MinAI - Về trang chủ
Lý thuyết
45 phút
Bài 12/15

Permissions & Roles

Role-based access control (RBAC) trong n8n - workflow sharing, credential permissions, và team access management

🔐 Permissions & Roles

Access Control

Access control là critical cho production n8n. Bài này covers role-based permissions, workflow sharing, và credential management chi tiết.

N8N Role System

Built-in Roles:

Text
1ROLE HIERARCHY
2──────────────
3 
4┌─────────────────────────────────────────────────┐
5│                    INSTANCE                     │
6│  ┌─────────────────────────────────────────┐   │
7│  │             GLOBAL OWNER                 │   │
8│  │  • Full system access                    │   │
9│  │  • User management                       │   │
10│  │  • All settings                          │   │
11│  └─────────────────────────────────────────┘   │
12│                      │                          │
13│  ┌─────────────────────────────────────────┐   │
14│  │          GLOBAL ADMIN (Enterprise)       │   │
15│  │  • User management                       │   │
16│  │  • Some settings                         │   │
17│  │  • Access all workflows                  │   │
18│  └─────────────────────────────────────────┘   │
19│                      │                          │
20│  ┌─────────────────────────────────────────┐   │
21│  │              GLOBAL MEMBER               │   │
22│  │  • Create workflows                      │   │
23│  │  • Own credentials                       │   │
24│  │  • Personal settings                     │   │
25│  └─────────────────────────────────────────┘   │
26└─────────────────────────────────────────────────┘

Workflow-Level Roles:

Text
1WORKFLOW PERMISSIONS
2────────────────────
3 
4OWNER (per workflow)
5├── Full access
6├── Edit workflow
7├── Execute
8├── Share
9├── Delete
10└── Transfer ownership
11 
12EDITOR
13├── View workflow
14├── Edit workflow
15├── Execute
16└── Cannot delete/share
17 
18VIEWER (Enterprise)
19├── View only
20├── See executions
21└── Cannot modify

Workflow Sharing

Share Via UI:

Text
11. Open workflow
22. Click "Share" button (top right)
33. Select users to share with
44. Set permission level:
5   - Editor: Can modify
6   - Viewer: Read only (Enterprise)
75. Save changes

Sharing Best Practices:

Text
1SHARING MATRIX
2──────────────
3 
4Workflow Type       │ Share With    │ Permission
5────────────────────┼───────────────┼────────────
6Production Critical │ Team leads    │ Editor
7                    │ Team members  │ Viewer
8────────────────────┼───────────────┼────────────
9Development         │ Team members  │ Editor
10                    │ Others        │ None
11────────────────────┼───────────────┼────────────
12Utility/Tools       │ All users     │ Viewer
13                    │ Maintainer    │ Editor
14────────────────────┼───────────────┼────────────
15Templates           │ All users     │ Viewer
16                    │ Template team │ Editor

API Workflow Sharing:

Bash
1# Share workflow via API
2curl -X POST \
3  "https://n8n.yourdomain.com/rest/workflows/1/share" \
4  -H "Content-Type: application/json" \
5  -H "X-N8N-API-KEY: your_api_key" \
6  -d '{
7    "shareWith": {
8      "userId": "user-uuid-here",
9      "role": "editor"
10    }
11  }'
12 
13# List workflow shares
14curl "https://n8n.yourdomain.com/rest/workflows/1/shares" \
15  -H "X-N8N-API-KEY: your_api_key"

Credential Sharing

Share Credentials:

Text
11. Settings → Credentials
22. Select credential
33. Click "Sharing"
44. Add users/workflows
55. Note: Secrets never shown to shared users

Credential Share Types:

Text
1CREDENTIAL SHARING OPTIONS
2──────────────────────────
3 
4WORKFLOW-SPECIFIC
5├── Credential only works in specific workflow
6├── Cannot be used in other workflows
7├── Recommended for sensitive data
8└── Example: API key for specific integration
9 
10USER-SPECIFIC
11├── Shared user can use in their workflows
12├── Can create new workflows with this credential
13├── Cannot see actual secrets
14└── Example: Shared database connection
15 
16EVERYONE (Owner only)
17├── All users can use
18├── Useful for common services
19├── Still cannot see secrets
20└── Example: Company Slack token

Credential Permission Matrix:

Text
1ACTION                   │ Owner │ Shared User
2─────────────────────────┼───────┼─────────────
3View credential name     │  ✅   │     ✅
4Use in workflows         │  ✅   │     ✅
5See secret values        │  ✅   │     ❌
6Edit credential          │  ✅   │     ❌
7Delete credential        │  ✅   │     ❌
8Re-share credential      │  ✅   │     ❌

Project/Team Setup (Enterprise)

Project Structure:

Text
1PROJECT ORGANIZATION
2────────────────────
3 
4📁 Project: Marketing Automations
5
6├── 👤 Project Admin
7│   ├── Full project access
8│   ├── Manage project members
9│   └── All workflows & credentials
10
11├── 👥 Project Members
12│   ├── Access project resources
13│   └── Create within project
14
15├── 📋 Workflows
16│   ├── Email Campaign Handler
17│   ├── Social Media Poster
18│   └── Lead Nurture Sequence
19
20└── 🔑 Credentials
21    ├── Marketing-Mailchimp
22    ├── Marketing-Twitter
23    └── Marketing-HubSpot

Project Environment Config:

Bash
1# Enable projects (Enterprise)
2N8N_ENTERPRISE_FEATURES_ENABLED=true
3 
4# Project isolation
5N8N_PROJECT_ISOLATION_MODE=strict
6 
7# Project settings
8N8N_DEFAULT_PROJECT_ID=default-project-id

Access Control Patterns

Pattern 1: Department Isolation

Text
1Marketing Department
2├── Workflows: Marketing-*
3├── Credentials: Marketing-*
4├── Users: marketing-team@company.com
5└── Isolation: Cannot access Sales workflows
6 
7Sales Department
8├── Workflows: Sales-*
9├── Credentials: Sales-*
10├── Users: sales-team@company.com
11└── Isolation: Cannot access Marketing workflows
12 
13Shared Resources
14├── Workflows: Shared-*
15├── Credentials: Common-*
16├── Users: All departments
17└── Read-only for most

Pattern 2: Environment-Based

Text
1Production
2├── Limited users (admins only)
3├── Strict credential access
4├── No experimental workflows
5└── Full monitoring
6 
7Staging
8├── More users
9├── Test credentials only
10├── Clone of production
11└── Testing allowed
12 
13Development
14├── All developers
15├── Personal credentials
16├── Experimentation encouraged
17└── Less restrictions

Pattern 3: Role-Based

Text
1Workflow Developers
2├── Create/edit workflows
3├── Use shared credentials
4├── Cannot manage users
5└── Cannot access admin settings
6 
7Integration Specialists
8├── Full credential access
9├── Setup external services
10├── Document integrations
11└── Support developers
12 
13Platform Admins
14├── User management
15├── Instance settings
16├── Monitoring & logs
17└── Backup management

Security Configurations

Restrict Dangerous Nodes:

Bash
1# Disable code execution
2N8N_NODES_EXCLUDE="[\"n8n-nodes-base.executeCommand\",\"n8n-nodes-base.code\"]"
3 
4# Disable file system access
5N8N_NODES_EXCLUDE="[\"n8n-nodes-base.readBinaryFile\",\"n8n-nodes-base.writeBinaryFile\",\"n8n-nodes-base.readFile\",\"n8n-nodes-base.writeFile\"]"
6 
7# Disable SSH
8N8N_NODES_EXCLUDE="[\"n8n-nodes-base.ssh\"]"
9 
10# Combined restrictions
11N8N_NODES_EXCLUDE="[\"n8n-nodes-base.executeCommand\",\"n8n-nodes-base.ssh\",\"n8n-nodes-base.readBinaryFile\"]"

IP Allowlist (nginx):

nginx
1# Allow specific IPs for certain users
2location /api/v1/workflows {
3    # Restrict write operations to office IP
4    limit_except GET {
5        allow 203.0.113.0/24;  # Office IP range
6        deny all;
7    }
8    
9    proxy_pass http://n8n:5678;
10}

Audit & Compliance

Permission Audit Script:

SQL
1-- List all workflow permissions
2SELECT 
3    w.name as workflow_name,
4    u.email as owner_email,
5    sw."userId" as shared_with,
6    sw.role as permission
7FROM workflow_entity w
8JOIN "user" u ON w."userId" = u.id
9LEFT JOIN shared_workflow sw ON sw."workflowId" = w.id
10ORDER BY w.name;

Credential Audit:

