
Celonis Product Documentation

Apps - Permissions

Responsible: IT / System Administration

General Information

Permissions can be granted granularly on multiple levels under Admin and Settings - Permissions. Users and application keys are treated as equivalent with regard to permissions, as both can take certain actions within EMS. Permissions for Action Flows are covered in the section Automation Permissions.

Studio Permissions
  1. Within EMS Studio, permissions can be configured on three levels.

    1. Space Level - Permissions

    2. Package Level

    3. Asset Level

  2. The permissions are configurable for each user and each application key that was created.

  3. The permissions only handle available actions within Studio.

App / Connection Permissions
User Connection Permissions

Each use of an App in Action Flows requires a user connection to that service. The connection can be established via

1. API Key / Application Key


2. Basic authentication with Username & Password


3. OAuth


User Connection Access

The connections you create with your personal credentials are shared within the same Studio package.

Hence, your team can use and delete connections that were created in this package. This way you can easily collaborate across your team to speed up automations. Please follow the Best Practices below to avoid traceability and auditability issues.

If you want to know which permissions are necessary for which app, please check the respective app help page to get more information. Necessary permissions for the different integrations vary. Generally, Action Flows require only the smallest set of permissions to perform a given action. However, some applications do not allow limiting permissions, which is why Action Flows sometimes ask for the complete set of permissions of that application.

After a connection has been established, you can maintain and oversee the already integrated connections and permissions on the Automation Global Pages - User Connections.

Some apps (like SAP) do not show the used permissions; please check the respective App page instead, e.g. SAP - Permissions. If the requirements are not listed, please reach out with a Knowledge request on ServiceDesk.

For more information on how to restrict Celonis access to your account registered to those services, see the application-specific documentation.

Connection to On-prem System

If the Celonis On-Prem Agent is involved for an On-Prem System, please check Automation Global Pages - Agent to see whether the Agent is running and you are able to reach your On-Prem system.

Before creating the user connection in the App in Action Flows, a system connection has to be established; please check Add System Connections.

System Connection Access

Each system connection is available to any user of the team that has access to the same Agent.

Best Practices

Tip

  1. Use different Application Keys for different Packages and Actions to enable structured permission control as a team admin.

  2. Create Packages closely related to the Permissions, as many permissions can only be granted and configured on Package level.

  3. Separate Celonis Studio packages per department, as system connections (incl. permissions) are shared within one package.

  4. If a technical user is used to restrict permissions, separate technical users per department.
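
The best practices above can be checked mechanically against an inventory of who is used where. The following is an added example, not part of the Celonis documentation or product: the inventory format, the principal names and the `audit` function are assumptions, and the sample rows are constructed. It covers the package and department rules (practices 1, 3 and 4), not per-action key separation.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical format, kept by the team admin).
# Columns: principal, kind, Studio package, department using it.
GRANTS = [
    ("key-finance-ap", "application_key", "AP Automation", "Finance"),
    ("key-shared",     "application_key", "AP Automation", "Finance"),
    ("key-shared",     "application_key", "Order Mgmt",    "Sales"),
    ("key-sales-om",   "application_key", "Order Mgmt",    "Sales"),
    ("svc-sap",        "technical_user",  "AP Automation", "Finance"),
    ("svc-sap",        "technical_user",  "Order Mgmt",    "Sales"),
    ("key-hr",         "application_key", "Mixed Package", "HR"),
    ("key-it",         "application_key", "Mixed Package", "IT"),
]


def audit(grants):
    """Return (rule, subject, evidence) tuples for best-practice violations."""
    pkgs_by_key = defaultdict(set)    # practice 1: one key per package
    depts_by_pkg = defaultdict(set)   # practice 3: one department per package
    depts_by_tech = defaultdict(set)  # practice 4: one department per technical user
    for principal, kind, package, dept in grants:
        depts_by_pkg[package].add(dept)
        if kind == "application_key":
            pkgs_by_key[principal].add(package)
        elif kind == "technical_user":
            depts_by_tech[principal].add(dept)

    checks = [
        ("key-shared-across-packages", pkgs_by_key),
        ("package-spans-departments", depts_by_pkg),
        ("technical-user-spans-departments", depts_by_tech),
    ]
    findings = []
    for rule, index in checks:
        for subject, values in sorted(index.items()):
            if len(values) > 1:
                findings.append((rule, subject, sorted(values)))
    return findings


if __name__ == "__main__":
    for rule, subject, evidence in audit(GRANTS):
        print(f"{rule}: {subject} -> {', '.join(evidence)}")
```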

Permissions for Email Use Case

If you want to implement action flows that automatically send emails to customers or to internal stakeholders, please follow the information below to connect to your own Email accounts. Internal IT might have certain requirements for this action and the following document contains the necessary information to support the decision of which method is feasible.

If you do not find a feasible solution for your IT system, please submit a feature request or get in touch with your contact at Celonis.


Setup options (recommended):

  • General Email

  • Gmail

  • Microsoft 365 Email

  • Other email apps

  • Alternatives:

    • Email by Celonis via Skills

    • Email (SMTP) via Skills

    • HTTP (On-Prem)

General Email App

Additional information: Email

The general email app within Action Flows allows a connection to any email server and can be secured via TLS or self-signed certificates. This makes it easy to configure and can be adjusted to your needs.

Requirements for outgoing SMTP setup:

  • SMTP server from your provider

  • Access to server from cloud must be permitted

Authentication options:

  • SMTP

  • TLS connection

  • Self-signed certificates with the rejection of unauthorized certificates

Note

If you need to whitelist an IP address that will make a request to your SMTP server, please whitelist the cluster IP that your team runs on, see Step 2 - Setting up the SAP Extractor Service.

Warning

Minimum requirement for SMTP

If you need to whitelist an IP address that will make a request to your SMTP server, please whitelist the cluster IP that your team runs on: see here

Gmail App

Additional information: Gmail

The Gmail Action Flow app is directly integrated with Google. With a GSuite account it works with OAuth; with a standard Gmail account, a custom OAuth client has to be set up to send emails via Gmail.

Requirements:

  • Google account

Authentication options:

  • GSuite through Company account (@company.com)

    • Authorization via OAuth1 / OAuth2

  • Gmail with personal account (@gmail.com, or googlemail.com):

    • Authorization via custom OAuth Client

Specific permissions (when asked for confirmation):

59048700.png
Microsoft 365 Email App

Additional information: Microsoft 365 Email

The Microsoft 365 Email App offers authentication via OAuth and is simple to set up.

Requirements:

  • Microsoft Email 365 Account

Authentication options:

  • Authorization via OAuth1 / OAuth2

Specific permissions necessary for the different actions:

59048701.png
59048702.png
Other Email Apps

Action Flows offer native integrations with many applications that can be used as an email programme.

Below are two possible examples with other forms of authentication listed, but this list is not exhaustive. Please refer to the respective documentation pages within Celonis.

Mandrill

Requirements:

  • Mandrill account

Authentication option:

  • API key

Zoho Mail

Requirements:

  • Zoho account

  • Regional Code

Authentication options:

  • Authentication via Username / Password

Note

Many more apps that include similar functionality can be found in Action Flows ...

Alternatives

If none of the solutions above solves the issue, there are further methods available. However, these are more complex and not as easy to maintain.

Email (SMTP) via Skills

Additional information: Email (SMTP)

With SMTP (Agent), you are able to send emails automatically from your own SMTP server, which does not need to be accessible from outside your network. This option is needed if the SMTP server is ONLY reachable from within your network.

However, this implementation combines Action Flows with Skills, which makes this solution rather complex and difficult to maintain. Further information regarding the agent architecture can be found at IT Architecture - Agent.

Requirements:

  • Live Celonis Agent on your system that is connected to EMS

  • SMTP server

Authentication options:

  • SMTP

  • TLS connection

  • Self-signed certificates with rejection of unauthorized certificates

Email by Celonis via Skills

The general use case for this module is the testing of new modules. The following template sets up the entire workflow with Action Flows - Send Email by Celonis.

Requirements:

  • None

Authentication options:

  • None

Disadvantages:

  • Not full control over the server

  • Email domain @celonis.com

  • Max. 100 uses per day

  • Complex setup and maintenance

  • No traceability of sent elements

  • No visibility of bounce messages

  • No request for customer to be blacklisted possible

  • Emails cannot be responded to

HTTP (On-Prem)

Additional information: HTTP (On-Prem)

If you have an internal API endpoint that can be accessed through HTTP to communicate with an internal email server, you can also use that gateway to send emails. Further information regarding the agent architecture can be found at IT Architecture - Agent.

Requirements:

  • Live Celonis Agent on your system that is connected to EMS

Authentication:

  • None