Configuring Collaboration Groups Using Data Connectors and Scripts

  • Updated on Mar 2, 2026
  • Published on Jun 12, 2024
  • 13 minute(s) read
Prev Next

1.0 Introduction

This article describes the steps to create, update, and revoke collaborating groups in Fortanix Confidential Computing Manager (CCM).

A Collaborating Group in Fortanix CCM represents a collaboration established between two groups that belong to different Fortanix CCM accounts. Through this collaboration, the participating groups can securely share selected resources and work together on common workflows.

This document explains the end-to-end collaboration process, including creating collaborating groups, sharing collaboration tokens, building shared workflows, approving workflows, and managing collaboration lifecycle events.

2.0 Collaborating Groups Using Scripts and Data Connectors

A Fortanix CCM collaborating group is created when groups from different Fortanix CCM accounts establish a collaboration. Through this collaboration, the groups can share resources and participate together in workflows.

In a collaborating setup:

  • One group acts as the consumer group and initiates the collaboration.

  • One or more groups act as publisher groups and participate by contributing permitted resources.

The collaboration is represented and managed through shared workflows, which enforce controlled interaction, approval sequencing, and access restrictions between participating groups.

This section describes collaboration between three Fortanix CCM groups from different Fortanix CCM accounts using a workflow that includes a Script and two Data Connectors. In this example, one group acts as the consumer group and the other two groups act as publisher groups.

3.0 Create Consumer Group

This section describes how to create consumer groups that participate in a workflow collaboration with publisher groups.

In this example, a consumer group is created in a Fortanix CCM account and initiates collaboration with publisher groups using a shared workflow. The consumer group adds Scripts and placeholder Data Connector nodes to the workflow, enabling publisher groups to contribute Data Connectors to the shared workflow.

Perform the following steps to create a consumer group for workflow-based collaboration:

  1. Log in to Fortanix CCM and create a new account, for example, DemoA, or log in to an existing account. For more information on how to log in and create a new Fortanix CCM account, refer to the Logging In guide.

  2. In the CCM left navigation panel, click the Groups menu item, and on the Groups page, click + ADD GROUP to create the consumer group.

    Figure 1: Create consumer group

  3. In the GROUP form, do the following:

    1. Name: Enter a name for the group. For example, DemoA-Group1.

    2. Description (optional): Enter a short description for the group.

    3. Labels (optional): Add one or more key–value labels to the group.

  4. Click SAVE to create the consumer group.

    Figure 2: Consumer group created

The group is created successfully.

3.1 Create Scripts

Perform the following steps to create scripts:

  1. Click the group to open the detailed view of the consumer group.

  2. Create a new script in the consumer group to participate in the workflow collaboration. From the group’s details page, go to the SCRIPTS menu item.

  3. On the Scripts page, click + ADD SCRIPT to add an SQL script.

    Figure 3: Consumer group details page

  4. In the SCRIPT form, do the following:

    1. Name: Enter the required name for your script in the provided field.

    2. Description (optional): Enter a brief description of your script.

    3. Select query language: Click the appropriate radio button to select the query language as SQL, SQL Aggregate or Python for your script. Use the provided text area to enter the relevant SQL commands or Python code.

  5. Click SAVE to initiate the script creation.

  6. Repeat Steps 3 to 5 to create an SQL Aggregate script in the consumer group.

    Figure 4: Create script for the consumer group

The SQL statement and SQL Aggregate scripts are created successfully.

4.0 Create Publisher Groups

This section describes how to create publisher groups that participate in workflow collaboration with a consumer group.

In this example, two publisher groups are created in different Fortanix CCM accounts and contribute inbound and outbound connectors to a shared workflow initiated by the consumer group.

NOTE

To collaborate with resources in the consumer group, you must create two additional groups in different Fortanix CCM accounts as collaboration between groups within the same account is not supported.

Perform the following steps to create two publisher groups:

  1. Create two new Fortanix CCM accounts, for example, DemoB and DemoC, or log in to existing accounts if they already exist. For more information on how to log in and create a new Fortanix CCM account, refer to the Logging In guide.

  2. Repeat Steps 2 to 4 in Section 3.0: Create Consumer Group, to create the two new publisher groups, for example, DemoB-Group2 and DemoC-Group3.

