Skip to main content

Celonis Product Documentation

Apps - Permissions

Responsible: IT / System Administration

General Information

Permissions can be granted on multiple levels within Admin & Settings. Both users and application keys are seen as equivalent regarding permissions as they can take certain actions within Celonis Platform. Permissions regarding Action Flows are handled in the section Automation Permissions.

Studio Permissions
  1. Within Celonis Platform Studio, permissions can be configured on three levels.

    1. Space Level - Permissions

    2. Package Level

    3. Asset Level

  2. The permissions are configurable for each user and each application key that was created.

  3. The permissions only handle available actions within Studio.

App / Connection Permissions
User Connection Permissions

Each use of an App in Action Flows requires a user connection to that service. The connection can be established via:

1. API Key / Application Key


2. Basic authentication with Username & Password


3. OAuth


User Connection Access

The connections you create with your personal credentials are shared within the same Studio package.

Hence, your team can use and delete connections that were created in this package. This way you can easily collaborate across your team to speed up automations. Please follow the Best Practices below to avoid traceability and audibility issues.

If you want to know which permissions are necessary for which app, please check the respective app help page to get more information. Necessary permissions for the different integrations vary. Generally, Action Flows require only the smallest set of permissions to perform a given action. However, some applications do not allow limiting permissions, which is why Action Flows sometimes asks for the complete set of permissions of that application.

After a connection has been established, you can maintain and oversee the already integrated connections and permissions on the Automation Global Pages - User Connections.

Some apps (like SAP) do not show the used permissions, please check the respective App page instead, e.g. SAP - Permissions. If the requirements are not listed, raise a Support ticket to request the information.

For more information on how to restrict Celonis access to your account registered to those services, see the application-specific documentation.

Connection to On-prem System

If the Celonis On-Prem Agent is involved for an On-Prem System, please check Automation Global Pages - Agent to see whether the Agent is running and you are able to reach your On-Prem system.

Before creating the user connection in the App in Action Flows, a system Connections has to be established.

System Connection Access

Each system connection is available to any user of the team that has access to the same Agent.

Best Practices


  1. Use different Application Keys for different Packages and Actions to enable structured permission control as a team admin.

  2. Create Packages closely related to the Permissions as many permission can only be granted and configured on Package level.

  3. Separate Celonis Studio packages per department, as system connections (incl. permissions), are shared within one package.

  4. If a technical user is used to restrict permissions, separate technical users per department.

Permissions for Email Use Case

If you want to implement action flows that automatically send emails to customers or to internal stakeholders, please follow the information below to connect to your own Email accounts. Internal IT might have certain requirements for this action and the following document contains the necessary information to support the decision of which method is feasible.

If you do not find a feasible solution for your IT system, please submit a feature request or get in touch with your contact at Celonis.


Setup options (recommended):

  • General Email

  • Gmail

  • Microsoft 365 Email

  • Other email apps

  • Alternatives:

    • Email by Celonis via Skills

    • Email (SMTP) via Skills

    • HTTP (On-Prem)

General Email App

Additional information: Email

The general email app within Action Flows allows a connection to any email server and can be secured via TLS or self-signed certificates. This makes it easy to configure and can be adjusted to your needs.

Requirements for outgoing SMTP setup:

  • SMTP server from your provider

  • Access to server from cloud must be permitted

Authentication options:

  • SMTP

  • TLS connection

  • Self-signed certificates with the rejection of unauthorized certificates


If you need to allowlist an IP address that will make a request to your SMTP server, please allowlist the cluster IP that your team runs.


Minimum requirement for SMTP

If you need to allow an IP address that will make a request to your SMTP server, please add your the cluster IP to the allow list: Allowlisting domain names and IP addresses

Gmail App

Additional information: Gmail

The Gmail Action Flow app is directly integrated with Google and works with Oauth when using a GSuite account, or a custom OAuth client has to be set up to send emails via Gmail with a standard Gmail account.


  • Google account

Authentication options

  • GSuite through Company account (

    • Authorization via OAuth1 / OAuth2

  • Gmail with personal account (, or

    • Authorization via custom OAuth Client

Specific permissions (when asked for confirmation):

Microsoft 365 Email App

Additional information: Microsoft 365 Email

The Microsoft 365 Email App offers authentication via OAuth and is simple to set up.


  • Microsoft Email 365 Account

Authentication options:

  • Authorization via OAuth1 / OAuth2

Specific permissions necessary for the different actions:

Other Email Apps

Action Flows offer native integrations with many applications that can be used as an email program.

Below are two possible examples with other forms of authentication listed, but this list is not exhaustive. Please refer to the respective documentation pages within Celonis.



  • Mandrill account

Authentication option:

  • API key

Zoho Mail


  • Zoho account

  • Regional Code

Authentication options:

  • Authentication via Username / Password


Many more apps that include similar functionality can be found in Action Flows.


If none of the solutions from above solve the issue, there are more methods to solve it. However, these are more complex and not as easy to maintain.

Email (SMTP) via Skills

Additional information: Email (SMTP)

With SMTP (Agent), you are able to send emails automatically from your own SMTP server which does not need to be accessible from outside your network. This option is needed if the SMTP server is ONLY reachable from within your network.

However, this implementation combines Action Flows with Skills, which makes this solution rather complex and difficult to maintain.


  • Celonis Agent for Skills v0.4.4

  • Live Celonis Agent on your system that is connected to Celonis Platform

  • SMTP server

Authentication options:

  • SMTP

  • TLS connection

  • Self-signed certificates with rejection of unauthorized certificates

Email by Celonis via Skills

The general use case for this module can be seen as testing of new modules. The following template sets up the entire workflow with Action Flows - Send Email by Celonis.


  • None

Authentication options:

  • None


  • Not full control over the server

  • Email domain

  • Max. 100 uses per day

  • Complex setup and maintenance

  • No traceability of sent elements

  • No visibility of bounce messages

  • No request for customer to be blacklisted possible

  • Emails cannot be responded to

HTTP (On-Prem)

Additional information: HTTP (On-Prem)

If you have an internal API endpoint that can be accessed through HTTP to communicate with an internal email server, you can also use that gateway to send emails.


  • Celonis Agent for Action Flows v1.0.1 Agent Setup

  • Live Celonis Agent on your system that is connected to Celonis Platform


  • None