Available Celonis Platform permissions
The Celonis Platform offers granular permission controls, giving you control over who (users) or what (applications and external systems) can access features, content, and data. Depending on the Celonis Platform service that you're using, you can assign granular user permissions on a maximum of three levels: Service, container, and object:
These levels work on a hierarchy, with the highest level (the service level) overriding any conflicts in either the container or object level.
Celonis Platform permission types - Service level, container level, and object level
Service level permissions
This is the highest level, giving user permissions across a service within your Celonis Platform, such as Studio. In this example, you're granting the user permissions to everything in Studio.
Services can contain multiple containers and objects, whereas a container and its object are stored within a service.
All service permissions can be assigned and managed by team admins by clicking Admin & Settings - Permissions:
Container level permissions
This is the top-level object within a service, such as Studio - Package. For container level permissions, each Service has its own permission system depending on the container that you're assigning permissions to.
In this Studio example, you're granting the user permissions just within this Studio Package.
Object level permissions
This is the specific object within a container, such as Studio - Package - View. For object level permissions, each Service has its own permission system depending on the object that you're assigning permissions to.
In this Studio example, you are granting the user permissions within just the View within the Package.
Permissions overview table
When assigning and managing permissions in the Celonis Platform, refer to this table:
Service | Container(s) | Object(s) |
---|---|---|
Action Engine | Project | N/A |
Data Integration | Data Pool | Data Model |
File Storage Manager | Buckets | N/A |
Machine Learning | Workspaces | App |
On-Prem Automation | Agents (permissions can't be assigned to agents) | N/A |
Process Repository | Categories | N/A |
Studio | Space See: Studio Space permissions. Package | Assets: Action Flow, Analysis, Data Explorer, Knowledge Model, Skill, View. |
Task Mining | Project | N/A |
Team See: Team service permissions. | N/A | N/A |
Transformation Center | Objectives | KPIs (permission can be assigned to KPIs but these are covered by the objective permissions) |
Transformation Hub | N/A | N/A |
User Provisioning | N/A | N/A |
You can assign and manage both service and container (known as projects) level permissions for Action Engine:
Action Engine service permissions
Admins can assign and manage the following Action Engine service permissions in the Celonis Platform:
My Inbox (Viewer) - The user has access to 'My Inbox'.
Manage Skills (Analyst) - The user has access to 'My Inbox' and can manage skills and see projects.
Access All Projects (Analyst) - The user has access to 'My Inbox' and can see adoption.
Create Projects (Analyst) - The user has access to 'My Inbox' and can create new projects
Action Engine project permissions
Within the Action Engine service, you can assign the following project based permissions:
Access (Analyst) - The user can view, edit, and delete the Action Engine project.
To assign Action Engine project permissions while viewing the project, click Options - Manage Permissions:
With the Data Integration service, you can assign and manage permissions on a service, container (Data Pools), and object (Data Models) level:
Data Integration service permissions
Your Data Integration service permissions define who can access (and configure) your Data Integration services area. This is controlled from the Admin & Settings area.
Admins can assign and manage the following Data Integration service permissions in the Celonis Platform:
Use all Data Models (Viewer) - The user can assign any Data Model from any Data Pool to, e.g. a variable in Studio and use it from there. This does not give any permission to access or make changes in Data Integration.
View all Data Pool (Analyst) - The user can view all Data Pools of this team in a read-only mode and has no permission to modify any of them.
Edit all Data Pools (Analyst) - The user has “edit” permissions and can perform all operations for all Data Pools except deleting a Data Pool and managing permissions.
Create Data Pools (Analyst) - The user can create new Data Pools in Data Integration and will automatically have Manage Data Pool Permissions in those.
Manage all Data Pools (Analyst) - The user has "edit" permissions and can perform all operations, including sensitive ones on all Data Pools of this team.
Data Integration Data Pool permissions
Data Pool permissions control who can access and edit individual Data Pools (and all their data connections, jobs, and Data Models accordingly) with your Data Integration service.
