Managing Celonis Platform permissions
In the Celonis Platform, permissions are used to control who (users) and what (applications and external systems) can access your team and content. Permissions can be assigned on a team or granular level, giving you full control over access to your data and how it’s used.
You can manage the following permission types:
User roles and permissions
A user is an individual who has access to your Celonis Platform team, identified by their unique email address. Depending on your Celonis Platform license, your team has either a defined or an unlimited number of seats to allocate to users.
As an admin, you can view the current allocation of users by clicking Admin & Settings - Users.
Managing user permissions covers the following topics:
User permissions and team roles: When a user is invited to your team, they are allocated one of three user roles (Admin, Analyst, or Member). These roles control which permissions that user holds within your team, with the Admin role giving access to all settings and content.
To learn more about user permissions and team roles, see: User and team roles.
Variable admin permissions: By default, a user with team admin permissions has access to all features and settings within your Celonis Platform. Admins can manage users, edit team security settings, and update service permissions. However, you may want some users to perform only a subset of those admin tasks, such as managing users or content only. To achieve this, you can assign variable admin permissions to users and groups within your Celonis Platform.
To learn more about variable admin permissions, see: Variable admin permissions.
Granular user permissions: You can assign granular permissions at the service, container, and object levels within your Celonis Platform team. These levels form a hierarchy, with the highest level (the service level) overriding any conflicting setting at the container or object level.
To learn more about granular permissions for service, container, and object, see: Available permissions.
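As an added illustration (not Celonis code), the small resolver below applies the hierarchy just described: a decision recorded at the service level wins over a conflicting one at the container or object level. The permission names are constructed, and the assumption that the container level likewise outranks the object level is mine, not stated on this page.

```python
from typing import Optional

# Levels from highest to lowest; the service level always decides first.
LEVELS = ("service", "container", "object")

# An assignment records explicit decisions per level: True = granted, False = denied.
# A permission absent at a level was never set there and falls through to the next level.
Assignment = dict[str, dict[str, bool]]


def resolve(assignment: Assignment, permission: str) -> tuple[bool, Optional[str]]:
    """Return (effective decision, level that decided it).

    Walk the levels from the top; the first explicit decision wins, so a
    service-level deny overrides an object-level grant and vice versa.
    A permission set nowhere is denied (secure default)."""
    for level in LEVELS:
        decisions = assignment.get(level, {})
        if permission in decisions:
            return decisions[permission], level
    return False, None


def conflicts(assignment: Assignment) -> dict[str, tuple[bool, Optional[str]]]:
    """Report permissions set differently at two or more levels, together with
    the decision that actually takes effect. Handy when auditing why a user can
    (or cannot) do something despite what the object-level setting suggests."""
    seen: dict[str, set[bool]] = {}
    for level in LEVELS:
        for perm, granted in assignment.get(level, {}).items():
            seen.setdefault(perm, set()).add(granted)
    return {perm: resolve(assignment, perm) for perm, values in seen.items() if len(values) > 1}


# Constructed sample: EDIT_PACKAGE is granted on the object and container, but denied
# at the service level, so the service-level deny is what takes effect.
ANALYST: Assignment = {
    "service": {"EDIT_PACKAGE": False},
    "container": {"VIEW_PACKAGE": True, "EDIT_PACKAGE": True},
    "object": {"EDIT_PACKAGE": True},
}

# Constructed sample with nothing set at the service level: the container decides (assumption).
MEMBER: Assignment = {
    "container": {"EDIT_PACKAGE": False},
    "object": {"EDIT_PACKAGE": True},
}

if __name__ == "__main__":
    for perm in ("EDIT_PACKAGE", "VIEW_PACKAGE", "DELETE_PACKAGE"):
        allowed, level = resolve(ANALYST, perm)
        print(f"{perm}: {'granted' if allowed else 'denied'} (decided at {level})")
    print("conflicts:", conflicts(ANALYST))
```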
Application and external systems permissions
In addition to individual users, you can also assign and manage permissions for applications and external systems such as identity providers and data sources.
You can assign and manage permissions for applications and external systems in the following ways:
OAuth 2.0: OAuth 2.0 is an industry-standard framework that allows different applications to securely interact with each other on behalf of users without sharing sensitive credentials. To enable this, you can create an OAuth client and then define the scopes assigned to that client. These scopes allow you to manage who or what has access to your Celonis Platform features such as Studio, User Provisioning, and audit logs. This is based on the security principle of least privilege, so that an OAuth client gets only the required privilege to perform a certain task and not more.
For more information about OAuth 2.0, see: Using OAuth 2.0.
Application keys: Creating an application lets you grant access and permissions to an application of your own, whether it runs within your Celonis Platform team or externally. Once created, an application must be granted the permissions it needs within your Celonis Platform; by default, a new application has no permissions set.
For more information about application keys, see: Application keys.
API keys: Using API keys is an effective and secure method of communicating between your Celonis Platform and external systems, such as an identity provider. API keys are created within an individual user profile in your Celonis Platform team, and a key's permissions mirror those of the user who created it.
For more information about API keys, see: API keys.