_admin - Full workspace management capabilities
  • workspace_user - Standard user with project creation rights
  • workspace_runtime_editor - Extended user with runtime configuration access
  • theme_editor - Extended user with theme and branding management

Project Roles

Available roles:
  • project_owner - Complete project ownership and governance
  • project_editor - Full project configuration and management
  • project_viewer - Read-only access to project settings and status

Best practices

Role assignment strategies

Always start with the minimum required access
  • Begin with project_viewer for new users
  • Upgrade to project_editor only when needed
  • Reserve workspace_admin for actual administrators
  • Limit org_admin to platform administrators
Leverage groups for efficient management
  • Create groups for teams, departments, or functions
  • Assign roles to groups rather than individuals
  • Use the default “Everyone in workspace” group for common access
  • Document group purposes and membership criteria
Implement periodic access auditing
  • Review role assignments quarterly
  • Remove access for inactive users
  • Validate that permissions match current responsibilities
  • Document access decisions and approvals
Maintain role assignment documentation
  • Document who has what roles and why
  • Maintain approval records for sensitive role assignments
  • Create role assignment procedures for your organization
  • Train administrators on proper role management
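
A periodic access review can check the rules stated on this page mechanically: role scope, system-only owner assignment, at least one org_admin, all_users_[workspace_name] membership, and inactive users. The script below is an added example, not part of FlowX; the export format, the `source` field, the `max_org_admins` threshold and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Scope of each predefined role, taken from the "Predefined FlowX roles" table.
ROLE_SCOPE = {
    "org_admin": "organization",
    "workspace_admin": "workspace",
    "workspace_user": "workspace",
    "theme_editor": "workspace",
    "workspace_runtime_editor": "workspace",
    "project_owner": "project",
    "project_editor": "project",
    "project_viewer": "project",
}


@dataclass(frozen=True)
class Assignment:
    """One row of a hypothetical role-assignment export (format is assumed)."""
    principal: str  # user or group name
    role: str
    scope: str      # "organization", "workspace" or "project"
    target: str     # name of the organization, workspace or project
    source: str     # "system" or "manual" (hypothetical field)


def audit(assignments, groups, workspace_users, inactive, max_org_admins=2):
    """Return sorted (rule, detail) findings for the rules stated on this page.

    groups:          group name -> set of member users
    workspace_users: workspace name -> set of users associated with it
    inactive:        set of users considered inactive by local policy
    max_org_admins:  local policy value; the page only says "sparingly"
    """
    findings = []
    for a in assignments:
        expected = ROLE_SCOPE.get(a.role)
        if expected is None:
            # Custom roles are not available in 5.0, so other names are suspect
            # (for example a legacy 4.x role that was never remapped).
            findings.append(("unknown-role", f"{a.principal}: {a.role}"))
            continue
        if a.scope != expected:
            findings.append(("scope-mismatch",
                             f"{a.principal}: {a.role} at {a.scope} level"))
        if a.role == "project_owner" and a.source != "system":
            # Owner roles are system-assigned only.
            findings.append(("owner-manually-granted", f"{a.principal}: {a.target}"))
        # A group principal resolves to its members, a user to itself.
        members = groups.get(a.principal, {a.principal})
        for user in sorted(members & inactive):
            findings.append(("inactive-user-access",
                             f"{user}: {a.role} on {a.target}"))

    org_admins = {a.principal for a in assignments
                  if a.role == "org_admin" and a.scope == "organization"}
    if not org_admins:
        findings.append(("no-org-admin",
                         "org_admin must be held by at least one user"))
    elif len(org_admins) > max_org_admins:
        findings.append(("org-admin-sprawl", ", ".join(sorted(org_admins))))

    # all_users_[workspace_name] must mirror workspace association exactly.
    for ws, users in workspace_users.items():
        group = f"all_users_{ws}"
        actual = groups.get(group)
        if actual is None:
            findings.append(("all-users-missing", group))
        elif actual != users:
            drift = sorted(actual ^ users)
            findings.append(("all-users-drift", f"{group}: {', '.join(drift)}"))
    return sorted(set(findings))


# Constructed sample data, not taken from a real deployment.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "org_admin", "organization", "acme", "manual"),
    Assignment("bob", "workspace_admin", "workspace", "retail", "manual"),
    Assignment("all_users_retail", "project_viewer", "project", "onboarding", "manual"),
    Assignment("carol", "project_owner", "project", "onboarding", "system"),
    Assignment("dave", "project_owner", "project", "loans", "manual"),
    Assignment("erin", "org_admin", "workspace", "retail", "manual"),
    Assignment("frank", "FLOWX_ADMIN", "workspace", "retail", "manual"),
]
SAMPLE_GROUPS = {"all_users_retail": {"bob", "carol", "dave", "gina"}}
SAMPLE_WORKSPACE_USERS = {"retail": {"bob", "carol", "dave", "erin"}}
SAMPLE_INACTIVE = {"gina"}

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS,
                              SAMPLE_WORKSPACE_USERS, SAMPLE_INACTIVE):
        print(f"{rule:24} {detail}")
```

Since FlowX 5.0 maintains project_owner and all_users_[workspace_name] itself, a finding under either rule points at a broken export or a system inconsistency rather than at an administrator's choice.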

Common role assignment patterns

  • Small Team (5-15 users)
  • Department (15-50 users)
  • Enterprise (50+ users)
Small Team (5-15 users): simple structure for small organizations
  • 1-2 workspace_admin (team leads)
  • Most users as workspace_user
  • 1 theme_editor (if visual customization needed)
  • project_editor assigned per project as needed

Current limitations in FlowX 5.0

The following features have specific limitations in FlowX 5.0:
Role Management:
  • Custom roles not available (planned for future versions)
  • Role transfer/ownership transfer not available (planned for 5.1)
  • Bulk role assignment tools not available
Workspace Features:
  • Workspace deletion functionality not available
  • Moving projects/libraries between workspaces not supported
  • Workspace-level audit logs for user management not implemented (planned for 5.1)
Integration Features:
  • Out of office management (planned for 5.1 at organization level)
  • Runtime roles and groups will return errors if Keycloak is not the authentication provider
Migration Features:
  • Cache clearing required after lib2lib migration for proper functionality
  • Inactive process instances require separate migration script if needed

Troubleshooting

Common role assignment issues

Possible Causes:
  • User not assigned to workspace
  • No role assigned in workspace
  • User not in any workspace groups
Solutions:
  1. Verify user is in workspace user list
  2. Check role assignments
  3. Validate group memberships
  4. Review workspace permissions
Possible Causes:
  • Insufficient permissions to assign role
  • Role not available in current context
  • System-managed role being manually assigned
Solutions:
  1. Verify assigner has workspace_admin role
  2. Check role availability in current interface
  3. Confirm role can be manually assigned
  4. Review role assignment restrictions
Possible Causes:
  • Role permissions not properly configured
  • Cached permissions not updated
  • Conflicting role assignments
Solutions:
  1. Clear user session and re-login
  2. Verify role permission matrix
  3. Check for multiple conflicting roles
  4. Review ACL overrides
Possible Causes:
  • User not yet created in FlowX 5.0 system
  • Legacy Keycloak roles still in use
  • Initial organization admin not configured
Solutions:
  1. Ensure user has logged into FlowX Designer at least once
  2. Verify initial organization admin is configured
  3. Assign workspace access to migrated users
  4. Remove deprecated Keycloak Designer roles