Introduction
Workflow graphs are maps that show how generic applications are connected to datasets and other generic applications. These are collaborative objects where multiple users can provide their own objects and approvals.
There are two types of workflows - draft and final.
- Draft workflows are unapproved/in-progress items that do not grant any permissions to applications.
- Final workflows are versioned objects protected by quorum approval. These workflows grant the applications access to datasets if they have requested and received certificates that confirm they are running in the required approved workflow.
An application running inside a Final Workflow is allowed to access all connected datasets. This means:
- The enclave will have access to the protected data guarded by input datasets.
- It can upload data to the protected locations defined by output datasets.
To move from a draft workflow to a final workflow, you require approvals. For approvals:
- A Fortanix CCM Account Administrator will invite other users to join the account.
- The users join the account and provide data in the form of datasets and applications/application configurations.
For example, in this article we have the following users:
- Account Owner
- Data Owner
- Application Owner
Data Owners and Application Owners collaborate on a graph. After the graph is completed, the Administrator will submit it for approval. A Workflow graph must be approved by all the users of the graph.
Create a Workflow
To create a workflow:
- Click the Workflows icon in the CCM left panel.
- On the Workflows page, click +WORKFLOW to create a new workflow.
Figure 1: Create workflow
- In the CREATE WORKFLOW dialog box, enter the workflow Name and Description (optional). Click CREATE to go to the workflow graph.
- Add an app to the workflow graph. To add an app to a workflow graph, drag the App icon and drop it into the graph area. Click +APPLICATION. In the ADD APPLICATION dialog box, the App Owner must select an existing application image from the list of available application images.
Figure 2: Select application
- For the selected application image, the App Owner must create a new app config/add an existing app config.
Figure 3: Add application config
Figure 4: Select/add new configuration
- Click SELECT APPLICATION to select the application.
Figure 5: Select application
- Click SAVE AS DRAFT to save the draft Workflow.
Figure 6: Save workflow draft
- To access the draft workflow, click the Draft tab in the Workflows left menu.
- Add an input and output dataset to the workflow graph. To add a dataset to a workflow graph, drag the dataset icon and drop it into the graph area. Click +DATASET. In the ADD DATASET dialog, the Data Owner must select from existing datasets or create a new dataset. Click CREATE DATASET to create the dataset.
Figure 7: Create input dataset
- Create connections between the applications and input/output datasets. To do that, drag the Input Dataset connection point and join it with the Application connection point. This opens a dialog to select the ports. In the SELECT PORTS dialog, select the Target port as “input”. Repeat the same to connect the Application to the Output Dataset, and select the Target port as “Output”.
Figure 8: Select connection ports
- If the workflow is complete, the user must click the REQUEST APPROVAL button to generate the approval process for the Workflow.
Figure 9: Request workflow approval
- The workflow is in “pending” state until all the users approve it. In the Pending tab click SHOW APPROVAL REQUEST to approve a Workflow.
Figure 10: Workflow in pending approval state
- In the APPROVAL REQUEST - CREATE WORKFLOW dialog, click APPROVE to approve the workflow or DECLINE to reject a workflow.
Figure 11: Approve workflow
- All the users of a workflow must approve to finalize it. If a user declines a workflow, it is rejected. When all the users approve the workflow, it is deployed.
- CCM configures apps to access the Datasets.
- CCM creates the Workflow Application Configs.
- CCM returns the list of hashes needed to start the apps.
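The approval rules described above, modeled as a small state machine (an added illustration, not Fortanix CCM code or its API). The class, method and dataset names are hypothetical, and it assumes that the users of a graph are the owners of its applications and datasets and that input and output ports map to read and write access.

```python
from dataclasses import dataclass, field

@dataclass
class Workflow:
    """Toy model of a workflow graph; not the Fortanix CCM data model or API."""
    app_owner: dict                       # application name -> owning user
    dataset_owner: dict                   # dataset name -> owning user
    edges: list                           # (application, dataset, target port)
    state: str = "draft"                  # draft -> pending -> approved | rejected
    approvals: set = field(default_factory=set)

    def users(self):
        """Assumption: every user who contributed an object must approve."""
        return set(self.app_owner.values()) | set(self.dataset_owner.values())

    def request_approval(self):
        if self.state != "draft":
            raise ValueError("only a draft can be submitted for approval")
        self.state = "pending"

    def vote(self, user, approve):
        if self.state != "pending" or user not in self.users():
            raise ValueError("no pending approval request for this user")
        if not approve:
            self.state = "rejected"       # a single decline rejects the workflow
            return
        self.approvals.add(user)
        if self.approvals == self.users():
            self.state = "approved"       # unanimous approval finalizes it

    def grants(self, app):
        """Dataset access for an application; empty unless the workflow is final."""
        if self.state != "approved":
            return {}
        access = {"input": "read", "output": "write"}  # assumed port-to-access mapping
        return {ds: access[port] for a, ds, port in self.edges if a == app}


def constructed_example():
    """Constructed sample graph: one application, one input and one output dataset."""
    return Workflow(
        app_owner={"analytics-app": "app_owner"},
        dataset_owner={"patients-in": "data_owner", "results-out": "data_owner"},
        edges=[("analytics-app", "patients-in", "input"),
               ("analytics-app", "results-out", "output")],
    )
```

Certificate issuance to the running application is outside this model; it covers only the draft, pending, approved and rejected states and the access a final workflow implies.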
Edit Workflow Graphs
To edit a Workflow:
- In the Approved tab, click the overflow menu for a workflow and select EDIT WORKFLOW to edit the workflow. When a workflow is edited, a new version of the workflow is created for editing in “draft” state. The existing version stays unchanged. For example, if the first version (Version 1) of an approved workflow “Workflow 1.0” is edited, a new version (Version 2) of “Workflow 1.0” is created.
Figure 12: Edit a workflow
- Update the workflow graph with the required changes and click REQUEST APPROVAL to submit the workflow for approval.
Figure 13: Request edited workflow for approval
- A new version (Version 2) of the workflow is created in “pending” state. Click SHOW APPROVAL REQUEST to approve the workflow.
Figure 14: Edited workflow in pending state
- Click APPROVE to approve the workflow.
Figure 15: Approve the workflow
- After Workflow Version 2 is approved, it will be linked to Version 1. Now, the user can either delete Workflow Version 1 or restore it.
Figure 16: Workflow version 1
Clone Workflow Graphs
A workflow is cloned when you want to create a copy of an existing workflow instead of creating it from scratch. To create a workflow clone:
- For an approved or draft workflow, click the overflow menu on the right and select CLONE WORKFLOW to copy the workflow. When a workflow is cloned, the new workflow is created with a modified name. For example, if the approved workflow “Workflow 1.0” is cloned, a new workflow “Workflow 1.0 (clone)” is created. The user can modify the workflow name using the Edit icon next to the name.
Figure 17: Clone a workflow
- Update the workflow graph with the required changes and click REQUEST APPROVAL to submit the workflow for approval.
- A new workflow is created in “pending” state.
Delete Workflow Graphs
To delete a workflow:
- For an approved workflow, click the overflow menu on the right and select DELETE WORKFLOW to delete the workflow.
Figure 18: Delete a workflow
- In the DELETE WORKFLOW dialog box, click DELETE to confirm.
- The workflow is deleted.