Groups and Collaboration Groups - Concepts

1.0 Introduction

This article describes groups and collaborating groups in Fortanix Confidential Computing Manager (CCM).

A Fortanix CCM group is a collection of users and objects. In Fortanix CCM, users can own resources such as workflows, datasets, and applications through their individual accounts. By default, these resources are accessible only within the same account and are not visible to users from other Fortanix CCM accounts.  

Collaborating groups enable secure collaboration across accounts by allowing users from different Fortanix CCM accounts to access and manage shared resources through a common group. This capability allows multiple accounts to collaborate on workflows, datasets, and applications while maintaining clear ownership boundaries and access controls.

This guide explains how collaborating groups work in Fortanix CCM and how they enable controlled cross-account collaboration.

2.0 Group

In the Fortanix CCM organizational hierarchy, a group is a collection of users and objects. It helps users manage identities, create collaborating groups as described in Section 3.0: Collaborating Group, and organize and secure the applications, datasets, and workflows that belong to the group. A group is used to control access to and usage of objects in a workflow. A group is an entity under a Fortanix CCM account. A user who is an account administrator can create a group. The user who creates a group is automatically assigned the role of group administrator. The group administrator can add more users to the group in the role of administrator or auditor.

NOTE

  • For existing Fortanix CCM accounts, after the CCM 3.35 release, a group will automatically be created for all the resources, such as applications, datasets, workflows, and so on, and set as default.

  • For a new Fortanix CCM account, you must create a group manually.

  • From the group list page, you can check all the associated datasets and workflows.

  • You can create new datasets and workflows from the group details page.

  • After a dataset, workflow, application, or application configuration is created, its group_id value cannot be changed.

  • You can assign a group_id to datasets, workflows, and application configurations from their respective creation forms.

  • For users in a group, you can assign the following two permissions:

    • Group administrator

    • Group auditor

For more information about the group roles and how to add them, refer to Create Groups.

3.0 Collaborating Group

A collaborating group in Fortanix CCM represents a collaboration established between two groups that belong to different Fortanix CCM accounts. Through this collaboration, the participating groups can securely share selected resources and work together on common workflows.

NOTE

  • A Fortanix CCM group can act as a consumer group and create collaborating groups to initiate collaboration with one or more publisher groups from different Fortanix CCM accounts. When this relationship is established, the consumer group and the publisher group(s) participate in a collaboration that is represented as a workflow.

  • Fortanix CCM does not allow collaboration between groups that belong to the same Fortanix CCM account.

  • Depending on the role of the group (consumer or publisher), a collaborating group can be in one of the following states:

    • Pending

    • Accepted

    • Rejected

    • Revoked

  • A collaboration begins only after the publisher group accepts the collaboration request from the consumer group.

  • Within a collaborative workflow, the consumer group user assigns placeholder nodes to the publisher groups with which it has an approved collaboration.

  • Each publisher group user can fill only the placeholder node assigned to their group and cannot add, delete, or modify any other nodes in the workflow.

  • Placeholder nodes allow participating groups to contribute their respective resources, such as applications or datasets, to the shared workflow.

  • In a shared workflow for Nitro or ACI applications, users in the consumer group can contribute applications, application configurations, and datasets to the workflow, while users in the publisher group can contribute only datasets.

  • In a shared workflow for AMD-DEV-SNP applications, users in the consumer group can request a single application from a user in the publisher group, while users in the publisher group can contribute only applications. Datasets are not supported in this scenario at present.

  • Azure Confidential Virtual Machine applications are not supported in a shared workflow at present.

  • After all placeholder nodes are filled and the workflow is ready, each publisher group must approve the workflow first. The consumer group cannot approve the workflow until all publisher groups have approved it. Once all participating groups approve the workflow, it becomes an approved workflow.

  • If any participating group revokes the collaboration with the consumer group, the workflow does not progress.
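The placeholder and approval rules in the note above can be read as a small access-control model. The following Python sketch is an added illustration, not Fortanix code or the CCM API; the `Workflow` class, its fields, and the group names are hypothetical, and it models only publisher-assigned placeholder nodes.

```python
from dataclasses import dataclass, field


@dataclass
class Workflow:
    consumer: str
    assigned: dict       # placeholder node id -> publisher group it is assigned to
    collab_state: dict   # publisher group -> state of its collaboration with the consumer
    filled: dict = field(default_factory=dict)
    approvals: set = field(default_factory=set)

    def _require_active(self) -> None:
        # A collaboration that is not Accepted (for example, Revoked) stops the workflow.
        for pub in set(self.assigned.values()):
            if self.collab_state.get(pub) != "Accepted":
                raise RuntimeError(f"collaboration with {pub} is not in the Accepted state")

    def fill(self, group: str, node: str, resource: str) -> None:
        # A publisher group may fill only the placeholder node assigned to it.
        if self.assigned.get(node) != group:
            raise PermissionError(f"{group} may fill only its own placeholder node")
        self._require_active()
        self.filled[node] = resource

    def approve(self, group: str) -> None:
        self._require_active()
        if set(self.filled) != set(self.assigned):
            raise RuntimeError("all placeholder nodes must be filled first")
        publishers = set(self.assigned.values())
        if group == self.consumer:
            # The consumer group approves last, after every publisher group.
            if not publishers <= self.approvals:
                raise PermissionError("consumer approves only after every publisher")
        elif group not in publishers:
            raise PermissionError(f"{group} is not part of this workflow")
        self.approvals.add(group)

    @property
    def approved(self) -> bool:
        return set(self.assigned.values()) | {self.consumer} <= self.approvals
```
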

3.1 Consumer Group

A Fortanix CCM consumer group is the group that initiates collaboration or sharing of resources with another group from a different Fortanix CCM account.

3.2 Publisher Group

A Fortanix CCM publisher group is the group that receives a collaboration request from a consumer group to participate in shared workflows and share resources.

3.3 Group Participation Token

To initiate collaboration, a consumer group must authenticate itself to a publisher group. Without authentication, a publisher group could receive unsolicited or spam collaboration requests from multiple consumer groups. To prevent this, the publisher group administrator generates a “collaboration token”, which serves as proof of identity for collaboration requests.

When a consumer group requests collaboration, it includes the collaboration token provided by the publisher group in the request. The publisher group then verifies the token and authenticates the consumer group before allowing the collaboration to proceed.

NOTE

  • Creating and sharing a collaboration token between a consumer group and a publisher group is a prerequisite for establishing collaboration between groups.

  • To collaborate with a publisher group, a consumer group must know the collaboration token generated by the publisher group. A publisher group user with administrator privileges can generate a collaboration token from the group’s details page and share it with the consumer group. If the collaboration token already exists, the publisher group can reuse and share that token.

  • The method used to share a collaboration token between the groups is outside the scope of this guide and is left to user discretion.

  • A publisher group can generate multiple collaboration tokens as needed. There is no one-to-one relationship between a consumer group and a collaboration token.

  • A publisher group administrator can revoke a collaboration token at any time. Revoking a collaboration token does not affect existing active collaborations that were established using that token.
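The token rules above (several live tokens, no binding to one consumer, revocation affecting only new requests, no same-account collaboration) are sketched below in Python. This is an added illustration, not Fortanix code or the CCM API; the class and method names are hypothetical, and the Revoked transition is listed but not modelled.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    PENDING = "Pending"
    ACCEPTED = "Accepted"
    REJECTED = "Rejected"
    REVOKED = "Revoked"

@dataclass
class Collaboration:
    consumer: str    # "account/group" of the requesting group
    publisher: str
    state: State = State.PENDING

@dataclass
class PublisherGroup:
    account: str
    name: str
    tokens: set = field(default_factory=set)
    collaborations: list = field(default_factory=list)

    def generate_token(self) -> str:
        # Several tokens may be live at once; none is bound to one consumer.
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        return token

    def revoke_token(self, token: str) -> None:
        # Only future requests are affected; established collaborations are untouched.
        self.tokens.discard(token)

    def request(self, consumer_account: str, consumer_group: str, token: str) -> Collaboration:
        if consumer_account == self.account:
            raise PermissionError("groups in the same account cannot collaborate")
        # compare_digest avoids leaking token contents through comparison timing.
        if not any(secrets.compare_digest(token.encode(), t.encode()) for t in self.tokens):
            raise PermissionError("unknown or revoked collaboration token")
        collab = Collaboration(f"{consumer_account}/{consumer_group}", f"{self.account}/{self.name}")
        self.collaborations.append(collab)
        return collab

    def decide(self, collab: Collaboration, accept: bool) -> None:
        # Collaboration begins only once the publisher accepts a pending request.
        if collab.state is not State.PENDING:
            raise ValueError("only a pending request can be accepted or rejected")
        collab.state = State.ACCEPTED if accept else State.REJECTED
```
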

3.4 Placeholder Nodes

A placeholder node is a node in the Fortanix CCM workflow graph. This node can be filled with various Fortanix CCM resources, such as applications, datasets, and so on.
