Workflows

For any custom permission set, you can assign Workflows to authorize accessing it directly via the REST endpoint or to authorize the business function modeled in the Workflow.

Managing Granted Workflows

• Add Command: Use this to add new Workflow(s) to the Permission Set.
• Revoke Command: Use this to revoke selected Workflow(s) from the Permission Set.
• Add All Command: Grants all workflows to the user (not recommended for production environments).
• Revoke All Command: Revokes all granted Workflows from the Permission Set.

Adding a Workflow will list projections used in the Workflow. This list will be updated at each deployment of the Workflow.

Types of Grants

For more information, refer to Types of Grants.

• Granting External Access

Add a Workflow using the 'Add/Revoke' button and use the 'Grant Access' button to provide external access. The workflow status will then change to 'Granted'. Since external access does not require the projections in the Workflow to be reviewed, the status of the projections will change to 'Not Applicable'.

This can be done for several workflows at the same time by selecting the Workflows.

With the 'Grant External Access to All Workflows' option, external access can be granted to all the Workflows already added to this list.

• Granting Internal Access:

Add a Workflow using the 'Add/Revoke' command. This will list all activities performed in the Workflow in the 'Available Projections' section. Admins must review this information before assigning the internal grant using the 'Grant Access' command. Hence, the status of the projections will change to 'Reviewed' when internal access is given.

• Granting Full Access:

Add a Workflow using the 'Add/Revoke' command and assign 'Full Access' with the 'Grant Access' command.

Note: In the 'Available Projections' section, all projections used in all Workflows will be listed. The standard search functionality of the list can be used to filter the projections used in a given Workflow.

The above diagram represents various states of Workflow grants. Below are some possible scenarios explaining different transitions in the diagram:

Initial State

State: Not Granted/ All APIs not Reviewed

• The Workflow is added to the permission set, but no APIs have been reviewed yet.

• If an External Grant is provided

  • Workflow grant status changes to 'Granted'.

  • The status of all APIs changes to 'Not Applicable' since external access does not require the projections in the Workflow to be reviewed.

  • Refer to Granting External Access.

• If an Internal or Full Grant is provided after a review

  • Workflow grant status changes to 'Granted'.
  • The status of all APIs changes to 'Reviewed'.
  • Refer to Granting Internal Access and Granting Full Access.

Internal/Full Granted State

State: Granted/ All APIs Reviewed

• The APIs are reviewed and the Workflow has either 'Internal' or 'Full' access.

• If an External Grant is provided

  • Workflow grant status changes to 'Granted'.

  • The status of all APIs changes to 'Not Applicable' since external access does not require the projections in the Workflow to be reviewed.

  • Refer to Granting External Access.

• If Workflow is redeployed after adding more projections

  

  • Workflow grant status changes to 'Invalidated' since with the change in the Workflow, the previous grant is not valid anymore.

  • The status of some or all APIs changes to 'Not Reviewed'.

External Granted State

State: Granted/ All APIs Not Applicable

• The Workflow has 'External' access

• If an Internal or Full Grant is provided after a review

  • Workflow grant status changes to 'Granted'.
  • The status of all APIs changes to 'Reviewed'.
  • Refer to Granting Internal Access and Granting Full Access.

• If Workflow is redeployed after adding more projections

  

  • Workflow grant status remains as 'Granted'.
  • The status of all APIs remains as 'Not Applicable'.

Invalidated State

For more details, please refer to the section outlining scenarios in which a grant may have the 'Invalidated' status.

State: Invalidated/ Some or All APIs not reviewed

• The Workflow grant is in the 'Invalidated' state since the already given grant is not valid anymore. The new APIs added are shown as 'Not Reviewed'.

• If an External Grant is provided

  • Workflow grant status changes to 'Granted'.

  • The status of all APIs changes to 'Not Applicable' since external access does not require the projections in the Workflow to be reviewed.

  • Refer to Granting External Access.

• If an Internal or Full Grant is provided after reviewing the changes

  • Workflow grant status changes to 'Granted'.

  • The status of all APIs changes to 'Reviewed'.

  • Refer to Granting Internal Access and Granting Full Access.

Scenarios where a Grant can have the 'Invalidated' Status

Scenarios:

• New Activities Added to a Workflow:

When new activities are introduced into an existing Workflow, the grant may become invalidated.

• Changes to Existing Activities:

If existing activities within a Workflow are modified, the grant may also become invalidated.

Points to Consider:

• Activity Deletion:

When an activity is deleted from a Workflow, the grant status will not change.

• Upgrading to Version 25R1 or Later:

Upon upgrading to version 25R1 or later, all existing Workflow grants will be displayed as 'External' grants.