- Bug
- Resolution: Done
- Normal
- None
- 1.9.0
- RHDH Documentation 3287
- Important
Summary
The Permissions.md documentation for the orchestrator.workflow.[workflowId] permission is incomplete. It only mentions workflow definition access, but the code shows this permission also grants access to workflow instances (filtered by initiator).
Current Documentation
File: Permissions.md
The current description for orchestrator.workflow.[workflowId] states:
Allows the user to list and read the details of a single workflow definition
Actual Code Behavior
In router.ts (lines 904-909), the specific permission IS used to authorize instance access via getInstanceById:
    const decision = await authorize(
      request,
      [
        orchestratorWorkflowPermission,
        orchestratorWorkflowSpecificPermission(workflowId), // Used for instance access
      ],
      permissions,
      httpAuth,
    );
The initiatorEntity filter (lines 846-867) is then applied, meaning users only see instances they created (unless they have instanceAdminView).
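As an added illustration (not code from the rhdh-plugins project), the following TypeScript models the behaviour described above: the request is authorized when the caller holds either the generic permission or the workflow-specific one, and the initiatorEntity filter then limits the visible instances to those the caller created unless they also hold instanceAdminView. The permission strings, the spelling of the admin-view permission and the sample instances are assumptions made for this example.

```typescript
// Added illustration, not code from the rhdh-plugins repository. It models the
// behaviour the issue describes: holding orchestrator.workflow.<workflowId>
// authorizes access to that workflow's instances, and the initiator filter then
// hides instances the caller did not create unless they hold instanceAdminView.
// Permission strings and data below are assumptions made for this example.
type Permission = string;

interface WorkflowInstance {
  id: string;
  workflowId: string;
  initiatorEntity: string; // entity ref of the user who started the instance
}

const GENERIC_PERMISSION: Permission = 'orchestrator.workflow';
// Assumed spelling; the issue refers to this permission only as instanceAdminView.
const INSTANCE_ADMIN_VIEW: Permission = 'orchestrator.instanceAdminView';

function orchestratorWorkflowSpecificPermission(workflowId: string): Permission {
  return `orchestrator.workflow.${workflowId}`;
}

// Mirrors the router's decision: the generic OR the workflow-specific
// permission is enough to reach the instance endpoint.
function isAllowed(granted: Set<Permission>, workflowId: string): boolean {
  return (
    granted.has(GENERIC_PERMISSION) ||
    granted.has(orchestratorWorkflowSpecificPermission(workflowId))
  );
}

// Authorization decision first, then the initiatorEntity filter.
function visibleInstances(
  caller: string,
  granted: Set<Permission>,
  workflowId: string,
  instances: WorkflowInstance[],
): WorkflowInstance[] {
  if (!isAllowed(granted, workflowId)) return [];
  const adminView = granted.has(INSTANCE_ADMIN_VIEW);
  return instances.filter(
    i => i.workflowId === workflowId && (adminView || i.initiatorEntity === caller),
  );
}

// Constructed sample data (not taken from any real deployment).
const SAMPLE_INSTANCES: WorkflowInstance[] = [
  { id: 'i1', workflowId: 'wf-a', initiatorEntity: 'user:default/alice' },
  { id: 'i2', workflowId: 'wf-a', initiatorEntity: 'user:default/bob' },
  { id: 'i3', workflowId: 'wf-b', initiatorEntity: 'user:default/alice' },
];
```

With only orchestrator.workflow.wf-a, alice sees her own wf-a instance and nothing from wf-b; adding the admin-view permission lets a caller see every wf-a instance.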
Inconsistency
The generic permission orchestrator.workflow correctly documents instance access:
Allows the user to list and read any workflow definition and their instances that they created
But the specific permission orchestrator.workflow.[workflowId] omits this, even though both permissions grant the same instance visibility behavior.
Recommended Fix
Update the orchestrator.workflow.[workflowId] description to:
Allows the user to list and read a single workflow definition and its instances that they created
References
- File: https://github.com/redhat-developer/rhdh-plugins/blob/main/workspaces/orchestrator/docs/Permissions.md
- Code reference: workspaces/orchestrator/plugins/orchestrator-backend/src/service/router.ts lines 846-867, 904-909