Permissions

Flows must have a role to be accessible by users. You declare the role in the Keel schema and attach it to a flow using the @permission directive. Only Flows that match the user's role will be visible in the console.

role Staff {
	domains {
		"myco.com"
	}
}
 
flow RefundOrder {
	inputs {
		orderId Text?
	}
	@permission(roles: [Staff])
}

Permission expressions

Flows also support permission expressions, allowing you to define more granular access control based on the user's identity or environment variables.

flow RefundOrder {
	inputs {
		orderId Text?
	}
	// Allow access if the user is on a specific team
	@permission(expression: ctx.identity.user.team == "myTeam")
}

You can also use environment variables in expressions:

flow RefundOrder {
	inputs {
		orderId Text?
	}
	// Allow access if the user's team matches an environment variable
	@permission(expression: ctx.identity.user.team == ctx.env.ADMIN_TEAM)
}

For flows that should be accessible to any authenticated user, use:

flow RefundOrder {
	inputs {
		orderId Text?
	}
	@permission(expression: true)
}