Flow Studio
Identity Capability Overview
How workflow nodes query the Passport IAM system — looking up users, resolving roles, checking permissions, and reading the execution actor from $context.actorId.
What Identity Nodes Do
Identity nodes bridge Flow Studio workflows with the Passport IAM service. Instead of hard-coding user IDs or role lists, workflows dynamically resolve identities at runtime — making them portable across tenants and environments.
Available Identity Nodes
| Node Type | Purpose | Output |
|---|---|---|
| UserLookupNode | Resolve a user by email, employeeId, or username | { userId, email, displayName, roles } |
| RoleMembersNode | Get all active users in a named role | { members: [{ userId, email, displayName }] } |
| PermissionCheckNode | Assert that a user holds a permission; the node fails on a miss | No data output; routes to the error port on failure |
Actor Context
Every execution has an actor — the user (or managed identity) that triggered it. The actor is available in all expression contexts without any node lookup:
// Available in any expression field
$context.actorId // string UUID of the actor
$context.actorEmail // actor's primary email
$context.actorName // actor's display name
Passport IAM Integration
WorkflowNode (UserLookup / RoleMembers / PermissionCheck)
│
▼
IPassportClient.QueryAsync(request, tenantId)
│
▼
Passport IAM Service
├── User directory
├── Role registry
└── Permission graph
Tenant scoping: All identity queries are automatically scoped to the execution's tenant. A workflow running for tenant-acme can only resolve users and roles within tenant-acme. Cross-tenant queries are blocked at the IPassportClient level.
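The node table above and the tenant-scoping rule, shown together as one added example (this is illustration code, not Flow Studio or Passport code): a hypothetical TenantScopedPassportClient decorator that pins every query to the execution tenant in front of any IPassportClient, and a PermissionCheckNode that checks the execution actor taken from the context and returns the port the engine should follow. Only the IPassportClient.QueryAsync(request, tenantId) signature comes from the page; PassportRequest, PassportResponse, UserRecord, FlowContext, InMemoryPassportClient, the sample directory entries and the "success"/"error" port names are assumptions made for this example.

```csharp
// Added example, not Flow Studio or Passport code. Only IPassportClient.QueryAsync(request, tenantId)
// comes from the page; every other type and name below is a hypothetical stand-in for this illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

public enum QueryKind { UserLookup, RoleMembers, PermissionCheck }

public sealed record PassportRequest(QueryKind Kind, string Subject, string? Permission = null);
public sealed record UserRecord(string UserId, string Email, string DisplayName, string[] Roles, string[] Permissions);
public sealed record PassportResponse(bool Ok, IReadOnlyList<UserRecord> Users, string? Error = null);

public interface IPassportClient
{
    Task<PassportResponse> QueryAsync(PassportRequest request, string tenantId);
}

// Mirrors $context.actorId / actorEmail / actorName plus the tenant the execution runs for.
public sealed record FlowContext(string TenantId, string ActorId, string ActorEmail, string ActorName);

// Constructed in-memory directory standing in for the Passport IAM service (sample data only).
public sealed class InMemoryPassportClient : IPassportClient
{
    private readonly Dictionary<string, UserRecord[]> _directory = new()
    {
        ["tenant-acme"] = new[] { new UserRecord("u-1", "alice@acme.example", "Alice", new[] { "approver" }, new[] { "invoice:approve" }),
                                  new UserRecord("u-2", "bob@acme.example", "Bob", new[] { "viewer" }, new[] { "invoice:read" }) },
        ["tenant-beta"] = new[] { new UserRecord("u-9", "carol@beta.example", "Carol", new[] { "approver" }, new[] { "invoice:approve" }) },
    };

    public Task<PassportResponse> QueryAsync(PassportRequest request, string tenantId)
    {
        var users = _directory.GetValueOrDefault(tenantId, Array.Empty<UserRecord>());
        // RoleMembers matches on role name; UserLookup and PermissionCheck match on userId or email.
        IReadOnlyList<UserRecord> hits = request.Kind == QueryKind.RoleMembers
            ? users.Where(u => u.Roles.Contains(request.Subject)).ToList()
            : users.Where(u => u.UserId == request.Subject || u.Email == request.Subject).ToList();
        bool ok = request.Kind == QueryKind.PermissionCheck
            ? hits.Any(u => u.Permissions.Contains(request.Permission ?? ""))
            : hits.Count > 0;
        return Task.FromResult(new PassportResponse(ok, hits, ok ? null : $"{request.Kind} failed for {request.Subject}"));
    }
}

// Decorator enforcing the documented rule that every query is scoped to the execution's tenant:
// a tenantId other than the execution tenant is refused here, before the request reaches the directory.
public sealed class TenantScopedPassportClient : IPassportClient
{
    private readonly IPassportClient _inner;
    private readonly string _executionTenant;

    public TenantScopedPassportClient(IPassportClient inner, string executionTenant)
        => (_inner, _executionTenant) = (inner, executionTenant);

    public Task<PassportResponse> QueryAsync(PassportRequest request, string tenantId)
    {
        if (!string.Equals(tenantId, _executionTenant, StringComparison.Ordinal))
            return Task.FromResult(new PassportResponse(false, Array.Empty<UserRecord>(),
                $"cross-tenant query blocked: execution tenant is {_executionTenant}, requested {tenantId}"));
        return _inner.QueryAsync(request, tenantId);
    }
}

// PermissionCheckNode emits no data; it only tells the engine which port to follow.
public sealed class PermissionCheckNode
{
    private readonly string _permission;
    public PermissionCheckNode(string permission) => _permission = permission;

    public async Task<(string Port, string? Reason)> ExecuteAsync(FlowContext ctx, IPassportClient passport)
    {
        // The subject is the execution actor taken from the context, not a value supplied by a node input.
        var response = await passport.QueryAsync(
            new PassportRequest(QueryKind.PermissionCheck, ctx.ActorId, _permission), ctx.TenantId);
        return response.Ok ? ("success", null) : ("error", response.Error);
    }
}

public static class Program
{
    public static async Task Main()
    {
        var directory = new InMemoryPassportClient();
        var node = new PermissionCheckNode("invoice:approve");
        // Alice in tenant-acme holds invoice:approve: success port.
        var alice = new FlowContext("tenant-acme", "u-1", "alice@acme.example", "Alice");
        Console.WriteLine(await node.ExecuteAsync(alice, new TenantScopedPassportClient(directory, "tenant-acme")));

        // Bob in tenant-acme lacks it: the node fails and routes to the error port.
        var bob = alice with { ActorId = "u-2", ActorEmail = "bob@acme.example", ActorName = "Bob" };
        Console.WriteLine(await node.ExecuteAsync(bob, new TenantScopedPassportClient(directory, "tenant-acme")));

        // A context naming tenant-beta inside an execution scoped to tenant-acme is refused before the
        // directory is consulted, so Carol's approver grant in tenant-beta cannot satisfy the check.
        var spoofed = new FlowContext("tenant-beta", "u-9", "carol@beta.example", "Carol");
        Console.WriteLine(await node.ExecuteAsync(spoofed, new TenantScopedPassportClient(directory, "tenant-acme")));
    }
}
```

Two design points carry over to a real implementation: the node reads the subject from the execution context, which the engine populates, rather than from a node input an author could point at someone else's userId; and the tenant check lives in the client wrapper rather than in each node, so every identity node shares one enforcement point and a new node type cannot forget it.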