Skip to main content
5.8.0+: assignment model changed. Up to 5.7.0, a role assigned to a user or group at organization level granted access on every project that listed the role. Starting with 5.8.0, role assignment is per-solution: define roles and groups here at organization level, then assign them to users or groups from the Share modal on the Solutions page. End-user groups also moved from Keycloak to FlowX. See Runtime authorization for the new model.

Overview

End-user access management lets organization admins control who can access published solutions at runtime. Unlike Designer users (who build processes and workflows), end users interact with the finished solutions through the container app. Manage end users from Organization SettingsAccess Management, where two sections handle runtime access:
  • End-Users: Invite and manage users who access solutions
  • End-Users Groups: Organize users into groups with role assignments and custom attributes
You define end-user roles per project, not in Access Management: see End-users roles below.

End-users

View and manage the list of end users in your organization. End users are separate from Designer users. They access published solutions but cannot modify processes or workflows. To invite an end user:
  1. Navigate to Organization SettingsAccess ManagementEnd-Users
  2. Click Add to invite a new user
  3. Enter the user’s details
End users authenticate through the same Keycloak realm as the organization. SMTP must be configured in Keycloak for invitation emails to be sent.

End-users roles

Roles define what end users can access at runtime. Roles live in an organization-level catalog, so the same role is reusable across projects, but you create and manage them from a project’s version settings. There is no roles section under Access Management.

Managing roles

1

Open the project's version settings

In your project, go to Version SettingsEnd-User Roles.
2

Add a role to the version

Click Add Role, then pick an existing role from the organization catalog or select Create New Role to define a new one. The role name is visible to end users when the solution is shared.
3

Assign roles to resources

Assign the version’s roles on process swimlanes and UI Flow permissions to control what each role can access at runtime.
Roles become assignable to users and groups in the Share modal once the build that defines them is set as the project’s Active Policy. See Runtime authorization for the assignment model.

End-users groups

Groups organize end users and assign them roles and custom attributes. A group can have multiple roles and multiple key-value attributes.

Managing groups

1

Navigate to End-Users Groups

Go to Organization SettingsAccess ManagementEnd-Users Groups.
2

Create a group

Click Add new and configure:
3

Add attributes (optional)

Click Add attribute to add custom key-value pairs. Each attribute has a Key and one or more comma-separated Values. Attributes can be used for business filters and data-driven access control.

Permissions

These permissions are available to Organization Admin and Organization Owner roles.

Organization settings

Overview of all organization-level settings

Roles and permissions matrix

Complete reference for all platform roles and permissions

Swimlanes

Configure role-based task assignment in processes

Business filters

Filter data visibility based on user roles and attributes
Last modified on July 10, 2026