Define Flow Role Permissions with GAT Flow

Define Flow Role Permissions with GAT Flow #

Flow roles give Google Workspace administrators precise control over what non-admin users can do within GAT Flow.

Custom Flow Roles: The Flow administrator can create specialized roles with specific permissions. The access can be granted to a specific section of Flow or Specific actions within the section.

All those roles/permissions can be mixed and matched, and the access to the tool can be set up at a very granular level.

Delegate Flow: Once you’ve created custom roles, you can assign them to specific users or groups using the Delegate Flow feature. This gives those users access to the Flow functions that their role permits.

Flexible Permissions: Flow roles can be very granular. You can give users access to specific Flow features, or to all of them. This allows you to tailor permissions to the exact needs of each user or group.

For example, you could give someone access to:

• Only the Users module: They can manage users directly, but can’t create workflows, events, or recurring workflows.
  • Access to Users can also be adjusted so the Admin (delegated user) can Edit the user, but not Delete or Create
• Only the Groups module: They can manage groups but nothing else, and can not access the Users module or Event or Recurring workflows.
  • Access to Groups can also be adjusted so the Admin (delegated user) can create a group, but not delete it.
• Only the Event workflow module – The User can manage Event workflows
  • Access to event workflows can also be adjusted so the admin (delegated user) can create event workflows but not delete or edit them.
• Specific actions within a module: Maybe they can edit users, but can’t delete them.

This granular control means you can tailor each person’s access to exactly what they need in their role.

Core Flow Modules and Permissions #

• Flow – Grants permission to workflow, event workflow, recurring workflow, and action set.
• Workflow – Grants permission to view, create, delete, and edit workflows.
  • Workflow results – Grants permission to view workflows.
  • Create workflow – Grants permission to create workflows, save, and delete drafts.
• Event workflow – Grants permission to view, create, delete, and edit event workflows.
  • View – Grants permission to view event workflows.
  • Create – Grants permission to create event workflows.
  • Delete – Grants permission to delete event workflows.
  • Edit – Grants permission to edit event workflows.
• Recurring workflow – Grants permission to view, create, delete, and edit recurring workflows.
  • View – Grants permission to view recurring workflows.
  • Create – Grants permission to create recurring workflows.
  • Delete – Grants permission to delete recurring workflows.
  • Edit – Grants permission to edit recurring workflows.
• Action set – Grants permission to view, create, delete, and edit action sets.
  • View – Grants permission to view action sets.
  • Create – Grants permission to create action sets.
  • Delete – Grants permission to delete action sets.
  • Edit – Grants permission to edit action sets.

User – Access to the User module #

• User – Grants permission to view, create, delete, and edit users in the Flow user module.
  • View – Grants permission to display users in the Flow user module.
  • Create – Grants permission to create users in the Flow user module.
  • Delete – Grants permission to delete users in the Flow user module.
  • Extract e-mails – Grants permission to extract emails from the user mailbox in the Flow user module.
  • Edit – Grants permission to edit every user field in the Flow user module.
    • Edit general – Grants permission to edit user general fields (Name, Surname, Primary Org., Gender, Global directory, Contacts, Recovery phone/email, Private email) in the Flow user module.
    • Edit org. Unit – Grants permission to edit the user org. unit field in the Flow user module.
    • Edit Admin – Grants permission to edit the user admin field in the Flow user module.
    • Edit groups – Grants permission to edit user groups in the Flow user module.
    • Edit password – Grants permission to edit the user password in the Flow user module.
    • Edit suspension – Grants permission to edit user suspension in the Flow user module.
    • Edit email address – Grants permission to edit the user’s email address in the Flow user module.
    • Edit email aliases – Grants permission to edit user email aliases in the Flow user module.
    • Edit email filters – Grants permission to edit user email filters in the Flow user module.
    • Edit email signature – Grants permission to edit user email signatures (Send as) in the Flow user module.
    • Edit email delegations -Grants permission to edit user email delegations in the Flow user module.
    • Edit email forwarding – Grants permission to edit user email forwarding in the Flow user module.
    • Edit auto-reply – Grants permission to edit the user’s auto-reply in the Flow user module.
    • Edit custom attributes – Grants permission to edit user custom attributes in the Flow user module.
    • Edit licenses – Grants permission to edit user licenses in the Flow user module.

