Flow Studio
Managed Identities
Service accounts for automated workflow execution — how to create managed identities in Passport, assign them to scheduled/webhook triggers, and what permissions they hold.
What is a Managed Identity?
A managed identity is a non-human identity registered in Passport for use by automated systems. Scheduled workflows, webhook-triggered workflows, and background sub-workflows need an actor — managed identities fill this role without requiring a human user to be online.
Managed Identity vs User
| Aspect | Human User | Managed Identity |
|---|---|---|
| $context.actorType | user | managed-identity |
| Authentication | OAuth/SAML session | Client credentials (secret stored in credential store) |
| Can log into WorkDesk | Yes | No |
| Has email address | Yes | Service email (e.g., svc-payroll@acme-system.com) |
| Can be assigned HIL tasks | Yes | No — HIL tasks always require a human |
| Audit trail | Named user | Named service account |
Assigning to a Trigger
Scheduled trigger config (the managed identity is the actor):

```json
{
  "triggerType": "Schedule",
  "cron": "0 8 * * MON",
  "managedIdentityId": "svc-weekly-payroll-run",
  "timezone": "Europe/London"
}
```

Webhook trigger (default actor when the request carries no identity):

```json
{
  "triggerType": "Webhook",
  "defaultManagedIdentityId": "svc-erp-integration",
  "signatureVerification": true
}
```
Permissions
Managed identities are assigned permissions in Passport exactly like human users. A PermissionCheckNode checking $context.actorId works identically for managed identities. Grant only the permissions the service needs — principle of least privilege.
HIL tasks and managed identities: Approval nodes, UserFormNodes, and WidgetNodes cannot be assigned to managed identities. HIL tasks must have a human actor. If a scheduled workflow reaches a HIL step, it will route to the error port or fail — design the workflow to route human-needed steps only when triggered by a human.
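The two rules above (a PermissionCheckNode treats managed identities like users; HIL nodes can never run under one) lend themselves to a design-time lint. The following is an added example, not Flow Studio or Passport code: it resolves the actor type a trigger will run under, walks a workflow graph to find Approval/UserForm/Widget nodes a managed-identity run could reach, and lists grants a service identity holds but never uses. The workflow/node shape, the `guard` field used to gate a branch to human-triggered runs, and the grant map are assumptions made for this example, not the real schema; the trigger configs are copied from the page.

```python
"""Design-time lint for managed-identity triggers (added example, not product code)."""
from collections import deque

# Node types the page says always need a human actor.
HIL_NODE_TYPES = {"ApprovalNode", "UserFormNode", "WidgetNode"}


def resolve_actor_type(trigger, request_actor_type=None):
    """Actor type ($context.actorType) a run from this trigger will have.

    Schedule triggers always run as the configured managed identity.
    Webhooks run as the identity in the request when one is present,
    otherwise as defaultManagedIdentityId (field names from the page).
    """
    kind = trigger.get("triggerType")
    if kind == "Schedule":
        return "managed-identity" if trigger.get("managedIdentityId") else "user"
    if kind == "Webhook":
        if request_actor_type is not None:
            return request_actor_type
        return "managed-identity" if trigger.get("defaultManagedIdentityId") else "user"
    return "user"  # manual triggers run as the human who started them


def reachable_hil_nodes(workflow, trigger, request_actor_type=None):
    """Return HIL node ids a managed-identity run could reach (empty when safe).

    Assumed workflow shape: {"entry": id, "nodes": {id: {"type": str,
    "next": [ids], "guard": {"actorType": str} (optional)}}}. A guarded node
    and everything behind it is skipped when the run's actor type does not
    match the guard; that is how a human-only branch is expressed here.
    """
    actor_type = resolve_actor_type(trigger, request_actor_type)
    if actor_type != "managed-identity":
        return []
    nodes = workflow["nodes"]
    seen, queue, hits = set(), deque([workflow["entry"]]), []
    while queue:
        node_id = queue.popleft()
        if node_id in seen:
            continue
        seen.add(node_id)
        node = nodes[node_id]
        guard = node.get("guard", {}).get("actorType")
        if guard is not None and guard != actor_type:
            continue  # branch is gated to a different actor type
        if node["type"] in HIL_NODE_TYPES:
            hits.append(node_id)
        queue.extend(node.get("next", []))
    return sorted(hits)


def permission_check(grants, actor_id, permission):
    """What a PermissionCheckNode does: the same lookup for any $context.actorId."""
    return permission in grants.get(actor_id, set())


def unused_grants(grants, actor_id, permissions_used):
    """Least-privilege review: grants the workflow never exercises."""
    return sorted(grants.get(actor_id, set()) - set(permissions_used))


# Trigger configs from the page.
SCHEDULE_TRIGGER = {
    "triggerType": "Schedule",
    "cron": "0 8 * * MON",
    "managedIdentityId": "svc-weekly-payroll-run",
    "timezone": "Europe/London",
}
WEBHOOK_TRIGGER = {
    "triggerType": "Webhook",
    "defaultManagedIdentityId": "svc-erp-integration",
    "signatureVerification": True,
}

# Constructed sample workflow: a payroll run whose one branch reaches an ApprovalNode.
PAYROLL_WORKFLOW = {
    "entry": "fetch",
    "nodes": {
        "fetch": {"type": "HttpNode", "next": ["check"]},
        "check": {"type": "PermissionCheckNode", "next": ["approve", "notify"]},
        "approve": {"type": "ApprovalNode", "next": ["post"]},
        "notify": {"type": "EmailNode", "next": []},
        "post": {"type": "HttpNode", "next": []},
    },
}

# Same workflow with the approval branch gated to human-triggered runs.
GATED_WORKFLOW = {
    "entry": "fetch",
    "nodes": {
        **PAYROLL_WORKFLOW["nodes"],
        "approve": {"type": "ApprovalNode", "next": ["post"],
                    "guard": {"actorType": "user"}},
    },
}

# Constructed grant map for the service identity (hypothetical permission names).
GRANTS = {"svc-weekly-payroll-run": {"payroll:read", "payroll:post", "hr:export"}}

if __name__ == "__main__":
    print(reachable_hil_nodes(PAYROLL_WORKFLOW, SCHEDULE_TRIGGER))        # ['approve']
    print(reachable_hil_nodes(GATED_WORKFLOW, SCHEDULE_TRIGGER))          # []
    print(reachable_hil_nodes(PAYROLL_WORKFLOW, WEBHOOK_TRIGGER, "user")) # []
    print(unused_grants(GRANTS, "svc-weekly-payroll-run",
                        ["payroll:read", "payroll:post"]))                # ['hr:export']
```

Running the lint as part of workflow publication catches the failure mode the text describes before a Monday 08:00 run hits an ApprovalNode and lands on the error port; the gated variant shows the recommended fix, routing the human-needed step only when the run was started by a human.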