4.1 Create Inbound Connectors

Perform the following steps to create an inbound connector:

  1. Create an inbound connector in the first publisher group (DemoB-Group2) to participate in the workflow collaboration.

    From the detailed view of DemoB-Group2, click the INBOUND CONNECTORS menu item, and on the Inbound Connectors page, click + ADD CONNECTORS to create a new inbound connector.

    Figure 5: Add inbound connector

  2. In the INBOUND CONNECTOR form, select BigQuery as the connector type.

  3. Click NEXT to proceed further.

  4. On the INBOUND CONNECTOR page, do the following:

    1. Connector name: Enter a name for the inbound connector.

    2. Description (Optional): Enter a short description of the connector.

    3. Labels: Add one or more key–value labels to the connector.

    4. Project ID: Enter the ID of the BigQuery project.

    5. Dataset name: Enter the name of the dataset from which you want to import data.

    6. Table name: Enter the name of the table within the specified dataset.

    7. API key: Enter the API key (Service Account JSON) required for accessing the BigQuery service in the text box provided. You can also upload the API key in Raw or Base64 format using the browse option. For more information on how to generate this API key, refer to Google Cloud: Create an API Key.

      NOTE

      The API key cannot be viewed again after submission.

  5. Click SAVE to create the inbound connector.

    Figure 6: Create inbound connector – publisher group 1

The inbound connector is created successfully.

4.2 Create Outbound Connectors

Perform the following steps to create an outbound connector:

  1. Create an outbound connector in the second publisher group (DemoC-Group3) to participate in the workflow collaboration.

    From the detailed view of DemoC-Group3, click the OUTBOUND CONNECTORS menu item, and on the Outbound Connectors page, click + ADD CONNECTORS to create a new outbound connector.

    Figure 7: Add outbound connector

  2. On the OUTBOUND CONNECTOR page, do the following:

    1. Connector name: Enter a required name for the outbound connector.

    2. Description (Optional): Add a brief description to provide additional context if needed.

    3. Labels (Optional): Add one or more key–value labels to the connector.

    4. URL: Enter the pre-signed URL where the CSV file is located containing the exported data from the script.

  3. Click SAVE to create the outbound connector.

    Figure 8: Create outbound connector – publisher group 2

The outbound connector is created successfully.

5.0 Generate Collaboration Token

To initiate collaboration, a consumer group must authenticate itself to a publisher group. Without authentication, a publisher group could receive unsolicited or spam collaboration requests from multiple consumer groups. To prevent this, the publisher group administrator generates a “collaboration token”, which serves as proof of identity for collaboration requests.

When a consumer group requests collaboration, it includes the collaboration token provided by the publisher group in the request. The publisher group then verifies the token and authenticates the consumer group before allowing the collaboration to proceed.

Perform the following steps to generate the collaboration token:

  1. Go to the detailed view of DemoB-Group2 in the DemoB account.

  2. Click COLLABORATE to generate a new collaboration token.

    Figure 9: Collaborate

  3. On the COLLABORATE dialog box, click + GENERATE to generate the token.

    Figure 10: Generate token

  4. Click COPY to copy the collaboration token.  

    You must share this collaboration token with the consumer group administrator to enable collaboration. The method used to share the collaboration token is outside the scope of this article.

    Figure 11: Copy collaborating token

  5. Similarly, go to the detailed view of DemoC-Group3 in the DemoC account and repeat Steps 1 to 4 to generate and copy the collaboration token for DemoC-Group3. Then, share this token with the consumer group.

  6. Click SHOW TOKENS to view the previously generated tokens.

    Figure 12: View token

6.0 Create Collaboration Group

This section explains the collaboration process between the consumer group and the publisher group using the collaboration token shared by the publisher group.

Perform the following steps to create a collaborating group for workflow collaboration:

  1. Open the detailed view of the consumer group, for example DemoA-Group1, in the DemoA account.

  2. Click ACCEPT TOKEN.

    Figure 13: Accept collaboration token

  3. In the ACCEPT TOKEN dialog box, paste the collaboration token shared by the publisher group in Section 5.0: Generate Collaboration Token.

  4. Click PROCEED to initiate the collaboration request.

    Figure 14: Enter collaborating token

  5. Navigate to Groups and select the COLLABORATION GROUPS tab.

  6. On the CONSUMER tab and verify that the consumer group DemoA-Group1 appears associated with the publisher group DemoB-Group2.

