Skip to main content

Celonis Product Documentation

Available Celonis Platform permissions

The Celonis Platform offers granular permission controls, giving you control over who (users) or what (applications and external systems) can access features, content, and data. Depending on the Celonis Platform service that you're using, you can assign granular user permissions on a maximum of three levels: Service, container, and object:

These levels work on a hierarchy, with the highest level (the service level) overriding any conflicts in either the container or object level.

Hierarchy_of_permissions.png
Celonis Platform permission types - Service level, container level, and object level
Service level permissions

This is the highest level, giving user permissions across a service within your Celonis Platform, such as Studio. In this example, you're granting the user permissions to everything in Studio.

Services can contain multiple containers and objects, whereas a container and its object are stored within a service.

All service permissions can be assigned and managed by team admins by clicking Admin & Settings - Permissions:

Accessing_permissions.png
Container level permissions

This is the top-level object within a service, such as Studio - Package. For container level permissions, each Service has its own permission system depending on the container that you're assigning permissions to.

In this Studio example, you're granting the user permissions just within this Studio Package.

Manage_package_permissions_from_space.png

 

Object level permissions

This is the specific object within a container, such as Studio - Package - View. For object level permissions, each Service has its own permission system depending on the object that you're assigning permissions to.

In this Studio example, you are granting the user permissions within just the View within the Package.

asset_permissions.png
Permissions overview table

When assigning and managing permissions in the Celonis Platform, refer to this table:

Service

Container(s)

Object(s)

Action Engine

See: Action Engine service permissions.

Project

See: Action Engine project permissions.

N/A

Data Integration

See: Data Integration service permissions.

Data Pool

See: Data Integration Data Pool permissions.

Data Model

See: Data Integration Data Model permissions.

File Storage Manager

See: File Storage Manager service permissions.

Buckets

See: File Storage Manager bucket permissions.

N/A

Machine Learning

See: Machine Learning service permissions.

Workspaces

See: Machine Learning workspace permissions.

App

See: Machine Learning app permissions.

On-Prem Automation

See: On-Prem Automation service permissions.

Agents (permissions can't be assigned to agents)

N/A

Process Repository

See: Process Repository service permissions.

Categories

See: Process Repository category permissions.

N/A

Studio

See: Studio service permissions.

Space

See: Studio Space permissions.

Package

See: Studio package permissions.

Assets: Action Flow, Analysis, Data Explorer, Knowledge Model, Skill, View.

See: Studio package asset permissions.

Task Mining

See: Task Mining service permissions.

Project

See: Task Mining project permissions.

N/A

Team

See: Team service permissions.

N/A

N/A

Transformation Center

See: Transformation Center service permissions.

Objectives

See: Transformation Center objectives permissions.

KPIs (permission can be assigned to KPIs but these are covered by the objective permissions)

Transformation Hub

See: Transformation Hub service permissions.

N/A

N/A

User Provisioning

See: User Provisioning service permissions.

N/A

N/A

You can assign and manage both service and container (known as projects) level permissions for Action Engine:

Action Engine service permissions

Admins can assign and manage the following Action Engine service permissions in the Celonis Platform:

  • My Inbox (Viewer) - The user has access to 'My Inbox'.

  • Manage Skills (Analyst) - The user has access to 'My Inbox' and can manage skills and see projects.

  • Access All Projects (Analyst) - The user has access to 'My Inbox' and can see adoption.

  • Create Projects (Analyst) - The user has access to 'My Inbox' and can create new projects

action_engine_permissions.png
Action Engine project permissions

Within the Action Engine service, you can assign the following project based permissions:

  • Access (Analyst) - The user can view, edit, and delete the Action Engine project.

To assign Action Engine project permissions while viewing the project, click Options - Manage Permissions:

Action_Engine_-_Project_permissions.png

With the Data Integration service, you can assign and manage permissions on a service, container (Data Pools), and object (Data Models) level:

Data Integration service permissions

Your Data Integration service permissions define who can access (and configure) your Data Integration services area. This is controlled from the Admin & Settings area.

Admins can assign and manage the following Data Integration service permissions in the Celonis Platform:

  • Use all Data Models (Viewer) - The user can assign any Data Model from any Data Pool to, e.g. a variable in Studio and use it from there. This does not give any permission to access or make changes in Data Integration.

  • View all Data Pool (Analyst) - The user can view all Data Pools of this team in a read-only mode and has no permission to modify any of them.

  • Edit all Data Pools (Analyst) - The user has “edit” permissions and can perform all operations for all Data Pools except deleting a Data Pool and managing permissions.

