In this release, we're introducing a new set of roles and permissions that allow a greater degree of control over the Chain Builder platform. When assigned by a designated administrator, these roles will permit staff members to access only the specific parts of the system required for their job.
This differs from the previous all-or-nothing model which depended entirely on the legacy Chain Owner role. This single role provided full access not just to Chain Builder, but to all Chains settings, admin abilities, and run history.
New roles
Here are the new roles included with this release:
- Org Chain Security Admin (Org level): This role grants access to the Org Admin Panel in Chains where all connections and runners are managed. It must be paired with either the Chain Builder, Chain Security Admin, or Chain Owner role.
- Chain Security Admin (Workspace level): This grants access to the permissions page in Chains. From the permissions page, the Chain Security Admin can set levels of access for each user group in the workspace.
- Chain Builder (Workspace level): This grants access to the Chains product itself, but no other abilities. (Abilities within Chains are now based on the member's user group and permission levels, as set by the Chain Security Admin.)
Additionally, we've placed all existing Chains users into a new user group named Default. This user group is only visible in Chains and will not appear in the rest of Workiva. It cannot be deleted or removed. For more on the Default user group, jump to Step 1.
Overview
This guide will walk you through the steps necessary to establish new roles and permissions in your Chains workspace. This includes how to:
- Create new user groups in your workspace
- Add your staff members to those groups
- Assign appropriate roles to each staff member
- Set permissions for your new user groups
Step 1: Remove permissions from the Default user group
Before establishing new user groups in your workspace, you'll need to remove permissions from the Default user group. Because all new and existing Chains users are automatically placed in this group, we recommend granting this group a very limited set of permissions.
Note: The Chain Security Admin role is required to assign permissions in Chains.
- In Chain Builder, click Settings at the top left.
- From the navigation bar at the top, select Users & Permissions.
- From the Permissions tab, select the Default user group.
- On the right side, uncheck the boxes to remove all permissions. Your changes will save automatically.
Moving forward, all new staff members will be automatically placed in the Default group and have no access to Chains.
Step 2: Create the Chain Owners user group
Now that you've removed permissions from the Default group, you'll need to create new groups and sort your staff members. These groups define the abilities that each person has in your software.
At minimum, you must create a Chain Owners group that permits users to view, run, edit, and create chains.
Here's how:
- From Workiva Home, click Settings at the top left.
- Under Workplace Settings, select the Groups tab.
- Click Create Group on the right side.
- Name this group Chain Owners.
- Now add workspace members to the group by searching for or selecting individuals. Remember that users in this group will have the ability to view, run, edit, and create chains.
- Click the Create Group button to finish.
You'll set the permissions for this group in Step 4.
Note: Need more help? Click here to see our full article on setting up user groups.
Creating additional user groups
You've now set up a Chain Owner group that has complete access to chains. This is the only required group, but you may want to allow other staff members to access chains as well.
In this case, we recommend creating two additional groups:
- Chain viewers: This group has view-only access to Chains.
- Chain runners: This group can view and run chains, but can't modify or create them.
Step 3: Assign new user roles
Now that you've set up user groups for your staff members, you'll need to assign each person an updated role.
Here's what we recommend:
- Remove the Chain Owner role from all Chains users: This legacy role grants admin access to all Chains settings and objects. It is no longer necessary and may allow users unwanted access to your chains.
- Assign the Chain Builder role to all Chains users: The Chain Builder role grants access to the Chains platform itself, but grants no other abilities on it's own. (Abilities are now based on the member's user group and permission level instead.)
- Assign the Chain Security Admin role to at least one person: This role allows the administrator to assign permissions to other users. At least one person should have this ability.
To update your members' roles, follow these steps:
- From Workiva Home, click the People icon at the top left to access the Members screen.
- From the Members screen, check the box next to each person you want to update.
- Click Edit Roles at the top.
- Check to apply a role or uncheck to remove a role. A dash in a checkbox indicates that some of the selected members already have this role.
- Click Apply to finish.
Note: Need more help? Click here to see our full article on changing roles.
Step 4: Set permissions for your new groups
At this point, your staff members should be assigned their new roles and groups. The final step is to assign unique permissions to each group; these permissions, in turn, will decide the level of access granted to each staff member.
Note: The Chain Security Admin role is required to assign permissions in Chains.
Here's how to assign permissions:
- In Chain Builder, click Settings at the top left.
- From the navigation bar at the top, select Users & Permissions.
- From the Permissions tab, select the Chain Owners group.
- Under Permissions on the right side, place a checkmark under Creator. Your changes will save automatically.
At this point, you've finished applying permissions to the Chain Owners group. If you created the optional Chain Viewers or Chain Runners groups, repeat this step and choose the appropriate permissions for that group.
Understanding permission levels
Permission levels in Chains are leveled and correlated, meaning some permissions are automatically enabled when a higher-level permission is enabled. For instance, the Creator permission will automatically grant the Executor and Editor permission.
Please note that not all checkboxes can be selected within a workspace.
| Permission | Abilities granted |
| Viewer | Permission to view chains, but not run or edit them. (Not assignable here.) |
| Executor | Permission to view and run chains, but not edit or create them. |
| Editor | Permission to view, run, and edit chains, but not create new ones. |
| Creator | Permission to view, run, edit, and create chains. |
| Admin | Full admin access to chains in the Workspace. (Not assignable here.) |
Note: Viewer and Admin permissions cannot be assigned at the Workspace level. Viewer permission is a default permission given to all members of the workspace, and Admin permission is granted by the user's role.
FAQ
Is this required?
There are no forced changes included in this release. The only difference you may notice is the addition of a new user group named "Default" within your Chains settings. This group is made up entirely of existing chain users, and its permissions have been automatically set to ensure your workflow is not interrupted.
If you're happy with the old permission model, then you can ignore this new group and continue as normal.
Can I assign permissions to individual chains?
Yes, but this does require Environment Security Admin rights in the chain's parent environment.