    Figure 15: Consumer group association

  7. In the Status column, observe that the collaboration request is in the Pending state.

    NOTE

    The publisher group must accept the collaboration request before collaboration can begin.

  8. Go to the publisher group (DemoB-Group2) and select the COLLABORATION GROUPS tab.

  9. On the PUBLISHER tab, verify that DemoB-Group2 shows an association request from DemoA-Group1.

    Figure 16: Publisher group association

  10. Click the overflow menu  Overflow.png for the publisher group row and click ACCEPT to approve the collaboration request.

    Figure 17: Approve collaboration request

  11. Verify that the collaboration status updates to Accepted in the publisher group view.

    Figure 18: Collaboration approved

  12. Return to the consumer group account (DemoA) and confirm that the collaboration status for the consumer group (DemoA-Group1) also shows Accepted.

    Figure 19: Status accepted

  13. Repeat Steps 1 to 12 to create a collaborating group between DemoA-Group1 and DemoC-Group3 using the collaboration token generated by DemoC-Group3.

    Figure 20: Collaborating group created

6.1 Create a Shared Workflow

After creating the collaborating groups, the consumer group administrator initiates collaboration by creating a shared workflow.

In the shared workflow, the consumer group administrator creates placeholder nodes. Each placeholder node is assigned to a specific publisher group, and only administrators of that publisher group can populate the placeholder nodes assigned to them.

Perform the following steps as a consumer group administrator to create a shared workflow:

  1. In the DemoA account, click the Workflows menu item in the CCM UI left navigation panel.  

  2. On the Workflows page, click + ADD WORKFLOW to create a new workflow.

    Figure 21: Select workflow

  3. In the WORKFLOW form, do the following:

    1. Name: Enter a name for the workflow.

    2. Group: Select the consumer group for the shared workflow. If you do not select a group, Fortanix CCM uses the default group.

    3. Click SAVE to create the shared workflow.

    Figure 22: Create shared workflow

  4. On the workflow canvas, add the SQL script that belongs to the consumer group, DemoA-Group1 created in Section 3.1: Create Scripts.

    Figure 23: Add SQL script to workflow

  5. On the workflow canvas, add the SQL aggregate script that belongs to the consumer group, DemoA-Group1 created in Section 3.1: Create Script.

    Figure 24: Add SQL aggregate script to workflow

  6. Add an inbound connector placeholder node to the workflow and assign it to the publisher group, DemoB-Group2.

    Figure 25: Add inbound connector placeholder

  7. When prompted, select DemoB-Group2 as the publisher group that will populate this inbound connector placeholder.

    Figure 26: Add inbound connector – DemoB-Group2

  8. Repeat Steps 6 and 7 to add an outbound connector placeholder node and assign it to the publisher group, DemoC-Group3.

    Figure 27: Select publisher group – DemoB-Group2

    Figure 28: Add outbound connector – DemoC-Group3

  9. Connect the scripts nodes to both data connectors placeholder nodes to define the workflow data flow.

    Figure 29: Select publisher group – DemoC-Group3

  10. Click SAVE DRAFT to save the workflow.

Saving the workflow as a draft makes it available to the publisher groups, allowing administrators of the assigned publisher groups to access the draft workflow in their respective accounts and populate the placeholder nodes assigned to them.

6.2 Fill the Placeholder Nodes with Actual Data

After the consumer group creates the shared workflow and assigns placeholder nodes, members of the publisher groups populate the placeholder nodes with their own resources.

Each publisher group can update only the placeholder node assigned to its group. Publisher group administrators cannot add, remove, or modify other nodes in the workflow.

Perform the following steps as a publisher group administrator:

  1. Log in to the DemoB account and in the CCM left navigation panel, click the Workflows menu item.

  2. On the Workflows page, click the Draft menu item. The draft shared workflow created by the consumer group appears in the list.

    Figure 30: Open draft workflow

  3. Select the workflow and locate the placeholder node assigned to the publisher group DemoB-Group2.

    Figure 31: Fill placeholder nodes with data

  4. Click the placeholder node to add the inbound connector.

    In the INBOUND CONNECTOR form, select the inbound connector created earlier in Section 4.1: Create Inbound Connector from the list.

    Figure 32: Select inbound connector – publisher group 1

  5. Click SAVE DRAFT to save the updated shared workflow.

    Figure 33: Save draft - publisher group 1

  6. Log in to the DemoC account and repeat Steps 1 to 5 as an administrator of the publisher group DemoC-Group3, and select the outbound connector created earlier in Section 4.2: Create Outbound Connector.

