Skip to main content

Celonis Product Documentation

Users and roles

To prepare users to work with Orchestration Engine and Make, you need to configure their accounts and set the correct authorizations. The users have to be added to the tenant and assigned to proper user groups with sets of access rights for the roles they will perform.

To achieve this, open the Users and Groups dashboard, which allows you to manage the users’ data for Orchestration Engine. Using the dashboard, you can add, edit, and delete user data. You can also manage users by filtering or sorting by first name, last name, e-mail address, department, or status.

The status types are:

  • Green - the user is active.

  • Gray - the user account is locked.


This diagram shows a high-level view of the relationships between users, groups, and roles:

Adding a new user

To add a new user to Management Dashboard:

  1. Click Add New User.

  2. Fill in all the fields.

    They're all mandatory.

  3. Click Save to add your new user to the user's list.

The user will receive an email invitation to join the tenant.

If you decide to stop adding the new user, you can use the Discard option. It clears all the fields and removes the data you entered.


If the user already had an active account, or is an existing user of a different tenant, they will be visible as an active user right away, without the provisioning status.


To allow your user to access the dashboard, you need to set up the correct access controls. To do this, assign the users to the correct user groups. Every user group can be assigned roles with associated permissions. When you assign a user to a group, you give them the permissions that the roles have.


The default groups for Orchestration Engine are:

User group

Description - level of access and permissions

Access - roles in Orchestration Engine

Access - roles in Make


The users in the viewers group have read access only. They cannot modify anything.

Read access



The users in the editors group can edit Orchestration Engine digital processes and Make scenarios.

Read and edit access

  • Make application developer integromat.app_developer

  • Make scenario editor integromat.scenario_edit


The users in the group can conduct the development tasks, such as creating applications in Make.

Read, edit, and manage access

  • Make application developer integromat.app_developer

  • Make scenario editor integromat.scenario_edit


The users in this group can conduct administration tasks such as adding users to the tenant or creating applications in Make.

Read, edit, manage, and admin access.

  • Make owner

  • integromat.scenario_edit

Adding a new user group


We recommend that you use only the Orchestration Engine user groups that are provided by default.

However, it is possible to create a new user group in the Management Dashboard. The groups are created in the Groups tab. You need to provide a group name with a description, and set the relevant access controls.


When creating a new group, or editing an existing one, you can add the group’s users right away in the Members tab.

Roles and permissions

In the Administration dashboard, under Users and Groups > Access Controls, you can view and assign all the roles available for your tenant users and their specified permissions. This diagram shows the relationship between user groups, roles, access controls, and permissions in Orchestration Engine.


In the dashboard you can view all the roles available for your tenant users and their specified permissions.

To learn more about the way how identity and access management work in Emporix, see Identity and access management (IAM) and IAM Service API documentation.

To learn more about the roles in Make, see Make - Organization Roles.

Synchronizing users between Orchestration Engine and Make


  • The user must be a part of one or more user groups

  • The user must have at least one of these roles assigned within the  user group:

    • integromat.scenario_edit

    • integromat.app_developer

To start the synchronization:

  1. Choose the users that you want to have access to Make and assign them to the right groups as defined in the prerequisites section. The system automatically scans all Orchestration Engine users' permissions and identifies those users who have the integromat.scenario_edit or integromat.app_developer roles.

  2. Add the selected users to your Make organization (tenant). Once the eligible users are identified, the system automatically adds them to the list of authorized users of their corresponding Make organization as member users.

When you add a user to your Make organization, they receive an email notification with instructions how to access and set up their accounts.

To learn more about managing users in Make, see Make - Adding Users to Organizations.


If a user's group membership is modified and the user no longer has one of the two specified roles assigned (Integromat Scenario Editor or Integromat App Developer), the user still retains access to the Make organization. In this case, an administrator should manually remove the user's entry from the Make organization to maintain a consistent and secure environment.

User reports

To check all the permissions given to a specific user, you can use the Generate Report functionality.

  1. Go to OE > Administration > Roles and Permissions.

  2. Choose Generate Report.

  3. Select the tenant user.

  4. Choose Show Selected User.

This shows a summary of all the details relating to the roles of one selected tenant user. If needed, you can export the data as a CSV file.