Flow Studio
Cross-Workflow Security
Who can start, cancel, and pause another workflow — the Executor role requirement and tenant isolation for process operations.
Permission Requirements
| Operation | Required Permission | Scope |
|---|---|---|
| Start workflow | workflow:execute | On the target processId |
| Cancel workflow | workflow:cancel | On the target processId or by being the execution's owner |
| Pause workflow | workflow:pause | On the target processId |
| Query status | workflow:read | On the target processId or by being the execution's owner |
Tenant Isolation
All process operations are scoped to the execution's tenant. A workflow cannot start, cancel, pause, or query executions belonging to another tenant. The IWorkflowOrchestrator enforces this — no configuration can override it.
Cross-Workflow Execution Ownership
An execution always records its actorId. The actor who started an execution can always query its status and cancel it, even without a specific permission grant. Orchestrator workflows use a managed identity with the required permissions on all child processes they coordinate.
Managed identity scoping: When using a managed identity to orchestrate child workflows, grant it only the permissions required for the specific processes it needs to control. Granting
workflow:execute on all processes is an over-privilege pattern — restrict to the specific process IDs.