  • Create Data Pools (Analyst) - The user can create new Data Pools in Data Integration and will automatically have Manage Data Pool Permissions in those.

  • Manage all Data Pools (Analyst) - The user has "edit" permissions and can perform all operations, including sensitive ones on all Data Pools of this team.

data_integration_permissions.png
Data Integration Data Pool permissions

Data Pool permissions control who can access and edit individual Data Pools (and all their data connections, jobs, and Data Models accordingly) with your Data Integration service.

You can assign the following Data Pool permissions within the Data Integration service:

  • Use all Data Models (Viewer) - The user can assign any Data Model from any Data Pool to, e.g. a variable in Studio and use it from there. This does not give any permission to access or make changes in Data Integration.

  • View all Data Pool (Analyst) - The user can view all Data Pools of this team in a read-only mode and has no permission to modify any of them.

  • Edit all Data Pools (Analyst) - The user has “edit” permissions and can perform all operations for all Data Pools except deleting a Data Pool and managing permissions.

  • Create Data Pools (Analyst) - The user can create new Data Pools in Data Integration and will automatically have Manage Data Pool Permissions in those.

  • Manage all Data Pools (Analyst) - The user has "edit" permissions and can perform all operations, including sensitive ones on all Data Pools of this team.

To assign Data Pool permissions from the Data Pool overview page, click Options - Permissions:

Data_Integration_-_Data_pool_permissions.png
Data Integration Data Model permissions

You can assign and manage both usage and data permissions for your Data Models within the Data Integration service:

  • Usage permissions: This gives users and applications the ability to use this Data Model in other Celonis Platform areas, such as Studio. This does not give them access to access or edit the Data Model within the Data Integration service.

  • Data permissions: Without any assigned Data Permissions, every user and group will be able to access the data of this Data Model - once loaded - via the Celonis Studio. You can set these permissions either manually or via data permission tables:

To assign Data Model permissions from the Data Model overview page, click Options - Usage Permissions / Data Permissions:

Data_Integration_-_Data_Model_permissions.png

You can assign and manage File Storage Manager permissions on a service and container (buckets) level in the Celonis Platform.

File Storage Manager service permissions

Admins can assign and manage the following File Storage Manager service permissions in the Celonis Platform:

  • Get (Viewer) - The user can view all files in a storage bucket.

  • Create (Analyst) - The user is able to create storage buckets.

  • Delete (Analyst) - The user is able to delete storage buckets.

  • Admin (Analyst) - The user is able to create and delete storage buckets.

  • List (Analyst) - The user is able to call a list of all storage buckets.

file_storage_manager_permissions.png
File Storage Manager bucket permissions

You can assign and manage the following user permissions for individual buckets within the File Storage Manager service:

  • Get (Viewer) - The user can view all files in the bucket.

  • Create (Analyst) - The user is able to create content that is stored in this bucket.

  • Delete (Analyst) - The user is able to delete content within the bucket and delete the bucket itself.

  • Admin (Analyst) - The user is able to create and delete content within the bucket and delete the bucket itself.

  • List (Analyst) - The user is able to call a list of all content within this bucket.

To assign bucket permissions within the File Storage Manager, click Options - Permissions:

File_storage_manager_-_bucket_permissions.png

You can assign and manage Machine Learning permissions on a service, container (workspace), and object (app) level in the Celonis Platform.

Machine Learning service permissions

Admins can assign and manage the following Machine Learning service permissions in the Celonis Platform:

  • Create Apps (Analyst) - The user can create new apps.

  • Use all Apps (Viewer) - The user can use all existing Apps.

  • Manage All Apps (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for all apps.

  • Create Workspaces (Analyst) - The user can create workspaces.

  • Manage All Workspaces (Analyst) - The user can edit, delete all workspaces.

machine_learning_permissions.png
Machine Learning workspace permissions

You can assign and manage the following workspace permissions within the Machine Learning service:

  • Create Apps (Analyst) - The user can create new apps within this workspace.

  • Use all Apps (Viewer) - The user can use all existing apps in this workspace.

  • Manage All Apps (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for all apps in this workspace.

  • Create Workspaces (Analyst) - The user can create additional workspaces.

  • Manage All Workspaces (Analyst) - The user can edit, delete all workspaces.

To assign workspace permissions from the Machine Learning service, click Apps - Options - Permissions:

machine_learning_-_workspace_permissions.png
Machine Learning app permissions

You can assign and manage the following app permissions within the Machine Learning service:

  • Use App (Viewer) - The user can access and use this app.

  • Manage App (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for this app.

