1.0 Introduction
Welcome to the Fortanix Confidential Computing Manager (CCM) User Guide. This article describes the steps to create, update, and revoke third-party groups in CCM.
A Fortanix CCM third-party group is an entity that is created when two groups from different Fortanix CCM accounts wish to collaborate. During collaboration, they can share the Dataverse objects of each other’s groups.
2.0 Create Source Group
The following section uses an example workflow to explain the collaboration between three CCM groups from different CCM accounts, where one group is the Source group and the other two groups are the Recipient groups.
Perform the following steps to create a third-party source group for workflow collaboration:
1. Log in to Fortanix CCM and create a new account, for example, DemoA, or go to an existing account. For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In.
2. On the Groups page, click ADD GROUP on the top-right corner of the screen to create the source group.
Figure 1: Create Source Group
3. In the Create Group form, enter the Name of the source group. For example: DemoA-Group1.
4. Click CREATE GROUP to create the source group.
Figure 2: Create Source Group
The group is successfully created.
2.1 Create Scripts
Perform the following steps to add multiple scripts to the source group, DemoA-Group1:
1. Click the group to go to the detailed view of the source group.
2. Create new scripts in the source group to participate in the workflow collaboration. Click the add button on the Scripts tile.
Figure 3: Source Group - Detailed View
3. In the ADD SCRIPT form, enter the following details:
   - Name: Enter the required name for your script in the provided field.
   - Description (optional): Enter a brief description of your script.
   - Select query language: Click the corresponding radio button to select the query language as SQL or Python for your script. Use the provided text area to enter the commands relevant to your script.
4. Click the CREATE SCRIPT button to initiate the script creation process for the source group DemoA-Group1.
5. Repeat Steps 2 to 4 to create an SQL Aggregate script in the source group.
Figure 4: Create Script for the Source Group
The SQL statement and SQL Aggregate scripts are created successfully.
3.0 Create Recipient Groups
Perform the following steps to create the recipient groups to participate in a workflow collaboration:
NOTE
To collaborate with the resources in the source group, you need to create two new additional groups in different Fortanix CCM accounts.
1. Create two new Fortanix CCM accounts, for example, DemoB and DemoC, or log in to existing accounts if already present. For steps to log in and create a new Fortanix CCM account, refer to User’s Guide: Logging In.
2. Repeat Steps 2 to 4 in Section 2.0: Create Source Group to create the two new recipient groups. For example: DemoB-Group2 and DemoC-Group3.
3.1 Create Inbound Connectors
Perform the following steps to add an inbound connector to the recipient group, DemoB-Group2:
1. Click the group to go to the detailed view of the recipient group.
2. Create a new inbound data connector in the recipient group to participate in the workflow collaboration. Click the add button on the Inbound connector tile.
Figure 5: Recipient Group - Detailed View
3. In the INBOUND CONNECTOR form, select either of the following connector types:
   - BigQuery: Select this option if you want to import data from BigQuery.
   - CSV: Select this option if your data is in CSV format and you want to import it using this connector.
4. Click the NEXT button to proceed further.
5. On the Create INBOUND CONNECTOR page:
   - If you have selected the BigQuery option in Step 3, enter the following details:
     - Connector name: Enter a required name for the inbound connector.
     - Description (Optional): Add a brief description to provide additional context if needed.
     - Labels: Assign one or more key-value labels to categorize or tag the connector.
     - Project ID: Enter the ID of the BigQuery project.
     - Dataset name: Enter the name of the dataset from which you want to import data.
     - Table name: Enter the name of the table within the specified dataset.
     - API key: Enter the API key required for accessing the BigQuery service in the text box provided. You can also upload the API key in Raw or Base64 format using the browse option. For the steps to generate this API key, refer to the Google Cloud: Create an API Key documentation.
     NOTE
     The API key cannot be viewed again after submission.
   - If you have selected the CSV option in Step 3, enter the following details:
     - Connector name: Enter a required name for the inbound connector.
     - Description (Optional): Add a brief description to provide additional context if needed.
     - Labels: Assign one or more key-value labels to categorize or tag the connector.
     - Group: Select the required group name from the drop-down menu to associate this connector with that group.
     - URL: Enter the URL where the CSV file is located for importing data.
     NOTE
     Pre-designed URL is supported for Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).
6. Click the ADD INBOUND CONNECTOR button to initiate the inbound connector creation process for the recipient group DemoB-Group2.
Figure 6: Create Inbound Connectors for the Recipient Group
The inbound data connector is created successfully.
3.2 Create Outbound Connectors
Perform the following steps to add multiple outbound connectors to the recipient group, DemoC-Group3:
1. Click the group to go to the detailed view of the recipient group.
2. Create a new outbound data connector in the recipient group to participate in the workflow collaboration. Click the add button on the Outbound connector tile.
