
Key benefits
Faster Onboarding
Data Isolation
Enhanced Access Control
Key concepts
Workspace
A workspace is a logical grouping of entities and assets defined in FlowX that are only available to a subset of users who are given explicit access. Each workspace operates independently, ensuring data and configuration separation between different business contexts.Multi-workspace user access
Users can be granted access to multiple workspaces and can switch between them as needed. When a user has access to multiple workspaces, they can select which workspace to enter after authentication.Data isolation
Workspaces provide logical data isolation, meaning that resources (projects, libraries, themes, etc.) are scoped to specific workspaces and cannot be accessed from other workspaces without explicit sharing configurations.Additional terminology
- Group: A collection of users who share common characteristics, responsibilities, or access needs within a system. Groups are used to simplify access control by managing permissions collectively rather than assigning them individually to each user.
- Permissions: Define what actions can be performed on resources. They are fine-grained access controls that specify privileges for a resource type, such as: read process, edit process, delete process.
- Roles: Collections of permissions grouped together based on job functions or responsibilities. They simplify permission management by assigning a set of permissions to users instead of managing them individually.
org_admin role is the only one assigned to users directly at the organization level.Workspace use cases
Multiple Business Lines
Multiple Business Lines
- Shared users across business lines
- Shared library builds
- Shared themes (configurable)
Regional Separation
Regional Separation
- Libraries and common processes
- Some shared users with multi-region access
Distinct Organizations
Distinct Organizations
How workspaces work
Authentication and access flow
User Authentication
Permission Retrieval
Workspace Selection
Context Loading
Workspace selection experience
The workspace selection experience varies based on user access:- Single Workspace Access
- Multiple Workspace Access
- No Workspace Access
Session management
Error handling and access denied scenarios
No Access to Selected Workspace
No Access to Selected Workspace
workspace/403 error pageCommon Causes:- Workspace access was revoked
- User navigated to an invalid workspace ID
- Workspace was deleted or renamed
No Access to Resource
No Access to Resource
403 error pageCommon Causes:- Insufficient project-level permissions
- Resource is restricted to specific roles or groups
- Project access was revoked
Resource management
- Project Isolation
- Library Sharing
- Theme Management
- Media Files & Fonts
Additional workspace features
Command Center (AI Agents)
Audit Logs
Audit log entry in main menu for every workspace will be available only for users with Workspace Admin role. The reason for this is that global audit log includes all logs for all projects/libraries in workspace.Access control
Role-based access control (RBAC)
Predefined Roles
- Project editor - Can modify project content, processes, and configurations. Includes all Project Viewer permissions.
- Project viewer - Read-only access to project content and processes. Cannot make modifications.
- Workspace user - View only access to workspace entities. Can create projects, but only sees projects they have explicit access to.
- Owner - Automatically assigned to project creators. Full control over project settings, access management, and can delete the project.
- Theme editor - Extends workspace user role to include permissions to manage themes and associated resources (global media files).
- Workspace admin - Manages all workspace level resources including users, roles, themes. Can configure access and content, but cannot manage organization-wide settings.
- Runtime editor - Enables users to test runtime functionality and manage runtime policies without full configurator permissions. Commonly used by QA teams and testers who need to manage “change active policy” operations and test processes during runtime without broader editing capabilities.
Workspace-Specific
Detailed role permissions
To add a user to a workspace, and to assign a role to the user, you need to go to Organization settings page and select your desired workspace, then add the user to the workspace and assign the role to the user.- Workspace admin: Manages all workspace level resources including users, roles, themes. Can configure access and content, but cannot manage organization-wide settings.
- Workspace user: View only access to workspace entities. Can create projects, but only sees projects they have explicit access to.
- Theme editor: Extends workspace user role to include permissions to manage themes and associated resources (global media files).
- Runtime editor: Enables users to test runtime functionality and manage runtime policies without full configurator permissions. Commonly used by QA teams and testers who need to manage “change active policy” operations and test processes during runtime without broader editing capabilities.

User groups
- Default Groups: Each workspace includes an “Everyone in workspace” default group
- Custom Groups: Create groups based on teams, departments, or project requirements
- Inherited Permissions: Users automatically inherit permissions from their group memberships
Access control lists (ACLs)
Resource-Specific Permissions
Resource-Specific Permissions
project_viewer role can be granted edit access to a specific project without becoming a full configurator.Exception-Based Access
Exception-Based Access
Owner Management
Owner Management
Project-level access control
Projects and libraries support fine-grained access control through dedicated project roles that work alongside workspace-level permissions.Project Owner
Project Editor
Project Viewer
Creating a project
Create Project
Owner Assignment
Extend Access

