Create, Update, Clone, and Delete Workflows

1.0 Introduction

Workflow graphs define how different components interact within Fortanix Confidential Computing Manager (CCM). A workflow graph represents the relationships between applications, datasets, data connectors, and scripts, enabling multiple users to collaborate securely by contributing their own components and approvals.

There are three types of workflows: Draft, Pending, and Final.

• Draft workflows: Draft workflows are in-progress workflows that are still under development. These workflows have not been submitted for approval and do not grant applications access to datasets or other workflow components.

• Pending workflows: Pending workflows represent workflows that have been submitted for approval but have not yet received approval from all required users. During this stage, applications cannot access datasets or execute workflow operations.

• Final workflows: Final workflows are approved and versioned workflows protected by quorum approval. Once approved, the workflow can be deployed. Applications running within a final workflow can securely access the datasets, data connectors, and scripts defined in the workflow after obtaining the required certificates.

When an application runs within a Final workflow, it can access all datasets connected to it in the workflow. This means:

• The enclave can access protected data associated with the input datasets.

• The application can write data to the protected locations defined by the output datasets.

To convert a Draft workflow into a Final workflow, approvals are required from the users participating in the workflow.

The approval process involves the following steps:

• A Fortanix CCM Account Administrator invites users to join the Fortanix Armor IAM account.

• Invited users join the account and contribute their components, such as datasets, applications, or application configurations in Fortanix CCM.

In this example, the following roles are used:

• Account Owner

• Data Owner

• Application Owner

The Data Owner and Application Owner collaborate to build the workflow graph by connecting applications and datasets. Once the workflow graph is complete, the Administrator submits it for approval. A workflow graph must be approved by all participating users before it becomes a Final workflow.

Perform the following steps to create a workflow:

1. In the CCM user interface (UI) left navigation panel, click Workflows.  

2. On the Workflows page, click ADD WORKFLOW to create a new workflow.

   

3. In the Add Workflow form:

   1. Name: Enter a name for the workflow.

   2. Group: Select the Fortanix Armor IAM group for the workflow. If you do not select a group, Fortanix CCM uses the default group.

4. Click ADD WORKFLOW to create the workflow.

2.1 Add Application

1. Add an application to the workflow graph. Drag the Application icon from the component panel and drop it into the graph area.

   

2. Click ADD APPLICATION. In the Add Application form, select an existing application name and image. Select a build for this application. For example, <my-registry>/simple-python-sgx:latest.

   Where, <my-registry> is the location of your container registry.

   For more information to create an application, refer to Add Application.

3. Select an existing app configuration or create a new app configuration using ADD NEW CONFIGURATION for the application build.

2.2 Add Dataset

1. Add input and output datasets to the workflow graph. Drag the Dataset icon into the graph area and click ADD DATASET.

2. In the DATASET form, select an existing dataset, or click ADD DATASET to create a new dataset.

   For more information to create a dataset, refer to Create Datasets.

1. Connect the workflow components. Establish connections between datasets and applications as follows:

   1. Connect the Input Dataset to the Application using the Input target port.

   2. Connect the Application to the Output Dataset using the Output target port.

   

   

2.4 Request Approval

1. After the workflow is completed, click SAVE AND REQUEST APPROVAL to initiate the workflow approval process.

   WARNING

   When a draft workflow is submitted for approval, it is removed from the Drafts list. The workflow cannot be edited while it is in the Pending or Approved state.

2. The workflow remains in a pending state until it receives approval from all users. In the Pending menu item, click VIEW REQUEST to approve a Workflow.

3. In the APPROVAL REQUEST FOR CREATING WORKFLOW dialog, you can either APPROVE or DECLINE a workflow.

   NOTE

   • Users can also approve or decline workflow requests from the Tasks tab in Fortanix CCM.

   • A green tick appears next to users who have approved the workflow.

4. Finalize the workflow. All participants in the workflow must approve the request for the workflow to be finalized.

   • If any user declines the request, the workflow is rejected.

   • When all users approve the workflow, it is deployed.

   During deployment, Fortanix CCM performs the following actions:

   • Configures applications with access to the required datasets.

   • Creates the Workflow Application Configurations.

   • Returns the list of application measurement hashes required to start the applications.

3.0 Edit the Workflow

Perform the following steps to edit a workflow:

1. In the Approved tab, click the overflow menu for the workflow and select Edit workflow.

   When a workflow is edited, a new version of the workflow is created in the Draft state. The previously approved version remains unchanged.

   For example, if Version 1 of an approved workflow named Workflow 1.0 is edited, a new version (Version 2) of Workflow 1.0 is created in the draft state for editing.

2. Update the workflow graph with the required changes. After completing the changes, click SAVE AND REQUEST APPROVAL to submit the updated workflow for approval.

3. A new workflow version (for example, Version 2) is created in the Pending state. Click SHOW APPROVAL REQUEST to review and approve the workflow.

4. Click APPROVE to approve the workflow.

5. After Version 2 of the workflow is approved, it is linked to Version 1. Users can then choose to DELETE THIS VERSION or RESTORE WORKFLOW, if needed.

4.0 Clone the Workflow

Cloning a workflow allows you to create a copy of an existing workflow instead of creating a new one from scratch.

Perform the following steps to clone a workflow:

1. For an Approved or Draft workflow, click the overflow menu for the workflow and select Clone workflow.

2. In the Clone workflow dialog box, click CLONE to confirm the action.

   When a workflow is cloned, a new workflow is created with a modified name.
   For example, if the workflow “Workflow 1.0” is cloned, a new workflow named “Workflow 1.0 (clone)” is created.

   You can modify the workflow name using the Edit icon next to the workflow name.

3. Update the workflow graph with the required changes. After completing the changes, click SAVE AND REQUEST APPROVAL to submit the cloned workflow for approval.

4. After submission, the cloned workflow is created in the Pending state and remains there until it receives approval from all required users.

5.0 Delete the Workflow

Perform the following steps to delete a workflow:

1. In the Approved tab, go to the detailed view of the workflow you want to delete.

2. In the detailed view of the workflow, click the overflow menu and select Delete this version.

3. In the Delete workflow version dialog box, click DELETE to confirm the action.

After confirmation, the selected workflow is permanently deleted.