Figure 7: Recipient Group - Detailed View
3. On the Create OUTBOUND CONNECTOR page, enter the following details:
   - Connector name: Enter a required name for the outbound connector.
   - Description (Optional): Add a brief description to provide additional context if needed.
   - Labels: Assign one or more key-value labels to categorize or tag the connector.
   - URL: Enter the URL where the CSV file is located containing the exported data from the script.
4. Click the ADD OUTBOUND CONNECTOR button to initiate the outbound connector creation process for the recipient group DemoC-Group3.
Figure 8: Create Outbound Connector for the Recipient Group
The outbound connector is created successfully.
4.0 Share Participation Token
For a Fortanix CCM source group to request a Fortanix CCM recipient group for collaboration, the source group must prove itself to be an authenticated group. This can be achieved if the recipient groups create a 'group participation token' that can be used to identify themselves. When the source group requests a recipient group for collaboration, the recipient group provides the group participation token to identify itself. The recipient group verifies the participation token in the request and authenticates the source group.
To share the participation token:
1. Go to the detailed view of DemoB-Group2 in the DemoB account.
2. Navigate to the GENERAL tab → Participation Tokens section → GENERATE TOKEN button to generate a new participation token.
Figure 9: Generate Token
3. Click the COPY icon to copy the participation token. This participation token must be shared with the source group for collaboration. The means by which the token can be shared is out of the scope of this guide.
Figure 10: Copy Participation Token
4. Similarly, go to the detailed view of DemoC-Group3 in the DemoC account and repeat Steps 2 to 3 above to copy the participation token of DemoC-Group3 and share it with the source group, DemoA-Group1.
You can also view the generated participation token by clicking the VIEW TOKENS button.
Figure 11: View Token
5.0 Create Third-Party Shared Group
Perform the following steps to create a third-party group for workflow collaboration:
1. Go to the detailed view of the source group, that is, DemoA-Group1, in the account DemoA.
2. Click the SHARE button on the top-right corner of the page.
Figure 12: Share Group
3. In the TOKENS dialog box, paste the group participation token shared by the recipient group in Section 4.0: Share Participation Token.
4. Click the SHARE button to create the third-party group.
Figure 13: Enter Participation Token
5. On the Groups page, click the THIRD PARTY GROUPS tab.
6. On the Third Party Groups page, under the SOURCE ROLE tab, you will see that the source group DemoA-Group1 in the GROUP column is now associated with a recipient group DemoB-Group2 in the RECIPIENT GROUP column.
Figure 14: Source Group Association
7. In the STATUS column, you will see that the status of the third-party group creation is still in a Pending state.
NOTE
The recipient groups must accept the third-party group so that collaboration can begin between the respective source and the recipient groups.
8. Go to the recipient group DemoB-Group2 and click the THIRD PARTY GROUPS tab.
9. Click the RECIPIENT ROLE tab. Observe that the recipient group DemoB-Group2 now shows an association with the source group DemoA-Group1.
Figure 15: Recipient Group Association
10. Click the more options icon for the recipient group row and expand the UPDATE STATUS menu to approve the third-party group association.
11. Click the APPROVE button to approve the collaboration.
Figure 16: Approve Collaboration
12. The status is now updated to Accepted in the recipient and source groups.
Figure 17: Status Accepted
13. Go to the source group and observe that the status is now updated to Accepted.
Figure 18: Status Accepted
14. Similarly, repeat Steps 1 to 13 above to create a third-party shared group between the source group DemoA-Group1 and the recipient group DemoC-Group3 using the participation token shared by the DemoC-Group3 group member with the DemoA-Group1 group administrator.
Figure 19: Third Party Shared Group
6.0 Create a Shared Workflow
The source group administrator will now initiate the collaboration between the source and recipient groups by creating a shared workflow. To create a shared workflow for workflow collaboration, the source group administrator will create placeholder nodes and assign these nodes to the group members of the recipient groups to update the node with the data connectors for the collaboration.
Perform the following steps as a source group administrator to create a shared workflow:
1. In the DemoA account, click the Workflows menu item in the CCM user interface (UI) left navigation bar.
2. On the Workflows page, click +WORKFLOW to create a new workflow.
3. In the CREATE NEW WORKFLOW form:
   - Enter the workflow Name.
   - In the Group field (optional), select the source group for the shared workflow. If no group is selected, the default group will be considered.
   - Click CREATE WORKFLOW to create the shared workflow.
