Explore Torq's RBAC Architecture: An In-Depth Guide

Explore Torq RBAC architecture, its compartmentalized workspaces, role scopes, user roles, and cross-workspace resource sharing.

Updated over a week ago

Torq's Role-Based Access Control (RBAC) system is a foundational element designed to enhance security and streamline management within organizations.

Core Concepts and Structure

  • Torq Organization: This represents the overarching structure provided to subscribers, encapsulating a comprehensive framework for hyperautomation.

  • Torq Workspace: Functions as a compartment for hyperautomation resources within an organization. Workspaces are uniquely autonomous, supporting various operational needs such as team segregation, environmental staging, and client management. Notably, resources within these workspaces can be explicitly shared, adhering to RBAC protocols to maintain strict access control.

    • Common uses for different workspaces include:

      • Segregation of activities for different teams in an enterprise organization

      • Segregation between development, staging, and production environments for automation

      • Segregation between different geographies in a large distributed organization

      • Segregation between different customers for Managed Security Services Providers (MSSPs) or Managed Services Providers (MSPs)

  • RBAC Scopes: Defined at the workspace level, these scopes determine user or API client permissions, ensuring precise control over resource operations. Scopes evolve in tandem with new functionalities, ensuring robust access management.

  • User Roles: Aggregate specific scopes within workspaces, enabling users to perform designated tasks. Torq facilitates both predefined and customizable roles, catering to diverse operational needs.

  • SSO Claim Mapping Rules: These ordered directives refine how roles are assigned during Single Sign-On processes with an Identity Provider (IdP), leveraging specific user claims to bolster security and management efficiency. The claims may pertain to a persistent user property, such as Group Membership in an IdP, or to a transient property, such as the user's location or device.

  • Workspace Resources: The various persistent or transient components of Torq configuration and activity contained within specific workspaces.

Workspace Resources and Segregation

Torq's strategic use of workspaces underpins its RBAC structure, offering scalable and straightforward solutions for complex automation challenges. Resources within workspaces encompass a broad range, from integrations and workflows to permissions and API keys, each integral to the tailored functioning of a workspace.

The diagram below illustrates an example of a Torq organization consisting of multiple workspaces, each containing distinct resources. Some resources are shared among multiple workspaces:

[Diagram: Share resources between workspaces]

Workspace resources contained within each workspace may vary, but generally, they can be categorized as follows:

  • Step integrations

  • Trigger integrations

  • Workflows

  • Custom steps

  • Global variables

  • Workspace variables

  • Activity and audit logs

  • User permissions (set explicitly or through claim mappings based on the organizational IdP)

  • Step runners

  • API keys

Customization and Support for Complex Environments

Torq stands ready to support the intricate requirements of larger organizations, including the provision for multiple organizational Identity Providers (IdPs). Custom roles can be developed to meet specific operational strategies, enhancing the system's flexibility and automation capabilities. Contact Torq support to expand upon the out-of-the-box roles.

  • The mapping of User → Workspace → Role can be done either on an individual user level (not recommended for enterprise environments) or based on organizational SSO Claims.

  • For larger organizations, support for multiple organizational IdPs is available for different workspaces upon request.
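
The User → Workspace → Role mapping from ordered SSO claim rules can be modelled as below. This is an added illustration, not Torq's rule format or API: the rule shape, the first-match-per-workspace semantics, the default-deny behaviour, and every claim, workspace and role name are assumptions made for the example.

```python
# Added illustration: a simplified model of ordered claim-to-role mapping.
# Rule shape, first-match semantics and all names are assumptions,
# not Torq's actual rule format or API.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimRule:
    claim: str       # claim name in the IdP assertion, e.g. "groups"
    value: str       # value that must be present for the rule to match
    workspace: str   # workspace the rule applies to
    role: str        # role granted in that workspace


def claim_matches(claims: dict, rule: ClaimRule) -> bool:
    """Match scalar claims by equality and list claims by membership."""
    actual = claims.get(rule.claim)
    if isinstance(actual, (list, tuple, set)):
        return rule.value in actual
    return actual == rule.value


def resolve_roles(claims: dict, rules: list) -> dict:
    """Return {workspace: role}; per workspace the first matching rule wins.

    A workspace with no matching rule is absent from the result (default deny).
    """
    assigned = {}
    for rule in rules:  # order matters: earlier rules take precedence
        if rule.workspace not in assigned and claim_matches(claims, rule):
            assigned[rule.workspace] = rule.role
    return assigned


# Constructed sample rules: the transient device rule is placed ahead of the
# persistent group rule so an unmanaged device caps access in production.
RULES = [
    ClaimRule("device_trust", "unmanaged", "prod", "viewer"),
    ClaimRule("groups", "soc-engineers", "prod", "operator"),
    ClaimRule("groups", "soc-engineers", "staging", "creator"),
    ClaimRule("groups", "mssp-customer-a", "customer-a", "viewer"),
]

# Constructed sample claim sets for the same user on two devices.
MANAGED = {"groups": ["soc-engineers"], "device_trust": "managed"}
UNMANAGED = {"groups": ["soc-engineers"], "device_trust": "unmanaged"}

if __name__ == "__main__":
    print(resolve_roles(MANAGED, RULES))
    print(resolve_roles(UNMANAGED, RULES))
```

Swapping the first two rules would give the unmanaged device the broader production role, which is why rule order deserves review whenever a transient claim is meant to restrict access.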