    Figure 34: Save draft - publisher group 2

After all publisher groups populate their assigned placeholder nodes, the shared workflow is complete and ready for approval.

6.3 Request Approval to Create an Approved Workflow

After all publisher groups fill their assigned placeholder nodes, the shared workflow is ready for approval.

Each publisher group must review and approve the workflow before the consumer group can complete the approval process.

NOTE

The consumer group cannot approve the workflow until all publisher groups approve it. This ensures that each publisher group explicitly consents to the data being shared.

Perform the following steps to request and approve the shared workflow:

  1. Log in to the DemoA account as a consumer group administrator.

  2. In the CCM left navigation panel, click the Workflows menu item.

  3. Click the Draft menu item and select the shared workflow for which you want to request approval.

  4. Click SAVE AND REQUEST APPROVAL to send the approval request to all the publisher groups.

    Figure 35: Request shared workflow approval – consumer group

    A confirmation dialog appears. Click REQUEST APPROVAL to submit the approval request to the publisher groups.

    Figure 36: Confirm action

    The workflow moves to the Pending state.

  5. Go to the Pending tab to view workflows awaiting approval.

    Figure 37: Pending approval – consumer group

  6. Log in to the DemoB account as a publisher group administrator. Navigate to the Workflows menu item and click the Pending menu item.

  7. Select the shared workflow from the list and click REQUEST APPROVAL to approve the shared workflow.

    Figure 38: Approve the workflow – publisher group 1

  8. In the APPROVAL REQUEST – CREATE WORKFLOW dialog box, click APPROVE.

    Figure 39: Approve workflow – publisher group 1

  9. Log in to the DemoC account and repeat Steps 7 and 8 to approve the workflow as an administrator of the publisher group DemoC-Group3.

    Figure 40: Review workflow – publisher group 2

    Figure 41: Approve workflow – publisher group 2

  10. After all publisher groups approve the workflow, log in to the DemoA account as the consumer group administrator and approve the workflow to complete the approval process.

    Figure 42: Approve request – consumer group

    Figure 43: Approve workflow – consumer group

  11. The workflow now appears in the Approved tab.

    Figure 44: Workflow approved – consumer group

NOTE

After a shared workflow reaches the Approved state, it cannot be modified.

To make changes, edit the workflow to create a new version using EDIT WORKFLOW as described in the User’s Guide: Create Workflow. After approval, the new version replaces the previous one.

6.4 Run the Shared Workflow

Only the consumer group administrator, who owns the workflow, can run a shared workflow. The members of the publisher groups cannot run the workflow.

For more information on how to run the workflow, refer to  Configure and Run the Workflow.

After the workflow runs, execution logs are available only to the consumer group. The members of the publisher groups cannot view the workflow execution logs.

7.0 Manage Tokens

7.1 Revoke Token

A collaboration token can be revoked by a publisher group administrator.

Revoking a collaborating token does not affect existing active collaborations between the publisher group and consumer group that were established using that token. Any existing shared workflows continue to function as expected.

Figure 45: Revoke token

7.2 Revoke Status

Perform the following steps to revoke a collaboration between a consumer group and a publisher group:

  1. Navigate to the COLLABORATION GROUPS page.

  2. Locate the collaboration entry you want to revoke.

  3. Click the overflow menu Overflow.png for the corresponding row and select REVOKE from the drop down menu to revoke the collaboration.

You can revoke the collaboration from either the consumer group or the publisher group.

After you revoke the collaboration, the shared workflow cannot progress, and collaboration between the groups stops.

Figure 46: Revoke collaboration

Related articles

Platform
Fortanix Armor
Armet AI Key Insight Data Security Manager Confidential Computing Manager
Open Source Platform
Enclave Development Platform®

Solutions
Use Cases
Legacy to Cloud Infrastructure Migration Regulatory Compliance Post-Quantum Readiness Secure, Data-Driven Innovation
Industry
Healthcare Banking & Financial Services Fintech Manufacturing Federal Government

Company
About Us Partners Careers Confidential Computing University Blog FAQ Contact Us Awards Events Webinars Press News Services Media Kit Newsletters

Customers

Resources

Support
Fortanix-logo

4.6

star-ratings

As of August 2025

Request a Demo