You can assign the following Data Pool permissions within the Data Integration service:
Use all Data Models (Viewer) - The user can assign any Data Model from any Data Pool to, e.g. a variable in Studio and use it from there. This does not give any permission to access or make changes in Data Integration.
View all Data Pool (Analyst) - The user can view all Data Pools of this team in a read-only mode and has no permission to modify any of them.
Edit all Data Pools (Analyst) - The user has “edit” permissions and can perform all operations for all Data Pools except deleting a Data Pool and managing permissions.
Create Data Pools (Analyst) - The user can create new Data Pools in Data Integration and will automatically have Manage Data Pool Permissions in those.
Manage all Data Pools (Analyst) - The user has "edit" permissions and can perform all operations, including sensitive ones on all Data Pools of this team.
To assign Data Pool permissions from the Data Pool overview page, click Options - Permissions:
Data Integration Data Model permissions
You can assign and manage both usage and data permissions for your Data Models within the Data Integration service:
Usage permissions: This gives users and applications the ability to use this Data Model in other Celonis Platform areas, such as Studio. This does not give them access to access or edit the Data Model within the Data Integration service.
Data permissions: Without any assigned Data Permissions, every user and group will be able to access the data of this Data Model - once loaded - via the Celonis Studio. You can set these permissions either manually or via data permission tables:
To assign Data Model permissions from the Data Model overview page, click Options - Usage Permissions / Data Permissions:
You can assign and manage File Storage Manager permissions on a service and container (buckets) level in the Celonis Platform.
File Storage Manager service permissions
Admins can assign and manage the following File Storage Manager service permissions in the Celonis Platform:
Get (Viewer) - The user can view all files in a storage bucket.
Create (Analyst) - The user is able to create storage buckets.
Delete (Analyst) - The user is able to delete storage buckets.
Admin (Analyst) - The user is able to create and delete storage buckets.
List (Analyst) - The user is able to call a list of all storage buckets.
File Storage Manager bucket permissions
You can assign and manage the following user permissions for individual buckets within the File Storage Manager service:
Get (Viewer) - The user can view all files in the bucket.
Create (Analyst) - The user is able to create content that is stored in this bucket.
Delete (Analyst) - The user is able to delete content within the bucket and delete the bucket itself.
Admin (Analyst) - The user is able to create and delete content within the bucket and delete the bucket itself.
List (Analyst) - The user is able to call a list of all content within this bucket.
To assign bucket permissions within the File Storage Manager, click Options - Permissions:
You can assign and manage Machine Learning permissions on a service, container (workspace), and object (app) level in the Celonis Platform.
Machine Learning service permissions
Admins can assign and manage the following Machine Learning service permissions in the Celonis Platform:
Create Apps (Analyst) - The user can create new apps.
Use all Apps (Viewer) - The user can use all existing Apps.
Manage All Apps (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for all apps.
Create Workspaces (Analyst) - The user can create workspaces.
Manage All Workspaces (Analyst) - The user can edit, delete all workspaces.
Machine Learning workspace permissions
You can assign and manage the following workspace permissions within the Machine Learning service:
Create Apps (Analyst) - The user can create new apps within this workspace.
Use all Apps (Viewer) - The user can use all existing apps in this workspace.
Manage All Apps (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for all apps in this workspace.
Create Workspaces (Analyst) - The user can create additional workspaces.
Manage All Workspaces (Analyst) - The user can edit, delete all workspaces.
To assign workspace permissions from the Machine Learning service, click Apps - Options - Permissions:
Machine Learning app permissions
You can assign and manage the following app permissions within the Machine Learning service:
Use App (Viewer) - The user can access and use this app.
Manage App (Analyst) - The user can edit, upgrade, delete, update the associated application key and update the permissions for this app.
To assign apps permissions from within a Machine Learning workspace, click Options - Permissions:
You can assign and manage On-Prem Automation permissions on a service level only in the Celonis Platform. While On-Prem Automations has a container level (agents), you can't assign permissions to these directly.
On-Prem Automation service permissions
Admins can assign and manage the following On-Prem Automation service permissions in the Celonis Platform:
View agents (Viewer) - The user can view the list of agents in the Automation global page.