Figure 20: Create Shared Workflow
4. On the workflow graph, add an inbound connector placeholder node that belongs to the recipient group DemoB-Group2.
Figure 21: Add Inbound Connector to Workflow Graph
For more information on how to create a workflow graph, refer to User’s Guide: Create Workflow.
5. Add an SQL or Python script node that belongs to the source group DemoA-Group1.
Figure 22: Add Script to Workflow Graph
NOTE
The script can belong to any internal group that the user is part of.
6. Add an SQL Aggregate script that belongs to the source group, DemoA-Group1.
Figure 23: Add Script to Workflow Graph
7. Add an outbound connector placeholder node that will be assigned to the recipient group DemoC-Group3.
Figure 24: Add Outbound Connector to Workflow Graph
8. Make a connection between the data connectors and scripts.
9. Click SAVE AS DRAFT to save the workflow as a draft so that the members of the recipient groups will see the draft workflow in their respective accounts and fill the placeholder nodes.
Figure 25: Connect the Data Connectors and Scripts
7.0 Fill the Placeholder Nodes with Actual Data
The following steps must be performed by the recipient group members:
1. As a group member of the recipient group DemoB-Group2 in the account DemoB, go to the Workflows page and click the Draft workflow tab.
2. You will see the placeholder node that has been assigned to you by the group administrator of the source group DemoA-Group1.
Figure 26: Fill Placeholder Nodes with Data
3. Click the placeholder node to add the inbound connector. In the INBOUND CONNECTOR form, select the inbound connector that you created earlier in Section 3.1: Create Inbound Connectors from the list.
Figure 27: Select Inbound Connector
4. After adding the inbound connector, click SAVE AS DRAFT to save the updated shared workflow.
Figure 28: Save Workflow Draft
5. As a group member of the recipient group DemoC-Group3, go to the DemoC account and repeat Steps 1 to 4 above to fill the placeholder node with the outbound connector that you created earlier in Section 3.2: Create Outbound Connectors.
Figure 29: Save Workflow Draft
Now the workflow is complete with all the placeholder nodes filled by the respective recipient group members.
8.0 Request Approval to Create Approved Workflow
After a workflow with placeholder nodes is filled with the objects from the required recipient groups and is ready to go, each of the recipient groups should approve it.
NOTE
The source group cannot approve the request until all recipient groups approve it. This is to ensure that the recipient group members are confident about the data sharing.
After the shared workflow is approved by all participant groups, the shared workflow will be an approved workflow. Perform the following steps to create an approved workflow:
1. As a group administrator of the source group DemoA-Group1, go to the Draft workflow tab, and click the REQUEST APPROVAL button to request workflow approval from the recipient group members.
Figure 30: Request Shared Workflow Approval
The workflow is now pending approval from other recipient group members. Click the Pending tab to see the workflow in the pending approval state.
Figure 31: Pending Approval
2. As group members from the recipient groups, you must approve the workflow. Go to the Workflows page in the DemoB account, and in the Pending tab, click SHOW APPROVAL REQUEST to approve the workflow.
Figure 32: Approve the Workflow
3. In the APPROVAL REQUEST – CREATE WORKFLOW dialog box, click APPROVE to approve the workflow.
Figure 33: Approve Workflow
4. As a group member of the recipient group DemoC-Group3, repeat Steps 2 to 3 above to approve the workflow.
Figure 34: Approve Workflow
5. After the recipient group members have approved the workflow, the group administrator of the source group must finally approve the workflow to complete the workflow approval process.
Figure 35: Approve Workflow
The shared workflow will now appear in the Approved tab.
Figure 36: Workflow Approved
NOTE
After a shared workflow is in the approved state, no further changes can be made to the workflow. If you want to make changes using the EDIT WORKFLOW option as described in User’s Guide: Create Workflow, a new version of the workflow will be created. After the new version of the workflow is approved, it supplants the first version of the workflow.
9.0 Run the Shared Workflow
A shared workflow can only be run by the owner of the workflow, that is, the source group administrator. The participants, that is, the recipient group members, cannot run the workflow.
To run the workflow, refer to the User's Guide - Configure and Run the Workflow documentation.
After running a workflow, the workflow execution logs will only be available for viewing at the source group. The recipient group members cannot view the execution logs.
10.0 Revoke Token
A “Group Participation Token” can be revoked by the recipient group member. Revoking a Group Participation Token does not affect the existing third-party group collaboration between the recipient group and the source group. The workflow collaboration will not work after this.

11.0 Revoke Status
To revoke the collaboration with the recipient or source group, click the More options icon in the Third Party Groups page, and click REVOKE against the source or recipient group’s row to revoke or break the collaboration. The workflow collaboration will not work after this. The collaboration can be revoked from the source or recipient groups.

Figure 38: Revoke Collaboration Status