In Workiva, your ability to access and interact with a feature is set according to your role. Roles allow companies to scope an employee's access to only the tools necessary for their job. Once a role is assigned, access can be further restricted through the use of permissions -- such as the ability to view or edit a particular file.
Chains works much the same, but with one important difference: permissions can be applied to a single chain, an environment, or an entire workspace.
Understanding roles
Chains has three unique roles that can be assigned through the Members section of the Workspace settings screen:
-
Chain Owner: This legacy role grants full access to all Chains settings and objects; it's equivalent to the Workspace Owner role and supersedes all permissions. It can change workspace settings, variables, environments, and connections within the workspace. We recommend only trusted, top-level administrators be assigned this role.
Note: Workspace owners have the same abilities as the Chain Owner role.
-
Chain Builder: The Chain Builder role allows access to the Chains homepage, but nothing else — each team member's abilities are entirely dictated by the permissions they've been assigned. We recommend this role for most team members.
Note: Content managers have the same abilities as the Chain Builder role.
- Chain Security Admin: This role assigns permissions to other users and can designate them as Environment Security Admins. This role can be assigned to a specific environment, a workplace, or the entire organization.
Additionally, there are two unique roles that can be assigned at the org level:
- Org Security Admin: This role can enable and disable connectors for the org.
-
Org Chain Security Admin: This role manages connections and runners across workspaces, and can view the Chains security audit log.
Access granted by each role
| Page within Chains | Ability | Role |
| Connections | View connections |
Chain Owner |
| Connections | Edit connections |
Chain Owner |
| Connections | Create connections |
Chain Owner |
| Connections | Delete connections |
Chain Owner |
| Templates | Edit templates | Chain Owner |
| Templates | Create templates | Chain Owner |
| Templates | Delete templates | Chain Owner |
| Templates | Create/Edit template folders | Chain Owner |
| Templates | View templates |
Chain Owner Chain Builder |
| Templates | View partner templates |
Chain Owner Chain Builder |
| Templates | Edit partner templates | Not Allowed |
| Templates | Create partner templates | Not Allowed |
| Workspace Settings - Runners | View runner details |
Chain Owner |
| Workspace Settings - Runners | Create runners |
Chain Owner |
| Workspace Settings - Runners | Edit runners |
Chain Owner |
| Workspace Settings - Runners | Delete runners |
Chain Owner |
| Workspace Settings - Users & Groups - Users | Edit Security Admin | Chain Security Admin |
| Workspace Settings - Users & Groups - Permissions | View permissions | Environment Security Admin |
| Workspace Settings - Users & Groups - Permissions | Edit permissions | Environment Security Admin |
Understanding permissions
Once roles are assigned, a Chain Security Admin can assign permissions to each user group in the workspace. For most team members, permissions will work hand in hand with the Chain Builder role: Chain Builder grants access to the Chains homepage, and permissions dictate what they can do once there.
In all, there are five permission levels assignable from Chains:
- Viewer: Permission to view chains, but not run, edit, or delete chains.
- Executor: Permission to view and run chains, but not edit or delete chains.
- Editor: Permission to view, run, and edit chains, but not create new chains, or delete existing chains.
- Creator: Permission to view, run, edit, delete, and create chains.
- Admin: Full admin access to chains in the Workspace.
Note: Viewer and Admin permissions cannot be manually assigned at the workspace level. Viewer permission is a default permission given to all members of the workspace, and Admin permission is granted by the user's role.
Access granted by each permission
| Page within Chains | Ability | Permission |
| Chains | View chains | Viewer |
| Chains | Run chains | Executor |
| Chains | Enable or disable chains | Executor |
| Chains | Copy chains | Creator |
| Chains | Create chains | Creator |
| Chains | Create chain from template | Creator |
| Chains | Create template from chain | Creator |
| Chains | Edit chains | Editor |
| Chains | Publish chains | Editor |
| Chains | Promote chains to another environment | Editor (and Creator in the target environment) |
| Chains | Revert chain to prior version | Editor |
| Chains | Add or remove tags | Editor |
| Chains | Delete chains | Admin, Creator |
| Chains | Export chains | Editor |
| Chains | Import chain | Creator (in the target workspace environment) |
| Environments | View environments | Viewer |
| Environments | Edit environments | Creator (on parent workspace) |
| Environments | Create environments | Editor |
| Environments | Delete environments | Admin |
| Resources | View resources | Viewer (on parent environment) |
| Resources | Edit resources | Write (on parent environment) |
| Resources | Create resources | Creator (on parent environment) |
| Resources | Delete resources | Admin (on parent environment) |
| Workspace Settings | Add variables | Editor |
| Workspace Settings | Edit/Delete variables | Editor |