Manage permissions (Analyst) - The user can update permissions related to automation.
Register agents (Analyst) - The user can register new agents in the Celonis Platform team. Meaning, the user can create a connection between the agent installed in a customer's on-prem environment and the Celonis Platform team.
Edit agents (Analyst) - The user can edit or delete agents in the Automation global page.
You can assign and manage Process Repository permissions on a service and container (category) level in the Celonis Platform.
Process Repository service permissions
Admins can assign and manage the following Process Repository service permissions in the Celonis Platform:
Use categories (Viewer) - The user can use existing process repository categories but not create them.
Create and modify categories (Analyst) - The user can create and modify existing process categories but, unless combined with other permissions, can't delete existing categories.
Modify existing categories (Analyst) - The use can modify existing process categories but, unless combined with other permissions, can't create categories.
Delete existing categories (Analyst) - The use can delete existing process categories but, unless combined with other permissions, can't create or modify categories.
Process Repository category permissions
You can assign and manage the following category permissions within the Process Repository service:
Use categories (Viewer) - The user can use the existing Process Repository category but not edit or delete it.
Edit category (Analyst) - The user can use, edit, and delete the Process Repository category.
To assign and manage category permissions from within Process Repository service, click Options - Permissions:
With the Studio service, you can assign and manage permissions on a service, container (Space, Package), and object (Action Flow, Analysis, Data Explorer, Knowledge Model, Skill, View.) level:
Studio service permissions
Admins can assign and manage the following Studio service permissions in the Celonis Platform:
Edit all spaces (Analyst) - The user can only edit existing space names but can create, edit, delete and set permissions for spaces and content they have created unless permissions are removed.
Delete all spaces (Analyst) - The user can create, edit, delete and set permissions to spaces and content they have created, unless permissions are removed. They can't delete other spaces unless this permissions is combined with Edit all Spaces.
Create space (Analyst) - The user can create a new space, package or install from Marketplace. Once the space is created the user can edit, delete and assign permissions to the created space and its contents.
Manage permissions (Analyst) - The user can create, edit, delete and set permissions to spaces and content they have created, unless permissions are removed. They can't manage permissions to other spaces unless this permissions is combined with Edit all Spaces.
Studio Space permissions
Within the Studio service, you can assign and manage the following Space permissions:
Use all packages (Viewer) - The user can use all content in the granted Space from within Apps. The space content isn't accessible via Studio.
Edit Space (Analyst) - The user can see the name of space they have been granted and can edit the space name.
Edit all packages (Analyst) - The user can create new or edit all packages and assets within the space they have been granted, they can't delete anything.
Delete all packages (Analyst) - The user can only see the Space they have been granted and can't do anything. This permission must be combined with Edit all Packages to work.
Delete space (Analyst) - In Studio, the user can delete the granted space and everything in it, but can't see the content. They can see the content in Apps.
Create package (Analyst) - The user can see the name of the space they have been granted and can create a new package within it. They can't see existing packages. The user can delete and grant permission to packages they have created, unless permissions are removed.
Manage permissions (Analyst) - The user can manage permissions of the space they are granted. They can see all content in Apps.
To assign and manage Studio space permissions from the space overview page, click Options - Permissions:
Studio package permissions
Within a Studio space, you can assign and manage the following package permissions:
Use package (Viewer) - The user can "use" the package they have been granted in Apps.
Edit package (Analyst) - The user can edit the package and create, edit all assets within the package, they can't delete anything.
Delete package (Analyst) - When checked alone, the user can only see the Space they have been granted and can't do anything. This permission must be combined with Edit Package to work.
Manage permissions (Analyst) - When checked alone, this does nothing other than show the space, with no packages shown. This permission must be combined with Edit Package to work.
To assign and manage Studio package permissions from within a Studio Space, click Options - Permissions:
Studio package asset permissions
Within Studio packages you can create and manage Studio assets (see: Asset types. For each Studio package asset, you can assign and manage the following permissions:
Use (Viewer) - The user can use the view they are granted permissions to. They can also see the package the view is within.
