2.6.4 Overview of Role-Based Access Control for MicroTx Workflows

MicroTx Workflows uses hierarchical role-based access control (RBAC) to secure its APIs and operational capabilities. Roles assigned by your identity provider are mapped to MicroTx Workflows roles, so each user receives only the permissions appropriate to the mapped role. This supports robust authorization controls for both system administrators and regular users of MicroTx Workflows.

The roles are ordered by privilege as follows:

READ_ONLY_USER < USER < METADATA_MANAGER < ADMIN < SUPER_ADMIN

Higher-privileged roles automatically inherit permissions granted to lower-level roles. The WORKER role is a specialized runtime role used for task-processing APIs and must be explicitly included in higher-role mappings when task operations are required.

READ_ONLY_USER provides observability-only access to workflows, metadata, connectors, storage, scheduler information, and version APIs. USER extends these capabilities by allowing workflow execution, workflow updates, storage operations, notifications, conversational APIs, and MicroTx runtime operations. METADATA_MANAGER is intended for workflow and platform administrators who manage metadata, connectors, schedulers, and workflow bulk operations. ADMIN provides administrative access to queues, events, secrets, and other platform-level APIs. SUPER_ADMIN has unrestricted access to all APIs and operations across the platform.

In general:

  • GET and READ operations require READ_ONLY_USER
  • Workflow execution and runtime POST operations require USER
  • Metadata and scheduler management require METADATA_MANAGER
  • Administrative and infrastructure operations require ADMIN
  • Full platform access requires SUPER_ADMIN
  • Task-processing APIs require WORKER

This model enables separation of duties between platform administrators, workflow developers, runtime users, and automated worker services, while privileges accumulate only in a controlled way through role inheritance.
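As an added illustration (not MicroTx Workflows' own authorization code), the following Python policy check models the hierarchy above, keeping WORKER outside the inheritance chain so that it must be granted explicitly. The endpoint-to-role table, the deny-by-default rule for unmapped endpoints, and the treatment of a lone WORKER as having no read access are constructed assumptions for this example.

```python
# Illustrative model of the hierarchical RBAC described above. Role names are
# the documented ones; endpoints and the fallback behaviour are constructed.

HIERARCHY = ["READ_ONLY_USER", "USER", "METADATA_MANAGER", "ADMIN", "SUPER_ADMIN"]
RANK = {role: i for i, role in enumerate(HIERARCHY)}

# WORKER is a runtime role outside the hierarchy: it is never inherited by
# higher roles and must be granted explicitly when task operations are needed.
WORKER = "WORKER"

# Constructed examples of the "in general" rules; real endpoint paths differ.
REQUIRED = {
    ("GET", "/workflow/{id}"): "READ_ONLY_USER",
    ("POST", "/workflow"): "USER",
    ("PUT", "/metadata/workflow"): "METADATA_MANAGER",
    ("POST", "/queue/admin"): "ADMIN",
    ("GET", "/tasks/poll/{type}"): WORKER,
}


def is_authorized(granted_roles, method, path):
    """Return True when any granted role satisfies the endpoint's requirement."""
    required = REQUIRED.get((method, path))
    if required is None:
        return False  # unmapped endpoint: deny by default (assumption)
    granted = set(granted_roles)
    if required == WORKER:
        return WORKER in granted  # no inheritance for task-processing APIs
    # Hierarchical check: any granted role ranked at or above the requirement.
    # RANK.get(..., -1) makes a lone WORKER fail every hierarchical check.
    return any(RANK.get(role, -1) >= RANK[required] for role in granted)


def allowed_endpoints(granted_roles):
    """List every mapped endpoint the given roles may call (shows inheritance)."""
    return sorted(
        f"{method} {path}"
        for (method, path) in REQUIRED
        if is_authorized(granted_roles, method, path)
    )


if __name__ == "__main__":
    for roles in (["READ_ONLY_USER"], ["ADMIN"], ["ADMIN", WORKER], [WORKER]):
        print(roles, "->", allowed_endpoints(roles))
```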