---
title: "Collaborating Groups and Shared Workflow - AMD SEV-SNP Applications"
slug: "collaborating-groups-and-shared-workflows-amd-sev-snp"
updated: 2026-05-25T09:36:48Z
published: 2026-05-25T09:36:48Z
---


# Collaborating Groups and Shared Workflow - AMD SEV-SNP Applications

## 1.0 Introduction

This article describes the steps to create collaborating groups in Fortanix Confidential Computing Manager (CCM) for Advanced Micro Devices (AMD) Secure Encrypted Virtualization (SEV) - Secure Nested Paging (SNP) and run the application on AMD SEV-SNP.

A **Collaborating Group** in Fortanix CCM represents a collaboration established between two groups that belong to different Fortanix CCM accounts. Through this collaboration, the participating groups can securely share selected resources and work together on common workflows.

This document explains the end-to-end collaboration process, including creating collaborating groups, sharing collaboration tokens, building shared workflows, approving workflows, and managing collaboration lifecycle events.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/CollaboratingGroups.png)

**Figure 1: Collaborating groups and shared workflows**

## 2.0 Collaborating Groups for AMD SEV Applications

A Fortanix CCM collaborating group is created when groups from different Fortanix CCM accounts establish a collaboration. Through this collaboration, the groups can share resources and participate together in workflows.

In a collaborating setup:

- One group acts as the [*consumer group*](/v1/docs/users-guide-groups-and-collaboration-groups-concepts#31-consumer-group) and initiates the collaboration.
- One group acts as the [*publisher group*](/v1/docs/users-guide-groups-and-collaboration-groups-concepts#32-publisher-group) and participates by contributing permitted resources.

The collaboration is represented and managed through shared workflows, which enforce controlled interaction, approval sequencing, and access restrictions between participating groups.

This article describes collaboration between two Fortanix CCM groups from different Fortanix CCM accounts using a workflow that includes an AMD SEV-SNP application. In this example, one group acts as the consumer group and another group acts as the publisher group.

## 3.0 Create Consumer Group (Enterprise)

This section describes how to create a consumer group that participates in a workflow collaboration with a publisher group.

A Consumer Group is created by an enterprise that wants to run a proprietary model on-premises.

In this example, a consumer group is created in a Fortanix CCM account and initiates collaboration with a publisher group using a shared workflow. The consumer group adds an AMD SEV-SNP placeholder application to the workflow, enabling the publisher group to contribute the application to the shared workflow.

Perform the following steps to create a consumer group for workflow-based collaboration:

1. Log in to Fortanix CCM and create a new account, for example, **DemoA**, or log in to an existing account. *For more information on how to log in and create a new Fortanix CCM account, refer to* [*Logging In*](https://support.fortanix.com/hc/en-us/articles/360034373551-User-s-Guide-Logging-in).
2. In the CCM user interface (UI) left navigation panel, click the **Groups** menu item, and on the **Groups** page, click **+ ADD GROUP** to create the consumer group or use an existing group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-z90xoo5u.png)

**Figure 2: Create consumer group**
3. On the **GROUP** form:
  1. **Name**: Enter a name for the group. For example, **DemoA-Group1**.
  2. **Description (optional)**: Enter a short description for the group.
  3. **Labels (optional)**: Add one or more key–value labels to the group.
4. Click **SAVE** to create the consumer group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-i18z6v0b.png)

**Figure 3: Consumer group created**

## 4.0 Create Publisher Group (Model Owner)

This section describes how to create a publisher group that participates in workflow collaboration with a consumer group.

A Publisher Group is established by the model owner to securely share their application (proprietary model) with enterprises without disclosing the model, model weights, or other configurations.

In this example, a publisher group is created in a different Fortanix CCM account and contributes the application to a shared workflow initiated by the consumer group.

> [!NOTE]
> To collaborate with resources in the consumer group, you must create an additional group in a different Fortanix CCM account, as collaboration between groups within the same account is not supported.

1. Create a new Fortanix CCM account, for example **DemoB**, or log in to an existing account if it already exists. *For steps to log in and create a new Fortanix CCM account, refer to* [*Logging In*](https://support.fortanix.com/hc/en-us/articles/360034373551-User-s-Guide-Logging-in)*.*
2. Repeat *Steps 2 to 4 in* [*Section 3.0: Create Consumer Group (Enterprise)*](/v1/docs/run-the-workflow-web-interface-amd-sev-snp-applications-1#30-create-consumer-group-enterprise) to create a new publisher group, for example **DemoB-Group2**, or use an existing group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-f7ial1p9.png)

**Figure 4: Create publisher group**

### 4.1 Create Application

Perform the following steps to create an application:

1. Click the group to open the detailed view of the consumer group.
2. Create a new ACI application in the **consumer group** to participate in the workflow collaboration. From the group’s details page, go to the **APPLICATIONS** tab.
3. On the **Applications** page, click **+ ADD APPLICATION** to add a new application.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Publisher_createApp(1).png)

**Figure 5: Publisher create app**
4. On the **APPLICATION** dialog box, select **AMD SEV-SNP**, and then click **PROCEED**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Screenshot (3579) - Copy.png)

**Figure 6: Select application**

*For more information on how to create an AMD SEV-SNP application, refer to* [*Add and Edit an Application*](/v1/docs/users-guide-add-and-edit-an-application#80-add-amd-sevsnp-application).

*For more information on how to create an AMD SEV-SNP application image, refer to* [*Create an Image*](/v1/docs/users-guide-create-an-image#35-amd-sevsnp-applications).

### 4.2 Create Application Configuration

Once the application image is created, create an application configuration to associate the image with a group and enable its participation in the workflow.

Perform the following steps to create application configuration:

1. Go to the **CONFIGURATION** tab and then click **+ ADD CONFIGURATION** to add a new configuration.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/App-Cong-Create.png)

**Figure 7: Add app configuration**
2. In the **APPLICATION CONFIGURATION** dialog box:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AppConfig.png)

**Figure 8: Application configuration form**
  1. Select **Add new configuration**.
  2. **Image**: Select the application image for which the configuration will be created.
  3. **Configuration name**: Enter a name for the configuration.
  4. **Group**: Select the required group from the drop down menu to associate the configuration with that group. For example, **DemoB-Group2**.
  5. **Description** (optional): Enter a description for the configuration.
  6. **Ports**: Keep this field empty.
  7. **Labels**: Add any meaningful key value pair to identify your application configuration.
  8. **Configuration items**: Keep this field empty.
3. Click **SAVE** to save the configuration.

The application configuration is created successfully.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AppConfigCreated.png)

**Figure 9: App configuration added**

## 5.0 Generate Collaboration Token

To initiate collaboration, a consumer group must authenticate itself to a publisher group. Without authentication, a publisher group could receive unsolicited or spam collaboration requests from another consumer group. To prevent this, the publisher group administrator generates a “collaboration token”, which serves as proof of identity for collaboration requests.

When a consumer group requests collaboration, it includes the collaboration token provided by the publisher group in the request. The publisher group then verifies the token and authenticates the consumer group before allowing the collaboration to proceed.

Perform the following steps to generate the collaboration token:

1. Go to the detailed view of **DemoB-Group2** in the **DemoB** account.
2. Click **COLLABORATE** to generate a new collaboration token.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-2kpmt8b4.png)

**Figure 10: Collaborate**
3. On the **COLLABORATE** dialog box, click **+ GENERATE** to generate the token.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-cwvrm5uo.png)

**Figure 11: Generate token**
4. Click **COPY** to copy the collaboration token.

You must share this collaboration token with the consumer group administrator to enable collaboration. The method used to share the collaboration token is outside the scope of this guide.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-g06jz0wo.png)

**Figure 12: Copy collaboration token**
5. Click **SHOW TOKENS** to view the previously generated tokens.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-fqvi61d3.png)

**Figure 13: View token**

## 6.0 Create Collaborating Group

This section explains the collaboration process between the consumer group and the publisher group using the collaboration token shared by the publisher group.

Perform the following steps to create a collaborating group for workflow collaboration:

1. Open the detailed view of the consumer group, for example **DemoA-Group1**, in the **DemoA** account.
2. Click **ACCEPT TOKEN**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-q21qwj2r.png)

**Figure 14: Share group**
3. In the **ACCEPT TOKEN** dialog box, paste the collaboration token shared by the publisher group in *Section 5.0: Generate Collaboration Token*.
4. Click **PROCEED** to initiate the collaboration request.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-m21vrvgm.png)

**Figure 15: Enter collaborating token**
5. Navigate to **Groups** and select the **COLLABORATION GROUPS** tab.
6. On the **CONSUMER** tab, verify that the consumer group **DemoA-Group1** appears associated with the publisher group **DemoB-Group2**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-rn2mgx7y.png)

**Figure 16: Publisher group association**
7. In the **Status** column, observe that the collaboration request is in the **Pending** state.

> [!NOTE]
> The publisher group must accept the collaboration request before collaboration can begin.
8. Go to the publisher group (**DemoB-Group2**) and select the **COLLABORATION GROUPS** tab.
9. On the **PUBLISHER** tab, verify that **DemoB-Group2** shows an association request from **DemoA-Group1**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-b84lclrx.png)

**Figure 17: Publisher group association**
10. Click the overflow menu ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/BYOE_Overflow_Icon(3).png) for the publisher group row and click **ACCEPT** to approve the collaboration request.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-fmgmytk3.png)

**Figure 18: Approve collaboration**
11. Verify that the collaboration status updates to **Accepted** in the publisher group view.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-bvq2t1ko.png)

**Figure 19: Status accepted**
12. Return to the consumer group account (**DemoA**) and confirm that the collaboration status for the consumer group (**DemoA-Group1**) also shows **Accepted**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-7fh961sz.png)

**Figure 20: Status accepted**

## 7.0 Create Shared Workflow

After creating the collaborating groups, the consumer group administrator initiates collaboration by creating a shared workflow.

In the shared workflow, the consumer group administrator creates a [placeholder node](/v1/docs/users-guide-groups-and-collaboration-groups-concepts#34-placeholder-nodes). The placeholder node is assigned to the publisher group, and only administrators of that publisher group can populate the placeholder nodes assigned to them.

Perform the following steps as a consumer group administrator to create a shared workflow:

1. In the **DemoA** account, click the **Workflows** menu item in the CCM UI left navigation panel.
2. On the **Workflows** page, click **+ ADD WORKFLOW** to create a new workflow.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-52gpbgxm.png)

**Figure 21: Select workflow**
3. On the **WORKFLOW** form:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-xc0w3gy5.png)

**Figure 22: Create shared workflow**
  1. **Name**: Enter a name for the workflow.
  2. **Group**: Select the consumer group for the shared workflow. If you do not select a group, Fortanix CCM uses the default group.
  3. Click **SAVE** to create the shared workflow.
4. Add the application placeholder node to the workflow and assign it to the publisher group, **DemoB-Group2**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Shared-Workflow.png)

**Figure 23: Add placeholder node**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Shared-Workflow1(1)(1).png)

**Figure 24: Assign application to publisher group**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Shared-Workflow2.png)

**Figure 25: Add application to workflow graph**
5. Click **SAVE AS DRAFT** to save the workflow.

Saving the workflow as a draft makes it available to the publisher group, allowing the administrator of the assigned publisher group to access the draft workflow in its respective account and populate the placeholder node assigned to it.

### 7.1 Fill the Placeholder Nodes with Actual Data

After the consumer group creates the shared workflow and assigns placeholder nodes, members of the publisher groups populate the placeholder nodes with their own resources.

Each publisher group can update only the placeholder node assigned to its group. Publisher group administrators cannot add, remove, or modify other nodes in the workflow.

Perform the following steps as a publisher group administrator:

1. Log in to the **DemoB** account and click the **Workflows** menu item in the Fortanix CCM left navigation panel.
2. On the **Workflows** page, click the **Draft** menu item. The draft shared workflow created by the consumer group appears in the list.
3. Select the workflow and locate the **placeholder node** assigned to the publisher group **DemoB-Group2**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-a7d80lpe.png)

**Figure 26: Fill placeholder nodes with data**
4. Click the placeholder node to add the application. In the **APPLICATION** form, select the AMD SEV-SNP application image that was automatically created in [*Section 4.1: Create Application*](/v1/docs/collaborating-groups-and-shared-workflows-amd-sev-snp#41-create-application).

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-kzmy2kmo.png)

**Figure 27: Select dataset – publisher group**
5. Click **SAVE DRAFT** to save the updated shared workflow.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-ewf1v0kf.png)

**Figure 28: Save draft - publisher group**

After the publisher group populates its assigned placeholder node, the shared workflow is complete and ready for approval.

### 7.2 Request Approval to Create Approved Workflow

After the publisher group fills its assigned placeholder nodes, the shared workflow is ready for approval.

The publisher group must review and approve the workflow before the consumer group can complete the approval process.

> [!NOTE]
> The consumer group cannot approve the workflow until the publisher group approves it. This ensures that the publisher group explicitly consents to the sharing of data.

Perform the following steps to request and approve the shared workflow:

1. Log in to the **DemoA** account as a consumer group administrator.
2. In the Fortanix CCM left navigation panel, click the **Workflows** menu item.
3. Click the **Draft** menu item and select the shared workflow for which you want to request approval.
4. Click **SAVE AND REQUEST APPROVAL** to send the approval request to all the publisher groups.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-lz41fgck.png)

**Figure 29: Request shared workflow approval – consumer group**

A confirmation dialog appears. Click **REQUEST APPROVAL** to submit the approval request to the publisher groups.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-7lqyzmiu.png)

**Figure 30: Confirm action**

The workflow moves to the **Pending** state.
5. Go to the **Pending** tab to view workflows awaiting approval.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-rra2dobu.png)

**Figure 31: Pending approval – consumer group**
6. Log in to the **DemoB** account as a publisher group administrator. Navigate to the **Workflows** menu item and click the **Pending** menu item.
7. Select the shared workflow from the list and click **VIEW REQUEST** for the shared workflow.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Workflow-viewrequest.png)

**Figure 32: Approve the workflow – publisher group**
8. In the **APPROVAL REQUEST FOR CREATING WORKFLOW** dialog box, click **APPROVE**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Workflow-approve.png)

**Figure 33: Approve workflow – publisher group**
9. After the publisher group approves the workflow, log in to the **DemoA** account as the consumer group administrator and approve the workflow to complete the approval process.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Workflow-approve-consumer.png)

**Figure 34: Approve request – consumer group**

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Workflow-approve-consumer1.png)

**Figure 35: Approve workflow - consumer group**
10. The workflow now appears in the **Approved** tab.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-jd08j2au.png)

**Figure 36: Workflow approved - consumer group**

> [!NOTE]
> After a shared workflow reaches the **Approved** state, it cannot be modified. To make changes, edit the workflow to create a new version using the **EDIT WORKFLOW** option. After approval, the new version replaces the previous one.

### 7.3 Run the Shared Workflow

Only the consumer group administrator, who owns the workflow, can run a shared workflow.

The members of the publisher groups cannot run the workflow.

Perform the following steps to run the workflow:

1. Click the workflow application and copy the **Runtime configuration hash** from the **APPLICATION** dialog box. This value is used for the `APPCONFIG_ID` parameter.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/AppConfigHash(1).png)

**Figure 37: App config ID**
2. Extract the VM image files:
3. Modify the following `launch_cvm.sh` script, and add the `APPCONFIG_ID` value copied in *Step 1*.

> [!NOTE]
> Ensure that the `launch_cvm.sh` script has all the required variables before you run it.

```bash
# Required variables: IMAGE, KERNEL, BIOS, MANAGER_ENDPOINT, JOIN_TOKEN, ALT_NAMES_ARR,
# CPU_TYPE and NUM_CPUS. If these parameters are not populated in the script, then
# this is the standard template generated without any input parameters. In that case,
# fill in these parameters and then run the script.
(
set -x
modprobe kvm
modprobe vfio-pci
# Model provider's artifacts locations and configurations - These are measured artifacts
# .qcow2 file
IMAGE="cvm-image-latest.qcow2"
# .efi file
KERNEL="cvm-image-latest.efi"
# OVMF.fd file
BIOS="OVMF.amdsev.fd"
# NVIDIA IT's configuration
# Other config parameters
CPU_TYPE=EPYC-v4
NUM_CPUS=2
ALT_NAMES="fortanix.com"
APPCONFIG_ID="9b3f89c28ba7be6fccde70e7a37b97ae73c7cccab955ebbee9261a3991bc0b62"
#Hardware Settings
NVIDIA_GPU=45:00.0
MEM=16 #in GBs
FWDPORT=9899
doecho=true
docc=true
dogpu=true
while getopts "nexp:" flag
do
        case ${flag} in
                n) dogpu=false;;
                e) doecho=true;;
                x) docc=false;;
                p) FWDPORT=${OPTARG};;
        esac
done
NVIDIA_GPU=$(lspci -d 10de: | awk '/NVIDIA/{print $1}')
NVIDIA_PASSTHROUGH=$(lspci -n -s $NVIDIA_GPU | awk -F: '{print $4}' | awk '{print $1}')
if [ "$doecho" = true ]; then
         echo 10de $NVIDIA_PASSTHROUGH > /sys/bus/pci/drivers/vfio-pci/new_id
fi
if [ "$docc" = true ]; then
        USE_HCC=true
fi
if [ "$dogpu" = true ]; then
        USE_GPU=true
fi
qemu-system-x86_64 \
        -machine memory-encryption=sev0,vmport=off \
        -object memory-backend-memfd,id=ram1,size=16G,share=true,prealloc=false -machine memory-backend=ram1 \
        -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
        -enable-kvm -nographic -no-reboot \
        -cpu ${CPU_TYPE} -machine q35 -smp ${NUM_CPUS},maxcpus=31 -m ${MEM}G,slots=2,maxmem=512G \
        -bios ${BIOS} \
        -drive file=${IMAGE},if=virtio,id=disk0,format=qcow2,readonly=on \
        -kernel ${KERNEL} \
        -device virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=vmnic,romfile= \
        -netdev user,id=vmnic,hostfwd=tcp::2223-:22,hostfwd=tcp::80-:8000 \
        -object iommufd,id=iommufd0 \
        -device pcie-root-port,id=pci.1,bus=pcie.0 \
        -device vfio-pci,host=${NVIDIA_GPU},bus=pci.1,iommufd=iommufd0,romfile= \
        -fw_cfg name=opt/ovmf/X-PciMmio64Mb,string=262144 \
        -fw_cfg name=opt/com.fortanix/app_cert_alt_names,string=${ALT_NAMES} \
        -fw_cfg name=opt/com.fortanix/appconfig_id,string=${APPCONFIG_ID} \
        -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=8
)
```
4. Run the following command to launch the VM:

```bash
sudo ./launch_cvm.sh
```

This will start the AMD SEV-SNP application and trigger the Fortanix Attestation Client.
5. The Publisher (Model Owner) navigates to the application details view to confirm that:
  1. The image is deployed in Fortanix CCM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/ImageDeployed(2).png)

**Figure 38: Image deployed**
  2. The audit log contains a successful `REQUEST_APP_CERTIFICATE` event, indicating that the application certificate was generated.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Publisher-accout-logs.png)

**Figure 39: Audit logs for Publisher**
6. The Consumer (Enterprise) can view audit logs for a successful application certificate event.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Consumer-account-logs.png)

**Figure 40: Audit logs for consumer**

> [!NOTE]
> The audit logs are available in the log tool configured by the Publisher and Consumer.
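
A pre-flight check for Steps 3 and 4 above, as an added example that is not part of Fortanix's documentation or tooling: it confirms that the variables are populated in `launch_cvm.sh`, that `APPCONFIG_ID` equals the Runtime configuration hash copied from CCM, and that the measured artifacts are readable. The function names, the `preflight.sh` file name, the 64-hex-character hash format, and the sample values are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Pre-flight check for launch_cvm.sh. Added example, not Fortanix code.
# Assumptions: assignments are plain NAME=value lines as in the script above,
# relative artifact paths resolve next to the script, and the Runtime
# configuration hash is 64 hex characters like the page's sample value.

# Names from the page's note that the script above assigns, plus APPCONFIG_ID.
REQUIRED_VARS="IMAGE KERNEL BIOS CPU_TYPE NUM_CPUS APPCONFIG_ID"
# Constructed placeholder hash for the sample below (not a real CCM value).
SAMPLE_HASH="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# get_var FILE NAME: print the value of the last NAME=value assignment in FILE.
get_var() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# is_sha256_hex VALUE: succeed only for exactly 64 hexadecimal characters.
is_sha256_hex() {
    case "$1" in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# preflight SCRIPT EXPECTED_HASH: print one line per problem, return 0 if none.
preflight() {
    script=$1 expected=$2 problems=0
    dir=$(dirname "$script")
    for name in $REQUIRED_VARS; do
        value=$(get_var "$script" "$name")
        if [ -z "$value" ]; then
            echo "MISSING $name"; problems=$((problems + 1))
        fi
    done
    # The value handed to the guest through fw_cfg must be the hash copied from CCM.
    id=$(get_var "$script" APPCONFIG_ID)
    if [ -n "$id" ]; then
        if ! is_sha256_hex "$id"; then
            echo "MALFORMED APPCONFIG_ID"; problems=$((problems + 1))
        elif [ "$id" != "$expected" ]; then
            echo "MISMATCH APPCONFIG_ID"; problems=$((problems + 1))
        fi
    fi
    # The measured artifacts must be readable before QEMU is started.
    for name in IMAGE KERNEL BIOS; do
        f=$(get_var "$script" "$name")
        [ -z "$f" ] && continue
        case "$f" in /*) path=$f ;; *) path=$dir/$f ;; esac
        [ -r "$path" ] || { echo "UNREADABLE $name $f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ]
}

# write_sample DIR: constructed launch_cvm.sh excerpt plus empty artifact files.
write_sample() {
    cat > "$1/launch_cvm.sh" <<EOF
IMAGE="cvm-image-latest.qcow2"
KERNEL="cvm-image-latest.efi"
BIOS="OVMF.amdsev.fd"
CPU_TYPE=EPYC-v4
NUM_CPUS=2
APPCONFIG_ID="$SAMPLE_HASH"
EOF
    : > "$1/cvm-image-latest.qcow2"
    : > "$1/cvm-image-latest.efi"
    : > "$1/OVMF.amdsev.fd"
}

# Usage: preflight.sh launch_cvm.sh <hash copied from CCM>
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"; exit $?
fi
# With no arguments, run against the constructed sample.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d); write_sample "$tmp"
    preflight "$tmp/launch_cvm.sh" "$SAMPLE_HASH" && echo "OK"
    rm -rf "$tmp"
fi
```

A non-zero exit status means at least one `MISSING`, `MALFORMED`, `MISMATCH`, or `UNREADABLE` line was printed, so the check can gate `sudo ./launch_cvm.sh` in a wrapper.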

## 8.0 Manage Tokens

### 8.1 Revoke Token

A collaboration token can be revoked by a publisher group administrator.

Revoking a collaboration token does not affect existing active collaborations between the publisher group and consumer group that were established using that token. Any existing shared workflows continue to function as expected.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-gjilb171.png)

**Figure 40: Revoke token**

### 8.2 Revoke Status

Perform the following steps to revoke a collaboration between a consumer group and a publisher group:

1. Navigate to the **COLLABORATION GROUPS** page.
2. Locate the collaboration entry you want to revoke.
3. Click the overflow menu for the corresponding row and select **REVOKE** from the drop down menu to revoke the collaboration.

You can revoke the collaboration from either the consumer group or the publisher group.

After you revoke the collaboration, the shared workflow cannot progress, and collaboration between the groups stops.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/run-the-workflow---web-interface---amd-sev-snp-applications-image-74ld9hxr.png)

**Figure 41: Revoke collaboration status**
