1. Fortanix
  2. Confidential Computing Manager
  3. User Guide
  4. Workflows

User's Guide: Create, Update, Clone, and Delete Workflows

Last Updated: 
Disclaimer: The Fortanix CCM Workflows feature will only be enabled for Customers with an "Enterprise" license.

Introduction

Workflow graphs are maps that show how generic applications are connected to datasets and other generic applications. These are collaborative objects where multiple users can provide their own objects and approvals.

There are two types of workflows - draft and final.

  • Draft workflows are unapproved/in-progress items that do not grant any permissions to applications.
  • Final workflows are versioned and quorum approval protected objects. These workflows grant the applications access to datasets if they have requested and received certificates that confirm they are running in the required approved workflow.

An application running inside a Final Workflow is allowed to access all connected datasets, this means:

  • The enclave will have access to the protected data guarded by input datasets.
  • It can upload data to the protected locations defined by output datasets.

To move from a draft workflow to a final workflow, you require approvals. For approvals:

  • A Fortanix CCM Account Administrator will invite other users to join the account.
  • The users join the account and provide data in the form of datasets and applications/application configurations.

For example, in this article we have the following users:

  • Account Owner
  • Data Owner
  • Application Owner

Data Owners and Application Owners collaborate on a graph. After the graph is completed, the Administrator will submit it for approval. A Workflow graph must be approved by all the users of the graph.

Create a Workflow

To create a workflow:

  1. Click the Workflows icon in the CCM left panel.
  2. On the Workflows page, click +WORKFLOW to create a new workflow. CCM_workflow1.png
    Figure 1: Create workflow
  3. In the CREATE WORKFLOW dialog box, enter the workflow Name and Description (optional). Click CREATE to go to the workflow graph.
  4. Add an app to the workflow graph. To add an app to a workflow graph, drag the App icon and drop it into the graph area. Click +APPLICATION. In the ADD APPLICATION dialog box, the App Owner must select an existing application image from the list of available application images. CCM_workflow2.png
    Figure 2: Select application 
  5. For the selected application image, the App Owner must create a new app config/add an existing app config. CCM_workflow3.png
    Figure 3: Add application config CCM_workflow4.png
    Figure 4: Select/add new configuration
  6. Click SELECT APPLICATION to select the application. CCM_workflow5.png
    Figure 5: Select application
  7. Click SAVE AS DRAFT to save the draft Workflow. CCM_workflow6.png
    Figure 6: Save workflow draft
  8. To access the draft workflow, click the Draft tab in the Workflows left menu.
  9. Add an input and output dataset to the workflow graph. To add a dataset to a workflow graph, drag the dataset icon and drop it into the graph area. Click +DATASET. In the ADD DATASET dialog, the Data Owner must select from existing datasets or create a new dataset. Click CREATE DATASET to create the dataset. CCMAppNew33.png
    Figure 7: Create input dataset
  10. Create connections between the applications and input/output datasets. To do that, drag the Input Dataset connection point and join it with the Application connection point. This opens a dialog to select the ports. In the SELECT PORTS dialog, select the Target port as “input”. Repeat the same to connect the Application to the Output Dataset, and select the Target port as “Output”. CCM_workflow8.png
    Figure 8: Select connection ports
  11. If the workflow is complete, the user must click the REQUEST APPROVAL button to generate the approval process for the Workflow. CCM_workflow10.png
    Figure 9: Request workflow approval
    WARNING
    When a draft workflow is submitted for approval, it will be removed from the drafts list and the user will no longer be able to edit it directly once it is in "pending or “approved” state.
  12. The workflow is in “pending” state until all the users approve it. In the Pending tab click SHOW APPROVAL REQUEST to approve a Workflow.                                                         CCM_workflow11.png
    Figure 10: Workflow in pending approval state
  13. In the APPROVAL REQUEST - CREATE WORKFLOW dialog, click APPROVE to approve the workflow or DECLINE to reject a workflow.
    CCM_workflow12a.png
    Figure 11: Approve workflow
    NOTE
    • A user can also approve/decline a workflow from the Fortanix CCM Tasks tab.
    • Notice that the users who have approved the workflow have a green tick WorkflowEx27.png against their icon.
  14. All the users of a workflow must approve to finalize it. If a user declines a workflow, it is rejected. When all the users approve the workflow, it is deployed.
    1. CCM configures apps to access the Datasets.
    2. CCM creates the Workflow Application Configs.
    3. CCM returns the list of hashes needed to start the apps.

Edit Workflow Graphs

To edit a Workflow:

  1. In the Approved tab, click the overflow menu for a workflow and select EDIT WORKFLOW to edit the workflow. When a workflow is edited, a new version of the workflow is created for editing in “draft” state. The existing version stays unchanged. For example, if the first version (Version 1) of an approved workflow “Workflow 1.0” is edited, a new version (Version 2) of “Workflow 1.0” is created. CCM_workflow13a.png
    Figure 12: Edit a workflow
  2. Update the workflow graph with the required changes and click REQUEST APPROVAL to submit the workflow for approval. CCM_workflow24.png
    Figure 13: Request edited workflow for approval
  3. A new version (Version 2) of the workflow is created in “pending” state. Click SHOW APPROVAL REQUEST to approve the workflow. CCM_workflow14a.png
    Figure 14: Edited workflow in pending state
  4. Click APPROVE to approve the workflow. CCM_workflow22.png
    Figure 15: Approve the workflow
  5. After Workflow Version 2 is approved, it will be linked to Version 1. Now, the user can either delete Workflow Version 1 or restore it. CCM_workflow23.png
    Figure 16: Workflow version 1

Clone Workflow Graphs

A workflow is cloned when you want to create a copy of an existing workflow instead of creating it from scratch. To create a workflow clone:

  1. For an approved or draft workflow, click the overflow menu on the right and select CLONE WORKFLOW to copy the workflow. When a workflow is cloned, the new workflow is created with a modified name. For example, if the approved workflow “Workflow 1.0” is cloned, a new workflow “Workflow 1.0 (clone)” is created. The user can modify the workflow name using the Edit CCM_workflow17.png icon next to the name. CCM_workflow16.png
    Figure 17: Clone a workflow
  2. Update the workflow graph with the required changes and click REQUEST APPROVAL to submit the workflow for approval.
  3. A new workflow is created in “pending” state.

Delete Workflow Graphs

To delete a workflow:

  1. For an approved workflow, click the overflow menu on the right and select DELETE WORKFLOW to delete the workflow. CCM_workflow18.png
    Figure 18: Delete a workflow
  2. In the DELETE WORKFLOW dialog box, click DELETE to confirm.
  3. The workflow is deleted.

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful