Object-centric process mining service permissions
Celonis controls access to object-centric process mining (OCPM) through roles and data pool permissions. These determine who can view, edit, and publish objects, events, transformations, and perspectives.
Available roles and permissions
The following standard roles are available:
Admins: Admins have full access across the team. This includes:
View, edit, and publish all objects, events, transformations, and perspectives.
Manage object-centric data models in any data pool.
Configure environments and permissions.
Analysts (edit permissions): Analysts with edit permissions for a data pool can:
View and edit all objects, events, transformations, and perspectives in that data pool.
Publish changes to development and production environments.
If object-centric data models are enabled for all data pools, analysts need edit permissions for each data pool they are allowed to work in.
Analysts (view permissions): Analysts with view permissions for a data pool can:
View objects, events, transformations, and perspectives.
This role is suitable for review or read-only access.
Members: View-only permissions. Member permissions mean that members:
Cannot access objects, events, transformations, or perspectives directly.
Can use applications and assets built on published perspectives.
Data access and security considerations
When working with a single OCPM data pool, it is not possible to restrict analysts’ access to specific objects, processes, or events in the Objects and Events dashboard.
If you need to protect sensitive data during modeling:
Enable object-centric process mining for multiple data pools.
Assign analysts access only to the data pools containing the data they are permitted to work with.
Use separate object-centric data pools to enforce strict data separation.
Setting data permissions for a perspective
You can apply data permissions to individual perspectives, similar to case-centric models. These permissions allow you to:
Restrict data visibility for end users.
Apply user or group filters (for example, limiting data to a specific region or business unit).
These restrictions apply when users interact with apps or analyses built on the perspective.
To set the data permissions for a perspective:
Click Data - Data Integration and select the data pool where you're working with objects and events.
Find the perspective in the Data Models section of the data pool, and choose Data Permissions from the context menu.
Click Add user or group. Click the name of a user or group in the listing to add them.
Select the user or group name and click Add Rule.
Click Select and choose a column. Type all permitted values from that column, and click Save.
Add further rules in the same way. The rules have an AND relationship - users must have permission under all rules that apply to an object to view its data. If a user can’t see an object, they also can’t see objects that are connected to it by a relationship, unless they are connected to other objects that they can see.
Important
If your perspective contains any standalone objects, or any distinct groups of objects that are connected to each other but not to other groups, check your data permissions carefully. Rules that you set on a group of interconnected objects apply to the objects in the group, but don't apply to objects and groups that are not connected to them.
For example, if your perspective contains these groups of objects:
(A-B-C) (D-E) (F)
Data permissions placed on object F don't affect any of the other objects.
Data permissions placed on objects D and E affect each other, but not A, B, C, and F.
Data permissions placed on objects A, B, and C affect each other, but not D, E, or F.
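One way to check a perspective for groups of objects that no data permission rule reaches, using the (A-B-C) (D-E) (F) layout above. This is an added example, not Celonis code and not a Celonis API: the function names are hypothetical, and the object list, relationship list and list of objects with rules are assumed to be typed in by hand from the perspective.

```python
# Added example, not Celonis code. Object names, relationships and the
# list of objects carrying rules are constructed sample input.
from collections import defaultdict

def connected_groups(objects, relationships):
    """Return the groups of interconnected objects (connected components)."""
    neighbours = defaultdict(set)
    for a, b in relationships:
        neighbours[a].add(b)
        neighbours[b].add(a)
    seen, groups = set(), []
    for start in objects:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(neighbours[node] - group)
        seen |= group
        groups.append(frozenset(group))
    return groups

def unprotected_groups(objects, relationships, ruled_objects):
    """Return the groups in which no object carries a data permission rule."""
    ruled = set(ruled_objects)
    unknown = ruled - set(objects)
    if unknown:
        raise ValueError(f"rules reference unknown objects: {sorted(unknown)}")
    return [sorted(g) for g in connected_groups(objects, relationships)
            if not g & ruled]

# Constructed sample matching the groups (A-B-C) (D-E) (F)
OBJECTS = ["A", "B", "C", "D", "E", "F"]
RELATIONSHIPS = [("A", "B"), ("B", "C"), ("D", "E")]

if __name__ == "__main__":
    # Rules were placed on object B only, so D-E and F stay unrestricted.
    for group in unprotected_groups(OBJECTS, RELATIONSHIPS, ["B"]):
        print("No data permission rule reaches:", ", ".join(group))
```

Any group the function returns needs its own rule if it holds data that end users should not all see.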