> ## Documentation Index
> Fetch the complete documentation index at: https://docs.incident.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Restrict workflow management to a team

> Let teams manage their own workflows

Every user can create and manage workflows out of the box, because the default **Standard** base role includes the **Manage workflows** permission. As you grow and more teams build their own workflows, you might want tighter control over who can manage what, so each team looks after its own.

You can do that by scoping workflow management to the team that owns each workflow. You'll bring together three things: an **owning team** on the workflow, a **team role** that grants **Manage workflows**, and a base role that no longer hands **Manage workflows** to everyone. This guide walks through each.

<Info>
  This changes who can **manage** workflows. Everyone can still **view** workflows and their run history; viewing isn't
  team-scoped.
</Info>

## Before you start

You'll need:

* **Teams set up in the catalog**, with the right people as members. See [Getting started with teams](/catalog/teams).
* **Permission to manage roles.** You'll create a team role and adjust your base roles at **Settings → Permissions**, which needs the **Manage user roles** permission, typically held by admins and owners.

The permission you'll be working with is **Manage workflows**, which can be granted to a [team role](/admin/team-roles) so it only applies to the workflows a team owns.

## Step 1: Give your workflows an owning team

Open a workflow to create or edit it. At the top of the editor, use the **Owned by** control (it reads **No team** until you set one) to choose the team or teams that should own the workflow. You can also set this from the **Advanced settings** panel.

Once a workflow has an owning team, the people who can edit, enable, disable, or delete it are restricted to:

* Anyone with the **Manage workflows** permission granted globally (such as an admin)
* Members of an owning team who have the permission granted to that team

A workflow with no owning team can be managed by anyone who holds **Manage workflows** globally, which by default is everyone (see [Step 3](#step-3-remove-the-account-level-default)).

## Step 2: Create a team role with the permission

Go to **[Settings → Permissions](https://app.incident.io/~/settings/permissions)**, and on the **Team-level** tab create a team role (or edit an existing one), selecting **Manage workflows**.

Assign this role to the members of each team who should manage their own workflows. You control who has which role from the **Members** tab of the team's page. See [Team roles](/admin/team-roles) for more on how this works.

## Step 3: Remove the account-level default

Unlike some other team resources, **Manage workflows** is included in the **Standard** base role by default, so out of the box every user can manage every workflow. Team ownership only starts to restrict management once you remove this global grant.

Go to **[Settings → Permissions → Account-level](https://app.incident.io/~/settings/permissions)**, edit the base roles that shouldn't manage all workflows (typically **Standard**), and remove **Manage workflows**. Keep it on **Admin** and **Owner** if you want admins to manage workflows across every team. From then on, each workflow can be managed only by its owning team's members with the team role, plus anyone who still holds the permission globally.

<Warning>
  If you skip this step, team ownership has no effect on who can manage a workflow: everyone still holds **Manage
  workflows** globally through their base role, so they can edit any workflow regardless of its owning team.
</Warning>

## Step 4: Confirm it's working

Someone outside an owning team will see the edit, enable, disable, and delete controls disabled, with a tooltip explaining they don't have permission for that workflow. Members of the owning team, and anyone who holds the permission globally, can manage it as normal.

## FAQs

<AccordionGroup>
  <Accordion title="Who can change which team owns a workflow?">
    Reassigning ownership always requires the **Manage workflows** permission granted globally. A team can manage a
    workflow they own, but they can't hand it to another team or remove their own team from it. This stops a team from
    quietly giving away (or locking others out of) a shared workflow.
  </Accordion>

  <Accordion title="What happens to workflows with no owning team?">
    They can be managed by anyone who holds **Manage workflows** globally. If you haven't removed that permission from
    your base roles, that's everyone. See [Step 3](#step-3-remove-the-account-level-default).
  </Accordion>

  <Accordion title="Can a workflow be owned by more than one team?">
    Yes. You can assign multiple owning teams, and a member of any one of them (with the permission granted to that
    team) can manage the workflow.
  </Accordion>

  <Accordion title="Can admins still manage every workflow?">
    Yes. Anyone who holds **Manage workflows** globally can manage any workflow, regardless of which team owns it. This
    lets a small set of administrators step in across teams.
  </Accordion>
</AccordionGroup>
