Controlling access and permission for Action Flows
Celonis offers a set of controls to allow customers to define which systems can be automated and by whom.
Here's an overview of the different levels on which the controls can be set:
Controls on the system connectivity level allow Administrators to define in which systems the actions can be automated. Different sets of controls can be defined for connections to on-premise and cloud third-party systems.
On-premise systems
Execution of automations in the customer’s on-premise applications, like SAP ECC or Oracle EBS, from Celonis Platform (Celonis Platform) is only possible using Celonis on-prem clients. Installation of on-prem clients on customers' central servers has to be authorized by the IT Administrator. For more information, see Installing.
Cloud systems
Different third party applications deployed within an enterprise environment may require additional processes to be followed in order to enable an end-user to grant Celonis Platform to operate on their behalf see details. To learn more, see Security details
To execute an automation in a third-party system like SAP, it is a prerequisite that a connection to the system has been established and access has been authorized. The connection to the source system can be established using a “service” account. The permissions that were configured for the service account in the source system are respected when doing calls from Celonis Platform to the source system. We advise taking special care when using “service" accounts to provide an Action Flow with elevated authority in source systems, compared to the authority of the Celonis Platform user.
The source system logs contain information about the account that had been used to establish the connection to the system before an action was executed. To learn how to start logging Action Flow events in Celonis Platform, see Audit logs for Action Flows .
Action Flows are built and maintained in Studio. Action Flows can also be executed from inside Studio (one-time triggering). Different levels of controls can be set on user level in Celonis Platform by the Celonis Platform Admin user to control the permissions to create, maintain and execute the Action Flows inside Studio:
Studio access and permissions: “Member” Celonis Platform users don’t have access to Studio and can’t create and maintain Action Flows. Admins can define which Celonis Platform users can have access to Studio. This is described in the next section, Control analyst access to Action Flow assets (Limited Availability).
Action Flows should consider validating inputs coming from Views or Tasks to ensure expected values and permission checks are always correctly enforced at this final step of Action Flow execution.
Package access and permissions: Only users who have “edit” access to a package can create, maintain, or execute Action Flows in that package. Thus, if personal credentials are being used to create the connections in Action Flows, it’s recommended that access to the package containing those Action Flows is limited only to the users whose credentials are being used.
Using the controls on Celonis Platform levels, IT Admins can also define different sets of permissions on sandbox and production environments.
You have the option to control which analysts can access Action Flows to view, edit, and activate them. When you request activation of this feature, we’ll remove access to Action Flows for users with the Analyst role by default. You can enable access for the users or groups that you want in the Action Flow section of the Permissions pane in Admin & Settings.
Users without access can't see Action Flows, and can't activate Action Flows, though they can still publish a package that contains them. Users with the Admin role always have access to Action Flows.
This option is in Limited Availability status. If you’d like us to activate this solution for your team, ask your Celonis point of contact.