Integration with Node Capabilities
NodeCapabilityPolicy uses Passport IAM to restrict which roles can design or execute workflows containing specific capability types — preventing unauthorized access to sensitive integrations.
What Is NodeCapabilityPolicy?
In Flow Studio, every execution node has a capability type — the category of integration it performs (Webhook, Form, Messaging, Identity, DIDComm, MCP, etc.). NodeCapabilityPolicy is a Passport-backed security policy that restricts which roles can include nodes of a given capability type in a workflow design, and which roles can execute workflows containing those nodes.
NodeCapabilityPolicy Model
// From ProcessSecurity module
public class NodeCapabilityPolicy
{
    public required string PolicyId { get; init; }
    public required string CapabilityType { get; init; } // e.g., "DIDComm", "MCP", "Identity"
    public required string TenantId { get; init; }
    public required string[] AllowedRoles { get; init; } // roles that can USE (execute) this capability
    public required string[] DesignRoles { get; init; } // roles that can DESIGN with it
    public bool RequireMfa { get; init; } // MFA required for execution
    public string? AuditLevel { get; init; } // "standard" or "enhanced"
}
// Example policy: only admins can design with DIDComm nodes;
// only admins and managers can execute workflows containing DIDComm
{
    "capabilityType": "DIDComm",
    "allowedRoles": ["admin", "manager"],
    "designRoles": ["admin"],
    "requireMfa": true,
    "auditLevel": "enhanced"
}
Capability Types and Default Policies
| Capability Type | Default Allowed Roles | Default Design Roles | Notes |
|---|---|---|---|
| Webhook | admin, manager, user | admin, manager | Standard integration — broad access |
| Form | admin, manager, user | admin, manager | Form rendering/submission nodes |
| Messaging | admin, manager | admin, manager | Slack/Email execution nodes |
| Identity | admin, manager | admin | Passport identity operations — restricted |
| BusinessServices | admin, manager, user | admin, manager | ERP/CRM integration nodes |
| Datasources | admin, manager | admin | Database access nodes — data sensitivity |
| DIDComm | admin | admin | Decentralized identity — high privilege |
| MCP | admin | admin | Model Context Protocol — AI tool access |
| Processes | admin, manager | admin, manager | Sub-workflow invocation |
How the Check Works at Runtime
// During workflow execution — ProcessSecurity checks capability access
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;

public sealed class NodeCapabilityGuard(
    IPassportClient passport,
    INodeCapabilityPolicyRepository policyRepo,
    ILogger<NodeCapabilityGuard> logger) // logger assumed here as the audit sink; the module's own sink is not shown on this page
{
    public async Task<bool> CanExecuteCapabilityAsync(
        string capabilityType,
        IDInfo actor,
        CancellationToken ct)
    {
        // 1. Load the tenant's policy for this capability type
        var policy = await policyRepo.GetPolicyAsync(capabilityType, actor.TenantId, ct);
        // No policy = allow. This is fail-open: a capability type with neither a default
        // nor a custom policy in this tenant is unrestricted, so every type in the table
        // above needs a policy per tenant.
        if (policy is null) return true;

        // 2. Check if the actor's roles include any allowed role (case-insensitive)
        var actorRoles = new HashSet<string>(actor.Roles, StringComparer.OrdinalIgnoreCase);
        var allowed = policy.AllowedRoles.Any(r => actorRoles.Contains(r));
        if (!allowed)
        {
            await AuditDenyAsync(capabilityType, actor, policy, "role not in AllowedRoles", ct);
            return false;
        }

        // 3. If MFA is required, verify the "amr" claim carries "mfa". OIDC "amr" is an
        //    array; .NET surfaces one Claim per element, so a per-claim match works.
        if (policy.RequireMfa)
        {
            var hasMfa = actor.Claims.Any(c => c.Type == "amr" && c.Value == "mfa");
            if (!hasMfa)
            {
                // Audit this denial too; the original code returned silently here.
                await AuditDenyAsync(capabilityType, actor, policy, "MFA required, no amr=mfa claim", ct);
                return false;
            }
        }
        return true;
    }

    // Records a denial together with the policy that produced it and its audit level.
    private Task AuditDenyAsync(
        string capabilityType, IDInfo actor, NodeCapabilityPolicy policy, string reason, CancellationToken ct)
    {
        logger.LogWarning(
            "Capability {Capability} denied in tenant {Tenant} for roles [{Roles}]: {Reason} (policy {PolicyId}, audit {AuditLevel})",
            capabilityType, actor.TenantId, string.Join(",", actor.Roles), reason,
            policy.PolicyId, policy.AuditLevel ?? "standard");
        return Task.CompletedTask;
    }
}
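The guard above decides one node at execution time. The following is an added example, not ProcessSecurity's own code: it applies the same policy model to a whole workflow definition, at design time (DesignRoles) and at execution time (AllowedRoles plus the MFA requirement), collects every violation instead of stopping at the first, and fails closed when a capability type has no policy for the tenant. WorkflowNode, Actor, Violation, Phase, WorkflowCapabilityValidator and the sample policies, workflow and tokens are all assumptions constructed for the example; NodeCapabilityPolicy is copied from the model above so the file compiles on its own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Copied from the model above so the example compiles on its own.
public class NodeCapabilityPolicy
{
    public required string PolicyId { get; init; }
    public required string CapabilityType { get; init; }
    public required string TenantId { get; init; }
    public required string[] AllowedRoles { get; init; }
    public required string[] DesignRoles { get; init; }
    public bool RequireMfa { get; init; }
    public string? AuditLevel { get; init; }
}

// Hypothetical stand-ins (assumptions) for a designed node and for Passport's IDInfo.
public sealed record WorkflowNode(string NodeId, string CapabilityType);
public sealed record Actor(string TenantId, string[] Roles, Claim[] Claims);
public sealed record Violation(string NodeId, string CapabilityType, string Reason);

public enum Phase { Design, Execute }

public static class WorkflowCapabilityValidator
{
    // Checks every node against the tenant's policies and returns all violations.
    // Design uses DesignRoles; Execute uses AllowedRoles and, where RequireMfa is set,
    // the amr claim. A capability type without a policy is rejected (fail closed),
    // the opposite default from the runtime guard on this page.
    public static IReadOnlyList<Violation> Validate(
        Phase phase,
        IEnumerable<WorkflowNode> nodes,
        Actor actor,
        IReadOnlyDictionary<string, NodeCapabilityPolicy> policiesByType)
    {
        var roles = new HashSet<string>(actor.Roles, StringComparer.OrdinalIgnoreCase);
        // OIDC "amr" is an array; .NET surfaces one Claim per element.
        var hasMfa = actor.Claims.Any(c => c.Type == "amr" && c.Value == "mfa");
        var violations = new List<Violation>();

        foreach (var node in nodes)
        {
            if (!policiesByType.TryGetValue(node.CapabilityType, out var policy)
                || policy.TenantId != actor.TenantId)
            {
                violations.Add(new Violation(node.NodeId, node.CapabilityType,
                    "no policy for this tenant and capability type"));
                continue;
            }

            var neededRoles = phase == Phase.Design ? policy.DesignRoles : policy.AllowedRoles;
            if (!neededRoles.Any(r => roles.Contains(r)))
            {
                violations.Add(new Violation(node.NodeId, node.CapabilityType,
                    $"{phase} requires one of [{string.Join(", ", neededRoles)}], actor has [{string.Join(", ", actor.Roles)}]"));
                continue;
            }

            if (phase == Phase.Execute && policy.RequireMfa && !hasMfa)
                violations.Add(new Violation(node.NodeId, node.CapabilityType,
                    "policy requires MFA but the token carries no amr=mfa claim"));
        }
        return violations;
    }
}

public static class Program
{
    public static void Main()
    {
        const string tenant = "tenant-abc";
        // Constructed policies mirroring the Webhook and DIDComm rows of the table above.
        var policies = new Dictionary<string, NodeCapabilityPolicy>(StringComparer.OrdinalIgnoreCase)
        {
            ["Webhook"] = new NodeCapabilityPolicy
            {
                PolicyId = "p-webhook", CapabilityType = "Webhook", TenantId = tenant,
                AllowedRoles = new[] { "admin", "manager", "user" }, DesignRoles = new[] { "admin", "manager" },
            },
            ["DIDComm"] = new NodeCapabilityPolicy
            {
                PolicyId = "p-didcomm", CapabilityType = "DIDComm", TenantId = tenant,
                AllowedRoles = new[] { "admin", "manager" }, DesignRoles = new[] { "admin" },
                RequireMfa = true, AuditLevel = "enhanced",
            },
        };
        // Constructed sample workflow: one broad-access node, one high-privilege node.
        var workflow = new[] { new WorkflowNode("n1", "Webhook"), new WorkflowNode("n2", "DIDComm") };
        // Constructed tokens: a manager with password-only login, and one who completed MFA.
        var manager = new Actor(tenant, new[] { "manager" }, new[] { new Claim("amr", "pwd") });
        var managerMfa = new Actor(tenant, new[] { "manager" },
            new[] { new Claim("amr", "pwd"), new Claim("amr", "mfa") });

        Report("design by manager", WorkflowCapabilityValidator.Validate(Phase.Design, workflow, manager, policies));
        Report("execute by manager without MFA", WorkflowCapabilityValidator.Validate(Phase.Execute, workflow, manager, policies));
        Report("execute by manager with MFA", WorkflowCapabilityValidator.Validate(Phase.Execute, workflow, managerMfa, policies));
    }

    private static void Report(string label, IReadOnlyList<Violation> violations)
    {
        Console.WriteLine($"{label}: {(violations.Count == 0 ? "allowed" : "denied")}");
        foreach (var v in violations)
            Console.WriteLine($"  {v.NodeId} ({v.CapabilityType}): {v.Reason}");
    }
}
```

Run as-is, the first call is denied because the manager lacks the DIDComm design role, the second because the DIDComm policy requires MFA and the token has no amr=mfa claim, and the third is allowed. Returning the full violation list lets Flow Studio show a designer every offending node at once rather than one per save attempt, and the fail-closed default means a newly added capability type is blocked until someone deliberately writes a policy for it.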
Creating a Custom Capability Policy
POST /passport/admin/node-capability-policies
Authorization: Bearer {admin-token}
Content-Type: application/json
{
    "capabilityType": "DIDComm",
    "tenantId": "tenant-abc",
    "allowedRoles": ["admin"],
    "designRoles": ["admin"],
    "requireMfa": true,
    "auditLevel": "enhanced",
    "description": "DIDComm nodes are restricted to administrators with MFA"
}
DIDComm, MCP, and Identity nodes reach sensitive systems. Restrict their design roles to admin only and require MFA for execution. A workflow designer who can place a DIDComm node could exfiltrate identity data, so capability policies are the last line of defense at the workflow layer. Keep in mind that the runtime check treats a missing policy as allow: a tenant with no policy for a capability type has no restriction on it, so confirm that every high-privilege capability type has a policy in every tenant rather than relying on the defaults being present.