With the introduction of Connection Manager, you now have complete flexibility in how you create, use, and manage connections across all your workflows.
As you may have already read, the new Connection Manager gives workflow designers, site owners and administrators a way to create a centralized and updatable set of managed credentials. We’ve heard you loud and clear that you don’t want to store usernames/passwords inside the action, since doing so has become a governance and security concern, and we address this head-on in this latest feature.
As you start to use Connection Manager, there are some important concepts you'll find helpful. The first is about how we enable governance around who can create connections, where they can be created from, and the impact on usability across the tenant.
Before creating a connection, it’s important to give some thought to how the connection will be used. Are you creating it for your own use, do you want to share it with a specific set of designers, or make it available only to a specific site? You can do any or all of these via personal and shared connections.
Personal vs Shared Connections
Let me explain a bit about the differences between personal and shared connections.
Create a Personal connection if you are the only consumer and don't need to share it with anyone else. Typically this would be in a development scenario or when you are creating a connection with a high level of privileges (for example, an Office 365 Create site).
The only way you can create a Personal connection is via the action configuration. Any connection created using the action is automatically personal, and once it is created, it cannot be changed to a shared connection.
By contrast, create a Shared connection when you want to create a connection that can be shared with other workflow designers. You can then scope it for use across a site collection, individual site, or even down to a set of individual users.
Shared connections can only be created by a site collection administrator or a site owner via the new Connection tab in the workflow gallery. Users without this level of access will not even see the Shared connection. A Shared connection always remains shared and cannot be changed to a Personal connection.
As mentioned, you can scope a Shared connection down to only those designers who you want to use it. By default, when creating a Shared connection, it is automatically available to all designers in the current site collection. However, you can easily change this later via the edit screen on the gallery page.
Apart from being able to update credentials (for example if a password changes) or enable/disable the connection, there are several additional options for scoping a connection on the Edit connection screen:
- Current owners – the set of users who can update and edit the connection details (the screen above).
- User with access – allows scoping of the connection down to one or more individual users. Be aware that the default is set to All users.
- Available in – specifies where in the tenant this connection is available. If you are a site collection admin, you can make it available across the current site collection. However, if you are a site owner you can only scope to the current site (and "This site collection" will not be available).
Finally, on the screen above, we display a list of workflows that are currently using the connection.
It's important to think through how you want the connection to be used, and then use the rules above to determine where and how you create it.
What if I don’t want everyone creating new Connections?
To provide a tighter level of governance, we’ve created a setting that lets site collection administrators allow or prevent workflow designers from creating new connections within the action. Disabling this option means that only site collection admins or site owners can create connections, and only via the connection gallery page. You can access this setting via the cog in the workflow gallery.
You may find workflow designers reporting that they can't create connections during authentication because of a message saying they need Admin Approval. If so, refer to the Connection consent page in help to resolve the issue.
Enjoy the new connection manager and let us know what you think.