Apps - Permissions
Responsible: IT / System Administration
General Information
Permissions can be granted on multiple levels within Admin & Settings. Users and application keys are treated as equivalent with regard to permissions, because both can take certain actions within Celonis Platform. Permissions regarding Action Flows are handled in the section Automation Permissions.
Studio Permissions
Within Celonis Platform Studio, permissions can be configured on three levels.
Space Level - Permissions
Package Level
Asset Level
The permissions are configurable for each user and each application key that was created.
The permissions only handle available actions within Studio.
App / Connection Permissions
User Connection Permissions
Each use of an App in Action Flows requires a user connection to that service. The connection can be established via:
1. API Key / Application Key
2. Basic authentication with Username & Password
3. OAuth
User Connection Access
The connections you create with your personal credentials are shared within the same Studio package.
Hence, your team can use and delete connections that were created in this package. This way you can easily collaborate across your team to speed up automations. Please follow the Best Practices below to avoid traceability and auditability issues.
If you want to know which permissions are necessary for which app, please check the respective app help page to get more information. Necessary permissions for the different integrations vary. Generally, Action Flows require only the smallest set of permissions to perform a given action. However, some applications do not allow limiting permissions, which is why Action Flows sometimes ask for the complete set of permissions of that application.
After a connection has been established, you can maintain and oversee the already integrated connections and permissions on the Automation Global Pages - User Connections.
Some apps (like SAP) do not show the permissions used. In that case, please check the respective App page instead, e.g. SAP - Permissions. If the requirements are not listed, raise a Support ticket to request the information.
For more information on how to restrict Celonis access to your account registered to those services, see the application-specific documentation.
Connection to On-prem System
If the Celonis On-Prem Agent is involved for an On-Prem System, please check Automation Global Pages - Agent to see whether the Agent is running and you are able to reach your On-Prem system.
Before creating the user connection in the App in Action Flows, a system connection has to be established.
System Connection Access
Each system connection is available to any user of the team that has access to the same Agent.
Best Practices
Tip
Use different Application Keys for different Packages and Actions to enable structured permission control as a team admin.
Create Packages closely related to the Permissions, as many permissions can only be granted and configured on Package level.
Separate Celonis Studio packages per department, as system connections (incl. permissions) are shared within one package.
If a technical user is used to restrict permissions, separate technical users per department.
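The three checkable practices above (one application key per package, one department per package, one technical user per department) can be audited against an inventory of connections. The following is an added example, not Celonis code: the inventory and its field names are constructed for illustration and do not correspond to any Celonis export format.

```python
from collections import defaultdict

# Constructed sample inventory; field names are assumptions for this example.
CONNECTIONS = [
    {"name": "sap-orders", "package": "o2c-automation", "department": "sales",
     "credential_type": "application_key", "credential": "appkey-o2c"},
    {"name": "gmail-dunning", "package": "o2c-automation", "department": "finance",
     "credential_type": "technical_user", "credential": "svc-mail"},
    {"name": "sap-invoices", "package": "p2p-automation", "department": "finance",
     "credential_type": "application_key", "credential": "appkey-o2c"},
    {"name": "smtp-reminders", "package": "p2p-automation", "department": "finance",
     "credential_type": "technical_user", "credential": "svc-mail"},
    {"name": "zoho-hr", "package": "hr-onboarding", "department": "hr",
     "credential_type": "technical_user", "credential": "svc-mail"},
]

def audit(connections):
    """Return sorted (rule, subject, detail) findings for the three checks."""
    key_packages = defaultdict(set)   # application key -> packages using it
    package_depts = defaultdict(set)  # package -> departments with connections in it
    user_depts = defaultdict(set)     # technical user -> departments using it
    for c in connections:
        package_depts[c["package"]].add(c["department"])
        if c["credential_type"] == "application_key":
            key_packages[c["credential"]].add(c["package"])
        elif c["credential_type"] == "technical_user":
            user_depts[c["credential"]].add(c["department"])
    findings = []
    # An application key reused across packages defeats per-package control.
    for key, pkgs in key_packages.items():
        if len(pkgs) > 1:
            findings.append(("shared-application-key", key, sorted(pkgs)))
    # Connections are shared within a package, so mixed departments share access.
    for pkg, depts in package_depts.items():
        if len(depts) > 1:
            findings.append(("mixed-department-package", pkg, sorted(depts)))
    # A technical user spanning departments cannot restrict permissions per department.
    for user, depts in user_depts.items():
        if len(depts) > 1:
            findings.append(("shared-technical-user", user, sorted(depts)))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject, detail in audit(CONNECTIONS):
        print(f"{rule}: {subject} -> {', '.join(detail)}")
```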
Permissions for Email Use Case
If you want to implement action flows that automatically send emails to customers or to internal stakeholders, please follow the information below to connect to your own Email accounts. Internal IT might have certain requirements for this action and the following document contains the necessary information to support the decision of which method is feasible.
If you do not find a feasible solution for your IT system, please submit a feature request or get in touch with your contact at Celonis.
Setup options (recommended):
General Email
Gmail
Microsoft 365 Email
Other email apps
Alternatives:
Email by Celonis via Skills
Email (SMTP) via Skills
HTTP (On-Prem)
General Email App
Additional information: Email
The general email app within Action Flows allows a connection to any email server and can be secured via TLS or self-signed certificates. This makes it easy to configure and can be adjusted to your needs.
Requirements for outgoing SMTP setup:
SMTP server from your provider
Access to server from cloud must be permitted
Authentication options:
SMTP
TLS connection
Self-signed certificates with the rejection of unauthorized certificates
Note
If you need to allowlist an IP address that will make a request to your SMTP server, please allowlist the cluster IP that your team runs.
Warning
Minimum requirement for SMTP
If you need to allow an IP address that will make a request to your SMTP server, please add the cluster IP to the allow list: Allowlisting domain names and IP addresses
Gmail App
Additional information: Gmail
The Gmail Action Flow app is directly integrated with Google. With a GSuite account, it works with OAuth; with a standard Gmail account, a custom OAuth client has to be set up to send emails via Gmail.
Requirements:
Google account
Authentication options
GSuite through Company account (@company.com)
Authorization via OAuth1 / OAuth2
Gmail with personal account (@gmail.com, or googlemail.com):
Authorization via custom OAuth Client
Specific permissions (when asked for confirmation):
Microsoft 365 Email App
Additional information: Microsoft 365 Email
The Microsoft 365 Email App offers authentication via OAuth and is simple to set up.
Requirements:
Microsoft Email 365 Account
Authentication options:
Authorization via OAuth1 / OAuth2
Specific permissions necessary for the different actions:
Other Email Apps
Action Flows offer native integrations with many applications that can be used as an email program.
Below are two possible examples with other forms of authentication listed, but this list is not exhaustive. Please refer to the respective documentation pages within Celonis.
Mandrill
Requirements
Mandrill account
Authentication option:
API key
Zoho Mail
Requirements:
Zoho account
Regional Code
Authentication options:
Authentication via Username / Password
Note
Many more apps that include similar functionality can be found in Action Flows.
Alternatives
If none of the solutions above solves the issue, further methods are available. However, these are more complex and not as easy to maintain.
Email (SMTP) via Skills
Additional information: Email (SMTP)
With SMTP (Agent), you are able to send emails automatically from your own SMTP server which does not need to be accessible from outside your network. This option is needed if the SMTP server is ONLY reachable from within your network.
However, this implementation combines Action Flows with Skills, which makes this solution rather complex and difficult to maintain.
Requirements:
Celonis Agent for Skills v0.4.4
Live Celonis Agent on your system that is connected to Celonis Platform
SMTP server
Authentication options:
SMTP
TLS connection
Self-signed certificates with rejection of unauthorized certificates
Email by Celonis via Skills
The general use case for this module is the testing of new modules. The following template sets up the entire workflow with Action Flows - Send Email by Celonis.
Requirements:
None
Authentication options:
None
Disadvantages:
Not full control over the server
Email domain @celonis.com
Max. 100 uses per day
Complex setup and maintenance
No traceability of sent elements
No visibility of bounce messages
Customers cannot request to be blacklisted
Emails cannot be responded to
HTTP (On-Prem)
Additional information: HTTP (On-Prem)
If you have an internal API endpoint that can be accessed through HTTP to communicate with an internal email server, you can also use that gateway to send emails.
Requirements:
Celonis Agent for Action Flows v1.0.1 Agent Setup
Live Celonis Agent on your system that is connected to Celonis Platform
Authentication:
None