Define Flow Role Permissions with GAT Flow

Flow roles give Google Workspace administrators precise control over what non-admin users can do within GAT Flow.

Getting started #

Custom Flow Roles: The Flow administrator can create specialized roles with specific permissions. The access can be granted to a specific section of Flow or Specific actions within the section.

All those roles/permissions can be mixed and matched and the access to the tool can be set up in a very granular level.

Delegate Flow: Once you’ve created custom roles, you can assign them to specific users or groups using the Delegate Flow feature. This gives those users access to the Flow functions that their role permits.

Flexible Permissions: Flow roles can be very granular. You can give users access to specific Flow features, or to all of them. This allows you to tailor permissions to the exact needs of each user or group.

For example, you could give someone access to:

• Only the Users module: They can manage users directly but can’t create workflows, or event or recurring workflows.
  • Access to Users can also be adjusted so the Admin (delegated user) can Edit the user, but not Delete or Create
• Only the Groups module: They can manage groups but nothing else, and can not access the Users module and Event or Recurring workflows.
  • Access to Groups can also be adjusted so the Admin (delegated user) to Create a group, but not Delete
• Only the Event workflow module – The User can manage Event workflows
  • Access to event workflows can also be adjusted so the admin (delegated user) can create event workflows but not delete or edit them.
• Specific actions within a module: Maybe they can edit users but can’t delete them.

This granular control means you can tailor each person’s access to exactly what they need in their role.

Core Flow Modules and Permissions #

• Flow – Grants permission to workflow, event workflow, recurring workflow, and action set.
• Workflow – Grants permission to view, create, delete, and edit workflows.
  • Workflow results – Grants permission to view workflows.
  • Create workflow – Grants permission to create workflows, and save and delete drafts.
• Event workflow – Grants permission to view, create, delete, and edit event workflows.
  • View – Grants permission to view event workflows.
  • Create – Grants permission to create event workflows.
  • Delete – Grants permission to delete event workflows.
  • Edit – Grants permission to edit event workflows.
• Recurring workflow – Grants permission to view, create, delete, and edit recurring workflows.
  • View – Grants permission to view recurring workflows.
  • Create – Grants permission to create recurring workflows.
  • Delete – Grants permission to delete recurring workflows.
  • Edit – Grants permission to edit recurring workflows.
• Action set – Grants permission to view, create, delete, and edit action sets.
  • View – Grants permission to view action sets.
  • Create – Grants permission to create action sets.
  • Delete – Grants permission to delete action sets.
  • Edit – Grants permission to edit action sets.

User – Access to User module #

• User – Grants permission to view, create, delete, and edit users in the Flow user module.
  • View – Grants permission to display users in the Flow user module.
  • Create – Grants permission to create users in the Flow user module.
  • Delete – Grants permission to delete users in the Flow user module.
  • Extract e-mails – Grants permission to extract emails from the user mailbox in the Flow user module.
  • Edit – Grants permission to edit every user field in the Flow user module.
    • Edit general – Grants permission to edit user general fields (Name, Surname, Primary Org., Gender, Global directory, Contacts, Recovery phone/email, Private email) in the Flow user module.
    • Edit org. Unit – Grants permission to edit user org. unit field in the Flow user module.
    • Edit Admin – Grants permission to edit the user admin field in the Flow user module.
    • Edit groups – Grants permission to edit user groups in the Flow user module.
    • Edit password – Grants permission to edit user password in the Flow user module.
    • Edit suspension – Grants permission to edit user suspension in the Flow user module.
    • Edit email address – Grants permission to edit the user email address in the Flow user module.
    • Edit email aliases – Grants permission to edit user email aliases in the Flow user module.
    • Edit email filters – Grants permission to edit user email filters in the Flow user module.
    • Edit email signature – Grants permission to edit user email signatures (Send as) in the Flow user module.
    • Edit email delegations -Grants permission to edit user email delegations in the Flow user module.
    • Edit email forwarding – Grants permission to edit user email forwarding in the Flow user module.
    • Edit auto-reply – Grants permission to edit user auto-reply in the Flow user module.
    • Edit custom attributes – Grants permission to edit user custom attributes in the Flow user module.
    • Edit licenses – Grants permission to edit user licenses in the Flow user module.