Group – Access to the Group module #

• Group – Grants permission to view, create, delete, and edit groups in the Flow group module.
  • View – Grants permission to display groups in the Flow group module.
  • Create – Grants permission to create groups in the Flow group module.
  • Delete – Grants permission to delete groups in the Flow group module.
  • Edit – Grants permission to edit every group field in the Flow group module.
    • Edit general – Grants permission to edit group general fields (Name, Description) in the Flow group module.
    • Edit members – Grants permission to edit group members in the Flow group module.
    • Edit email address – Grants permission to edit the group email address in the Flow group module.
    • Edit email aliases –  Grants permission to edit group email aliases in the Flow group module.
    • Edit email signature – Grants permission to edit group email signature in the Flow group module.
    • Edit settings – Grants permission to edit group settings in the Flow group module.
    • Edit Flow dynamic groups – Grants permission to edit the group flow dynamic group settings in the Flow group module.

Organizational unit – Access to the Organization Units module #

• Organizational unit – Grants permission to view, create, delete, and edit org. units in the Flow org. unit module.
  • View – Grants permission to display org. units in the Flow org. unit module.
  • Create – Grants permission to create org. units in the Flow org. unit module.
  • Delete – Grants permission to delete org. units in the Flow org. unit module.
  • Edit – Grants permission to edit every org. unit field in the Flow org. unit module.
    • Edit general – Grants permission to edit org. unit general fields (Description) in the Flow org. unit module.
    • Edit org. unit path – Grants permission to edit org. unit path in the Flow org. unit module.
    • Edit members – Grants permission to edit org. unit members in the Flow org. unit module.

Custom attributes – Access to the custom attributes module #

• Custom attributes – Grants permission to view, create, delete, and edit custom attributes in the Flow custom attribute module.
  • View – Grants permission to display custom attributes in the Flow custom attribute module.
  • Create – Grants permission to create custom attributes in the Flow custom attribute module.
  • Delete – Grants permission to delete custom attributes in the Flow custom attribute module.
  • Edit – Grants permission to edit every custom attribute field in the Flow custom attribute module.

Classroom – Access to the Classroom module #

• Classroom – Grants permission to view, create, delete, and edit classrooms in the Flow classroom module.
  • View – Grants permission to display org. units in the Flow classroom module.
  • Create – Grants permission to create org. units in the Flow classroom module.
  • Delete – Grants permission to delete org. units in the Flow classroom module.
  • Edit – Grants permission to edit every org. unit field in the Flow classroom module.
    • Edit general –
      Grants permission to edit classroom general fields (Name, Description, Section, Room) in the Flow classroom module.
    • Edit owner – Grants permission to edit the classroom owner in the Flow classroom module.
    • Edit state – Grants permission to edit classroom state in the Flow classroom module.
    • Edit members – Grants permission to edit classroom members (Students and Teachers) in the Flow classroom module.
    • Edit guardians – Grants permission to edit students’ guardians in the Flow classroom module.

