Role-based access control
- Last Updated: March 31, 2026
Automate MFT uses a folder-based Role-Based Access Control (RBAC) model for cases where the default user roles are not sufficient. Permissions are assigned at the folder level, inherited by subfolders, and apply to all tasks within those folders.
Task Folder Permission Levels
- No Access – Folder and tasks are not visible.
- Viewer – View tasks and task activity.
- Operator – View and run tasks and view task activity.
- Editor – View, run, and edit tasks and view task activity.
- Creator – View, run, edit, create, and delete tasks and view task activity.
Subfolders inherit permissions from their parent folder. If a parent folder is assigned a specific permission level, all of its subfolders inherit at least that level of access. Permission levels for subfolders cannot be reduced below those of the parent folder, but they may be elevated if required.
The All Tasks view displays all tasks the user is authorized to access, aggregating tasks across all permitted folders. The All Tasks view does not expose tasks outside the user’s permissions. Tasks not assigned to folders are visible to administrators and must be moved into folders to be shared.
Library Permission Levels
- No Access – Libraries are not visible.
- Viewer – View all entities in the library.
- Editor – View and edit entries in the library.
- Creator – View, edit, create, and delete entries in the library.
If a user has access to any task folder, Automate MFT enforces Viewer access to all libraries. This ensures users can view task configuration details such as referenced endpoints, schedules, agents, and authentication methods.
User Roles
Users may be assigned multiple roles. Effective permissions are calculated using a union model: if any role grants a higher permission, that permission applies.
Identity Provider Mapping
For tenants using Single Sign-On (SSO), Automate MFT supports mapping identity provider groups to Automate MFT roles. When enabled, Identity Provider group membership becomes the authoritative source of role assignment for SSO users. Each mapping links one Identity Provider group to one Automate MFT role. A role may be mapped to multiple Identity Provider groups, but an Identity Provider group may be mapped to only one role. Both predefined and custom roles can be mapped.
Role mapping cannot be enabled unless at least one Identity Provider group is mapped to the Administrator role. This validation prevents administrative lockout. The tenant Owner always retains the Administrator role and cannot be disabled.
Role Evaluation During Login
If Mapping is disabled:
- Users authenticate via SSO.
- Local role assignments determine access.
- Identity Provider group mappings are ignored.
If Mapping is enabled:
- Users authenticate via SSO.
- Identity Provider group claims are evaluated.
- All matching mapped roles are assigned.
- Permissions are based on the assigned roles.
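The rules on this page (folder inheritance, the union model, the enforced library Viewer access, and group-to-role mapping) combined in one resolver for auditing what a set of group claims grants. This is an added example, not Automate MFT code; the data layout, role names, folder paths, and group names are constructed assumptions.

```python
from enum import IntEnum
from pathlib import PurePosixPath

class Level(IntEnum):  # ordered as in the permission-level lists above
    NO_ACCESS = 0
    VIEWER = 1
    OPERATOR = 2   # task folders only; libraries have no Operator level
    EDITOR = 3
    CREATOR = 4

# Constructed sample roles (hypothetical names and folder paths).
ROLES = {
    "finance-ops": {"folders": {"/finance": Level.OPERATOR, "/finance/ap": Level.VIEWER},
                    "library": Level.NO_ACCESS},
    "payroll-dev": {"folders": {"/finance/payroll": Level.EDITOR}, "library": Level.NO_ACCESS},
    "lib-admin": {"folders": {}, "library": Level.CREATOR},
}
# Constructed mapping: each IdP group maps to exactly one role (dict keys are
# unique), while one role may be reached from several groups.
GROUP_TO_ROLE = {"grp-fin": "finance-ops", "grp-fin-emea": "finance-ops",
                 "grp-payroll": "payroll-dev", "grp-lib": "lib-admin"}

def can_enable_mapping(group_to_role):
    """Lockout guard: at least one group must map to the Administrator role."""
    return "Administrator" in group_to_role.values()

def roles_from_claims(group_claims):
    """Mapping enabled: all matching mapped roles are assigned; other groups are ignored."""
    return {GROUP_TO_ROLE[g] for g in group_claims if g in GROUP_TO_ROLE}

def folder_level(roles, folder):
    """Highest grant on the folder or any ancestor, across every assigned role."""
    path = PurePosixPath(folder)
    lineage = {str(path), *(str(p) for p in path.parents)}
    grants = [lvl for r in roles
              for f, lvl in ROLES[r]["folders"].items() if f in lineage]
    # max() means a subfolder grant can elevate access but never reduce it.
    return max(grants, default=Level.NO_ACCESS)

def library_level(roles):
    """Union across roles, raised to Viewer when any task folder is accessible."""
    level = max((ROLES[r]["library"] for r in roles), default=Level.NO_ACCESS)
    has_folder = any(lvl > Level.NO_ACCESS
                     for r in roles for lvl in ROLES[r]["folders"].values())
    return max(level, Level.VIEWER) if has_folder else level
```

Note that `/finance/ap` resolves to Operator for `finance-ops` even though the role lists Viewer there, because a subfolder cannot drop below its parent.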