For modern enterprises, automation is the engine of efficiency. But for automation to truly scale, it must evolve from a specialized tool managed by a few experts into a collaborative capability shared across IT, security, and the business as a whole. The challenge for leadership isn’t just building more automations—it’s doing so with a governance model that scales.

To help our customers drive their automation journeys forward with confidence, we are excited to announce the Early Access (EA) release of Folder-Level Role-Based Access Control (RBAC) and Folder-Scoped Connections for Okta Workflows.

The Vision: Empowering the Enterprise Automation Journey

Our goal is to transform Okta Workflows into a collaborative platform that supports the entire organization. By introducing granular access controls, we are enabling IT teams to move beyond being the primary builders and instead become the strategic enablers who empower every department to automate safely.

With these new controls, you can grant different teams the autonomy to manage their own automation needs while maintaining centralized oversight. Business units—from HR to Finance—can now build and manage their own departmental solutions within a governed environment. This effectively removes the IT bottleneck, freeing up valuable IT resources for other mission-critical tasks while empowering teams across the company to accelerate their digital transformation.

Secure Delegation through Folder-Level RBAC

Security and agility shouldn’t be a trade-off. With Folder-Level RBAC, you can now manage users and resources with precision. Rather than granting broad, org-wide access to the Workflows platform, admins can organize resources into folders—structured by project, department, or geographic region—and assign specific roles within those distinct boundaries. This "walled garden" approach ensures that users have exactly the permissions they need to be productive, without the risk of seeing or modifying resources beyond their scope.


New Roles for Every Persona

In addition to the three previously released roles (Workflows Administrator, Workflows Auditor, and Connection Manager) that provide visibility across the Workflows org as a whole, we’ve released four new folder-level roles:

  • Folder Manager: Acts as the "admin" of a specific folder with full control over all resources and the ability to manage user role assignments for that folder.
  • Folder Editor: Provides full access to create and manage flows, tables, and connections, making it the ideal role for primary automation builders who do not need to manage user access.
  • Folder Runner: Offers read-only access to folder resources while allowing users to manually trigger flows and review execution history for troubleshooting and operational support.
  • Folder Reader: Grants strictly read-only access to view the logic of flows and tables, providing a safe environment for trainees or stakeholders to learn without the risk of making changes.

Mitigating Risk with Scoped Connections

In a complex automation environment, managing access to third-party APIs and service accounts is a top security priority. With the introduction of Folder-Scoped Connections, you can now restrict the use of highly privileged credentials to specific, authorized folders and users.

What this means for your security posture:

  • Enforcing Least Privilege: This allows you to restrict high-privilege connections (like a sensitive HR system) to only the specific teams and folders that require them.
  • Limiting the "Blast Radius": Scoping a connection to a folder helps you ensure that even if a flow is misconfigured or a user makes an error, the potential for escalated privileges is strictly contained within that folder's boundary.
  • Proactive Governance & Visibility: Before assigning a connection to a folder, admins receive a clear view of exactly how many users have access to that folder. This visibility prevents sensitive credentials from being "over-shared" unintentionally.

Taming Automation Sprawl

Expanding access to more teams is powerful, but without the right controls, "automation sprawl" can create visibility gaps that make it difficult for IT to secure every connection and flow. Folder-level management of users and connections provides the logical structure needed to keep your environment organized and secure.

By providing more control over what automations users can build and which resources they can use, organizations can maintain a high standard of governance. This means that every flow built is intentional, documented, and aligned with internal policies, even as the volume of active automations grows across the enterprise.

Drive Your Journey Forward

Folder-Level RBAC and Folder-Scoped Connections are available now in Early Access. This release is about providing a secure foundation for exponential growth. Whether you are training new users in a "Reader" capacity to build your future talent pool, or empowering a global DevOps team with "Folder Manager" rights to handle regional tasks, Okta Workflows now gives you the tools to help you scale securely.

Getting Started

  • Explore the roles: Check out our technical documentation for a full breakdown of role bindings and permissions.
  • Organize your resources: We recommend starting by auditing your current flows and organizing them into a folder structure that mirrors your organizational or departmental needs.
  • Audit Your Connections: Use this release as an opportunity to review your global connections. Identify high-privilege service accounts that should be restricted to specific folders to reduce your overall security risk.
  • Onboard New Builders: Leverage the Folder Reader and Folder Runner roles to help safely introduce new team members to Workflows. They can learn by observing existing logic without the risk of making accidental changes to your production flows.