To assign apps permissions from within a Machine Learning workspace, click Options - Permissions:

machine_learning_-_app_permissions.png

You can assign and manage On-Prem Automation permissions on a service level only in the Celonis Platform. While On-Prem Automations has a container level (agents), you can't assign permissions to these directly.

On-Prem Automation service permissions

Admins can assign and manage the following On-Prem Automation service permissions in the Celonis Platform:

  • View agents (Viewer) - The user can view the list of agents in the Automation global page.

  • Manage permissions (Analyst) - The user can update permissions related to automation.

  • Register agents (Analyst) - The user can register new agents in the Celonis Platform team. Meaning, the user can create a connection between the agent installed in a customer's on-prem environment and the Celonis Platform team.

  • Edit agents (Analyst) - The user can edit or delete agents in the Automation global page.

on-prem_automation_permissions.png

You can assign and manage Process Repository permissions on a service and container (category) level in the Celonis Platform.

Process Repository service permissions

Admins can assign and manage the following Process Repository service permissions in the Celonis Platform:

  • Use categories (Viewer) - The user can use existing process repository categories but not create them.

  • Create and modify categories (Analyst) - The user can create and modify existing process categories but, unless combined with other permissions, can't delete existing categories.

  • Modify existing categories (Analyst) - The use can modify existing process categories but, unless combined with other permissions, can't create categories.

  • Delete existing categories (Analyst) - The use can delete existing process categories but, unless combined with other permissions, can't create or modify categories.

process_repository_permissions.png
Process Repository category permissions

You can assign and manage the following category permissions within the Process Repository service:

  • Use categories (Viewer) - The user can use the existing Process Repository category but not edit or delete it.

  • Edit category (Analyst) - The user can use, edit, and delete the Process Repository category.

To assign and manage category permissions from within Process Repository service, click Options - Permissions:

Process_Repository_-_category_permissions.png

With the Studio service, you can assign and manage permissions on a service, container (Space, Package), and object (Action Flow, Analysis, Data Explorer, Knowledge Model, Skill, View.) level:

Studio service permissions

Admins can assign and manage the following Studio service permissions in the Celonis Platform:

  • Edit all spaces (Analyst) - The user can only edit existing space names but can create, edit, delete and set permissions for spaces and content they have created unless permissions are removed.

  • Delete all spaces (Analyst) - The user can create, edit, delete and set permissions to spaces and content they have created, unless permissions are removed. They can't delete other spaces unless this permissions is combined with Edit all Spaces.

  • Create space (Analyst) - The user can create a new space, package or install from Marketplace. Once the space is created the user can edit, delete and assign permissions to the created space and its contents.

  • Manage permissions (Analyst) - The user can create, edit, delete and set permissions to spaces and content they have created, unless permissions are removed. They can't manage permissions to other spaces unless this permissions is combined with Edit all Spaces.

Studio_permissions.png

Studio Space permissions

Within the Studio service, you can assign and manage the following Space permissions:

  • Use all packages (Viewer) - The user can use all content in the granted Space from within Apps. The space content isn't accessible via Studio.

  • Edit Space (Analyst) - The user can see the name of space they have been granted and can edit the space name.

  • Edit all packages (Analyst) - The user can create new or edit all packages and assets within the space they have been granted, they can't delete anything.

  • Delete all packages (Analyst) - The user can only see the Space they have been granted and can't do anything. This permission must be combined with Edit all Packages to work.

  • Delete space (Analyst) - In Studio, the user can delete the granted space and everything in it, but can't see the content. They can see the content in Apps.

  • Create package (Analyst) - The user can see the name of the space they have been granted and can create a new package within it. They can't see existing packages. The user can delete and grant permission to packages they have created, unless permissions are removed.

  • Manage permissions (Analyst) - The user can manage permissions of the space they are granted. They can see all content in Apps.

To assign and manage Studio space permissions from the space overview page, click Options - Permissions:

Studio_-_space_permissions.png
Studio package permissions

Within a Studio space, you can assign and manage the following package permissions:

  • Use package (Viewer) - The user can "use" the package they have been granted in Apps.

  • Edit package (Analyst) - The user can edit the package and create, edit all assets within the package, they can't delete anything.

  • Delete package (Analyst) - When checked alone, the user can only see the Space they have been granted and can't do anything. This permission must be combined with Edit Package to work.

  • Manage permissions (Analyst) - When checked alone, this does nothing other than show the space, with no packages shown. This permission must be combined with Edit Package to work.