To assign and manage Studio package assets from within the package, click Options - Permissions:
When using the Task Mining service, you can assign and manage permissions on a service and container (project) level:
Task Mining service permissions
Admins can assign and manage the following Task Mining service permissions in the Celonis Platform:
Edit Client Settings (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Client Setups" in Task Mining.
Edit Users (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Users & Invite".
Task Mining project permissions
Within the Task Mining service, you can assign and manage the following project permissions:
Edit client settings (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Client Setups" in Task mining
Edit users (Analyst) - Analysts are granted permissions to see and edit everything behind the menu point "Users & Invite"
Team permissions control who and what can access and manage your Admin & Settings area in the Celonis Platform.
Team service permissions
Admins can assign and manage the following team service permissions in the Celonis Platform:
Import members (Viewer) - The granted user can import members from one team to another.
Use Audit Logs API (Analyst) - The granted user can now configure an API to export audit logs.
Use Login History API (Analyst) - The granted user can now configure an API to export login history logs.
Use Studio Adoption API (Analyst) - The granted user can now configure an API to export user adoption events.
Manage Audit Logs (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Audit Logs in the menu.
Manage Login History (Analyst) - The granted user gets limited access to Admin & Settings, but can only see login history in the menu.
Manage General Settings (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Settings in the menu.
Manage SSO Settings (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Single sign-on in the menu.
Manage Members (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Users in the menu.
Manage Groups (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Groups in the menu.
Manage Permissions (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Permissions in the menu.
Manage Member Locking Policy (Analyst) - The granted user gets limited access to Admin & Settings, but can only see User locking policy in the menu.
Manage License Settings (Analyst) The granted user gets limited access to Admin & Settings, but can only see License in the menu.
Manage Admin Notifications (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Notifications in the menu.
Manage Uplink Integrations (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Uplink integrations in the menu.
Manage Event Collection on Premises (Analyst) - The granted user gets limited access to Admin & Settings, but can only see Permissions in the menu.
Manage Adoptions Views (Analyst) - The granted user gets limited access to Admin & Settings, but can only see User Adoption Views in the menu.
Manage Download Portal (Analyst) - The granted user gets full access to the Download Portal, giving them access to files which support Celonis provided apps.
When using the Transformation Center service, you can assign and manage permissions on a service and container (objectives) level. While you can create KPIs within objectives, these permissions are managed as part of the objective permissions.
Transformation Center service permissions
Admins can assign and manage the following Transformation Center service permissions in the Celonis Platform:
View Objective (Viewer) - The user can view existing objectives.
Create Objective (Analyst) - The user can create an objective.
Edit Objective (Analyst) - The user can edit an existing objective.
Delete Objective (Analyst) - The user can delete an objective.
Create KPI (Analyst) - The user can create and edit KPIs.
Export Content (Analyst) - The user can export KPIs and objectives.
Move to (Analyst) - The user can move content.
Manage permissions (Analyst) - The user can manage service permissions.
Transformation Center objectives permissions
You can assign and manage the following permissions for Transformation Center objectives:
View Objective (Viewer) - The user can view this objective.
Edit Objective (Analyst) - The user can edit this objective.
Create KPI (Analyst) - The user can create and edit KPIs within .
Delete Objective (Analyst) - The user can delete this objective.
Manage permissions (Analyst) - The user can manage the permissions for this objective.
To assign objective permissions within the Transformation Center, click Options - Permissions:
You can assign and manage Transformation Hub permissions on a service level only in the Celonis Platform.
Transformation Hub service permissions
Admins can assign and manage the following Transformation Hub service permissions in the Celonis Platform:
Access Transformation Hub (Analyst) - The user can access the Transformation Hub service.
You can assign and manager User Provisioning permissions on a service level only in the Celonis Platform.
User Provisioning service permissions
User Provisioning service permissions are available when single sign-on (SSO) is enabled for the Celonis Platform team. When enabled, admins can assign and manage the following User Provisioning service permissions in the Celonis Platform:
SCIM (Viewer) - The user can configure SCIM API for user provisioning (If enabled).