Skip to main content

Access Control

With Orkes Cloud, your Conductor server may be running in a different hosted environment than your workers. The APIs to run your workflows are exposed on the internet, so controlling access is needed.

To ensure that all workflow executions & worker tasks are only run by authorized users, Orkes has added a layer of Access Control to all parts of the Orchestration workflow lifecycle.


In the context of Access control, an application grants programmatic access to a process or application through access keys. Each application will have its own set of Access Keys. An application can grant access to workflows, tasks or both.

Workflow & Task permissions

When an application is created, tasks and workflows are chosen that can be run under the auspices of the application. There are several roles in the Access Control (Role Based Access Control or RBAC) that can be turned on and off in the UI:

  • Worker: Poll and update Tasks. (Default on)
  • Metadata API: Create and manage Workflow and Task Definitions. (Default off)
  • Application API: Create and manage Applications & Access Keys. (Default off)

Each workflow/task in the application can have different permissions:

  • Read - User can see the workflow/task, but cannot modify or run. Requires Metadata API Role to be on.
  • Execute - Allows the user to run the workflow or task. Requires Worker Role to be on.
  • Update - Allows the user to update to the workflow/task. Requires Metadata API Role to be on.
  • Delete = Allows the user to delete to the workflow/task. Requires Metadata API Role to be on.


Click Applications and then Create Application. To add a Workflow/Task permission, click the + at the top of the Workflow/Task permission table. A box will open, and can be populated with a workflow or task type, the name of the item, and the permission.

permission dialog

Once all of the workflows and tasks have been added, the table will display them all. This application is set for running the order fulfillment codelab.

Note: When adding tasks, you can specify a domain

permissions table

It is possible to add, change and remove workflow/task access from this table.

Access Keys

Once your application's permission levels are created, access must be granted to the application. This is done by generating an Access Key. This will generate a unique Key and Secret that can be used to access the application. These values are only shown once, so keep them in s secure location.

application key and secret

Once a key has been created, the table of Access Keys allows for 2 actions:

  • Pausing the key: Temporarily restrict access. Access can be resumed by "un-pausing" the key access.
  • Delete the key: Permanently remove access. This cannot be undone. A new key will have to be generated.

application key and secret

Using Access Keys

The Access Key & Secret created above can be used to create a Java Web Token (JWT) that is used to authenticate the user, and allow a connection to the Conductor server. All of the Conductor SDKs support this authentication step. When using a Conductor SDK, the Key & Secret is provided to the SDK, and the authentication is handled automatically.

Outside of the SDK, a JWT may be created via an API call. Here's an example call to the Orkes Playground:

curl -s -X "POST" "" \
-H 'Content-Type: application/json; charset=utf-8' \
-d '{"keyId": "<your keyId>","keySecret": "<your secret>"}'

{"token":"<JWT Token>"}

Sending the keyId and Secret generates a JWT. This JWT can be used to make calls to the Conductor instance. The header for authentication is X-Authorization:.

For example, this call to the super_weather workflow uses a JWT token to get the weather in Beverly Hills, CA:

curl -s -X "POST" "" \
-H 'Content-Type: application/json; charset=utf-8' \
-H 'X-Authorization: <JWT Token>'\
-d '{"zip": "90210"}'

Users & Groups

Note: This feature currently only available to Admins of a Conductor instance.

To access Users and Groups, click Users in the left navigation menu.


A user can have the following roles:

  • Admin - Full access to the Conductor instance.
  • User - Access to user's workflows and tasks (and any shared Applications)
  • Metadata Manager - An "admin" for metadata. Can Create/Update/Delete any workflow or task.
  • Workflow Manager - Can Run/pause/rerun any workflow.

Create application user


Groups are a way to quickly share Workflows&tasks amongst your team. Create a new group, and add users with the same permission level for many tasks and workflows.

Each group has 3 tables:

  • Members: The members of the group can be selected from all of the accounts affiliated with the Conductor instance.

Once a group of members has been created, two types of access can be given: Roles and Workflow and Task Permissions.

Note: It is possible to only grant one type of access to a Group - meaning that just roles OR just Workflow and Task Permissions can be added.

Roles: Admin, User, Metadata Manager, Workflow Manager

If a Role is defined for these members, they will all be given this role for the Conductor instance. For example, if Admin is selected, all members of the group are now admins.

Workflow and Task Permissions: Tasks and workflows to be shared amongst the group. The permission levels are the same as for Applications.

When Workflows and Tasks are added to the group, every member of the group will be able to execute these workflows and tasks - allowing easy sharing of processes in the team.