Group – Access to Group module #

• Group – Grants permission to view, create, delete, and edit groups in the Flow group module.
  • View – Grants permission to display groups in the Flow group module.
  • Create – Grants permission to create groups in the Flow group module.
  • Delete – Grants permission to delete groups in the Flow group module.
  • Edit – Grants permission to edit every group field in the Flow group module.
    • Edit general – Grants permission to edit group general fields (Name, Description) in the Flow group module.
    • Edit members – Grants permission to edit group members in the Flow group module.
    • Edit email address – Grants permission to edit the group email address in the Flow group module.
    • Edit email aliases –  Grants permission to edit group email aliases in the Flow group module.
    • Edit email signature – Grants permission to edit group email signature in the Flow group module.
    • Edit settings – Grants permission to edit group settings in the Flow group module.
    • Edit Flow dynamic groups – Grants permission to edit group Flow dynamic group settings in the Flow group module.

Organizational unit – Access to Organization units module #

• Organizational unit – Grants permission to view, create, delete, edit org. units in the Flow org. unit module.
  • View – Grants permission to display org. units in the Flow org. unit module.
  • Create – Grants permission to create org. units in the Flow org. unit module.
  • Delete – Grants permission to delete org. units in the Flow org. unit module.
  • Edit – Grants permission to edit every org. unit field in the Flow org. unit module.
    • Edit general – Grants permission to edit org. unit general fields (Description) in the Flow org. unit module.
    • Edit org. unit path – Grants permission to edit org. unit path in the Flow org. unit module.
    • Edit members – Grants permission to edit org. unit members in the Flow org. unit module.

Custom attributes – Access to custom attributes module #

• Custom attributes – Grants permission to view, create, delete, and edit custom attributes in the Flow custom attribute module.
  • View – Grants permission to display custom attributes in the Flow custom attribute module.
  • Create – Grants permission to create custom attributes in the Flow custom attribute module.
  • Delete – Grants permission to delete custom attributes in the Flow custom attribute module.
  • Edit – Grants permission to edit every custom attribute field in the Flow custom attribute module.

Classroom – Access to Classroom module #

• Classroom – Grants permission to view, create, delete, and edit classrooms in the Flow classroom module.
  • View – Grants permission to display org. units in the Flow classroom module.
  • Create – Grants permission to create org. units in the Flow classroom module.
  • Delete – Grants permission to delete org. units in the Flow classroom module.
  • Edit – Grants permission to edit every org. unit field in the Flow classroom module.
    • Edit general –
      Grants permission to edit classroom general fields (Name, Description, Section, Room) in the Flow classroom module.
    • Edit owner – Grants permission to edit classroom owner in the Flow classroom module.
    • Edit state – Grants permission to edit classroom state in the Flow classroom module.
    • Edite members – Grants permission to edit classroom members (Students and Teachers) in the Flow classroom module.
    • Edit guardians – Grants permission to edit students’ guardians in the Flow classroom module.

In summary: #

• Flow roles provide a way to manage what non-admin users can do in Flow.
• Custom roles can be created to fit the specific needs of your organization.
• Delegate Flow is used to assign roles to users or groups.

By using Flow roles, you can ensure that users only have access to the Flow features they need, while still maintaining the security and integrity of your data.

How to implement #

Create a Custom Flow role #

Navigate to Flow > Configuration > Flow roles > Create role

The menu will be displayed where any permissions can be selected and the custom role created.

Enter a role name and pick all the permissions you want.

Click to Save the role

Result of the Custom Role #

As a result, a Flow role will be created.

This custom role then can be assigned to any user via the Delegate Flow feature.

Activate the Custom Flow role #

Navigate to Flow > Delegate flow > Create role

Fill in the details for the custom Flow role

• User – select the user for the Flow role
• Role – Select the custom Flow role needed
• Active – enable or disable the role
• Valid to – select the valid date until the Role is active.
• Save – Click to Save the custom Flow role

The result of the Delegated access #

When the custom Flow role is assigned to the user, they will be able to log into Flow and only use sections of Flow allowed by the custom Flow role.

The user who is granted Flow access will receive an automated email with details for the access they have been granted.

They will be able to log into Flow and use only the sections allowed by their custom Flow role.

By using Flow roles, you can ensure that users only have access to the Flow features they need, maintaining the security and integrity of your data.

Finally, the user will have access to only what the custom Flow role allows.

• Workflow – permission to view, create, delete, and edit workflows.
• Workflow result –  permission to view workflows.
• Create workflow – permission to create workflows, save and delete drafts.
• User – permission to view, create, delete, and edit users in the Flow user module.
• Group view – permission to display groups in the Flow group module.
• Group create permission to create groups in the Flow group module.
• Group – Edit general, members’ email addresses, email aliases, edit settings, and edit flow dynamic groups.