
Celonis Product Documentation

Controlling access and permission for Action Flows

Celonis offers a set of controls to allow customers to define which systems can be automated and by whom.

Here's an overview of the different levels on which the controls can be set:

Controls on the system connectivity level allow Administrators to define in which systems the actions can be automated. Different sets of controls can be defined for connections to on-premise and cloud third-party systems.

On-premise systems

Execution of automations in the customer’s on-premise applications, like SAP ECC or Oracle EBS, from Celonis Execution Management System (EMS) is only possible using Celonis on-prem clients. Installation of on-prem clients on customers' central servers has to be authorized by the IT Administrator. For more information, see Installing on-prem clients.

Cloud systems

Different third-party applications deployed within an enterprise environment may require additional processes to be followed before an end user can authorize Celonis EMS to operate on their behalf. To learn more, see Security details.

To execute an automation in a third-party system like SAP, it is a prerequisite that a connection to the system has been established and access has been authorized. The connection to the source system can be established using a “service” account. The permissions that were configured for the service account in the source system are respected when making calls from EMS to the source system. We advise taking special care when using “service” accounts to provide an Action Flow with elevated authority in source systems, compared to the authority of the EMS user.

The source system logs contain information about the account that was used to establish the connection to the system before an action was executed. To learn how to start logging Action Flow events in EMS, see Audit logs for Action Flows.

Action Flows are built and maintained in Studio. Action Flows can also be executed from inside Studio (one-time triggering). The EMS Admin user can set different levels of controls at the user level in EMS to control the permissions to create, maintain, and execute Action Flows inside Studio:

  • Studio access and permissions: “Member” EMS users don’t have access to Studio and can’t create and maintain Action Flows. Admins can define which EMS users can have access to Studio. This is described in the next section, Control analyst access to Action Flow assets (Limited Availability).

  • Package access and permissions: Only users who have “edit” access to a package can create, maintain, or execute Action Flows in that package. Thus, if personal credentials are being used to create the connections in Action Flows, it’s recommended that access to the package containing those Action Flows is limited only to the users whose credentials are being used.

Using the controls at the EMS level, IT Admins can also define different sets of permissions for sandbox and production environments.

You have the option to control which analysts can access Action Flows to view, edit, and activate them. When you request activation of this feature, we’ll remove access to Action Flows for users with the Analyst role by default. You can enable access for the users or groups that you want in the Action Flow section of the Permissions pane in Admin & Settings.

Take a look at Assigning granular user permissions for more information.

Users without access can't see Action Flows, and can't activate Action Flows, though they can still publish a package that contains them. Users with the Admin role always have access to Action Flows.

This option is in Limited Availability status. If you’d like us to activate this solution for your team, ask your Celonis point of contact.