Access management inheritance
- Project Editor role automatically includes Project Viewer permissions
- Multiple roles: Users can have both workspace-level and project-level roles simultaneously
- Permission union: When users have multiple roles, their access is the combination of all permissions from all assigned roles
Organization administration
Organization admin role
org_admin role is the only role assigned directly to users at the organization level, not workspace level.- Go to Organization Settings → Users.
- Find the user in the list and open their context menu (the three-dot menu).
- Select Set as ORG Admin.
User management
The Organization Users page lists only Designer users — users who have logged into FlowX Designer at least once, or who were manually created by an organization admin. It does not list end users, who access published solutions at runtime. Designer users and end users are managed separately:- Designer users — managed in Organization Settings → Users. Control access to the FlowX Designer, workspaces, projects, and libraries.
- End users — managed in Organization Settings → Access Management (End-Users and End-Users Groups). Control access to published solutions at runtime (e.g., who can start or view a process). End-user roles are defined per project in Version Settings → End-User Roles.
User creation scenarios
- LDAP/Active Directory Users
- Direct FlowX Creation
- User logs into FlowX Designer for the first time
- They are redirected to a “You’re not assigned to a workspace yet” message page
- User account is now created in FlowX and appears in the Users list in Organization Settings
- Organization admin assigns workspace access with appropriate role (Workspace User, Workspace Admin, Theme Editor, or Runtime Editor)
- On next login, user will have access to assigned workspaces
Additional organization settings
Runtime roles and groups
Runtime roles and end-user groups are managed in FlowX (not in Keycloak). End users and end-user groups live under Organization Settings → Access Management (End-Users and End-Users Groups); runtime roles are defined per project in Version Settings → End-User Roles. Together they control the permissions end users hold on published solutions.Set environment info
Configuring client and environment information is available only in Organization settings section under Platform status page.Workspace management
Creating and managing workspaces
Admin Access Required
Workspace Configuration
User Assignment

Workspace environment type
Workspaces are labeled with an Environment Type that indicates their purpose within your deployment. The label is visible in every workspace listing, so users can immediately tell whether they are working in development, testing, or live data — particularly important when the same project (by UUID) is imported into more than one workspace via cross-workspace project import.Available types
Setting the type
The Environment Type is set at workspace creation and can be changed later by a Workspace or Organization Admin:- At creation: the Create Workspace dialog includes an Environment Type dropdown. Pick the type that matches the workspace’s intended use.
- After creation: go to Organization Settings → select your workspace → adjust the Environment Type dropdown.
Multi-workspace identification
Because the same FlowX environment can host multiple workspaces, and the same project (same UUID) can be imported into more than one workspace, the Environment Type label is the primary cue for where a user is working. Without it, a designer opening a project cannot tell at a glance whether they are about to edit a Sandbox copy or the Production copy of the same project. Recommended patterns:- On a non-production FlowX environment, label every workspace Sandbox — the environment itself is not customer-facing, regardless of how the workspaces are organized internally.
- On a production FlowX environment that hosts multiple workspaces (for example, UAT, Staging, and Production for the same project), use Staging for the validation workspace and Production for the live workspace. The Environment Type lets users distinguish them inside the same Designer.
- Avoid mixing labels arbitrarily across an environment — the value of the cue depends on the label matching the workspace’s role.
User management within workspaces
- Adding Users
- Role Assignment
- Access Matrix
- Direct Assignment: Add users directly to workspace with specific roles
- Group Membership: Add users to groups that inherit workspace permissions
- Multi-Workspace Access: Users can be members of multiple workspaces
Migration and compatibility
Initial setup requirements
- To create the first user in FlowX Designer with organization admin role, an environment variable
SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERNAMEneeds to be configured with the username of the user from Identity Store (Keycloak/ other Identity Store from where the users are used to login in FlowX.AI). - If request to Keycloak fails, the fallback is to use
SPRING_LIQUIBASE_PARAMETERS_DEFAULTORGADMINUSERSUBJECTIDto create the organization admin user. Value that must be set is the subject identifier. (sub in JWT token OR user’s id in Keycloak).
For existing FlowX customers
For existing FlowX customers
For new FlowX 5.x installations
For new FlowX 5.x installations
- Configure the first workspace administrator user
- Create the initial workspace
- Set up users and role assignments
- Begin creating projects and processes
Best practices
Workspace design
Clear Boundaries
Naming Conventions
Documentation
Scalability Planning
Permission management
- Principle of Least Privilege: Grant minimum necessary permissions
- Group-Based Management: Use groups for permission management rather than individual assignments
- Regular Audits: Periodically review and audit workspace permissions
- Clear Ownership: Establish clear ownership models for workspace resources
Resource sharing
- Controlled Sharing: Implement clear policies for resource sharing between workspaces
- Dependency Management: Track and manage dependencies between shared resources
- Version Control: Maintain version control for shared libraries and themes
Common use cases
Banking - Multi-Division Operations
Banking - Multi-Division Operations
- Retail Banking Workspace
- Corporate Banking Workspace
- Investment Banking Workspace
- Shared Compliance Workspace (for common libraries)
Insurance - Geographic Separation
Insurance - Geographic Separation
- US Operations Workspace
- EU Operations Workspace
- APAC Operations Workspace
Cross-workspace project import
You can import the same project into multiple workspaces on the same environment. This feature enables organizations to use workspaces to represent different operational environments (such as UAT, staging, pre-production) on a single FlowX deployment, reducing operational costs.How it works
Import to Multiple Workspaces
Independent Lifecycle
No Impact on Original
Separate Process Instances
Import behavior
Limitations and considerations
Current limitations
- Resource Isolation: Direct access to resources from other workspaces is not possible
- Single Environment Sharing: Library sharing only works within the same FlowX environment
- Permission Inheritance: Workspace permissions don’t automatically inherit across workspace boundaries
Additional limitations
Planning considerations
- Change Management: Organizational alignment needed for governance models
- User Training: Users need to understand workspace selection and navigation
- Governance Policies: Clear policies needed for resource sharing and access management
- Migration Planning: Existing customers should plan workspace structure before creating additional workspaces