Flow HR – Access to the Flow HR module

• Flow HR – Grant permission to view tree charts, view domain info, and export tree charts in the Flow HR module (only available for Enterprise domains)
  • View Grant permission to view tree charts in the Flow HR Module
  • View domain info – grant permission to view domain info in the Flow HR module
  • Export Flow HR – grant permission to export the tree chart in the Flow HR module

Chat – Access to Chat module

• Chat – Grant permission to view, create, delete, or edit Google Chat spaces in the Flow Chats module
  • View – grant permission to view cats in the Flow chats module
  • Create – grant permission to create chats in the Flow chats module
  • Delete – grant permission to delete chats in the Flow chats module
  • Edit – grant permission to edit every chat field in the Flow chats module
    • Edit general – grant permission to edit chat general fields in the Flow chats module
    • Edit members – grant permission to edit chat members in the Flow chats module
    • Edit settings – grant permission to edit chat settings in the Flow chats module

Calendar – Access to the Calendar module in Flow

• Calendar – grant permission to view, create, delete, and edit calendars in the calendar module
  • View – grant permission to display calendars in the calendars module
  • Create – grant permission to create calendars in the calendars module
  • Delete calendars – grant permission to delete calendars in the calendars module
  • Wipe calendars – grant permission to wipe calendars in the calendars module
  • Delete events – grant permission to delete events in calendars in the calendars module
  • Edit – grant permission to create calendars in the calendars module
    • Edit general – grant permission to edit the calendar general field in calendars in the calendars module
    • Edit members (ACL) – grant permission to edit calendar members (ACL) in the calendars module
    • Edit event attendees – grant permission to edit event attendees in the calendars module

In summary: #

• Flow roles provide a way to manage what non-admin users can do in Flow.
• Custom roles can be created to fit the specific needs of your organization.
• Delegate Flow is used to assign roles to users or groups.

By using Flow roles, you can ensure that users only have access to the Flow features they need, while still maintaining the security and integrity of your data.

How to implement #

Create a Custom Flow role #

Navigate to Flow > Configuration > Define roles > New Role 

The menu will display where any permissions can be selected and a custom role created.

Enter a role name and pick all the permissions you want.

Click to Create at the bottom to create the role

Result of the Custom Role #

As a result, a Flow role will be created.

This custom role can then be assigned to any user via the Delegate Role.

Activate the Custom Flow role #

Navigate to Flow > Configuration > Delegate Role

Fill in the details for the custom Flow role

• User – select the user for the Flow role
• Role – Select the custom Flow role needed
• Active – enable or disable the role
• Valid to – select the valid date until the Role is active.
• Create – Click to Save the custom Flow role

The result of the Delegated access #

When the custom Flow role is assigned to the user, they can log in to Flow and access only the sections allowed by the custom Flow role.

The user who is granted Flow access will receive an automated email with details for the access they have been granted.

They will be able to log into Flow and use only the sections allowed by their custom Flow role.

By using Flow roles, you can ensure that users have access to the Flow features they need, maintaining the security and integrity of your data.

Finally, the user will have access to only what the custom Flow role allows.

FAQ #

1: Can I allow a manager to update user passwords without giving them the power to delete the user account?

Yes. GAT Flow permissions are designed for exactly this type of “least-privileged access.” To set this up, you would create a Custom Flow Role and navigate to the User module settings.

• Action: Enable View (so they can see the user list) and Edit password.
• Security: Leave the Delete permission unchecked. This ensures the manager can assist with login issues but cannot accidentally or intentionally remove a user from the Google Workspace domain.

2: What happens if I set a “Valid to” date when delegating a Flow role?

The Valid to field acts as an automatic expiration timer for administrative access. This is particularly useful for temporary projects, seasonal staff, or external auditors.

• Behavior: Once the selected date and time pass, the user’s access to the GAT Flow interface is automatically revoked.
• Benefit: It reduces the “security debt” of forgotten admin privileges, ensuring that users don’t maintain high-level access indefinitely.

3: Can a delegated user create automated workflows if I only give them access to the “Users” module?

No. In GAT Flow, access to modules is strictly compartmentalized.

• The Users module only allows for direct, manual actions on user accounts (like editing a profile or changing an OU).
• To create automated or bulk processes, the user must specifically be granted permissions within the Flow module and the use of Unlock and Security Officer approval(which includes Workflow, Event workflow, or Recurring workflow). If you want them to manage both, you must “mix and match” these permissions when defining their specific Custom Role.