SQL
1-- List credential sharing
2SELECT 
3    c.name as credential_name,
4    c.type as credential_type,
5    u.email as owner,
6    sc."userId" as shared_with
7FROM credentials_entity c
8JOIN "user" u ON c."userId" = u.id
9LEFT JOIN shared_credentials sc ON sc."credentialsId" = c.id
10ORDER BY c.name;

Export Permissions Report:

Bash
1#!/bin/bash
2# permissions-report.sh
3 
4REPORT_DIR="/opt/n8n-reports"
5DATE=$(date +%Y%m%d)
6 
7# Workflow permissions
8docker exec n8n-postgres psql -U n8n -d n8n -c "
9COPY (
10    SELECT 
11        w.name,
12        u.email as owner,
13        string_agg(su.email, ', ') as shared_with
14    FROM workflow_entity w
15    JOIN \"user\" u ON w.\"userId\" = u.id
16    LEFT JOIN shared_workflow sw ON sw.\"workflowId\" = w.id
17    LEFT JOIN \"user\" su ON sw.\"userId\" = su.id
18    GROUP BY w.id, u.id
19) TO STDOUT WITH CSV HEADER;
20" > "$REPORT_DIR/workflow_permissions_$DATE.csv"
21 
22echo "Report saved: $REPORT_DIR/workflow_permissions_$DATE.csv"

Multi-Instance Strategy

Separate Instances by Security Level:

Text
1HIGH SECURITY (Finance/HR)
2├── Isolated network
3├── Admin access only
4├── Strict credential handling
5├── Full audit logging
6└── Separate backups
7 
8STANDARD (General Business)
9├── Team access
10├── Department credentials
11├── Standard monitoring
12└── Regular backups
13 
14DEVELOPMENT (Sandbox)
15├── All developers
16├── Test credentials only
17├── Relaxed policies
18└── Optional backups

Cross-Instance Communication:

yaml
1# webhook-based communication
2# High-security instance exposes limited webhooks
3# Standard instance calls these webhooks
4 
5# Example: HR workflow calls Finance for budget check
6# HR Instance (caller)
7- HTTP Request node
8  - URL: https://finance.n8n.company.com/webhook/budget-check
9  - Auth: Bearer token (shared secret)
10  - Data: { "department": "HR", "amount": 5000 }
11 
12# Finance Instance (receiver)
13- Webhook node
14  - Auth: Header auth (validate token)
15  - Respond with approval/denial only

Troubleshooting Permissions

Cannot Access Workflow:

Text
1Error: "You don't have permission"
2 
3Check:
41. Is workflow shared with you?
52. What's your permission level?
63. Is credential accessible?
7 
8Fix:
9- Ask owner to share
10- Check credential sharing
11- Verify not disabled user

Credential Not Working:

Text
1Error: "Credential not found"
2 
3Possible causes:
41. Credential not shared
52. Credential deleted
63. Credential for different workflow
7 
8Fix:
9- Request credential sharing
10- Create personal credential
11- Check workflow-specific credentials

Permission Check Query:

SQL
1-- Check user's accessible workflows
2SELECT w.name, w.active
3FROM workflow_entity w
4WHERE w."userId" = 'user-uuid'
5   OR EXISTS (
6       SELECT 1 FROM shared_workflow sw 
7       WHERE sw."workflowId" = w.id 
8       AND sw."userId" = 'user-uuid'
9   );

Best Practices Summary

Security Guidelines

Permission Best Practices:

  1. Least Privilege - Give minimum necessary access
  2. Regular Audits - Review permissions monthly
  3. Prompt Deprovisioning - Remove access immediately when people leave
  4. Document Sharing - Record why access was granted
  5. Credential Rotation - Rotate after team changes

Bài Tập Thực Hành

Permission Setup Challenge

Implement access control:

  1. Define 3 user roles for your team
  2. Create workflow sharing policy document
  3. Set up credential sharing strategy
  4. Write audit query to list all permissions
  5. Document permission request process
  6. Test access controls work correctly

Build secure team access! 🔐

Key Takeaways

Remember
  • 👤 Owner can do everything - Including transfer
  • 🔑 Credentials stay secret - Shared users can use, not see
  • 📊 Audit regularly - Permissions drift over time
  • 🚫 Restrict dangerous nodes - Code, SSH, file access
  • 📋 Document everything - Who has access and why

Tiếp Theo

Bài tiếp theo: Monitoring & Alerting - Track executions, performance metrics, và error alerting.