We have a problem that relates to the permission management. We would like to provide permission to the user to be able to create the workflow and at the same time also be able to use apps which is linked to our core database.
Problem:
The problem is, if we provide the workflow + apps + resources, with this permission, the user will be able to run queries on our core database which we want to block, but the problem is if we remove the core database permission from the user, then they won't be able to use the apps.
We already created the replicate database called "Redshift" for this user which allows users to run the query as they want instead of the core database.
What we do now:
We have to remove all the workflow permissions from all the users and also change the "Select type" to "Define specific workflow access" so there won't be no one able to run the query through the workflow.
What we need:
The user must be able to use an app that is linked to the core database and has permission to create the workflow and run the query ONLY on the "Redshift", and the user MUST NOT be able to run the query on our core database.
This sounds very similar to an issue with in-app resource queries that we fixed not too long ago. This one is a little more nuanced, though, as workflows don't really execute within the context of a specific user.
Regardless, this is definitely something that we should take a close look at. I've filed a ticket internally and will provide an update here as soon as I have news to share!
After I have a meeting internally on my side. We would like to clarify if what I've requested and mentioned in this post is possible or not so that on my side, we can look for another solution.
Hey @Kanin_Amornratanasiri - I appreciate your patience here. I tracked down the work that we did a few months ago to fix a similar issue with the app editing experience and confirmed that we are planning to do the same for workflows. That said, it's not a trivial fix and the owning team isn't able to commit to any particular timeline.
Unfortunately, I also don't think there's a great workaround in the meantime. If I think of something - or if I have any updates on the timeline - I'll let you know here.