To assign and manage Studio package permissions from within a Studio Space, click Options - Permissions:

Studio_-_package_permissions.png
Studio package asset permissions

Within Studio packages you can create and manage Studio assets (see: Asset types. For each Studio package asset, you can assign and manage the following permissions:

  • Use (Viewer) - The user can use the view they are granted permissions to. They can also see the package the view is within.

To assign and manage Studio package assets from within the package, click Options - Permissions:

Studio_-_asset_permission.png

When using the Task Mining service, you can assign and manage permissions on a service and container (project) level:

Task Mining service permissions

Admins can assign and manage the following Task Mining service permissions in the Celonis Platform:

  • Edit Client Settings (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Client Setups" in Task Mining.

  • Edit Users (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Users & Invite".

task_mining_permissions.png
Task Mining project permissions

Within the Task Mining service, you can assign and manage the following project permissions:

  • Edit client settings (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Client Setups" in Task mining

  • Edit users (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Users & Invite"

Team permissions control who and what can access and manage your Admin & Settings area in the Celonis Platform.

Team service permissions

Admins can assign and manage the following team service permissions in the Celonis Platform:

  • Import members (Viewer) - The granted user can import members from one team to another.

  • Use Audit Logs API (Analyst) - The granted user can now configure an API to export audit logs.

  • Use Login History API (Analyst) - The granted user can now configure an API to export login history logs.

  • Use Studio Adoption API (Analyst) - The granted user can now configure an API to export user adoption events.

  • Manage Audit Logs (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Audit Logs in the menu.

  • Manage Login History (Analyst) - The granted user gets limited access to Admin & Settings, but can only see login history in the menu.

  • Manage General Settings (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Settings in the menu.

  • Manage SSO Settings (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Single sign-on in the menu.

  • Manage Members (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Users in the menu.

  • Manage Groups (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Groups in the menu.

  • Manage Permissions (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Permissions in the menu.

  • Manage Member Locking Policy (Analyst) - The granted user gets limited access to Admin & Settings, but can only see User locking policy in the menu.

  • Manage License Settings (Analyst) The granted user gets limited access to Admin & Settings, but can only see License in the menu.

  • Manage Admin Notifications (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Notifications in the menu.

  • Manage Uplink Integrations (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Uplink integrations in the menu.

  • Manage Event Collection on Premises (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Permissions in the menu.

  • Manage Adoptions Views (Analyst) - The granted user gets limited access to Admin & Settings, but can only see User Adoption Views in the menu.

  • Manage Download Portal (Analyst) - The granted user gets full access to the Download Portal, giving them access to files which support Celonis provided apps.

team_permissions.png

When using the Transformation Center service, you can assign and manage permissions on a service and container (objectives) level. While you can create KPIs within objectives, these permissions are managed as part of the objective permissions.

Transformation Center service permissions

Admins can assign and manage the following Transformation Center service permissions in the Celonis Platform:

  • View Objective (Viewer) - The user can view existing objectives.

  • Create Objective (Analyst) - The user can create an objective.

  • Edit Objective (Analyst) - The user can edit an existing objective.

  • Delete Objective (Analyst) - The user can delete an objective.

  • Create KPI (Analyst) - The user can create and edit KPIs.

  • Export Content (Analyst) - The user can export KPIs and objectives.

  • Move to (Analyst) - The user can move content.

  • Manage permissions (Analyst) - The user can manage service permissions.

transformation_center_permissions.png
Transformation Center objectives permissions

You can assign and manage the following permissions for Transformation Center objectives:

  • View Objective (Viewer) - The user can view this objective.

  • Edit Objective (Analyst) - The user can edit this objective.

  • Create KPI (Analyst) - The user can create and edit KPIs within .

  • Delete Objective (Analyst) - The user can delete this objective.

  • Manage permissions (Analyst) - The user can manage the permissions for this objective.

To assign objective permissions within the Transformation Center, click Options - Permissions:

Transformation_Center_-_objective_permissions.png

You can assign and manage Transformation Hub permissions on a service level only in the Celonis Platform.

Transformation Hub service permissions

Admins can assign and manage the following Transformation Hub service permissions in the Celonis Platform:

  • Access Transformation Hub (Analyst) - The user can access the Transformation Hub service.

transformation_hub_permissions.png

You can assign and manager User Provisioning permissions on a service level only in the Celonis Platform.

User Provisioning service permissions

User Provisioning service permissions are available when single sign-on (SSO) is enabled for the Celonis Platform team. When enabled, admins can assign and manage the following User Provisioning service permissions in the Celonis Platform:

  • SCIM (Viewer) - The user can configure SCIM API for user provisioning (If enabled).

user_provisioning_permissions.png